REAL-TIME FORENSICS THROUGH ENDPOINT VISIBILITY
Peter Kieseberg, Sebastian Neuner, Sebastian Schrittwieser, Martin Schmiedecker, Edgar Weippl
Motivation
• Regular discussions with
o Forensics companies
o Investigators
o Legal personnel
• Additional interest
o NIS-Directive
o "Information as a resource"
Traditional forensic process
• Acquirable storage
• Manageable number of devices
• Devices with small storage capacity
2016 - SBA Research gGmbH
In the Cloud … ?
Selected Frameworks
• Selected Frameworks by big vendors
o Facebook Osquery
o Google Rapid Response - GRR
o Mozilla InvestiGator - MIG
• Developed for
o Large environments
o Cloud systems
Goal
• Theoretical analysis and comparison of capabilities
• Tests with real malware
o Study behavior
o Detection possibilities
• Practical evaluation
o Infected systems
o Target: which artifacts can be detected that could be useful for detecting unknown malware
Theoretical comparison
Lab Setup
Malware Selection
• Feature classes to observe
o F1 – Process spawning
o F2 – Persistence
o F3 – Network connection
• Samples
o S1 – Banking trojan Retefe
o S2 – Locky ransomware
o S3 – Win32.Viking worm
Sample Selection

Sample         Process Spawning   Persistence   Network Connection
Retefe         X                  X             X
Locky          X                  X             (X)
Win32.Viking   X                  X             (X)

(X) = network activity present but only indirectly observable
osquery
• Extraction of information from running systems
o Linux (Ubuntu, CentOS), OS X
o Recently also Windows
• Structure
o Abstraction layer between OS and analyst
o Exposes system internals
o Queried like a database (SQL over virtual tables)
osquery
• Usage
o Provides "tables" (one per type of system artifact)
o Interactive shell (osqueryi) or daemon (osqueryd) for regular, scheduled analysis
o Daemon: allows aggregation over time and catches fleeting changes between runs
Osquery - retefe
• File interaction
o Generated and changed files detected
• Endpoint statistics
o Creation of processes detected
• Network level
o Connections to the outside world detected
• Endpoint monitoring
o Windows registry changed
o New root CA
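To make the osquery usage slide concrete (tables queried with SQL, a daemon schedule, differential results over time) and to show how the Retefe artifacts listed above would surface, here is an added example. It is not code from the slides or from the osquery project: the table and column names (processes, startup_items, registry, services, listening_ports, process_open_sockets, certificates) are real osquery tables, but the two snapshots are constructed rows imitating what osqueryd returns before and after a Retefe-style infection, and `differential`/`detect` are a re-implementation of the daemon's added/removed logic, not osquery code.

```python
"""Scheduled-query pack plus osqueryd-style differential evaluation (added example).

Not code from the SBA Research slides or the osquery project. Table/column names
are real osquery tables; the snapshots below are constructed. osquery returns every
column as a string, which the sample rows reproduce.
"""
import json

# Queries grouped by the slides' feature classes (F1-F3) plus the root-CA artifact.
# registry and services exist only on Windows; registry needs a constraint on key.
QUERY_PACK = {
    "f1_processes": "SELECT pid, parent, name, path, cmdline FROM processes;",
    "f2_startup_items": "SELECT name, path, args, source, type FROM startup_items;",
    "f2_run_keys": (
        "SELECT key, name, data FROM registry WHERE key LIKE "
        "'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run%';"
    ),
    "f2_services": "SELECT name, display_name, path, start_type FROM services;",
    "f3_listening_ports": "SELECT pid, port, protocol, address FROM listening_ports;",
    "f3_open_sockets": (
        "SELECT pid, remote_address, remote_port, state FROM process_open_sockets "
        "WHERE remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::');"
    ),
    "root_cas": "SELECT common_name, issuer, sha1, self_signed FROM certificates WHERE ca = 1;",
}


def to_osquery_config(pack, interval=60):
    """Render the pack as the 'schedule' section of osquery.conf, which osqueryd loads."""
    schedule = {name: {"query": sql, "interval": interval} for name, sql in pack.items()}
    return json.dumps({"schedule": schedule}, indent=2)


def differential(previous, current):
    """Rows added and removed since the last run (osqueryd's differential logging).
    A row is identified by its full content, so a changed row is one removed + one added."""
    prev = {tuple(sorted(row.items())) for row in previous}
    cur = {tuple(sorted(row.items())) for row in current}
    return {"added": [dict(r) for r in sorted(cur - prev)],
            "removed": [dict(r) for r in sorted(prev - cur)]}


def detect(before, after):
    """Map newly added rows per query to the artifact classes the slides list for Retefe.
    Returns (artifact, detail) tuples in pack order."""
    findings = []
    for name in QUERY_PACK:
        for row in differential(before.get(name, []), after.get(name, []))["added"]:
            if name == "f1_processes":
                findings.append(("new_process", row["path"]))
            elif name in ("f2_startup_items", "f2_run_keys", "f2_services"):
                findings.append(("new_persistence", row["name"]))
            elif name == "f3_listening_ports":
                findings.append(("new_listener", f"{row['address']}:{row['port']}"))
            elif name == "f3_open_sockets":
                findings.append(("new_connection", f"{row['remote_address']}:{row['remote_port']}"))
            elif name == "root_cas" and row["self_signed"] == "1":
                findings.append(("new_root_ca", row["common_name"]))
    return findings


# Constructed snapshot of a clean host (only the columns the queries select).
SNAPSHOT_BEFORE = {
    "f1_processes": [
        {"pid": "4", "parent": "0", "name": "System", "path": "", "cmdline": ""},
        {"pid": "1200", "parent": "800", "name": "explorer.exe",
         "path": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    ],
    "f2_services": [
        {"name": "Dhcp", "display_name": "DHCP Client", "start_type": "AUTO_START",
         "path": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted"},
    ],
    "f3_open_sockets": [],
    "root_cas": [
        {"common_name": "Vendor Root CA", "issuer": "Vendor Root CA",
         "sha1": "0000000000000000000000000000000000000001", "self_signed": "1"},
    ],
}

# Constructed snapshot after a Retefe-style infection: hidden PowerShell child of
# explorer, a new auto-start service, an outbound TLS socket, a fake self-signed root CA.
SNAPSHOT_AFTER = {
    "f1_processes": SNAPSHOT_BEFORE["f1_processes"] + [
        {"pid": "3344", "parent": "1200", "name": "powershell.exe",
         "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\inst.ps1"},
    ],
    "f2_services": SNAPSHOT_BEFORE["f2_services"] + [
        {"name": "WinUpdHelper", "display_name": "Windows Update Helper",
         "path": "C:\\ProgramData\\winupd\\svc.exe", "start_type": "AUTO_START"},
    ],
    "f3_open_sockets": [
        {"pid": "3344", "remote_address": "203.0.113.10", "remote_port": "443", "state": "ESTABLISHED"},
    ],
    "root_cas": SNAPSHOT_BEFORE["root_cas"] + [
        {"common_name": "Example Fake Root CA", "issuer": "Example Fake Root CA",
         "sha1": "0000000000000000000000000000000000000002", "self_signed": "1"},
    ],
}

if __name__ == "__main__":
    print(to_osquery_config(QUERY_PACK))
    for artifact, detail in detect(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{artifact:20s} {detail}")
```

The point of the differential is the daemon use case on the slide: a one-off `osqueryi` query shows the current state, but only comparing scheduled runs reveals that the root CA, the service and the socket are new, and a connection that is gone again by the next run still leaves an added/removed pair in the log.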
Osquery - Locky
• File interaction & Endpoint statistics
o Creation of files and processes detected
• Network level
o DNS-Lookups
o Connection to well-known distribution site
• Endpoint monitoring
o Nothing really outstanding
o Randomly generated key in Registry
Osquery – Win32.Viking
• File interaction & Endpoint statistics
o Creation of files and processes detected
• Network level
o Invisible to osquery: no direct connections, but uses a modified Internet Explorer instead
• Endpoint monitoring
o Changes to Registry
o Creation of Windows Service
GRR
• Made to handle Google's internal infrastructure
• Sysadmin initiates a "flow"
o Sent from the front-end servers
o Message containing code
o Executed on the servers by the agents
o Aggregation and post-processing done on the front-end
• "Hunts": many flows targeting many agents
• Live extraction, all major OSs supported
• Can check actual file content
GRR
Differences to osquery
• Retefe
o Spawned processes and network connections detectable in principle, but GRR is typically only used as an ad-hoc tool
• Locky & Win32.Viking
o Also detects timelines of changes, and can check file content for additional information
o Can still detect the registry key
o Otherwise same as for Retefe
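The "timelines of changes" this slide credits GRR with (and which the MIG slide below says MIG lacks) is a MAC-time timeline: one event per file and per modified/accessed/changed timestamp, ordered by time, so the analyst can ask what changed on a host in a given window. The following is an added example that rebuilds that idea over a constructed directory tree; it is not GRR's timeline flow or its result format, and the sample tree (a back-dated config file and a freshly dropped executable) is constructed here.

```python
"""MAC-time file timeline in the spirit of GRR's timeline collection (added example).

Not code from the SBA Research slides or the GRR project; the directory tree is
constructed in a temp dir so the example runs offline.
"""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TimelineEntry:
    timestamp: float   # epoch seconds
    event: str         # "m" modified, "a" accessed, "c" inode changed
    path: str
    size: int


def collect_timeline(root, since=None, events=("m", "a", "c")):
    """Walk root and emit one entry per (file, selected MAC time), sorted by time.
    since: optional epoch timestamp; older events are dropped."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks planted on the host
            except OSError:
                continue              # file vanished between walk and stat (fleeting change)
            stamps = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
            for event in events:
                ts = stamps[event]
                if since is None or ts >= since:
                    entries.append(TimelineEntry(ts, event, path, st.st_size))
    return sorted(entries, key=lambda e: (e.timestamp, e.path, e.event))


def recently_modified(root, window_seconds=3600):
    """Sorted unique paths whose mtime lies inside the window (the 'what changed' question)."""
    since = time.time() - window_seconds
    return sorted({e.path for e in collect_timeline(root, since=since, events=("m",))})


def build_sample_tree():
    """Constructed tree: a config file back-dated one week, and a just-dropped executable.
    os.utime rewrites atime/mtime but not ctime, so the back-dated file still shows a
    recent 'c' event: timestomping mtime does not hide from the full timeline."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    old = os.path.join(root, "config.ini")
    new = os.path.join(root, "dropper.exe")
    with open(old, "w") as fh:
        fh.write("[settings]\n")
    with open(new, "wb") as fh:
        fh.write(b"MZ\x90\x00")
    past = time.time() - 7 * 24 * 3600
    os.utime(old, (past, past))
    return root, old, new


if __name__ == "__main__":
    root, _old, _new = build_sample_tree()
    for e in collect_timeline(root):
        print(f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(e.timestamp))} {e.event} {e.size:6d} {e.path}")
```

In a real GRR deployment the stat collection runs inside the agent and the timeline is assembled on the server from the returned results, which is what lets an investigator combine it with file content checks across a whole hunt.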
MIG
• Original issue: accidental pushes of private keys to GitHub
• Agents running on the servers
o Send information to the MIG master
o Supports all major OSs
o Even embedded systems
MIG
Differences to GRR & osquery
• Retefe
o No file timelining, but detection is still possible
o Cannot access the Windows registry
• Locky
o Same as for Retefe
• Win32.Viking
o Problem with the registry key (MIG has no registry access)
o File can be detected since the filename is known
Conclusion
• Seemingly similar tools
• But: Quite different in actual investigation
o Usage
o Targets
o Detection capabilities
• Combination of tools could be reasonable
• Possibly a target for the development of more specialized tools