1) The document provides guidance on developing leads during an incident response investigation. It discusses how to turn initial leads into indicators that can help detect ongoing or future attacks.
2) It covers creating both host-based indicators like file hashes and network indicators like DNS queries. Care must be taken to balance specificity and accuracy to minimize false positives.
3) Testing indicators on a sample of systems is recommended to ensure they only flag actually compromised machines and do not disrupt the environment. Resolving internal and external leads may involve documentation, avoiding leading questions, or legal options like subpoenas.
2. Collecting Initial Facts
• You need speci
fi
c informatio
n
• Such as IP Addresses and time
s
• Validate facts and check context
3. Time Zones
• A big proble
m
• Simple solution: use UTC for everything
4. Five Checklists
• Incident summar
y
• How the incident was detecte
d
• Individual system detail
s
• Network detail
s
• Malware details
5. Documentation
• Use your own incident documentation syste
m
• File share (with limited and audited access
)
• Or a Request Tracker for Incident Respons
e
• Don't trust any part of the target's networ
k
• It could be compromised
7. Incident Summary Checklist
• Date and time incident was reported & detecte
d
• Contact information of persons who
:
• Reported the inciden
t
• Detected the inciden
t
• Recorded this information
8. Incident Summary Checklist
• General nature of inciden
t
• Malware, phishing, failed logins, unauthorized
logins, etc
.
• Type of affected resourc
e
• How incident was detecte
d
• AV alert, IDS alert, user report, etc.
9. Incident Summary Checklist
• Unique identi
fi
er of all computers involve
d
• Who accessed the system since detection
?
• Attempts to help may be confused with
attacker activit
y
• Who is aware of the incident
?
• Is the incident ongoing
?
• Is there a need to keep the incident con
fi
dential?
11. Incident Detection Checklist
• Was the detection through an automated or
manual process
?
• What information was part of the initial
detection
?
• What sources provided the data
?
• Has the source data been validated as
accurate
?
• Is the source data being preserved?
12. Incident Detection Checklist
• How long have the detection sources been in
operation and who runs them
?
• What are the detection and error rates
?
• Has anything related to the data sources
changed?
14. Collect Additional Details
• Individual system
s
• Physical location, asset tag numbe
r
• System's make and model, OS, primary
functio
n
• Responsible administrator or use
r
• IP address, hostname, domai
n
• Critical information stored on the system and
backups
15. Collect Additional Details
• Individual system
s
• Whether the system is still connected to the
networ
k
• List of malware detected, back as far as log data
goe
s
• List of remediation steps that have been take
n
• It can be dif
fi
cult to tell attacker actions from
administrator actions, such as changing
password
s
• Data that is being preserved by staff
17. Collect Additional Details
• Network detail
s
• All external malicious IPs and domain name
s
• Whether network monitoring is being
conducte
d
• List of remediation steps that have been
conducte
d
• Is data being preserved
?
• Updates to network diagrams and
con
fi
gurations
19. Collect Additional Details
• Malware detail
s
• Date, time, and how malware was detecte
d
• List of systems where malware was foun
d
• Malware
fi
lenames, directorie
s
• Findings of detection mechanism: name
and family of the malicious
fi
l
e
• Is malware active? What network
connections are present?
20. Collect Additional Details
• Malware detail
s
• Is a copy of the malware preserved
?
• Status of any analysis: network and host
indicators of compromis
e
• Was malware submitted to any third party?
21. Case Notes
• Record the main actions your team take
s
• Be professional--your case notes may be
discoverable
24. Investigative Priorities
• Special case
s
• PCI: list of potentially compromised account
numbers and date
s
• Plan with legal counsel fo
r
• Copyright infringemen
t
• Larceny
25. Management Expectations
• Set reasonable goal
s
• Consider sources of evidence, type of incident,
questions, and time constraint
s
• Network intrusions often use overseas jump
points--making legal action dif
fi
cult or
impossibl
e
• If breach was months or years ago, much
evidence may be lost
26. Case: Warez Site
• Someone ran an automated vulnerability scan
on a web serve
r
• Entered through management interfac
e
• Set up a Warez site (selling stolen or illegal
fi
les
)
• Management wanted to
fi
nd and prosecute the
attacke
r
• But this is a common, automated attac
k
• More realistic to just
fi
nd and patch the
vulnerability
29. Leads
• Actionable items about stolen data (tasks
to perform), lik
e
• Network indicator
s
• Identities of potential subject
s
• Issues that led to compromise or a
security incident
31. Example: NIDS
• Network Intrusion Detection System generates
an aler
t
• Connection to a command-and-control serve
r
• Identify internal origin if NAT obscures i
t
• Inspect raw packet
s
• Search other connections made by that host
32. Veracity and Context
• Especially important when humans are the
sourc
e
• Humans may be misinterpreting normal traf
fi
c
• Automated systems sometimes do too
33. Acting on Leads
• Turn leads into viable indicator
s
• That can detect ongoing events and future
attack
s
• Detect suspicious conditions beyond the leads
you already have
34. Turning Leads into
Indicators
• Property-based indicator
s
• Observable characteristics of malicious software or
action
s
• Registry key, MD5 hash, mutex with an unique
nam
e
• mutex is an internal Windows object used for
inter-process communicatio
n
• Often used by malware to avoid repeat infections
35. Turning Leads into
Indicators
• Methodology-based or anomaly-based
indicator
s
• Less speci
fi
c leads, where a combination of
characteristics is suspiciou
s
• Unexpected executables in the WindowsHelp
directory
37. Editing Host-based
Indicators
• Binary classi
fi
cation: endpoint is either of
interest to the investigation, or no
t
• Assemble a set of observables that are
suspicious
39. File MD5 Hash
• Low false positive rate, but limite
d
• Any change in
fi
le causes indicator to fai
l
• Won't be effective for long
If {
file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
} then raise alert
40. Windows PE Headers
• Windows programs are Portable Executable
(PE)
fi
le
s
• .exe, .com, or .dl
l
• The PE format has a header that speci
fi
es
general information about the
fi
le
41. Windows PE Headers
If {
file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
OR (
(PE header Time/Date == "2009/09/28 01:00:25 UTC")
AND
(file size == "24065") )
} then raise alert
42. Include DNS Cache
If {
file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
OR
DNS cache host name contains
"practicalmalwareanalysis.com"
OR
Service descriptive name == "Intranet Network
Awareness"
OR (
File name == "lab03-02.dll"
AND
(PE header Time/Date == "2010/09/28 01:00:25 UTC"
OR
file size == "24065") )
} then raise alert
43. Balance
• Goal: enough information to reliably detect
fi
le
s
• But not too much time lost analyzing malwar
e
• And not too slow for scanner to proces
s
• Snort drops packets when rules are too
complex
44. Import Table
• Part of PE heade
r
• Lists libraries required to run the progra
m
• Normal programs use libraries in common,
predictable pattern
s
• Malware often uses strange patterns of libraries
45. Import Table IOC
If {
file PE import function name list contains
"CreateServiceA" AND
"RegCreateKey" AND
"ReadFile" AND
"CreateThread" AND
"InternetOpenA" AND
"CreateProcessA"
} then raise alert
46. Non-Malware IOC
• Actions an attacker may perfor
m
• Example: sethc.exe replacement attac
k
• sethc.exe enables handicapped
accessibilit
y
• Press Shift key
fi
ve times before logi
n
• Windows offers accessible login option
s
• By launching sethc.exe with System
privileges
47. Two Methods to Trigger
Attack
• Replace the
fi
le at C:
WindowsSystem32sethc.exe with cmd.exe,
and the
n
• Press Shift key
fi
ve times before login, o
r
• Add cmd.exe to the sethc executable's debug
handler in the registr
y
• https://www.crowdstrike.com/blog/registry-
analysis-with-crowdresponse/
48. Detect File Replacement
If {
file path == "C:WindowsSystem32sethc.exe" }
then if {
file MD5 != "ae5b468c7707a1f3d36c49b1fe2ef850"
AND
(PE header Time/Date != "2009/09/28 01:00:25 UTC")
} then raise alert
49. Two Windows Versions
If {
file path == "C:WindowsSystem32sethc.exe" }
then if {
file MD5 != "ae5b468c7707a1f3d36c49b1fe2ef850"
OR "ba494efea253daa7042050c337aaa37a"
AND
(PE header Time/Date != "2009/09/28 01:00:25 UTC"
OR "2012/07/15 09:00:40 UTC" )
} then raise alert
50. Another Way
• In practice, attackers always replaces sethc.exe
with cmd.ex
e
• And cmd.exe was always 10% or more larger
than the largest seth.exe
51. Much Simpler IOC
If {
file path == "C:WindowsSystem32sethc.exe" }
then if {
file size >= 300000
} then raise alert
52. Detect Debugger Key
If
Registry key == "HKLMSoftwareMicrosoft
Windows NTCurrentVersion
Image File Execution Options" }
then if
key value contains "sethc.exe"
then raise alert
54. Editing Network-Based
Indicators
• Rapid determination of whether a session is
relevant to the investigatio
n
• "If a set of bytes are present in the
fi
rst n
bytes of a session, raise an alert
"
• As malware changes, the network signatures
require editing
61. Veri
fi
cation
• Before scanning thousands of systems, test IOC
rules on a representative sampl
e
• Two review
s
• Data Relevant to Indicato
r
• Does rule detect compromised machines
?
• Data Common to Environmen
t
• Does rule trigger on clean machines?
65. Data Common to
Environment
• Run indicator on a sample of clean workstation
s
• Ensure that parameters don't matc
h
• If they do, modify indicators to reduce false
positives
66. Impact on Environment
• Run indicator on a representative subset of
systems, including server
s
• Use a resource manager to see the load on the
system
s
• If you bring down important systems with the
scan, your customer won't be happy
67. Resolving Internal Leads
(from humans)
• Thoroughly document any statemen
t
• Allow the interviewee to tell a stor
y
• Avoid leading questions, and ones that require
yes/no answer
s
• Collect the facts before allowing interviewee to
opine; don't criticize or confron
t
• Know when to get others involved
68. Resolving External Leads
• External parties are not usually obliged to
provide you with informatio
n
• They may do so, if it does not cause undue
ris
k
• Private organizations cannot serve grand jury
subpoenas, 2703(d) court orders, or subpoenas
70. Filing a Subpoena to
Perform Discovery
• Your legal counsel
fi
les a complaint which leads
to civil discover
y
• This can compel an organization, such as an
ISP, to divulge information about a subscriber
71. Reporting an Incident to
Law Enforcement
• Most organizations avoid this, to prevent a
public relations issu
e
• US very rarely requires noti
fi
cation of criminal
act
s
• Child pornography requires you to contact the
DoJ
73. Foreign Entities
• ISPs or hosting site
s
• Quite complicate
d
• Require civil requests through formal channel
s
• State Dept. and Federal law enforcement
agencies
74. Advantages of Law
Enforcement
• Greater capacity to investigate and prosecut
e
• Quicker response to subpoenas and court
order
s
• And target is not noti
fi
e
d
• Can bring criminal action at no cost to your
organizatio
n
• Or a small cost preparing materials
75. Preparing for Law
Enforcement Involvement
• Document the incident appropriatel
y
• Maintain chain of custody of evidenc
e
• Clear and concise picture of the unlawful
activity that took plac
e
• Convey the information in a clear and simple
manner