CNIT 152: Incident Response
4 Getting the Investigation Started on the Right Foot
Updated 9-8-22
Collecting Initial Facts
• You need specific information
  • Such as IP addresses and times
• Validate facts and check context
Time Zones
• A big problem: each log source records time in its own zone, and many omit the zone altogether
• Simple solution: use UTC for everything, converting at collection time and noting each source's original zone
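As an added example (not from the slides), the Python below shows that normalization in practice: it takes constructed log lines from three sources in three different time formats, applies an assumed zone to the one source that omits it, and sorts everything into a single UTC timeline. The source names, zones, year and log lines are all assumptions made for the demo.

```python
"""Normalising log timestamps from several sources to UTC and merging them
into one timeline.

Added example, not from the slides. The log lines are constructed, and the
per-source zones are assumptions standing in for what you confirm with each
system's owner; the point is to record a zone for every source once and
convert at ingest, so the attack timeline is never assembled from mixed
local times.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed zones for sources whose lines carry no offset of their own.
# A wrong entry here silently shifts every event from that source, so
# confirm each one against the device configuration.
SOURCE_ZONES = {
    "fw": timezone(timedelta(hours=-7)),   # firewall syslog in local time (assumed UTC-7)
}
ASSUMED_YEAR = 2022  # syslog lines omit the year; confirm from the log rotation

# Constructed sample lines in three common formats:
#   web: ISO 8601 with an explicit +02:00 offset
#   fw:  syslog-style, no offset and no year
#   ids: epoch seconds, which are UTC by definition
SAMPLE_LOGS = [
    ("web", "2022-09-08T10:15:03+02:00 GET /admin/upload.php 200 10.0.4.17"),
    ("fw",  "Sep  8 01:14:55 fw01 ACCEPT 10.0.4.17:51234 -> 203.0.113.9:443"),
    ("ids", "1662624910 ALERT C2 checkin 10.0.4.17 -> 203.0.113.9"),
    ("web", "2022-09-08T10:14:40+02:00 POST /login.php 302 10.0.4.17"),
]

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s+(.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$")
EPOCH_RE = re.compile(r"^(\d{9,10})\s+(.*)$")


def parse_event(source: str, line: str):
    """Return (aware UTC datetime, source, message). Lines with no
    recognisable timestamp raise ValueError rather than landing at a
    guessed time, and an offset-less source with no entry in SOURCE_ZONES
    raises KeyError for the same reason."""
    m = ISO_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1))        # carries its own offset
        return ts.astimezone(timezone.utc), source, m.group(2)
    m = SYSLOG_RE.match(line)
    if m:
        naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ts = naive.replace(year=ASSUMED_YEAR, tzinfo=SOURCE_ZONES[source])
        return ts.astimezone(timezone.utc), source, m.group(2)
    m = EPOCH_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        return ts, source, m.group(2)
    raise ValueError(f"no timestamp recognised in {source} line: {line!r}")


def build_timeline(logs):
    """Normalise every line to UTC and sort into a single timeline of
    (ISO 8601 UTC string, source, message) rows."""
    events = sorted((parse_event(src, line) for src, line in logs),
                    key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, msg)
            for ts, src, msg in events]


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_LOGS):
        print(*row)
```

Read in local time the firewall entry (01:14) looks like it happened hours before the web requests (10:14); in UTC the login, the outbound connection, the upload and the IDS alert fall within thirty seconds of each other. Refusing to parse unknown formats, rather than defaulting them to "now" or to local time, is deliberate: a silently misplaced event corrupts the whole timeline.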
Five Checklists
• Incident summary
• How the incident was detected
• Individual system details
• Network details
• Malware details
Documentation
• Use your own incident documentation system
  • A file share (with limited and audited access)
  • Or a Request Tracker for Incident Response (RTIR) instance
• Don't trust any part of the target's network
  • It could be compromised, and the attacker could then read or alter your notes
Incident Summary Checklist
• Date and time the incident was reported and detected
• Contact information of the persons who:
  • Reported the incident
  • Detected the incident
  • Recorded this information
Incident Summary Checklist
• General nature of the incident
  • Malware, phishing, failed logins, unauthorized logins, etc.
• Type of affected resource
• How the incident was detected
  • AV alert, IDS alert, user report, etc.
Incident Summary Checklist
• Unique identifier of every computer involved
• Who has accessed the system since detection?
  • Attempts to help may be confused with attacker activity
• Who is aware of the incident?
• Is the incident ongoing?
• Is there a need to keep the incident confidential?
Incident Detection Checklist
• Was the detection through an automated or manual process?
• What information was part of the initial detection?
• What sources provided the data?
• Has the source data been validated as accurate?
• Is the source data being preserved?
Incident Detection Checklist
• How long have the detection sources been in operation, and who runs them?
• What are the detection and error rates?
• Has anything related to the data sources changed?
Individual System Details Checklist
Collect Additional Details
• Individual systems
  • Physical location, asset tag number
  • System's make and model, OS, primary function
  • Responsible administrator or user
  • IP address, hostname, domain
  • Critical information stored on the system, and its backups
Collect Additional Details
• Individual systems
  • Whether the system is still connected to the network
  • List of malware detected, back as far as log data goes
  • List of remediation steps that have been taken
    • It can be difficult to tell attacker actions from administrator actions, such as changing passwords
  • Data that is being preserved by staff
Network Details Checklist
Collect Additional Details
• Network details
  • All external malicious IPs and domain names
  • Whether network monitoring is being conducted
  • List of remediation steps that have been conducted
  • Is data being preserved?
  • Updates to network diagrams and configurations
Malware Details Checklist
Collect Additional Details
• Malware details
  • Date, time, and how the malware was detected
  • List of systems where the malware was found
  • Malware filenames and directories
  • Findings of the detection mechanism: name and family of the malicious file
  • Is the malware active? What network connections are present?
Collect Additional Details
• Malware details
  • Is a copy of the malware preserved?
  • Status of any analysis: network and host indicators of compromise
  • Was the malware submitted to any third party?
    • Uploading a sample to a public sandbox can reveal the investigation to the attacker and leak any confidential data embedded in the sample
Case Notes
• Record the main actions your team takes
• Be professional: your case notes may be discoverable in litigation
Attack Timeline
Investigative Priorities
• Common priorities
  • Who broke in
  • When it occurred
  • What they accessed
  • Are they still inside?
Investigative Priorities
• Special cases
  • PCI: list of potentially compromised account numbers and dates
  • Plan with legal counsel for
    • Copyright infringement
    • Larceny
Management Expectations
• Set reasonable goals
• Consider sources of evidence, type of incident, questions, and time constraints
• Network intrusions often use overseas jump points, making legal action difficult or impossible
• If the breach was months or years ago, much evidence may be lost
Case: Warez Site
• Someone ran an automated vulnerability scan on a web server
• Entered through the management interface
• Set up a warez site (selling stolen or illegal files)
• Management wanted to find and prosecute the attacker
• But this is a common, automated attack
• More realistic to just find and patch the vulnerability
CNIT 152: Incident Response
5 Initial Development of Leads
Leads
• Actionable items (tasks to perform), such as information about:
  • Stolen data
  • Network indicators
  • Identities of potential subjects
  • Issues that led to the compromise or security incident
Defining Leads of Value
Example: NIDS
• A Network Intrusion Detection System generates an alert
  • Connection to a command-and-control server
• Identify the internal origin if NAT obscures it
• Inspect the raw packets
• Search for other connections made by that host
Veracity and Context
• Especially important when humans are the source
  • Humans may be misinterpreting normal traffic
  • Automated systems sometimes do too
Acting on Leads
• Turn leads into viable indicators
  • That can detect ongoing events and future attacks
• Detect suspicious conditions beyond the leads you already have
Turning Leads into Indicators
• Property-based indicators
  • Observable characteristics of malicious software or actions
  • Registry key, MD5 hash, mutex with a unique name
    • A mutex is a named Windows synchronization object that processes use to coordinate with each other
    • Malware often creates one with a unique name so a second copy can tell the first is already running and avoid repeat infections
Turning Leads into Indicators
• Methodology-based or anomaly-based indicators
  • Less specific leads, where a combination of characteristics is suspicious
  • Unexpected executables in the Windows\Help directory
Lifecycle of Indicator Generation
Editing Host-based Indicators
• Binary classification: an endpoint is either of interest to the investigation, or not
• Assemble a set of observables that are suspicious
Example
• Malware sample from the Practical Malware Analysis book (Lab03-02.dll)
  • Used in CNIT 126
File MD5 Hash
• Low false positive rate, but limited
  • Any change in the file causes the indicator to fail
  • Won't be effective for long
If {
  file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
} then raise alert
Windows PE Headers
• Windows programs are Portable Executable (PE) files
  • .exe, .dll, .sys, and similar
• The PE format has a header that specifies general information about the file
  • Including the compile timestamp (TimeDateStamp), which an attacker can forge
Windows PE Headers
If {
  file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
  OR (
    (PE header Time/Date == "2009/09/28 01:00:25 UTC")
    AND
    (file size == "24065")
  )
} then raise alert
Include DNS Cache
If {
  file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
  OR
  DNS cache host name contains "practicalmalwareanalysis.com"
  OR
  Service descriptive name == "Intranet Network Awareness"
  OR (
    File name == "lab03-02.dll"
    AND
    (PE header Time/Date == "2009/09/28 01:00:25 UTC"
     OR
     file size == "24065")
  )
} then raise alert
Balance
• Goal: enough information to reliably detect files
• But not too much time lost analyzing malware
• And not too slow for the scanner to process
  • Snort drops packets when rules are too complex
Import Table
• Located through the data directory in the PE header
• Lists the libraries and functions required to run the program
• Normal programs use libraries in common, predictable patterns
• Malware often uses strange combinations of libraries and functions
Import Table IOC
If {
  file PE import function name list contains
    "CreateServiceA" AND
    "RegCreateKey" AND
    "ReadFile" AND
    "CreateThread" AND
    "InternetOpenA" AND
    "CreateProcessA"
} then raise alert
Non-Malware IOC
• Actions an attacker may perform
• Example: sethc.exe replacement attack
  • sethc.exe is the Windows accessibility helper (Sticky Keys)
  • Pressing the Shift key five times before login makes Windows offer accessibility options
  • It does this by launching sethc.exe, which runs with SYSTEM privileges because no user is logged in yet
Two Methods to Trigger the Attack
• Replace the file at C:\Windows\System32\sethc.exe with cmd.exe, and then
  • Press the Shift key five times before login, or
• Add cmd.exe as the debugger for sethc.exe under Image File Execution Options in the registry
  • https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/
Detect File Replacement
If {
  file path == "C:\Windows\System32\sethc.exe"
} then if {
  file MD5 != "ae5b468c7707a1f3d36c49b1fe2ef850"
  AND
  (PE header Time/Date != "2009/09/28 01:00:25 UTC")
} then raise alert
Two Windows Versions
If {
  file path == "C:\Windows\System32\sethc.exe"
} then if {
  file MD5 != "ae5b468c7707a1f3d36c49b1fe2ef850"
  AND file MD5 != "ba494efea253daa7042050c337aaa37a"
  AND
  (PE header Time/Date != "2009/09/28 01:00:25 UTC"
   AND PE header Time/Date != "2012/07/15 09:00:40 UTC")
} then raise alert
Another Way
• In practice, attackers always replaced sethc.exe with cmd.exe
• And cmd.exe was always 10% or more larger than the largest sethc.exe
Much Simpler IOC
If {
  file path == "C:\Windows\System32\sethc.exe"
} then if {
  file size >= 300000
} then raise alert
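The pseudocode rules above become concrete once the PE timestamp is actually read out of the file. The Python below is an added example, not the slides' or the book's code: it parses the COFF TimeDateStamp from a PE image, implements the "Two Windows Versions" rule and the size rule as functions, and then runs both over labelled samples in the way the Verification slides later in this chapter describe. All binaries and the known-good hashes are constructed stand-ins; only the compile timestamps are the ones quoted in the pseudocode, and the 2011 stamp for the stand-in cmd.exe is an assumption.

```python
"""Host-based indicator for the sethc.exe replacement attack, in real code.

Added example, not from the slides or the book. It reads the COFF header
TimeDateStamp and the file size directly from the PE bytes, then evaluates
the "Two Windows Versions" rule and the "Much Simpler IOC" size rule over a
set of labelled samples, the way the Verification slides describe.
All binaries below are constructed stand-ins (minimal PE images padded to a
chosen size) and the known-good hashes are computed from those stand-ins;
only the timestamps are the ones quoted in the slides' pseudocode.
"""
import hashlib
import struct
from datetime import datetime, timezone

SETHC_PATH = r"C:\Windows\System32\sethc.exe"


def build_fake_pe(timestamp: int, padding: int) -> bytes:
    """Constructed test data: a DOS header whose e_lfanew points at the PE
    signature, followed by an IMAGE_FILE_HEADER carrying the given
    TimeDateStamp, then zero padding so the file size can be varied."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature at offset 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * padding


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None when
    the bytes do not carry MZ and PE signatures."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def _utc(y, mo, d, h, mi, s) -> int:
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


# Timestamps quoted in the slides' pseudocode; the hashes are of the stand-ins.
TS_2009 = _utc(2009, 9, 28, 1, 0, 25)
TS_2012 = _utc(2012, 7, 15, 9, 0, 40)
TS_CMD = _utc(2011, 3, 1, 12, 0, 0)  # assumed stamp for the stand-in cmd.exe

GOOD_SETHC = [build_fake_pe(TS_2009, 4000), build_fake_pe(TS_2012, 5000)]
KNOWN_GOOD_MD5 = {hashlib.md5(b).hexdigest() for b in GOOD_SETHC}
KNOWN_GOOD_TS = {pe_timestamp(b) for b in GOOD_SETHC}
FAKE_CMD = build_fake_pe(TS_CMD, 350000)  # stand-in cmd.exe, about 350 KB


def sethc_replaced(path: str, data: bytes) -> bool:
    """'Two Windows Versions' rule: look only at the sethc.exe path and alert
    when neither the MD5 nor the PE timestamp matches a known-good build."""
    if path.lower() != SETHC_PATH.lower():
        return False
    if hashlib.md5(data).hexdigest() in KNOWN_GOOD_MD5:
        return False
    return pe_timestamp(data) not in KNOWN_GOOD_TS


def sethc_oversized(path: str, data: bytes, limit: int = 300000) -> bool:
    """'Much Simpler IOC': alert on anything at the sethc.exe path that is
    at least `limit` bytes, on the observation that cmd.exe is far larger."""
    return path.lower() == SETHC_PATH.lower() and len(data) >= limit


# Labelled samples for the two verification reviews: (path, bytes, compromised)
SAMPLES = [
    (SETHC_PATH, GOOD_SETHC[0], False),                  # clean build 1
    (SETHC_PATH, GOOD_SETHC[1], False),                  # clean build 2
    (r"C:\Windows\System32\cmd.exe", FAKE_CMD, False),   # cmd.exe where it belongs
    (SETHC_PATH, FAKE_CMD, True),                        # cmd.exe copied over sethc.exe
    (SETHC_PATH, build_fake_pe(TS_2009, 400000), True),  # replacement with a forged known-good stamp
    (SETHC_PATH, build_fake_pe(TS_CMD, 100), True),      # small custom implant
]


def verify(indicator, samples):
    """Run an indicator over labelled samples; return
    (true_positives, false_positives, false_negatives)."""
    tp = fp = fn = 0
    for path, data, compromised in samples:
        hit = indicator(path, data)
        if hit and compromised:
            tp += 1
        elif hit and not compromised:
            fp += 1
        elif not hit and compromised:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for rule in (sethc_replaced, sethc_oversized):
        print(rule.__name__, "tp/fp/fn =", verify(rule, SAMPLES))
```

Neither rule produces false positives on the clean samples, but each has a blind spot the labelled set exposes: the hash-and-timestamp rule misses a replacement whose compile stamp has been forged to a known-good value, and the size rule misses a small custom implant. That is the trade-off the Balance slide describes, and the reason to keep both. In a real deployment the known-good set would hold the hash of every legitimate sethc.exe build present in the environment, and a modern rule would use SHA-256 rather than MD5.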
Detect Debugger Key
If {
  Registry key == "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
} then if {
  subkey "sethc.exe" exists AND its "Debugger" value is set
} then raise alert
OpenIOC Format
Editing Network-Based Indicators
• Rapid determination of whether a session is relevant to the investigation
• "If a set of bytes is present in the first n bytes of a session, raise an alert"
• As the malware changes, the network signatures require editing
DNS Monitoring
DNS from RFC 1035
• Query section (QNAME, QTYPE, QCLASS)
QNAME Format
• Domain names are split into labels
• Each label is preceded by one byte giving its length
• No periods are used in the encoded name
• Example, written the way Snort content rules write bytes (hex between bars):
  • |18| practicalmalwareanalysis (0x18 = 24 characters)
  • |03| com (0x03 = 3 characters)
  • |00| ends the name
Wireshark Capture
Snort Signature
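As an added example (not from the slides), the Python below does the QNAME encoding by hand, builds a constructed DNS query to test against, and renders the signature bytes in Snort content syntax, so the point of the last few slides, that the domain never appears on the wire with dots in it, can be checked directly. The query packets, transaction ID and the lookalike names are constructed for the demo.

```python
"""DNS QNAME wire format and a byte-pattern signature for a domain.

Added example, not from the slides. It encodes a name the way RFC 1035
section 3.1 does (length byte before each label, no dots, zero byte at the
end), builds a constructed DNS query to test against, and renders the bytes
in Snort 'content' syntax so the rule matches the wire form
|18|practicalmalwareanalysis|03|com|00| rather than the dotted string, which
never appears on the wire.
"""
import struct


def encode_qname(name: str) -> bytes:
    """Label-encode a domain name: <len><label>...<len><label><0>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:           # RFC 1035 label limits
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_qname(data: bytes, offset: int = 0):
    """Inverse of encode_qname; returns (dotted name, offset after the name).
    Compression pointers (top two bits of the length byte set) are rejected:
    queries never use them, and handling them is out of scope here."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this demo")
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed DNS query message (RFC 1035 section 4.1): 12-byte header
    with RD set and QDCOUNT=1, then QNAME, QTYPE (1 = A), QCLASS (1 = IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def query_name(packet: bytes) -> str:
    """Pull the question name out of a query packet (name starts at byte 12)."""
    return decode_qname(packet, 12)[0]


def domain_signature(name: str) -> bytes:
    """Bytes a network signature should search for. Keeping the terminating
    zero means 'www.' + name still matches (the pattern sits at the end of
    its encoded name) while name + '.evil.net' does not."""
    return encode_qname(name)


def snort_content(pattern: bytes) -> str:
    """Render bytes in Snort content syntax: printable runs verbatim, anything
    else (and the characters Snort reserves) as |hex| groups."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in pattern:
        if 0x21 <= b <= 0x7E and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return '"' + "".join(parts) + '"'


def matches_domain(payload: bytes, name: str) -> bool:
    """Byte-search a DNS payload for the encoded domain (and its subdomains)."""
    return domain_signature(name) in payload


if __name__ == "__main__":
    target = "practicalmalwareanalysis.com"
    print("content:", snort_content(domain_signature(target)))
    for qname in (target, "www." + target, target + ".evil.net", "example.com"):
        pkt = build_query(qname)
        print(f"{qname:45s} wire-match={matches_domain(pkt, target)!s:5s} "
              f"dotted-match={target.encode() in pkt}")
```

Keeping the terminating zero in the pattern is a design choice: it still matches subdomains of the target, because their encoded names end with the same bytes, but not lookalike names that continue with further labels, which a plain "host name contains" check would also flag. A production Snort rule would additionally restrict the match to UDP port 53 and offset the content past the 12-byte header.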
Dynamic Analysis
Verification
• Before scanning thousands of systems, test IOC rules on a representative sample
• Two reviews
  • Data Relevant to Indicator
    • Does the rule detect compromised machines?
  • Data Common to Environment
    • Does the rule trigger on clean machines?
Attack Lifecycle
Less Effective Indicators
• Properties of the dropper
  • MD5 hash
  • File name
• Automated email scanners typically generate this information
• These change with every campaign, and the dropper is often deleted once it has run
More Effective Indicators
Data Common to Environment
• Run the indicator on a sample of clean workstations
• Ensure that the parameters don't match
• If they do, modify the indicators to reduce false positives
Impact on Environment
• Run the indicator on a representative subset of systems, including servers
• Use a resource manager to see the load on the systems
• If you bring down important systems with the scan, your customer won't be happy
Resolving Internal Leads (from humans)
• Thoroughly document any statement
• Allow the interviewee to tell a story
• Avoid leading questions, and ones that require yes/no answers
• Collect the facts before allowing the interviewee to opine; don't criticize or confront
• Know when to get others involved
Resolving External Leads
• External parties are not usually obliged to provide you with information
• They may do so, if it does not cause undue risk
• Private organizations cannot obtain grand jury subpoenas or 2703(d) court orders; those are law-enforcement tools
  • A private party's only compulsory option is a civil subpoena through litigation
Legal Options
Filing a Subpoena to Perform Discovery
• Your legal counsel files a complaint, which leads to civil discovery
• This can compel an organization, such as an ISP, to divulge information about a subscriber
Reporting an Incident to Law Enforcement
• Most organizations avoid this, to prevent a public relations issue
• US law very rarely requires notification of criminal acts
  • Child pornography requires you to contact the DoJ (Link Ch 5a)
Foreign Entities
• ISPs or hosting sites
• Quite complicated
• Require civil requests through formal channels
  • State Dept. and Federal law enforcement agencies
Advantages of Law Enforcement
• Greater capacity to investigate and prosecute
• Quicker response to subpoenas and court orders
  • And the target is not notified
• Can bring criminal action at no cost to your organization
  • Or a small cost preparing materials
Preparing for Law Enforcement Involvement
• Document the incident appropriately
• Maintain chain of custody of evidence
• Provide a clear and concise picture of the unlawful activity that took place
• Convey the information in a clear and simple manner
Information Sharing
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 

4 Getting Started & 5 Leads

14. Collect Additional Details
• Individual systems
  • Physical location, asset tag number
  • System's make and model, OS, primary function
  • Responsible administrator or user
  • IP address, hostname, domain
  • Critical information stored on the system, and its backups

15. Collect Additional Details
• Individual systems (continued)
  • Whether the system is still connected to the network
  • List of malware detected, going back as far as the log data goes
  • List of remediation steps that have been taken
    • It can be difficult to tell attacker actions from administrator actions, such as password changes
  • Data that is being preserved by staff

17. Collect Additional Details
• Network details
  • All external malicious IP addresses and domain names
  • Whether network monitoring is being conducted
  • List of remediation steps that have been conducted
  • Is data being preserved?
  • Updates to network diagrams and configurations

19. Collect Additional Details
• Malware details
  • Date, time, and how the malware was detected
  • List of systems where the malware was found
  • Malware filenames and directories
  • Findings of the detection mechanism: name and family of the malicious file
  • Is the malware active? What network connections are present?

20. Collect Additional Details
• Malware details (continued)
  • Is a copy of the malware preserved?
  • Status of any analysis: network and host indicators of compromise
  • Was the malware submitted to any third party?
    • Uploading a sample to a public scanner or sandbox can tip off the attacker that it has been found

21. Case Notes
• Record the main actions your team takes
• Be professional: your case notes may be discoverable

23. Investigative Priorities
• Common priorities
  • Who broke in
  • When it occurred
  • What they accessed
  • Are they still inside?

24. Investigative Priorities
• Special cases
  • PCI: list of potentially compromised account numbers and dates
  • Plan with legal counsel for
    • Copyright infringement
    • Larceny

25. Management Expectations
• Set reasonable goals
• Consider the sources of evidence, the type of incident, the questions to answer, and the time constraints
• Network intrusions often use overseas jump points, making legal action difficult or impossible
• If the breach was months or years ago, much of the evidence may be lost

26. Case: Warez Site
• Someone ran an automated vulnerability scan against a web server
• Entered through the management interface
• Set up a warez site (selling stolen or illegal files)
• Management wanted to find and prosecute the attacker
• But this is a common, automated attack
• More realistic to just find and patch the vulnerability

27. Ch 4
29. Leads
• Actionable items (tasks to perform) concerning
  • Stolen data
  • Network indicators
  • Identities of potential subjects
  • Issues that led to the compromise or security incident

31. Example: NIDS
• A Network Intrusion Detection System generates an alert
  • Connection to a command-and-control server
• Identify the internal origin if NAT obscures it
• Inspect the raw packets
• Search for other connections made by that host

32. Veracity and Context
• Especially important when humans are the source
  • Humans may be misinterpreting normal traffic
  • Automated systems sometimes do too

33. Acting on Leads
• Turn leads into viable indicators
  • That can detect ongoing events and future attacks
  • Detect suspicious conditions beyond the leads you already have

34. Turning Leads into Indicators
• Property-based indicators
  • Observable characteristics of malicious software or actions
  • Registry key, MD5 hash, mutex with a unique name
    • A mutex is a Windows kernel object used to synchronize threads and processes
    • Malware often creates one with a fixed, unusual name so that a second copy can tell the host is already infected and exit

35. Turning Leads into Indicators
• Methodology-based or anomaly-based indicators
  • Less specific leads, where a combination of characteristics is suspicious
  • Example: unexpected executables in the Windows\Help directory

37. Editing Host-based Indicators
• Binary classification: an endpoint is either of interest to the investigation or it is not
• Assemble a set of observables that are suspicious
38. Example
• Malware sample from the book Practical Malware Analysis (Lab03-02.dll)
• Used in CNIT 126

39. File MD5 Hash
• Low false positive rate, but limited
  • Any change in the file causes the indicator to fail
  • Won't be effective for long

    If { file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850" } then raise alert

40. Windows PE Headers
• Windows programs are Portable Executable (PE) files
  • .exe, .dll, drivers (.sys), and similar
• The PE format has headers that specify general information about the file, including the compile timestamp and the functions it imports

41. Windows PE Headers

    If { file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
         OR ( (PE header Time/Date == "2009/09/28 01:00:25 UTC") AND (file size == "24065") ) }
    then raise alert

42. Include DNS Cache

    If { file MD5 == "ae5b468c7707a1f3d36c49b1fe2ef850"
         OR DNS cache host name contains "practicalmalwareanalysis.com"
         OR Service descriptive name == "Intranet Network Awareness"
         OR ( File name == "lab03-02.dll"
              AND (PE header Time/Date == "2010/09/28 01:00:25 UTC" OR file size == "24065") ) }
    then raise alert

43. Balance
• Goal: enough information to reliably detect the files
• But not too much time lost analyzing the malware
• And not too slow for the scanner to process
  • Snort drops packets when rules are too complex
44. Import Table
• Described in the PE headers
• Lists the libraries and functions the program requires to run
• Normal programs use libraries in common, predictable patterns
• Malware often uses strange combinations of libraries

45. Import Table IOC

    If { file PE import function name list contains
         "CreateServiceA" AND "RegCreateKey" AND "ReadFile" AND
         "CreateThread" AND "InternetOpenA" AND "CreateProcessA" }
    then raise alert
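The MD5, PE-header and import-table rules above are pseudocode. The following is an added example (it is not from the slide deck or the book) that implements them in Python against constructed data: it parses the compile timestamp out of a minimal PE-shaped blob, then shows that flipping a single byte defeats the MD5-only rule while the slide-41 combination (timestamp AND size) still fires, and that a benign file with a different build time does not. The sample bytes, hashes, sizes and the import lists are all made up for the demonstration; they are not the real Lab03-02.dll values.

```python
"""Layered host indicators: MD5-only vs MD5 OR (PE timestamp AND size).

Added example, not from the slide deck. All file bytes, hashes, sizes
and import lists below are constructed so the script runs offline.
"""
import hashlib
import struct
from datetime import datetime, timezone


# --- minimal PE parsing -----------------------------------------------------
# A PE file starts with a DOS header ("MZ"). The 4-byte e_lfanew field at
# offset 0x3C points to the "PE\0\0" signature, followed by the 20-byte COFF
# header: Machine (2), NumberOfSections (2), TimeDateStamp (4), ... so the
# compile timestamp sits at e_lfanew + 8 and is seconds since the Unix epoch.
def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if
    the blob is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_pe(timestamp: datetime, body: bytes) -> bytes:
    """Construct a minimal PE-shaped blob (DOS stub + signature + COFF header
    + arbitrary body) for the demonstration. It is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,                      # Machine: IMAGE_FILE_MACHINE_I386
        1,                           # NumberOfSections
        int(timestamp.timestamp()),  # TimeDateStamp
        0,                           # PointerToSymbolTable
        0,                           # NumberOfSymbols
        0,                           # SizeOfOptionalHeader
        0,                           # Characteristics
    )
    return dos + b"PE\0\0" + coff + body


# --- indicators --------------------------------------------------------------
def md5_rule(data: bytes, known_md5: str) -> bool:
    """Slide-39 logic: exact hash match only."""
    return hashlib.md5(data).hexdigest() == known_md5


def layered_rule(data: bytes, known_md5: str, known_ts, known_size: int) -> bool:
    """Slide-41 logic: MD5 match OR (compile timestamp AND file size match)."""
    if md5_rule(data, known_md5):
        return True
    return pe_timestamp(data) == known_ts and len(data) == known_size


def import_rule(imports, required=("CreateServiceA", "RegCreateKey", "ReadFile",
                                   "CreateThread", "InternetOpenA", "CreateProcessA")) -> bool:
    """Slide-45 logic: every listed import must be present."""
    return set(required) <= set(imports)


# --- constructed sample, a trivially modified variant, and a benign file ------
KNOWN_TS = datetime(2009, 9, 28, 1, 0, 25, tzinfo=timezone.utc)
ORIGINAL = build_pe(KNOWN_TS, b"payload" * 40)
ORIGINAL_MD5 = hashlib.md5(ORIGINAL).hexdigest()
ORIGINAL_SIZE = len(ORIGINAL)
# The attacker flips one byte in the body: same size, same compile time, new hash.
VARIANT = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0xFF])
# An unrelated file of the same size but a different build time.
BENIGN = build_pe(datetime(2012, 7, 15, 9, 0, 40, tzinfo=timezone.utc), b"hello" * 56)


def evaluate():
    """Run each rule against the constructed samples and return the verdicts."""
    return {
        "md5_hits_original": md5_rule(ORIGINAL, ORIGINAL_MD5),
        "md5_hits_variant": md5_rule(VARIANT, ORIGINAL_MD5),
        "layered_hits_variant": layered_rule(VARIANT, ORIGINAL_MD5, KNOWN_TS, ORIGINAL_SIZE),
        "layered_hits_benign": layered_rule(BENIGN, ORIGINAL_MD5, KNOWN_TS, ORIGINAL_SIZE),
        "imports_hit": import_rule(["CreateServiceA", "RegCreateKey", "ReadFile",
                                    "CreateThread", "InternetOpenA", "CreateProcessA", "Sleep"]),
        "imports_miss": import_rule(["ReadFile", "CreateThread", "Sleep"]),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} {hit}")
```

The timestamp-and-size pair survives a one-byte repack because neither field changed; a recompiled or padded build would defeat it too, which is the reason the deck keeps layering independent observables (DNS cache, service name, imports) rather than relying on any single property.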
46. Non-Malware IOC
• Actions an attacker may perform
• Example: the sethc.exe replacement attack
  • sethc.exe implements the Sticky Keys accessibility feature
  • Pressing the Shift key five times at the login screen launches it
  • Windows offers accessibility options before login by launching sethc.exe with SYSTEM privileges

47. Two Methods to Trigger the Attack
• Replace the file C:\Windows\System32\sethc.exe with cmd.exe, then press Shift five times at the login screen, or
• Register cmd.exe as the debugger for sethc.exe under the Image File Execution Options registry key, so Windows launches cmd.exe in its place
• https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/

48. Detect File Replacement

    If { file path == "C:\Windows\System32\sethc.exe" }
    then if { file MD5 != "ae5b468c7707a1f3d36c49b1fe2ef850"
              AND (PE header Time/Date != "2009/09/28 01:00:25 UTC") }
    then raise alert

49. Two Windows Versions

    If { file path == "C:\Windows\System32\sethc.exe" }
    then if { file MD5 not in ("ae5b468c7707a1f3d36c49b1fe2ef850", "ba494efea253daa7042050c337aaa37a")
              AND (PE header Time/Date not in ("2009/09/28 01:00:25 UTC", "2012/07/15 09:00:40 UTC")) }
    then raise alert

• Every Windows version (and every update to sethc.exe) adds another known-good hash to maintain

50. Another Way
• In practice, attackers always replaced sethc.exe with cmd.exe
• And cmd.exe was always at least 10% larger than the largest legitimate sethc.exe

51. Much Simpler IOC

    If { file path == "C:\Windows\System32\sethc.exe" }
    then if { file size >= 300000 }
    then raise alert

52. Detect Debugger Key

    If { Registry key == "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" }
    then if { it contains a "sethc.exe" subkey with a "Debugger" value }
    then raise alert
54. Editing Network-Based Indicators
• Rapid determination of whether a session is relevant to the investigation
• "If a set of bytes is present in the first n bytes of a session, raise an alert"
• As the malware changes, the network signatures require editing

56. DNS from RFC 1035
• Query section

57. QNAME Format
• Domain names are split into labels
• Each label is preceded by a one-byte length
• No periods are used
• practicalmalwareanalysis.com on the wire:
  • 0x18 (24) followed by "practicalmalwareanalysis"
  • 0x03 (3) followed by "com"
  • a zero length byte terminates the name
• A network indicator written as the dotted string will not match the raw packet
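As an added example (not part of the slide deck), the following Python encodes and decodes QNAMEs in the RFC 1035 wire format and builds a constructed DNS query for practicalmalwareanalysis.com. It then runs two network indicators over the packet: a naive match on the dotted string, which misses because no period byte exists on the wire, and a match on the encoded labels, which hits. The header fields of the query (transaction ID, flags) are arbitrary values chosen for the demonstration.

```python
"""QNAME encoding (RFC 1035 section 4.1.2) and why a dotted-string network
indicator misses raw DNS traffic.

Added example, not from the slide deck. The query packet is constructed
here (header fields chosen arbitrarily) so the script runs offline.
"""
import struct


def encode_qname(name: str) -> bytes:
    """Split a domain into labels, prefix each with its length byte, and
    terminate with a zero-length label. No periods appear on the wire."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # RFC 1035: labels are 1..63 octets
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_qname(data: bytes, offset: int = 0):
    """Parse an uncompressed QNAME starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:                    # top two bits set = compression pointer
            raise ValueError("compression pointers are not used in a query QNAME")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte DNS header + one question: QNAME, QTYPE=A (1), QCLASS=IN (1)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def dotted_indicator_hits(payload: bytes, domain: str) -> bool:
    """Naive signature: look for the dotted string in the payload."""
    return domain.encode("ascii") in payload


def qname_indicator_hits(payload: bytes, domain: str) -> bool:
    """Correct signature: look for the wire-format QNAME instead. Because the
    encoded suffix is byte-identical, this also matches subdomains of it."""
    return encode_qname(domain) in payload


CONSTRUCTED_QUERY = build_query("practicalmalwareanalysis.com")


def demo():
    """Return the wire details of the constructed query and both indicator verdicts."""
    name, end = decode_qname(CONSTRUCTED_QUERY, 12)
    return {
        "first_length_byte": CONSTRUCTED_QUERY[12],         # 0x18 == 24
        "com_length_byte": CONSTRUCTED_QUERY[12 + 1 + 24],  # 0x03
        "decoded": name,
        "qtype_qclass": struct.unpack_from(">HH", CONSTRUCTED_QUERY, end),
        "dotted_hits": dotted_indicator_hits(CONSTRUCTED_QUERY, "practicalmalwareanalysis.com"),
        "qname_hits": qname_indicator_hits(CONSTRUCTED_QUERY, "practicalmalwareanalysis.com"),
    }


if __name__ == "__main__":
    print(CONSTRUCTED_QUERY[12:].hex(" "))
    for k, v in demo().items():
        print(f"{k:18} {v!r}")
```

The same reasoning applies to responses: a signature on the answer section must expect the encoded name or a compression pointer (a length byte with its top two bits set), not the dotted form.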
61. Verification
• Before scanning thousands of systems, test the IOC rules on a representative sample
• Two reviews
  • Data relevant to the indicator: does the rule detect the compromised machines?
  • Data common to the environment: does the rule trigger on clean machines?

63. Less Effective Indicator
• Properties of the dropper
  • MD5 hash
  • File name
• Automated email scanners typically generate this information
  • But the dropper is usually gone once the payload is installed, and each campaign may use a fresh build

65. Data Common to Environment
• Run the indicator on a sample of clean workstations
• Ensure that the parameters don't match
• If they do, modify the indicators to reduce false positives

66. Impact on Environment
• Run the indicator on a representative subset of systems, including servers
• Use a resource manager to see the load on the systems
• If you bring down important systems with the scan, your customer won't be happy
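The two verification reviews above can be run mechanically once you have a few labeled hosts. The following added example (not from the slide deck) takes the sethc.exe indicators from slides 48 through 52 as candidate rules and scores each one against a constructed set of host snapshots: three clean machines spanning two Windows builds, one machine whose sethc.exe was replaced with cmd.exe, and one whose file is intact but has an Image File Execution Options debugger registered. Host names, hashes, file sizes and registry contents are all invented for the demonstration and are not real Windows values.

```python
"""Verifying candidate sethc.exe indicators against labeled host data:
"data relevant to the indicator" (compromised hosts) and "data common to
the environment" (clean hosts), scored per rule.

Added example, not from the slide deck. Hosts, hashes, sizes and registry
contents are constructed here; the numbers are not real Windows values.
"""
from collections import Counter

IFEO = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SETHC = r"C:\Windows\System32\sethc.exe"

# Constructed host snapshots: what an endpoint scan might return.
HOSTS = [
    {"name": "ws01", "label": "clean",
     "files": {SETHC: {"md5": "aaaa0001", "size": 272896}}, "registry": {}},
    {"name": "ws02", "label": "clean",          # newer Windows build, different sethc.exe
     "files": {SETHC: {"md5": "bbbb0002", "size": 279552}}, "registry": {}},
    {"name": "srv01", "label": "clean",
     "files": {SETHC: {"md5": "aaaa0001", "size": 272896}}, "registry": {}},
    {"name": "ws07", "label": "compromised",    # sethc.exe replaced with cmd.exe
     "files": {SETHC: {"md5": "cccc0007", "size": 345088}}, "registry": {}},
    {"name": "ws09", "label": "compromised",    # file intact, debugger hijack instead
     "files": {SETHC: {"md5": "bbbb0002", "size": 279552}},
     "registry": {IFEO + r"\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"}}},
]


# Candidate rules: each is a predicate over one host snapshot.
def hash_allowlist_one_version(host):
    """Slide-48 style: alert unless sethc.exe is the single known-good hash."""
    return host["files"][SETHC]["md5"] != "aaaa0001"


def hash_allowlist_two_versions(host):
    """Slide-49 style: the allowlist grows by one entry per Windows build."""
    return host["files"][SETHC]["md5"] not in {"aaaa0001", "bbbb0002"}


def size_threshold(host):
    """Slide-51: cmd.exe is always much larger than any legitimate sethc.exe."""
    return host["files"][SETHC]["size"] >= 300000


def ifeo_debugger(host):
    """Slide-52: a Debugger value registered for sethc.exe."""
    return "Debugger" in host["registry"].get(IFEO + r"\sethc.exe", {})


def size_or_ifeo(host):
    """Both attack paths covered by cheap checks."""
    return size_threshold(host) or ifeo_debugger(host)


RULES = {
    "hash_allowlist_one_version": hash_allowlist_one_version,
    "hash_allowlist_two_versions": hash_allowlist_two_versions,
    "size_threshold": size_threshold,
    "ifeo_debugger": ifeo_debugger,
    "size_or_ifeo": size_or_ifeo,
}


def verify(rule, hosts):
    """Count true/false positives and negatives for one rule over labeled hosts."""
    c = Counter()
    for h in hosts:
        hit = rule(h)
        if h["label"] == "compromised":
            c["tp" if hit else "fn"] += 1
        else:
            c["fp" if hit else "tn"] += 1
    return {k: c[k] for k in ("tp", "fn", "fp", "tn")}


def verify_all(hosts=HOSTS):
    """Score every candidate rule; the dict is what you would review before a fleet-wide scan."""
    return {name: verify(rule, hosts) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, counts in verify_all().items():
        print(f"{name:28} {counts}")
```

Read the counts with the labels in hand, not alone: the single-hash allowlist "detects" ws09, but only because it also flags every machine on the newer build (the false positive on ws02), which is exactly the maintenance trap slide 49 describes. The size rule and the debugger-key rule each miss one of the two attack paths, so the combined rule is the one worth scanning with.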
67. Resolving Internal Leads (from humans)
• Thoroughly document any statement
• Allow the interviewee to tell a story
• Avoid leading questions, and ones that require yes/no answers
• Collect the facts before allowing the interviewee to opine; don't criticize or confront
• Know when to get others involved

68. Resolving External Leads
• External parties are not usually obliged to provide you with information
• They may do so if it does not cause them undue risk
• Private organizations cannot serve grand jury subpoenas or 2703(d) court orders; those are law enforcement tools

70. Filing a Subpoena to Perform Discovery
• Your legal counsel files a complaint, which leads to civil discovery
• This can compel an organization, such as an ISP, to divulge information about a subscriber

71. Reporting an Incident to Law Enforcement
• Most organizations avoid this, to prevent a public relations issue
• US law very rarely requires notification of criminal acts
  • Discovery of child pornography is the exception: reporting it is mandatory (contact the DoJ)

73. Foreign Entities
• ISPs or hosting sites
• Quite complicated
• Require civil requests through formal channels
  • State Department and federal law enforcement agencies

74. Advantages of Law Enforcement
• Greater capacity to investigate and prosecute
• Quicker response to subpoenas and court orders
  • And the target is not notified
• Can bring criminal action at no cost to your organization
  • Or a small cost for preparing materials

75. Preparing for Law Enforcement Involvement
• Document the incident appropriately
• Maintain chain of custody of evidence
• Give a clear and concise picture of the unlawful activity that took place
• Convey the information in a clear and simple manner

77. Ch 5