cont-forensic-analytics-dipto-14apr2015-post
TRANSCRIPT
Introduction
• CFA is a new toolset that has emerged to accelerate the IR process and respond to threats with agility
• Answer the hard stuff!
  – “the known knowns”: Facts
  – “the known unknowns”: Questions
  – “the unknown knowns”: Intuitions
  – “the unknown unknowns”: Exploration
Forensics 101
STEP 1: Preparation – identifies the purpose and resources
STEP 2: Acquisition – pinpoints the sources of evidence
STEP 3: Analysis – extracts, collects and analyzes evidence
STEP 4: Reporting – documents and presents the evidence
Cyber Forensics is the practice of analyzing digital information in the form of evidence that is legally admissible. As a case in point, Sony’s PlayStation Network underwent digital and cyber forensics to ensure the ongoing safety of its 53 million users after experiencing a DDoS incident a few months ago.
Forensics 101 (cont’d)
[Figure: four analysis types, Behavior Analysis, Environmental Analysis, Code Analysis and Memory Analysis, plotted on two axes: Inside vs. Runtime and Machine vs. User. Items shown in the figure:]
• Network connection, Registry changes, File & Processes
• Packed code, TLS callbacks, Risky APIs
• Closed source, Mixed source, Open source
• Hidden processes, Malicious drivers, Passive shells
Analytics 101
ANALYTICS
• What is likely to happen?
• Discovers patterns from data using ML, clustering, etc.
ANALYSIS
• Why did something happen?
• Converts data deluge into intelligence and provides visualization
What’s Continuous in CFA
• Extended enterprise drives CFA
• Data Centers without walls need CFA
• Resources – internal vs. external
• Technologies – proprietary vs. open
• Services – insourced vs. outsourced
• Endpoints – de/perimeterized
• Insider threat == Outsider threat
• Continuous vs. layered forensics
Threat Stages in CFA
• Cyber attack “kill chain” has to be watchlisted
• It has to be quarantined before it can be mitigated
• Targeted attack has distinct stages that must be understood
• Visualization is one of the precursors to continuous forensics.
Threat stages: Deception, Disruption, Denial, Degradation, Destruction
Steps Needed for CFA
• Use cases for what’s taken, from where, and when
• Capture “just enough” network pcap data
• Anonymize the user & extract metadata
• Gamify to reconstruct user sessions
• Simulate the real-life scenario
• Map SIP, DIP addresses
• Payload information – via structured queries
Sources: SandStorm, Altamira; www.d3js.org library
Skills Required for CFA
• Acquire new skills
• Upgrade current skills
• Implement solutions instead of tools
• Invest in training
[Chart: Effectiveness vs. Time. Skills plotted along the curve, in order: Networking fundamentals, Software vulnerabilities, Hacking techniques, Secure design, Scripting, Policy automation, Data parsing with regex, Performance metrics, Security sw knowledge, RT data streaming, Data mining, Malware analysis, Visualization, Machine learning, Streaming analytics. Skill tiers: Basic skills, Desired skills, Innovative skills. Other labels: Certification, System administration, Sandbox, Programmatic, Restoration, IA, DevOps.]
Jun 17 09:42:30 diptoc ifup: Determining IP information for eth0...
Jun 17 09:42:35 diptoc ifup: failed; no link present. Check cable?
Jun 17 09:42:35 diptoc network: Bringing up interface eth0: failed
Jun 17 09:42:38 diptoc sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 diptoc sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 diptoc sendmail: sendmail startup succeeded
Jun 17 09:42:39 diptoc sendmail: sm-client startup succeeded
Jun 17 09:43:39 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 diptoc last message repeated 2 times
Jun 17 09:45:47 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 diptoc crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 diptoc crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 diptoc crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 diptoc crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
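The log excerpt above is the kind of raw material the “Steps Needed for CFA” slide talks about: extract metadata, anonymize the user, map source addresses and feed the result into a visualization. The following is an added example (not the deck’s own code, nor from Altamira or Lumify) that runs those steps over a handful of lines copied from the excerpt. It parses the syslog fields, replaces user names with a keyed digest so sessions stay correlatable without exposing the identity, pulls source IP and port from the portsentry alerts and MAC-to-IP leases from the DHCP messages, and emits a weighted edge list that a d3 or Gephi graph could render. ANON_KEY is an assumed placeholder secret; a real investigation would load it from a secret store.

```python
"""Syslog metadata extraction, user anonymization and source-address mapping.

Added example; the regexes, ANON_KEY and helper names are this example's
own assumptions, not tooling from the presentation.
"""
import hashlib
import hmac
import re
from collections import Counter

# Sample input: lines copied from the log excerpt in the deck.
SAMPLE_LOG = """\
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
"""

# Assumed per-investigation secret for the keyed hash (placeholder value).
ANON_KEY = b"example-investigation-key"

# Classic syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SCAN_RE = re.compile(
    r"(?P<proto>TCP|UDP) scan from host: (?P<sip>[\d.]+)/[\d.]+ to \w+ port: (?P<port>\d+)")
USER_RE = re.compile(r"\buser (?P<user>\w+)")
DHCPACK_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")


def anonymize(value):
    """Stable keyed digest: the same user maps to the same token, but the
    token cannot be reversed without ANON_KEY."""
    digest = hmac.new(ANON_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:12]


def parse_line(line):
    """Split one syslog line into metadata fields; user names are anonymized."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = USER_RE.sub(lambda u: "user " + anonymize(u.group("user")), rec["msg"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def scan_summary(records):
    """Count scan alerts keyed by (source IP, target host, protocol, port)."""
    counts = Counter()
    for r in records:
        m = SCAN_RE.search(r["msg"])
        if m:
            counts[(m.group("sip"), r["host"], m.group("proto"), int(m.group("port")))] += 1
    return counts


def dhcp_leases(records):
    """MAC -> IP mapping recovered from DHCPACK messages."""
    leases = {}
    for r in records:
        m = DHCPACK_RE.search(r["msg"])
        if m:
            leases[m.group("mac")] = m.group("ip")
    return leases


def edge_list(records):
    """(source, target, weight) triples for a Gephi CSV or a d3 force layout."""
    return [(sip, f"{host}:{proto}/{port}", n)
            for (sip, host, proto, port), n in scan_summary(records).items()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for edge in edge_list(recs):
        print(edge)
```

The keyed hash rather than a plain SHA-256 matters: with a short, guessable user name an unkeyed digest is trivially reversed by hashing candidate names, which would defeat the anonymization step.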
Visualize Analytics vs. Analysis
[Figure: Lumify link-analysis graph demo connecting phone numbers, dates (2014-02-10, 2014-02-22), locations (Mazatlan, Mexico City) and persons.]
Sources: Lumify, Altamira, lumify.io; Gephi, gephi.github.io
CFA – Why Now?
[Figure: Top 10 types of security incidents that caused breaches]
[Figure: Forensic incident classification patterns over time]
Source: Verizon DBIR 2014 report
• Reports show over 1,300 breaches from 63,000 incidents in 95 countries annually … and growing!
• Lots of alarms, some containments … few solutions
Summarizing Continuous Forensics Analytics
• Assess what is looming behind the user activity patterns
• Analyze the data remnants in transient states
• Audit logs to unravel stealth data correlation
• Assert usage of content and patterns in context
• Answer the hard stuff:
  – “the known knowns”: Facts
  – “the known unknowns”: Questions
  – “the unknown knowns”: Intuitions
  – “the unknown unknowns”: Exploration
Thank You!
Dipto Chakravarty
On G+, Y!: diptoc
On Tw: dipto
www.linkedin.com/in/diptochakravarty