Continuous Forensic Analytics

Dipto Chakravarty, April 14, 2015



Introduction

• CFA is a new toolset that has emerged to accelerate the IR process and respond to threats with agility
• Answer the hard stuff!
  – “the known knowns”: Facts
  – “the known unknowns”: Questions
  – “the unknown knowns”: Intuitions
  – “the unknown unknowns”: Exploration

Forensics 101

STEP 1: Preparation
Identifies the purpose and resources

STEP 2: Acquisition
Pinpoints the sources of evidence

STEP 3: Analysis
Extracts, collects and analyzes evidence

STEP 4: Reporting
Documents and presents the evidence

Cyber Forensics is the practice of analyzing digital information in the form of evidence that is legally admissible. As a case in point, Sony’s PlayStation Network underwent digital and cyber forensics to ensure the ongoing safety of its 53 million users after experiencing a DDoS incident a few months ago.

Forensics 101 (cont’d)

[Slide grid with axes Inside / Runtime and Machine / User; the four analysis areas and their bullet groups appear below in the order they were extracted from the grid]

Behavior Analysis
• Network connection
• Registry changes
• File & Processes

Environmental Analysis
• Packed code
• TLS callbacks
• Risky APIs

Code Analysis
• Closed source
• Mixed source
• Open source

Memory Analysis
• Hidden processes
• Malicious drivers
• Passive shells

Analytics 101

ANALYTICS
• What is likely to happen?
• Discovers patterns from data using ML, clustering, etc.

ANALYSIS
• Why did something happen?
• Converts the data deluge into intelligence and provides visualization

What’s Continuous in CFA

• Extended enterprise drives CFA
• Data Centers without walls need CFA
• Resources – internal vs. external
• Technologies – proprietary vs. open
• Services – insourced vs. outsourced
• Endpoints – de/perimeterized
• Insider threat == Outsider threat
• Continuous vs. layered forensics

Threat Stages in CFA

• The cyber attack “kill chain” has to be watchlisted
• It has to be quarantined before it can be mitigated
• A targeted attack has distinct stages that must be understood
• Visualization is one of the precursors to continuous forensics

[Stage diagram: Deception, Disruption, Denial, Degradation, Destruction]

Steps Needed for CFA

• Use cases for what’s taken, from where, and when
• Capture “just enough” network pcap data
• Anonymize the user & extract metadata
• Gamify to reconstruct user sessions
• Simulate the real-life scenario
• Map SIP and DIP (source and destination IP) addresses
• Payload information via structured queries

Sources: SandStorm, Altamira; www.d3js.org library
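The steps on this slide (capture only the metadata you need, anonymize the user, reconstruct sessions, map SIP/DIP, answer structured queries) as a small offline pipeline. This is an added example written for this page, not code from the deck or from the SandStorm, Altamira or d3 sources it cites. It assumes a capture that has already been reduced to per-packet metadata and constructs those records inline; the names `PACKETS`, `reconstruct_sessions`, `query` and `top_talkers` are chosen here. It goes slightly beyond the slide in that it treats TCP and UDP conversations the same way.

```python
"""Added example (not from the slide deck): the 'Steps Needed for CFA'
slide as an offline pipeline over constructed packet metadata.

Assumption: the pcap has already been reduced to per-packet metadata
(timestamp, src/dst IP and port, protocol, payload length, and a user
name learned from an auth log). No pcap library is used; the records
below are constructed for the demonstration.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: "just enough" metadata from a capture, no payload bytes.
PACKETS = [
    # (ts, sip, sport, dip, dport, proto, payload_len, user)
    (100.0, "10.1.1.5", 51000, "10.1.2.10", 443, "tcp", 120, "alice"),
    (100.2, "10.1.2.10", 443, "10.1.1.5", 51000, "tcp", 900, "alice"),
    (100.4, "10.1.1.5", 51000, "10.1.2.10", 443, "tcp", 60, "alice"),
    (101.0, "10.1.1.7", 51001, "10.1.2.10", 443, "tcp", 200, "bob"),
    (101.1, "10.1.2.10", 443, "10.1.1.7", 51001, "tcp", 4000, "bob"),
    (102.0, "10.1.1.5", 40000, "10.1.2.53", 53, "udp", 40, "alice"),
    (102.0, "10.1.2.53", 53, "10.1.1.5", 40000, "udp", 120, "alice"),
]

# Key for pseudonymising users (constructed); kept outside the evidence set
# so the pseudonyms can be re-linked only by whoever holds it.
ANON_KEY = b"constructed-demo-key"


def anonymize(user: str) -> str:
    """Replace a user name by a stable keyed pseudonym (HMAC-SHA256, truncated)."""
    return "u_" + hmac.new(ANON_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def flow_key(sip, sport, dip, dport, proto):
    """Bidirectional 5-tuple: both directions of one conversation share a key."""
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)


@dataclass
class Session:
    proto: str
    client: str        # SIP of the first packet seen (session initiator)
    server: str        # DIP of the first packet seen
    server_port: int
    user: str          # pseudonym, never the raw identity
    start: float
    end: float
    packets: int = 0
    bytes_up: int = 0
    bytes_down: int = 0


def reconstruct_sessions(packets):
    """Group packets into sessions and keep only metadata about each."""
    sessions = {}
    for ts, sip, sport, dip, dport, proto, plen, user in packets:
        key = flow_key(sip, sport, dip, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = Session(proto, sip, dip, dport, anonymize(user), ts, ts)
            sessions[key] = s
        s.packets += 1
        s.end = max(s.end, ts)
        if sip == s.client:
            s.bytes_up += plen
        else:
            s.bytes_down += plen
    return list(sessions.values())


def query(sessions, **where):
    """Structured query over session metadata, e.g. query(sessions, server_port=443)."""
    return [s for s in sessions
            if all(getattr(s, k) == v for k, v in where.items())]


def top_talkers(sessions, n=3):
    """Bytes exchanged per client IP, largest first."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s.client] += s.bytes_up + s.bytes_down
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    sess = reconstruct_sessions(PACKETS)
    for s in sess:
        print(s)
    print("HTTPS sessions:", query(sess, server_port=443))
    print("Top talkers:", top_talkers(sess))
```

The point of the keyed pseudonym rather than a plain hash is that the analyst can still group everything one user did (the "reconstruct user sessions" step) without the identity itself being stored next to the traffic metadata.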

Skills Required for CFA

• Acquire new skills
• Upgrade current skills
• Implement solutions instead of tools
• Invest in training

[Chart: effectiveness (vertical axis) vs. time (horizontal axis), skills grouped as Basic skills, Desired skills and Innovative skills. Skills named, in the order they appear: Networking fundamentals, Software vulnerabilities, Hacking techniques, Secure design, Scripting, Policy automation, Data parsing with regex, Performance metrics, Security sw knowledge, RT data streaming, Data mining, Malware analysis, Visualization, Machine learning, Streaming analytics. Further labels on the chart: Certification, System administration, Sandbox, Programmatic, Restoration, IA, DevOps]

Visualize Analytics vs. Analysis

Raw syslog excerpt:

Jun 17 09:42:30 diptoc ifup: Determining IP information for eth0...
Jun 17 09:42:35 diptoc ifup: failed; no link present. Check cable?
Jun 17 09:42:35 diptoc network: Bringing up interface eth0: failed
Jun 17 09:42:38 diptoc sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 diptoc sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 diptoc sendmail: sendmail startup succeeded
Jun 17 09:42:39 diptoc sendmail: sm-client startup succeeded
Jun 17 09:43:39 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 diptoc last message repeated 2 times
Jun 17 09:45:47 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 diptoc crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 diptoc crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 diptoc crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 diptoc crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128

[Graph visualization (Lumify demo): nodes for phone numbers, dates in February 2014, the cities Mazatlan and Mexico City, and several person names, linked by call relationships]

Sources: Lumify, Altamira, lumify.io; Gephi, gephi.github.io
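The "analysis" half of this slide is the raw syslog above; the skills slide lists "Data parsing with regex" and the closing summary asks to "audit logs to unravel stealth data correlation". As an added example for both points (written for this page, not code from the deck), the parser below turns a subset of the slide's own lines into records with a regex and then runs three correlations over them: which hosts portsentry keeps flagging and on which ports, how long each PAM cron session lasted (opened/closed paired by pid), and how often the one VMware guest renewed its DHCP lease. Syslog lines carry no year, so the year 2015 is an assumption; the function and pattern names are chosen here.

```python
"""Added example (not from the slide deck): regex parsing of the syslog
excerpt on the slide and three simple correlations over the records.

Assumptions: lines follow the classic syslog layout shown on the slide
('Mon DD HH:MM:SS host program[pid]: message'); the year is not in the
line, so 2015 is assumed. SAMPLE_LOG is a subset of the slide's lines.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Jun 17 09:42:35 diptoc ifup: failed; no link present. Check cable?
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 diptoc crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 diptoc crond(pam_unix)[30534]: session closed for user root
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:28:40 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
"""

# Envelope: month, day, time, host, program, optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Message-level patterns for the three event types we correlate.
SCAN_RE = re.compile(r"attackalert: (?P<proto>\w+) scan from host: (?P<ip>[\d.]+)/[\d.]+ to \w+ port: (?P<port>\d+)")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")
DHCP_RE = re.compile(r"(?P<type>DHCP[A-Z]+) (?:on (?P<ip>[\d.]+) to|from) (?P<mac>[0-9a-f:]{17})")


def parse(line, year=2015):
    """One syslog line -> dict with a real timestamp, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['mon']} {rec['day']} {rec['time']}",
                                  "%Y %b %d %H:%M:%S")
    return rec


def parse_log(text):
    """All parseable records from a block of syslog text, in file order."""
    return [r for r in (parse(line) for line in text.splitlines()) if r]


def scan_sources(records):
    """Counter of (source IP, port) pairs that portsentry flagged as scans."""
    c = Counter()
    for r in records:
        m = SCAN_RE.search(r["msg"])
        if m:
            c[(m["ip"], int(m["port"]))] += 1
    return c


def session_durations(records):
    """Pair PAM 'opened'/'closed' events by pid -> {(pid, user): seconds}."""
    opened, out = {}, {}
    for r in records:
        m = SESSION_RE.search(r["msg"])
        if not m:
            continue
        key = (r["pid"], m["user"])
        if m["state"] == "opened":
            opened[key] = r["ts"]
        elif key in opened:
            out[key] = (r["ts"] - opened.pop(key)).total_seconds()
    return out


def dhcp_lease_cycles(records):
    """Completed lease cycles (DHCPACK) per MAC, plus the address handed out."""
    cycles, addr = Counter(), {}
    for r in records:
        m = DHCP_RE.search(r["msg"])
        if m and m["type"] == "DHCPACK":
            cycles[m["mac"]] += 1
            addr[m["mac"]] = m["ip"]
    return cycles, addr


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("scan sources:", scan_sources(recs).most_common())
    print("cron sessions (s):", session_durations(recs))
    print("dhcp leases:", dhcp_lease_cycles(recs))
```

Each of the three correlations answers an "analysis" question (why did something happen: which scanner keeps coming back, how long did root's cron jobs run, how often did the guest re-lease). Feeding the same records into a clustering or anomaly model would be the "analytics" side the slide contrasts them with.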

CFA – Why Now?

[Charts: “Top 10 types of security incidents that caused breaches” and “Forensic incident classification patterns over time”; source: Verizon DBIR 2014 report]

• Reports show over 1,300 breaches from 63,000 incidents in 95 countries annually … and growing!
• Lots of alarms, some containments … few solutions

Details Behind Cyber Forensics

Briefing available from ISSA, presented on August 14, 2014.

Summarizing Continuous Forensics Analytics

• Assess what is looming behind the user activity patterns
• Analyze the data remnants in transient states
• Audit logs to unravel stealth data correlation
• Assert usage of content and patterns in context
• Answer the hard stuff:
  • “the known knowns”: Facts
  • “the known unknowns”: Questions
  • “the unknown knowns”: Intuitions
  • “the unknown unknowns”: Exploration

Thank You!

Dipto Chakravarty
On G+, Y!: diptoc
On Tw: dipto
www.linkedin.com/in/diptochakravarty
[email protected]
[email protected]