SANS Technology Institute - Candidate for Master of Science Degree
Expanding Response: Deeper Analysis for Incident Handlers
Russ McRee, November 2011
GIAC GCIH Gold, GCFA, GCIA, GPEN, GWAPT, GSEC Gold
Objective
• Expand incident response tactics beyond common horizons
• Sample overview – SpyEye
• Demonstrate tools for an expanded toolkit
  • Volatility 2.0
  • Xplico
  • Maltego
  • Confessor
• Summary
Broaden IR perspective
• Opportunities to enhance IR tactics via:
  • Memory analysis (Volatility)
  • Network forensic analysis tooling (Xplico)
  • Deriving relationships between disparate entities (Maltego)
  • Analysis of systems at scale with uniform results (Confessor, MOLE)
• Review the sample's attributes with all of these tools
Sample Overview
• Trojan.SpyEye – MD5: 00b77d6087f00620508303acd3fd846a
• Modifies the registry for persistence: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"
• Creates the directory C:\cleansweep.exe (a directory named like an executable) and populates it with the .exe and a config file
Volatility 2.0
• Extracts digital artifacts from volatile memory (RAM) images
• “A Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.” - Michael Hale Ligh
Volatility 2.0
• Gather image info (imageinfo suggests the OS profile, here WinXPSP3x86, that every later plugin takes via --profile):
  vol.py imageinfo -f HIOMALVM02.raw
• Network connections:
  vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw
• Active processes (-P shows physical rather than virtual offsets):
  vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw
Volatility 2.0
• Process tree:
  vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw
• Discover malware attributes (malfind looks for hidden or injected code in PID 1512; -D dumps the flagged memory sections to output/):
  vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/
• Demonstration
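Tying the pslist, connscan and malfind steps together, as an added example (not code from the slides or from the Volatility project): the script below parses the text the two enumeration plugins print, names the process that owns each connection, flags peers outside RFC 1918 space and PIDs that pslist cannot account for, and emits malfind command lines in the form shown above. The pslist and connscan output inside it is constructed to match the Volatility 2.x column layout; it is not output from the real HIOMALVM02.raw image, and treating only RFC 1918 and loopback as "internal" is an assumption to adjust for the network under investigation.

```python
"""Correlate Volatility 2.0 connscan output with pslist to choose malfind targets.

Added example; not from the original slides or the Volatility project.  It
parses the text printed by
    vol.py --profile=WinXPSP3x86 pslist -f HIOMALVM02.raw
    vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw
so the handler can see which process owns each connection before spending
time on 'malfind -p <pid>'.  Both sample outputs below are constructed for
the example (same column layout as Volatility 2.x, not real data from the
HIOMALVM02.raw image).
"""
import ipaddress
from typing import Dict, List

# Constructed pslist output.  Columns after PPID vary between 2.x releases,
# so the parser relies only on the first four (Offset, Name, PID, PPID).
PSLIST_SAMPLE = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     56    256 1970-01-01 00:00:00
0x8220c020 explorer.exe           1464   1432     14    404 2011-10-21 19:22:31
0x81f9b020 cleansweep.exe         1512   1464      5     90 2011-10-21 19:22:40
0x81fd6da0 svchost.exe            1080    676     78   1334 2011-10-21 19:22:10
"""

# Constructed connscan output.  The PID 2044 row has no pslist entry, which
# connscan can legitimately produce because it carves connection objects by
# pool tag, including those of processes that have exited or are hidden.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02084a98 192.168.56.101:1038       198.51.100.23:80          1512
0x020a1df0 192.168.56.101:1041       192.168.56.1:445          1080
0x020b3310 192.168.56.101:1045       203.0.113.9:8080          2044
"""

# Assumption: RFC 1918 plus loopback is "internal"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_pslist(text: str) -> Dict[int, dict]:
    """Map PID -> {'name', 'ppid'}; header and divider lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3])}
    return procs


def parse_connscan(text: str) -> List[dict]:
    """List of {'pid', 'local', 'remote_ip', 'remote_port'} from connscan text."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        conns.append({"pid": int(parts[3]), "local": parts[1],
                      "remote_ip": remote_ip, "remote_port": int(remote_port)})
    return conns


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(pslist_text: str, connscan_text: str) -> List[dict]:
    """One row per connection: owning process name (None when pslist has no such
    PID), remote endpoint, and whether the peer is outside the internal ranges."""
    procs = parse_pslist(pslist_text)
    rows = []
    for c in parse_connscan(connscan_text):
        proc = procs.get(c["pid"])
        rows.append({"pid": c["pid"],
                     "process": proc["name"] if proc else None,
                     "remote": f"{c['remote_ip']}:{c['remote_port']}",
                     "external": is_external(c["remote_ip"])})
    return rows


def malfind_targets(rows: List[dict]) -> List[int]:
    """PIDs worth a malfind pass: external talkers and PIDs pslist cannot explain."""
    return sorted({r["pid"] for r in rows if r["external"] or r["process"] is None})


def malfind_commands(image: str, profile: str, pids: List[int], outdir: str) -> List[str]:
    """Build the malfind invocations in the form the slides use."""
    return [f"vol.py --profile={profile} -f {image} malfind -p {pid} -D {outdir}"
            for pid in pids]


if __name__ == "__main__":
    rows = triage(PSLIST_SAMPLE, CONNSCAN_SAMPLE)
    for r in rows:
        print(f"pid {r['pid']:>5}  {str(r['process']):<16} -> {r['remote']:<22} external={r['external']}")
    for cmd in malfind_commands("HIOMALVM02.raw", "WinXPSP3x86", malfind_targets(rows), "output/"):
        print(cmd)
```

A connection whose PID is missing from pslist is itself a finding, not a parse error: pslist walks the active process list, while connscan carves memory, so the gap is exactly where an exited or unlinked process shows up.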
Xplico
• Xplico decodes packet captures (PCAP), extracting the likes of:
  • email content (POP, IMAP and SMTP)
  • HTTP content
  • VoIP calls (SIP)
  • IM chats
  • FTP
  • TFTP
Xplico
• Demo: SpyEye PCAP analysis
Maltego
• Maltego: an open source intelligence and forensics application for mining data sets and mapping the relationships between the entities in them
• Results are presented in a variety of easy to understand graph views
• Using its graphing libraries, Maltego exposes key relationships between data sets, including relationships that were not previously known
Maltego
• PCAPs can be converted to CSV and then imported directly by Maltego
• tcpdump -vttttnnelr SpyEye.pcap | /usr/local/bin/tcpdump2csv.pl "sip dip dport" > SpyEye.csv produces a CSV that Maltego consumes easily (-nn keeps addresses and ports numeric, -e adds the link-layer header, -tttt prints full date and time stamps, -l line-buffers the output for the pipe)
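The same conversion without Perl, as an added example that is not part of the slides, of Maltego or of tcpdump2csv.pl: a pure-Python reader for classic libpcap files that emits the sip, dip and dport columns named in the command above. The two-packet capture it parses is constructed inside the block with documentation-range addresses rather than taken from SpyEye.pcap; pcapng files and non-Ethernet link types are rejected explicitly instead of being misparsed.

```python
"""Turn a libpcap file into the 'sip,dip,dport' CSV that Maltego imports.

Added example; not from the original slides, from Maltego or from
tcpdump2csv.pl.  A pure-Python stand-in for
    tcpdump -vttttnnelr SpyEye.pcap | tcpdump2csv.pl "sip dip dport"
that walks the pcap record by record and pulls the IPv4 source, destination
and TCP/UDP destination port.  The capture is constructed in
build_sample_pcap() with documentation-range addresses, not real SpyEye traffic.
"""
import csv
import io
import ipaddress
import struct
from typing import List, Tuple

ETHERTYPE_IPV4 = b"\x08\x00"
LINKTYPE_ETHERNET = 1


def pcap_flows(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (sip, dip, dport) for every IPv4 TCP/UDP packet in a classic
    libpcap file.  Non-IPv4 frames (ARP, IPv6, VLAN-tagged) and other
    transports (ICMP) are skipped; pcapng is rejected rather than misparsed."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # written by a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:        # written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; Ethernet only")

    rows = []
    off = 24                                      # past the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != ETHERTYPE_IPV4:
            continue
        ihl = (pkt[14] & 0x0F) * 4                # IPv4 header length in bytes
        proto = pkt[23]
        l4 = 14 + ihl                             # start of the transport header
        if proto not in (6, 17) or len(pkt) < l4 + 4:
            continue
        sip = str(ipaddress.IPv4Address(pkt[26:30]))
        dip = str(ipaddress.IPv4Address(pkt[30:34]))
        dport = struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0]   # same offset for TCP and UDP
        rows.append((sip, dip, dport))
    return rows


def flows_to_csv(rows: List[Tuple[str, str, int]]) -> str:
    """CSV whose header uses the field names given to tcpdump2csv.pl on the slide."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(("sip", "dip", "dport"))
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_pcap() -> bytes:
    """Constructed capture: one TCP SYN to an external web server and one DNS
    query to the gateway.  IP/TCP/UDP checksums are left zero; the parser
    does not validate them."""
    def ipv4(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed) + payload

    def tcp_syn(sport, dport):
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

    def udp(sport, dport):
        return struct.pack("!HHHH", sport, dport, 8, 0)

    def frame(ip_packet):
        return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4 + ip_packet

    packets = [
        frame(ipv4("192.168.56.101", "198.51.100.23", 6, tcp_syn(1038, 80))),
        frame(ipv4("192.168.56.101", "192.168.56.1", 17, udp(1040, 53))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1319225000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    print(flows_to_csv(pcap_flows(build_sample_pcap())), end="")
```

Feed a real capture with `pcap_flows(open("SpyEye.pcap", "rb").read())`; the rows are one per packet, as with tcpdump2csv.pl, so Maltego's weighting of repeated sip/dip pairs reflects packet counts, not flow counts.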
Maltego
• Demo: IP address relationships
Confessor
• Confessor collects from hundreds or thousands of systems simultaneously via Sysinternals:
  • System logs
  • Volatile data
  • User and account information
  • MAC times
  • Can run SecCheck on 32-bit systems
• Searches for registry keys and the existence of specific files
Confessor
• Confessor configuration optimized for specific registry keys and file checks
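The registry-key and file checks the Confessor slides describe, applied to the SpyEye indicators from the Sample Overview slide, as an added example (not the slides' or Confessor's own code): per-host `reg query` output and file hashes are parsed and every host is judged by the same rules, which is the point of collecting at scale with uniform results. The per-host reg query text and hashes are constructed for the example; the Run value, directory and MD5 are the ones the slides list, and the "directory named like an executable" heuristic is this example's assumption, not a SpyEye signature from the deck.

```python
"""Check collected host data for the SpyEye sample's persistence indicators.

Added example; not from the original slides or from Confessor.  It performs
the two checks the Confessor slides describe (specific registry keys,
existence of specific files) over data gathered from many hosts, so each
host is judged by the same rule and the result table has one shape.  The
per-host 'reg query' text and file hashes are constructed for the example;
only the indicators (Run value, directory, MD5) come from the Sample
Overview slide.
"""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "cleansweep.exe"
IOC_RUN_DATA = r"C:\cleansweep.exe\cleansweep.exe"
IOC_DIR = r"C:\cleansweep.exe"
IOC_MD5 = "00b77d6087f00620508303acd3fd846a"

# Constructed output of:  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# reg.exe indents values by four spaces and separates name, type and data with four.
REG_QUERY_BY_HOST = {
    "HIOMALVM02": r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    cleansweep.exe    REG_SZ    "C:\cleansweep.exe\cleansweep.exe"
""",
    "WKS-0417": r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
""",
}

# Constructed {path: md5} collected from each host for files under IOC_DIR;
# an empty dict means the directory does not exist on that host.
FILE_HASHES_BY_HOST = {
    "HIOMALVM02": {r"C:\cleansweep.exe\cleansweep.exe": IOC_MD5},
    "WKS-0417": {},
}


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data}.  Run values often store the path
    quoted, as the slide shows, so surrounding quotes are stripped for comparison."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r" {4}", line.strip(), maxsplit=2)
        if current is None or len(parts) != 3:
            continue
        name, _reg_type, data = parts
        keys[current][name] = data.strip('"')
    return keys


def assess_host(host: str, reg_text: str, file_hashes: Dict[str, str]) -> List[dict]:
    """Apply the same indicator checks to one host and return uniform findings."""
    findings = []
    run_values = parse_reg_query(reg_text).get(RUN_KEY, {})
    for name, data in run_values.items():
        if name.lower() == IOC_RUN_VALUE and data.lower() == IOC_RUN_DATA.lower():
            findings.append({"host": host, "indicator": "run_key", "detail": f"{name} = {data}"})
        elif any(part.lower().endswith(".exe") for part in data.split("\\")[:-1]):
            # Heuristic (assumption, not from the slides): an autorun whose
            # *directory* is named like an executable mimics the SpyEye layout.
            findings.append({"host": host, "indicator": "exe_named_dir", "detail": f"{name} = {data}"})
    for path, md5 in file_hashes.items():
        if path.lower().startswith(IOC_DIR.lower() + "\\") and md5.lower() == IOC_MD5:
            findings.append({"host": host, "indicator": "md5", "detail": f"{path} {md5}"})
    return findings


def sweep(reg_by_host: Dict[str, str], hashes_by_host: Dict[str, Dict[str, str]]) -> List[dict]:
    """Same checks, same field names, for every host seen in either collection."""
    out = []
    for host in sorted(set(reg_by_host) | set(hashes_by_host)):
        out.extend(assess_host(host, reg_by_host.get(host, ""), hashes_by_host.get(host, {})))
    return out


if __name__ == "__main__":
    results = sweep(REG_QUERY_BY_HOST, FILE_HASHES_BY_HOST)
    for f in results:
        print(f"{f['host']:<12} {f['indicator']:<14} {f['detail']}")
    clean = sorted(set(REG_QUERY_BY_HOST) - {f["host"] for f in results})
    print("hosts without findings:", ", ".join(clean))
```

The exact-match rule is the Confessor-style check the slides call for; the heuristic row exists so a renamed copy of the same layout on another host still surfaces, and it is tagged separately so analysts can weigh it differently.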
Summary
• Tools offered to enhance the incident handler toolkit and address challenges
• Takeaways:
  • Tool to scale
  • Seek unique opportunities to correlate
  • Build what you can't buy or borrow
• Q&A: russ at holisticinfosec dot org