Comments on Journey Into Incident Response: Where Is the Digital Forensics Threat Report
Blog author: Corey Harrell (http://www.blogger.com/profile/15008629321023489214)
Feed updated: 2024-03-13T01:32:25.097-04:00

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-08-25T10:37:21.856-04:00

"Do you think it could be done on a smaller scale if you don't have the infrastructure?"

You've already done it, apparently.

Here's what I would do... with an image, the in-take process would be to run mmls/fls (as approp.), then mount the volume and extract relevant data. Pretty easy... at least, as I'm building my forensic scanner, it *seems* pretty easy to me...

Comment by Corey Harrell (https://www.blogger.com/profile/15008629321023489214), 2011-08-23T17:29:51.867-04:00

Harlan,

That's an interesting idea to automate it. I basically use the same process to locate exploit artifacts as I do to locate remnants of certain attacks. Do you think it could be done on a smaller scale if you don't have the infrastructure?

Comment by Corey Harrell, 2011-08-23T13:25:49.234-04:00

I read both reports produced by Mandiant and Verizon. However, a DF Threat report would provide more information that would be useful in examining a system.

I'd like to see a reference to an investigation methodology to use. Take the example of a compromised web server distributing malware. The report should mention some of the initial steps to perform when examining this kind of security incident. If the Sophos numbers are correct, 19,000 malicious URLs is a lot. I wonder how many people are aware of the investigation method to locate and resolve the issue.

The second thing I'd like to see in the report are the potential artifacts indicating the threat/breach type. Knowing the potential artifacts can help you better understand the activity on the system. Take the DBIR report and their mention of the attack paths on pg 36 in the 2011 Data Breach report. The attack paths laid out include remote access services, backdoor, web application, or file sharing. If I'm doing an examination and determine the timeframe I'm interested in is X, then I proceed to examine the activity that occurred around X. How do I know which attack path was used? If I was aware of the potential artifacts such as certain programs executing, files being created in certain directories, certain event logs, etc., then it would be easier for me to identify the attack path. It would also be easier for me to rule out certain attack paths.

I guess I'm looking more for a report targeted at the digital forensic practitioner, to make us more aware of what the threats/breaches/cyber crime trends look like from the data we are seeing during an examination.

Comment by H. Carvey, 2011-08-23T13:23:54.664-04:00

Alex,

I think what Corey is looking for is not the trends in the exploits being used, but what the most-popularly-employed exploits "look like" on a system, with respect to exploit artifacts.

One example might be that one of the reports you mentioned would suggest that SQL Injection is widely used, but that doesn't really help analysts that aren't familiar with SQL Injection attacks. Following with what Corey is asking about, a DF "threat report" (perhaps "artifact report" is a better term) would illustrate what the artifacts of a SQL Injection attack look like.

HTH

Comment by Alex (https://www.blogger.com/profile/00338875228138269114), 2011-08-23T12:52:32.105-04:00

Mandiant has their M-Trends and "State of the Hack" that provide current DFIR trends, including case studies. Also, the Verizon DBIR report has high-level stats on the breaches they investigate. What are you looking for in a DF "threat report" beyond what they do?

Comment by H. Carvey, 2011-08-23T09:05:02.546-04:00

I'm sure that with the right infrastructure, something like this could be made easier to complete. For example, look at the process of what is done to identify exploit artifacts:

- Snapshot the file system and Registry
- Run exploit
- Create a second snapshot; 'diff' to identify what should be searched for in a timeline

I'm thinking that this could be automated to a degree, in much the same way malware analysis is sandboxed.

Comment by Corey Harrell, 2011-08-23T07:34:20.893-04:00

To compile the report wouldn't necessarily require an organization. I was thinking along the lines of using the trend reports being put out by the various security companies such as Sophos, Symantec, Mandiant, etc. Their reports already identify trends, so all that would be needed is for the trend to be replicated on a test system for documentation. For example, with the Facebook attacks one would just need to find an active attack and then infect a test system to document the artifacts. This wouldn't release any actual case data since it is a testing environment. The person could share their perspective on how they would approach the investigation.

I don't think an organization who is identifying trends would necessarily be required to compile the report since trend reports from other sources would be used. It could be done by one person with others to help write the content.

I agree with you that most folks won't discuss a case in such detail. This is why I thought using test systems and trends identified by other security organizations could help avoid that. The one thing I found out is it takes a lot of time and testing to document the artifacts from an exploit or simulated attack. I'm not sure how many people would be willing to give up so much time to write up an article.

Comment by H. Carvey, 2011-08-23T06:55:36.611-04:00

Corey,

In your mind, who would compile such a report?

As you've demonstrated in your blog, it's not hard to set up a system, run an exploit against it and then post the results of a forensic examination. However, the question would be, who (which company) is doing enough to identify trends in their examinations, and would be willing to share that information?

When I was on the IBM ISS team, we couldn't get most analysts to post their reports to a share on a server, let alone share their findings.

It may be cynical of me, but I don't think folks out there are going to do something like this, as in a lot of ways, I think that they believe that it would expose them to too much risk.