You Have Alerts. Now What?
Brian Carrier, VP of Digital Forensics, Basis Technology
© 2016

Presentation transcript:


Who Am I?
- Been involved with security for over 15 years.
- Used to be an Incident Response consultant.
- Been leading the forensics team at Basis Technology for the past 10 years.
- Written popular open source forensics tools.
- Written digital forensics books.
© Basis Technology,

A Typical Security Team Day
- Alerts are being generated from SIEMs, intrusion detection systems, and smart firewalls.
- Some alerts are ignored.
- Some alerts get basic analysis.
- The team does not have:
  - Enough resources
  - Administrator access to all endpoints
  - Forensics expertise

Alerts Are Not Being Investigated
- Only the basic techniques are used.
- Anti-virus logs are reviewed
  - A single AV provider may not be seeing it.
- Only network traffic is reviewed
  - Bad activity could be encrypted or hidden in other traffic.
- A request is sent to the remote non-security IT staff
  - Insufficient training or tools.

The Network Is Not Fully Understood
- If the alerts are not understood, the network is not understood.
- The same alert could have many causes.
- Scenario: You get an alert about traffic to a command and control server from an IP address in your network. What do you do?

Possible Cause #1
- A user opened an attachment.
- Attachment installed malware on laptop.
- Malware reached out to C&C server.
  - No alert was triggered – server not in threat intel yet.
- Malware uploaded the following:
  - Password hashes
  - File names
  - Network mounts, etc.

Possible Cause #1 (contd.)
- Bad guy logs into system.
- Moves laterally into other systems to look for important data.
- Malware checks in again with C&C server.
- IDS now triggers because of threat intel updates.


This Alert Is the Tip of the Iceberg
- Several other endpoints are involved.

Possible Cause #2
- A user opened an attachment.
- Attachment installed malware on laptop.
- Malware monitors for PayPal, credit card, and other website credentials.
- Malware periodically reaches out to C&C server.
- Your IDS triggers.


This Alert Is the Tip of an Ice Cube
- No other hosts involved.
- Not targeted at you.

Possible Cause #3
- A server has been compromised and is hosting malware.
- Your user visits a website on this server
  - Doesn't download malware though.
- Your IDS triggers.
- It's a false positive.

What Would You Do?
What would your company do with the C&C alert:
- Ignore it because of false positives in the past?
- Check the anti-virus logs to make sure it didn't quarantine anything?
- Collect data from endpoint?
- Capture network traffic to and from endpoint?
- Unplug endpoint from the network?
- ...

What You Should Do
Respond quickly and thoroughly:
- Don't waste time on the false positives
- Don't be hasty and miss the icebergs
Use a triage process to get quick answers to:
- Is the host compromised?
- Have we seen something like this before?
- What other hosts or resources could be involved?
Initially assume the worst:
- Much like a police officer who pulls a car over.

Did They Pull Him Over?

Her?

Or Her?

Typical Triage Process
Details vary based on your tools. Lots of variations, such as:
- Run 12+ command line tools and manually review.
- Write PowerShell scripts and manually review.
- Remotely connect and manually use forensics tools.
- Use automated intrusion triage tools.
- Use Endpoint Detection and Response (EDR) tools (if they are deployed).

Triage Requirements
- Relatively Fast: Not measured in hours.
- Flexible: Works in your environment.
- Easy to Use: Does not require a forensics expert.
- Thorough: Looks for evidence in all of the places.

Triage: Relatively Fast
- Not measured in hours (or seconds)
- Don't want to:
  - Waste too much time on false positives.
  - Skip steps and miss the evidence.
- Fine balance.
- Automate as much as possible so that the user doesn't have to wait.
- Minimize user interaction time.

Triage: Flexible
- Needs to work with your environment.
- Not all companies are the same:
  - Does your responder have admin access to each endpoint?
  - Do you have persistent agents / EDR always deployed?
  - Do you have a policy to unplug computers from the network?
- Find a solution that works for your needs.

Triage: Easy to Use
- Does not require a forensics expert.
- Different people need to triage:
  - IT personnel
  - Security team
  - SOC
  - Help desk
- Triage may not be done every day.
- Automation and intuitive interfaces are critical.

Triage: Thorough
- Look for evidence in all of the places.
- Types of data to collect:
  - Malware: Places of persistence, running processes
  - User Activity: Programs they ran, shares mounted, files deleted, etc.
  - Event logs
  - System configuration

Thorough Data Analysis
- Analysis is where triage gets hard.
- Bad guys hide their tracks and tools.
- Attacks evolve and locations of evidence change.
- Every computer is used differently.

Data Analysis: Known Bad
- Evidence from previous incidents:
  - Indicators of Compromise (IOC)
  - Known malware
  - Threat intelligence feeds
- Looking for:
  - File names and MD5 hashes
  - Registry keys
  - Signatures

Data Analysis: Typically Bad
- Heuristics often associated with bad guys:
  - Startup programs running from "C:\Temp"
  - "cmd.exe" process with Adobe Reader as parent process.
- These require knowledge of past incidents.
  - Global knowledge, not just your network.
- A little more false positive prone.

Data Analysis: Suspicious
- Lastly, look for the stuff that is not normal:
  - Is the computer configured correctly?
  - Is this user behavior normal for their job and technical abilities?
  - Is this computer being accessed as expected?
- This is where triage gets really hard...
  - Requires knowledge from the company, fellow responders, and global trends.
  - Easy to miss things and generate false positives.
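The three tiers on the "Known Bad", "Typically Bad" and "Suspicious" slides map onto a short classifier. The block below is an added example written for this transcript, not Cyber Triage's own logic: the IOC hashes, the host baseline and the sample process listing are all constructed, and the two heuristics are exactly the ones the slide names.

```python
"""Three-tier triage of a host's process and startup listing: known bad (IOC
hash or file-name match), typically bad (heuristics), suspicious (an image this
host has not run before). Example code for this transcript; all IOCs, baseline
hashes and the sample listing are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str      # image name, e.g. "cmd.exe"
    path: str      # full path of the image on disk
    md5: str       # MD5 of the image file
    parent: str    # image name of the parent process
    startup: bool  # True if the image is also registered as a startup item


def fake_md5(label: str) -> str:
    """Constructed stand-in for a file hash: the MD5 of a label string."""
    return hashlib.md5(label.encode()).hexdigest()


# Tier 1, known bad: file names and MD5 hashes from previous incidents and
# threat intel feeds (constructed values).
KNOWN_BAD_MD5 = {fake_md5("constructed-ioc-dropper")}
KNOWN_BAD_NAMES = {"mimikatz.exe"}

# Tier 3 input, suspicious: hashes seen on this host in an earlier collection,
# i.e. what "normal" looked like before (constructed values).
HOST_BASELINE_MD5 = {fake_md5("explorer.exe"), fake_md5("outlook.exe")}

ADOBE_READER = {"acrord32.exe", "acrobat.exe"}


def typically_bad(p: Process) -> list:
    """Tier 2 heuristics from the slide; each hit yields a reason string."""
    reasons = []
    if p.startup and p.path.lower().startswith("c:\\temp\\"):
        reasons.append("startup program running from C:\\Temp")
    if p.name.lower() == "cmd.exe" and p.parent.lower() in ADOBE_READER:
        reasons.append("cmd.exe with Adobe Reader as parent process")
    return reasons


def triage(processes, baseline_md5=HOST_BASELINE_MD5) -> dict:
    """Assign each process to its highest matching tier. Processes that match no
    tier are left out, which is what shrinks 12+ text files to a short review list."""
    findings = {"known_bad": [], "typically_bad": [], "suspicious": []}
    for p in processes:
        if p.md5 in KNOWN_BAD_MD5 or p.name.lower() in KNOWN_BAD_NAMES:
            findings["known_bad"].append(p.name)
            continue
        reasons = typically_bad(p)
        if reasons:
            findings["typically_bad"].append((p.name, reasons))
        elif p.md5 not in baseline_md5:
            findings["suspicious"].append(p.name)
    return findings


# Constructed sample listing from one laptop.
SAMPLE = [
    Process("explorer.exe", "C:\\Windows\\explorer.exe", fake_md5("explorer.exe"), "userinit.exe", False),
    Process("outlook.exe", "C:\\Program Files\\Office\\outlook.exe", fake_md5("outlook.exe"), "explorer.exe", False),
    Process("cmd.exe", "C:\\Windows\\System32\\cmd.exe", fake_md5("cmd.exe"), "AcroRd32.exe", False),
    Process("update.exe", "C:\\Temp\\update.exe", fake_md5("constructed-ioc-dropper"), "explorer.exe", True),
    Process("sync.exe", "C:\\Temp\\sync.exe", fake_md5("sync.exe"), "explorer.exe", True),
    Process("notes.exe", "C:\\Users\\jdoe\\notes.exe", fake_md5("notes.exe"), "explorer.exe", False),
]

if __name__ == "__main__":
    for tier, items in triage(SAMPLE).items():
        print(f"{tier}: {items}")
```

The order of the checks matters: a startup item in C:\Temp whose hash is already on the IOC list is reported once, as known bad, rather than again as a heuristic hit, and the "suspicious" tier only fires for images the host baseline has never seen, which is the per-host knowledge the later "Automation is Critical" slide says an automated system has to store.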

Example: Network Shares
A computer has the following shares mounted:
- \\BostonCommons\schematics
- \\BostonCommons\finance
- \\FenwayPark\home\jdoe
- \\FenwayPark\home\frank
Are these bad? It depends.
- Is (s)he in engineering, finance, or IT?
- Is (s)he jdoe, frank, or a different user?
- Do the share names mean anything?
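"It depends" can be made concrete once the responder has the two facts the slide asks for, the user's department and user name. The block below is an added example written for this transcript, not Cyber Triage's own logic; the department-to-share mapping and the home-share root are constructed assumptions, and the four mounts are the ones on the slide.

```python
"""Review of mounted network shares against who the user is and what they do.
Example code for this transcript; the expected-share policy, the home-share root
and the user details are constructed."""

# Constructed policy: share roots each department is expected to mount.
EXPECTED_SHARES = {
    "engineering": {r"\\BostonCommons\schematics"},
    "finance": {r"\\BostonCommons\finance"},
    "it": {r"\\BostonCommons\schematics", r"\\BostonCommons\finance"},
}
# Constructed: per-user home directories live under this root.
HOME_ROOT = r"\\FenwayPark\home"


def _norm(share: str) -> str:
    """Case-fold and drop a trailing backslash so mounts compare reliably."""
    return share.rstrip("\\").lower()


def review_shares(user: str, department: str, mounts) -> list:
    """Return (mount, reason) pairs a human should look at. An empty list means
    every mount fits this user's role, so the shares alone prove nothing."""
    findings = []
    expected = {_norm(s) for s in EXPECTED_SHARES.get(department.lower(), set())}
    home_prefix = _norm(HOME_ROOT) + "\\"
    for mount in mounts:
        share = _norm(mount)
        if share.startswith(home_prefix):
            # A home share is fine only if it belongs to the logged-in user.
            owner = share[len(home_prefix):].split("\\")[0]
            if owner != user.lower():
                findings.append((mount, f"home directory of another user ({owner})"))
        elif share not in expected:
            findings.append((mount, f"not an expected share for {department}"))
    return findings


# The four mounts from the slide.
SLIDE_MOUNTS = [
    r"\\BostonCommons\schematics",
    r"\\BostonCommons\finance",
    r"\\FenwayPark\home\jdoe",
    r"\\FenwayPark\home\frank",
]

if __name__ == "__main__":
    for user, dept in [("jdoe", "engineering"), ("jdoe", "it"), ("frank", "finance")]:
        print(user, dept, review_shares(user, dept, SLIDE_MOUNTS))
```

Run for jdoe in engineering, two of the four mounts are flagged (the finance share and frank's home directory); for jdoe in IT only frank's home directory is; for frank in finance the schematics share and jdoe's home directory are. Same four mounts, three different answers, which is the slide's point.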

Automation Is Critical
- Necessary for speed, thoroughness, and ease of use.
- If you are manually reviewing 12+ text files and merging them together, will you miss things?
- Do you remember what happened on this system 2 months ago to know how it changed?
- Do you remember all of the threat intelligence to know what should be suspicious?
- Do you know what is normal on your endpoints?
- Automated systems can store this info.

Alert Triage Process
- Alert comes in about suspicious network activity.
- Run your automated triage process to determine:
  - List of threats (known bad, typically bad, suspicious).
  - List of remote hosts accessed by the host.
  - List of network shares accessed by the host.
  - Ideas about whether you have seen this before.
- Review the results and make decisions:
  - Evidence of lateral movement?
  - Files seen elsewhere in the network?

Example: Cyber Triage
- Cyber Triage is our endpoint triage tool.
- Let's review how it implements the requirements.
- Relatively Fast: 60 minutes or less for collection and analysis.
  - Collection and analysis are automated and do not need user interaction.

Cyber Triage: Flexible
- Collection is done with a single executable.
  - Does not need to be installed on the system.
- If you have admin access: Push agent over network.
- If you don't have admin access: Send agent to someone who does. Double click to run.
- If system is unplugged from network, use USB.
- Also supports forensic images.

Cyber Triage: Easy to Use
- Simple, one-click collection.
- Intuitive interfaces.
- Fuse data to make it as easy as possible for the user to come to conclusions.

Cyber Triage: Thorough
- Collection contains:
  - Processes, ports, users
  - Startup programs, drivers, services
  - Programs user ran
  - Event logs and registry
  - Suspicious files
- Analysis results are shown in the interface.


Scans executables using 40+ malware engines from OPSWAT®.

Finds known bads using blacklists, IOCs, and hash databases.

Identifies suspicious items using heuristics.

Guided Review
- Every host is used differently.
- Need human assistance to review:
  - Network connections
  - Network shares
  - Remote desktop connections
  - User accounts
- Cyber Triage fuses data to make it easier to review.


Identify suspicious network activity by connection type.

Obtain context by correlating with previous collections.

Group Related Hosts (incident-level)
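The "Alert Triage Process" slide lists what the automated step should produce (threats, remote hosts, shares, "have we seen this before"), and the two slides above show the same data being correlated with previous collections and grouped into an incident. The block below is an added example written for this transcript, not Cyber Triage's own logic; the three host collections and the known-good hash set are constructed, and the hash values are labelled placeholders rather than real digests.

```python
"""Cross-host correlation for one alert: is this an ice cube (one host) or an
iceberg (several)? Example code for this transcript; the collections and the
known-good hash set are constructed, hash strings are placeholders."""

# Constructed known-good hashes (OS and standard software). Without this filter
# a hash every machine has, such as explorer.exe, would link every machine.
KNOWN_GOOD_MD5 = {"md5-explorer", "md5-outlook"}

# Constructed collections: host name -> artifacts gathered from that host.
# 203.0.113.0/24 is documentation address space, not a real server.
COLLECTIONS = {
    "LAPTOP-JDOE": {
        "md5": {"md5-explorer", "md5-outlook", "md5-update-dropper"},
        "remote_hosts": {"FILESRV01", "203.0.113.5"},
        "shares": {r"\\BostonCommons\finance"},
    },
    "FILESRV01": {
        "md5": {"md5-explorer", "md5-update-dropper"},
        "remote_hosts": set(),
        "shares": set(),
    },
    "WS-FRANK": {
        "md5": {"md5-explorer", "md5-outlook"},
        "remote_hosts": {"FILESRV01"},
        "shares": {r"\\BostonCommons\finance"},
    },
}


def triage_context(alerted_host: str, collections: dict, known_good: set) -> dict:
    """Answer the slide's questions for one alert: have we seen these files
    before, which of our own hosts did the alerted host reach, and which hosts
    therefore belong in the same incident."""
    current = collections[alerted_host]
    others = {h: c for h, c in collections.items() if h != alerted_host}

    # "Have we seen this before?": unknown executables that also sit on other hosts.
    seen_before = {}
    for md5 in sorted(current["md5"] - known_good):
        hosts = sorted(h for h, c in others.items() if md5 in c["md5"])
        if hosts:
            seen_before[md5] = hosts
    hosts_with_same_files = {h for hosts in seen_before.values() for h in hosts}

    # Split remote hosts by type: inventoried internal hosts vs. everything else.
    internal = sorted(r for r in current["remote_hosts"] if r in others)
    external = sorted(r for r in current["remote_hosts"] if r not in collections)

    # Lateral movement is claimed only when a connection is backed by a second
    # signal (the same unknown file on the far end); a plain connection to the
    # file server is normal and goes to the responder as context, not a verdict.
    lateral = [h for h in internal if h in hosts_with_same_files]

    related = sorted(hosts_with_same_files | set(lateral))
    return {
        "seen_before": seen_before,
        "internal_hosts": internal,
        "external_hosts": external,
        "lateral_movement": lateral,
        "related_hosts": related,
        "scope": "iceberg" if related else "ice cube",
    }


if __name__ == "__main__":
    for host in ("LAPTOP-JDOE", "WS-FRANK"):
        print(host, triage_context(host, COLLECTIONS, KNOWN_GOOD_MD5))
```

For LAPTOP-JDOE the unknown dropper hash is also on FILESRV01, which the laptop connected to, so the two hosts are grouped and the alert is an iceberg; WS-FRANK talks to the same file server and mounts the same finance share but carries nothing outside the known-good set, so the same code reports an ice cube. The external address is reported separately for the responder to check against threat intel rather than used for grouping.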

Summary
- Understanding alerts is key to understanding your network.
- You need to treat each alert seriously.
- Automation makes this possible.
- Have a triage plan and set of tools to help you determine the basic scope and severity.

Contact Info
Brian Carrier