Slide 1 AIM – Agile Incident Management
Prepared By: Robert W. Beggs, CISSP, CISA
Presented To: EnergizeIT, 16 June 2007
© DigitalDefence, Inc (
Slide 2 Introduction
Robert Beggs, CISSP, CISA
- 15+ years experience in Information Security
- Military, biomedical research, consulting, financial services background
DigitalDefence.ca for Data Security Incidents
- Focus on providing incident management services
- Professional services, managed services, training
Slide 3 Data Security Incidents
Data security incident: the act of non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity or availability of your corporate data
Slide 4 The Threat
Attackers financially motivated – skills are rewarded; “business competitors” are hacking
“Trickle down effect” – powerful, easy-to-use tools are widely available (Metasploit)
Focus on hiding attacks, beating forensics
Internal attacks are commonly detected
External attacks are focused on the end user, not the network
- Cross-site scripting
- USB devices
Slide 5 Law Enforcement …
61,000 police officers in Canada; 245 specialize in cybercrime (0.4%)
Overall, lack budget and training
Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)
In short, an effective response is generally up to the victim
Are you ready? …
Slide 6 Traditional Incident Response, IR
Event-triggered: you have lost the initiative
Competing priorities – technical (investigation) versus business (recovery)
Mistakes are frequently made
Slide 7
Slide 8 Agile Incident Management
Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization
Slide 9 Proactive Measures
Develop incident management strategic plan; integrate it into corporate business strategy
Risk assessment – security / privacy incidents are a business risk
Develop policy and SOPs (standard operating procedures)
Assign roles and responsibilities
Support technical staff
Augmentation with appropriate 3rd parties
Slide 10 Proactive Measures
Activity monitoring, including employees
Pro-active forensics
End-user education
Create a culture of security
Slide 11 Reactive Measures
Emphasize “agility”
- Fast, Focused, Flexible
Fast data collection (live response)
Fast data analysis
Focused and appropriate response / countermeasures
Focused documentation
Flexible approach – attacks can change rapidly
Slide 12 Live Response
Live response = volatile + (sometimes) non-volatile data collected before the system is powered down and recovered
Why?
- Rapid response; provides guidance for traditional response
- Loss of volatile information (the “Trojan defence”: without volatile data you cannot show whether malware, rather than the user, was responsible)
- System must be returned to production state
- Too much data to image (750 GB drives common)
- Data will return to an encrypted / locked state once the system is powered down
Slide 13 Information To Collect
System time (at the start of collection)
RAM contents
Logged-on user(s)
Open files
Network information
Network connections
Running process information
Process-to-port mapping
Process memory
Network status
Clipboard contents
Service / driver information
Command history
Mapped drives
Shares
ADS (alternate data streams)
Registry (e.g. autoruns)
Non-volatile information (e.g. event logs, file lists)
System time (again, at the end of collection, so the collection window is bounded)
Slide 14 Live Response Tools
Console-agent architecture
- Enterprise forensic software (EnCase, LiveWire)
- Mandiant’s First Response
Helix bootable Linux CD or USB
Open-source IR scripts
Roll your own script to invoke native MS Windows commands, CLI tools
- MS .BAT files are reliable, easy to explain
- PERL can be more flexible
Slide 15 Make Your Own Response Toolset
Create a bootable disk (command.com, cmd.exe)
Use multiple media formats (floppy, CD, DVD, USB)
Label the disk
Rename the tools you will use! (so that a trojaned system binary of the same name is never the copy that runs, and so your tools are not recognised by name)
Make sure that all dependencies are included
Do an MD5 hash of final tools, toolset
Identify where output will be stored, and how it will be protected
Test
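A minimal .BAT collection script of the kind slides 13 to 15 describe, added here as a worked example; it is not DigitalDefence's script or any tool from the deck. It assumes a folder bin\ next to the script holding renamed, MD5-hashed copies of the native Windows command-line tools taken from a known-clean machine of the same OS version (t_cmd.exe, t_netstat.exe, t_tasklist.exe and so on) plus an md5sum-style hashing tool; those names, the output layout and the order of collection are this example's choices.

```batch
@echo off
REM live_response.bat - constructed example for this page, not the deck's script.
REM Launch it through the trusted interpreter so that even cmd.exe is yours, e.g.
REM     X:\bin\t_cmd.exe /c X:\live_response.bat E:\case01
REM %~dp0 is the drive and folder of this script; every tool below is invoked by full
REM path from %TOOLS% so a trojaned copy on the suspect's PATH is never used.
REM Assumed layout (names are this example's choice):
REM   %~dp0bin\t_cmd.exe t_netstat.exe t_tasklist.exe t_net.exe t_ipconfig.exe
REM            t_arp.exe t_sc.exe t_driverquery.exe t_reg.exe t_systeminfo.exe
REM            t_md5sum.exe  (any MD5 tool printing "hash  filename")
REM Caveat (slide 16): renamed system tools still load DLLs from the suspect machine;
REM check their "touch" with ListDLLs / Dependency Walker before trusting the output.
REM Acquire RAM first with a trusted imager (slide 18); this script covers the rest.
setlocal enableextensions
if "%~1"=="" (
    echo usage: %~nx0 ^<output dir on removable media or a share, never the suspect disk^>
    exit /b 1
)
set "TOOLS=%~dp0bin"
set "OUT=%~1\%COMPUTERNAME%"
mkdir "%OUT%" 2>nul
set "LOG=%OUT%\collection.log"

REM --- 1. Bound the collection window: system time first (and again at the end).
echo === %COMPUTERNAME% collection run by %USERNAME% === > "%LOG%"
date /t >> "%LOG%" & time /t >> "%LOG%"

REM --- 2. Most volatile first: network state and process / port mapping.
"%TOOLS%\t_netstat.exe" -ano  > "%OUT%\netstat_ano.txt"    2>>"%LOG%"
"%TOOLS%\t_netstat.exe" -r    > "%OUT%\netstat_routes.txt" 2>>"%LOG%"
"%TOOLS%\t_arp.exe" -a        > "%OUT%\arp.txt"            2>>"%LOG%"
"%TOOLS%\t_ipconfig.exe" /all > "%OUT%\ipconfig.txt"       2>>"%LOG%"
"%TOOLS%\t_tasklist.exe" /v   > "%OUT%\tasklist_v.txt"     2>>"%LOG%"
"%TOOLS%\t_tasklist.exe" /svc > "%OUT%\tasklist_svc.txt"   2>>"%LOG%"
"%TOOLS%\t_tasklist.exe" /m   > "%OUT%\tasklist_dlls.txt"  2>>"%LOG%"

REM --- 3. Users, sessions, mapped drives, shares.
"%TOOLS%\t_net.exe" session   > "%OUT%\net_session.txt"    2>>"%LOG%"
"%TOOLS%\t_net.exe" use       > "%OUT%\net_use.txt"        2>>"%LOG%"
"%TOOLS%\t_net.exe" share     > "%OUT%\net_share.txt"      2>>"%LOG%"
"%TOOLS%\t_net.exe" user      > "%OUT%\net_user.txt"       2>>"%LOG%"
"%TOOLS%\t_net.exe" localgroup administrators > "%OUT%\net_admins.txt" 2>>"%LOG%"

REM --- 4. Services, drivers, autorun registry keys, command history.
"%TOOLS%\t_sc.exe" query state= all > "%OUT%\services.txt" 2>>"%LOG%"
"%TOOLS%\t_driverquery.exe" /v      > "%OUT%\drivers.txt"  2>>"%LOG%"
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
) do "%TOOLS%\t_reg.exe" query %%K /s >> "%OUT%\autoruns_reg.txt" 2>>"%LOG%"
REM doskey only sees this console's history; an intruder's own console is not captured.
doskey /history > "%OUT%\doskey_history.txt" 2>>"%LOG%"

REM --- 5. Least volatile last: system description and a write-time-stamped file list.
"%TOOLS%\t_systeminfo.exe" > "%OUT%\systeminfo.txt" 2>>"%LOG%"
REM The file list walks the whole system drive and is slow; drop it when time matters.
dir /a /s /t:w "%SystemDrive%\" > "%OUT%\filelist_mtime.txt" 2>>"%LOG%"

REM --- 6. Close the window and protect the output: hash everything collected.
date /t >> "%LOG%" & time /t >> "%LOG%"
echo === collection finished === >> "%LOG%"
pushd "%OUT%"
for %%F in (*.txt *.log) do "%TOOLS%\t_md5sum.exe" "%%F" >> "%OUT%\manifest.md5"
popd
endlocal
```

The script itself belongs on the hashed toolset, and the manifest.md5 should be copied off and kept with the case notes: it is what later lets you show that the collected files were not altered after the collection window closed.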
Slide 16 Step One: Validate Your Tools
Tools must not alter the target system OR all alterations must be known
What is the “touch” of the file on the target?
- Regmon and Filemon (Sysinternals)
- ListDLLs (Sysinternals) identifies changes to DLL usage, or changed / updated DLLs
- Dependency Walker ( identifies any changes to dependent modules
- Wireshark or other sniffer
What is the “touch” of the delivery system (CD, USB)?
Slide 17 Let’s Begin …
Slide 18 Memory Analysis
It’s the RAM! (Does not include virtual memory swapped to the HD)
How do we get it?
- Hardware devices
- Firewire (uses direct memory access, DMA)
- Crash dumps
- Suspended virtual sessions
- DD (“data dumper”); note that user-mode access to \\.\PhysicalMemory was removed in Windows Server 2003 SP1 and later, so a kernel driver is needed there
- Other applications (KnTTools, Nigilant32, ProDiscover IR)
Slide 19 Nigilant32 (
Free
Black box – does not describe how it is doing it
Does not provide any analysis tool
Slide 20 Analysis of a Memory Image
Hex editor + string search
- “Password”, “BOT”, “backdoor”, “Trojan”, “key”, “logger”, “IRC”, various expletives
Various open source scripts
- Ptfinder.pl (Andreas Schuster)
- Lsproc.pl, Lspd.pl, Lspi.pl (Harlan Carvey)
Proprietary tools
Slide 21 DEMO
Slide 22 “Rules of the Tools”
Understand the tool, and the results
Test before use
Have a clear objective; don’t throw everything at a suspect system
Redundancy – every finding should be validated by at least 2 separate tools, preferably from 2 different vendors
- FPort (Foundstone)
- OpenPorts (PortExplorer toolkit;
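An added example of the redundancy rule, not a tool from the deck: the socket-owning PIDs reported by netstat -ano are checked against the process list from tasklist, and a PID that owns a port but is absent from the process list is flagged as the kind of disagreement the slide says to chase (a hidden process, or one tool returning stale data). Both are Microsoft tools that call Windows APIs a user-mode rootkit can hook, so per the slide the same comparison should be repeated with a second vendor's tool such as FPort. The trusted-copy names in bin\ and the output paths are this example's assumptions.

```batch
@echo off
REM xcheck_ports.bat - constructed example, not the deck's tool.
REM Cross-validates process-to-port mappings: every PID that netstat -ano reports as
REM owning a socket must also appear in tasklist's process list.
REM Assumed: trusted, renamed copies t_netstat.exe and t_tasklist.exe in %~dp0bin.
setlocal enableextensions enabledelayedexpansion
if "%~1"=="" (echo usage: %~nx0 ^<output-dir^> & exit /b 1)
set "TOOLS=%~dp0bin"
set "NS=%~1\netstat_ano.txt"
set "TL=%~1\tasklist.csv"
set "REPORT=%~1\xcheck_report.txt"

REM Snapshot both views as close together in time as possible, then compare offline,
REM so a short-lived connection is not mistaken for a hidden process.
"%TOOLS%\t_netstat.exe" -ano > "%NS%"
"%TOOLS%\t_tasklist.exe" /nh /fo csv > "%TL%"
echo === netstat -ano vs tasklist cross-check === > "%REPORT%"
set /a missing=0

REM TCP rows: proto local foreign state pid (5 tokens); UDP rows: proto local foreign pid (4).
for /f "tokens=1,2,5" %%A in ('findstr /r /c:"^ *TCP" "%NS%"') do call :check %%A %%B %%C
for /f "tokens=1,2,4" %%A in ('findstr /r /c:"^ *UDP" "%NS%"') do call :check %%A %%B %%C

echo PIDs owning sockets but absent from tasklist: !missing! >> "%REPORT%"
type "%REPORT%"
endlocal
exit /b 0

:check
REM %1 = proto, %2 = local address:port, %3 = pid.
REM PID 0 is the placeholder netstat prints for unowned entries such as TIME_WAIT;
REM it is not a process and is skipped rather than reported.
if "%3"=="0" exit /b 0
REM tasklist CSV rows look like "svchost.exe","1040","Console","0","4,528 K",
REM so a PID is matched as the quoted second field.
findstr /c:",\"%3\"," "%TL%" >nul
if errorlevel 1 (
    echo DISAGREEMENT: %1 %2 is owned by PID %3, which tasklist does not list >> "%REPORT%"
    set /a missing+=1
)
exit /b 0
```

A non-zero count is a lead, not a conclusion: confirm it with a second vendor's process and port tools before writing "hidden process" in the report, exactly as the slide's two-tool rule requires.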
Slide 23 Live Response Tools
Slide 24 DEMO (Selected Tools)
Slide 25 Open Source – Windows Forensic Toolchest
Slide 26 Open Source and Easy – Helix
Runs on Windows and Unix boxes; well documented
CD tools may be out of date
Slide 27 Remember
Toronto Area Security Klatch, TASK
- Free monthly meetings, portal site
SecTor (November, 2007)
- Technical attacks; technical defences
- Dan Kaminsky, Johnny Long, Ira Winkler …
Free Canadian Information Security Newsletter (
Slide 28 Contact