Chapter 5 Initial Development of Leads Spring Incident Response & Computer Forensics

Defining Leads of Value  Three characteristics of a lead  Relevant  Detailed  Actionable  To start with, perform the following operations  Clarify the data  Verify the accuracy  Determine the context

Acting on Leads  Turning leads into indicators  Property-based indicators  Methodology-based / Anomaly-based indicators  Lifecycle of indicator generation  Data from initial lead  Create/Edit  Verify Data Relevant to Indicator Data Common to Environment  Loop to Create/Edit step  Publish

Editing Host-based Indicators  Helps in determining if a host is compromised  An example - Property-based indicators :  Lab03-02.dll file  from Practical Malware Analysis (practicalmalwareanalysis.com/labs)  The file’s MD5 hash is used

Editing Host-based Indicators

 Extremely low false positive  A match must be a good indicator  What if there is no match?  If it is the same file, the functionality remains the same  The PE file header can be checked Compile Time and Date File size

Editing Host-based Indicators

 What if the attacker has modified the file?  The file size will not match.  Look for what the file does when executed

Editing Host-based Indicators

 Another example - Methodology -based indicators :  The Sticky Keys:  Provides accessibility features to users with disability  Executes sethc.exe file in Windows  Activated by pressing the Shift key quickly five times

Editing Host-based Indicators  Attackers can replace the sethc.exe file With  Cmd.exe  Any other file  To detect this compromise  Search for characteristics of sethc.exe file  Use known values in sethc.exe header

Editing Host-based Indicators

 If an organization has many systems, they all need to be searched  So, we need to check for all MD5 hashes and other parameters

Editing Host-based Indicators

 This can be very complicated if the organization has thousands of computers  Instead, use methodology based indicators  If we anticipate the attacker replaced the sethc.exe by cmd.exe or a similar file: We can look for cmd.exe file size parameters

Editing Host-based Indicators

Editing Network-based Indicators  The goal: Determining quickly if a particular session is relevant to the investigation  These indicators may have a limited lifespan  Consider the same example as before  Lab03-02.dll file  The malware looks up the host name practicalmalwareanalysis.com  A network monitor should be able to detect this DNS lookup

Editing Network-based Indicators  Monitor UDP port 53  The query format: See section “Question Section Format” (page 28) in RFC 1035 “Domain Names – Implementation and Specification” Build a signature of data format  Searching for “practicalmalwareanalysis.com” will not work  The QNAME portion of query would contain: Length:0x18 String: practicalmalwareanalysis Length:0x03 String:com Terminating octet: 0x00

Editing Network-based Indicators  Using Snort manual, a signature can be built to raise an alert when the sensor finds the following query:

Verification  Run indicators against a representative sample of systems  Data Relevant to Indicator: Test that the indicator performs as intended What if the attacker has already deleted what we are looking for? Example: A dropper  Data Common to Environment: Make sure the indicator properties do not match against the environment and results in numerous false positives To test, select a set of clean systems as sample and run the test on the sample to make sure there is no match.  If there are matches, go to “Edit” step to modify the indicator and then test again.