
1 You Have Alerts. Now What?
Brian Carrier, VP of Digital Forensics, Basis Technology. © 2016

2 Who Am I?
Been involved with security for over 15 years. Used to be an Incident Response consultant. Been leading the forensics team at Basis Technology for the past 10 years. Written popular open source forensics tools. Written digital forensics books.
© Basis Technology, 2016

3 A Typical Security Team Day
Alerts are being generated from SIEMs, intrusion detection systems, and smart firewalls. Some alerts are ignored. Some alerts get basic analysis. The team does not have enough resources, administrator access to all endpoints, or forensics expertise.

4 Alerts Are Not Being Investigated
Only the basic techniques are used. Anti-virus logs are reviewed, but a single AV provider may not be seeing it. Only network traffic is reviewed, but bad activity could be encrypted or hidden in other traffic. A request is sent to the remote, non-security IT staff, who have insufficient training or tools.

5 The Network Is Not Fully Understood
If the alerts are not understood, the network is not understood. The same alert could have many causes. Scenario: you get an alert about traffic to a command and control server from an IP address in your network. What do you do?

6 Possible Cause #1
A user opened an email attachment. The attachment installed malware on the laptop. The malware reached out to a C&C server. No alert was triggered: the server was not in threat intel yet. The malware uploaded password hashes, file names, network mounts, etc.

7 Possible Cause #1 (contd.)
The bad guy logs into the system and moves laterally into other systems to look for important data. The malware checks in again with the C&C server. The IDS now triggers because of threat intel updates.


9 This Alert Is the Tip of the Iceberg
Several other endpoints are involved. (Image: http://pcwallart.com/tip-of-the-iceberg-titanic-wallpaper-2.html)

10 Possible Cause #2
A user opened an email attachment. The attachment installed malware on the laptop. The malware monitors for PayPal, credit card, and other website credentials, and periodically reaches out to a C&C server. Your IDS triggers.


12 This Alert Is the Tip of an Ice Cube
No other hosts are involved. Not targeted at you. (Image: http://www.creditslips.org/.a/6a00d8341cf9b753ef01b8d0c938bf970c-400wi)

13 Possible Cause #3
A server has been compromised and is hosting malware. Your user visits a website on this server but doesn't download the malware. Your IDS triggers. It's a false positive.

14 What Would You Do?
What would your company do with the C&C alert? Ignore it because of false positives in the past? Check the anti-virus logs to make sure it didn't quarantine anything? Collect data from the endpoint? Capture network traffic to and from the endpoint? Unplug the endpoint from the network? ...

15 What You Should Do
Respond quickly and thoroughly: don't waste time on the false positives, and don't be hasty and miss the icebergs. Use a triage process to get quick answers to: Is the host compromised? Have we seen something like this before? What other hosts or resources could be involved? Initially assume the worst, much like a police officer who pulls a car over.

16 Did They Pull Him Over?
(Video: https://www.youtube.com/watch?v=B_r37sYhXsM)

17 Her?
(Image: http://www.technologytell.com/in-car-tech/files/2013/10/old-lady-car.jpg)

18 Or Her?
(Image: http://womenofcaliber.com/wp-content/uploads/2009/04/get-out-of-the-car1.jpg)

19 Typical Triage Process
Details vary based on your tools. There are lots of variations, such as: run 12+ command line tools and manually review; write PowerShell scripts and manually review; remotely connect and manually use forensics tools; use automated intrusion triage tools; use Endpoint Detection and Response (EDR) tools (if they are deployed).

20 Triage Requirements
Relatively fast: not measured in hours. Flexible: works in your environment. Easy to use: does not require a forensics expert. Thorough: looks for evidence in all of the places.

21 Triage: Relatively Fast
Not measured in hours (or seconds). You don't want to waste too much time on false positives, or skip steps and miss the evidence. It's a fine balance. Automate as much as possible so that the user doesn't have to wait, and minimize user interaction time.

22 Triage: Flexible
Needs to work with your environment. Not all companies are the same: Does your responder have admin access to each endpoint? Do you have persistent agents / EDR always deployed? Do you have a policy to unplug computers from the network? Find a solution that works for your needs.

23 Triage: Easy to Use
Does not require a forensics expert. Different people need to triage: IT personnel, the security team, the SOC, the help desk. Triage may not be done every day. Automation and intuitive interfaces are critical.

24 Triage: Thorough
Look for evidence in all of the places. Types of data to collect: Malware: places of persistence, running processes. User activity: programs they ran, shares mounted, files deleted, etc. Event logs. System configuration.

25 Thorough Data Analysis
Analysis is where triage gets hard. Bad guys hide their tracks and tools. Attacks evolve and the locations of evidence change. Every computer is used differently.

26 Data Analysis: Known Bad
Evidence from previous incidents: Indicators of Compromise (IOCs), known malware, threat intelligence feeds. Looking for: file names and MD5 hashes, registry keys, signatures. (MD5 is still what many feeds carry, but MD5 collisions are practical, so match on SHA-256 as well whenever the feed provides it.)

27 Data Analysis: Typically Bad
Heuristics often associated with bad guys: startup programs running from “C:\Temp”; a “cmd.exe” process with Adobe Reader as the parent process. These require knowledge of past incidents: global knowledge, not just your network. A little more false positive prone.
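The known-bad and typically-bad tiers from the two slides above, as an added example in Python (this is not code from the talk or from Cyber Triage). It runs over a constructed process list and autorun set: the known-bad tier is matched against a hypothetical IOC set (MD5s, file names, autorun locations), then the two heuristics named on the slide are applied. The SHELLS and DOC_READERS tables are my generalization of the cmd.exe-under-Adobe-Reader case to other shells and Office parents; the slide names only the one pair.

```python
"""Tiered triage of one endpoint collection: known bad, then typically bad.

Added example (not code from the talk or from Cyber Triage). The process
list, autorun entries and indicator sets below are constructed for the
example; real IOC feeds and hash sets would be loaded from files.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    path: str
    md5: str


@dataclass
class Autorun:
    location: str   # registry key or startup-folder entry
    command: str    # raw command line as stored


@dataclass
class Finding:
    tier: str       # "known_bad" or "typically_bad"
    reason: str
    item: str


# Constructed indicator sets (hypothetical, not a real feed).
KNOWN_BAD_MD5 = {"0123456789abcdef0123456789abcdef"}
KNOWN_BAD_NAMES = {"mimikatz.exe"}
KNOWN_BAD_LOCATIONS = {
    ntpath.normcase(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater")
}

# Heuristic tables. The talk names cmd.exe under Adobe Reader; these sets
# generalize to other shells and other document readers (my extension).
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOC_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}


def image_path(command: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_temp_dir(path: str) -> bool:
    """True for images under C:\\Temp or a user's AppData\\Local\\Temp."""
    p = ntpath.normcase(path)           # lower-case, '/' -> '\'
    return p.startswith("c:\\temp\\") or "\\appdata\\local\\temp\\" in p


def analyze(processes, autoruns):
    """Return findings; an item matching an IOC is reported as known bad
    rather than also as a heuristic hit."""
    findings = []
    by_pid = {p.pid: p for p in processes}

    for p in processes:
        name = p.name.lower()
        if p.md5.lower() in KNOWN_BAD_MD5:
            findings.append(Finding("known_bad", "MD5 in IOC set", f"{p.path} ({p.md5})"))
        elif name in KNOWN_BAD_NAMES:
            findings.append(Finding("known_bad", "file name in IOC set", p.path))
        parent = by_pid.get(p.ppid)
        if name in SHELLS and parent and parent.name.lower() in DOC_READERS:
            findings.append(Finding("typically_bad",
                                    f"{p.name} spawned by {parent.name}",
                                    f"pid {p.pid} (parent pid {parent.pid})"))

    for a in autoruns:
        if ntpath.normcase(a.location) in KNOWN_BAD_LOCATIONS:
            findings.append(Finding("known_bad", "autorun location in IOC set", a.location))
        elif in_temp_dir(image_path(a.command)):
            findings.append(Finding("typically_bad", "startup program in a temp directory",
                                    f"{a.location} -> {a.command}"))
    return findings


# Constructed sample collection: a Reader-spawned shell dropping a binary in C:\Temp.
SAMPLE_PROCESSES = [
    Process(4, 0, "System", "", ""),
    Process(620, 4, "explorer.exe", r"C:\Windows\explorer.exe", "11111111111111111111111111111111"),
    Process(1304, 620, "AcroRd32.exe",
            r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
            "22222222222222222222222222222222"),
    Process(2210, 1304, "cmd.exe", r"C:\Windows\System32\cmd.exe", "33333333333333333333333333333333"),
    Process(3120, 2210, "svc.exe", r"C:\Temp\svc.exe", "0123456789abcdef0123456789abcdef"),
]
SAMPLE_AUTORUNS = [
    Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
            r"%windir%\system32\SecurityHealthSystray.exe"),
    Autorun(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
            r'"C:\Temp\svc.exe" -s'),
    Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\helper",
            r"C:/Temp/helper.exe /quiet"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(f"[{f.tier}] {f.reason}: {f.item}")
```

On the sample data this reports two known-bad items (the svc.exe hash and the updater Run key) and two typically-bad ones (cmd.exe under AcroRd32.exe, and the helper autorun in C:\Temp). Paths are normalized with ntpath.normcase so forward slashes and mixed case in registry data do not defeat the prefix check.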

28 Data Analysis: Suspicious
Lastly, look for the stuff that is not normal: Is the computer configured correctly? Is this user behavior normal for their job and technical abilities? Is this computer being accessed as expected? This is where triage gets really hard. It requires knowledge from the company, fellow responders, and global trends, and it is easy to miss things and generate false positives.

29 Example: Network Shares
A computer has the following shares mounted:
  \\BostonCommons\schematics
  \\BostonCommons\finance
  \\FenwayPark\home\jdoe
  \\FenwayPark\home\frank
Are these bad?

30 Example: Network Shares (contd.)
Are these bad? It depends. Is (s)he in engineering, finance, or IT? Is (s)he jdoe, frank, or a different user? Do the share names mean anything?
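The "it depends" on the slide above turned into a check, as an added example in Python (not code from the talk or from Cyber Triage). It assumes three constructed inputs a triage system would hold as baseline: which department each share belongs to, which share roots are per-user home directories, and a user-to-department directory. A share is normal when it belongs to the user's department (IT is allowed everywhere) or is the user's own home directory; another user's home directory or a share outside the user's department is suspicious; anything not in the baseline is left for review.

```python
"""Reviewing mounted network shares against who the user is and what
their role should touch.

Added example (not code from the talk or from Cyber Triage). The share
owner table, the user directory and the mounted-share list are constructed
for the example; in practice they come from AD group membership, the file
servers' share ACLs and the collected endpoint data.
"""
import ntpath

# Constructed: which departments are expected on each department share.
SHARE_OWNERS = {
    r"\\bostoncommons\schematics": {"engineering"},
    r"\\bostoncommons\finance": {"finance"},
}
# Constructed: share roots laid out as \\server\home\<username>.
HOME_SHARES = {r"\\fenwaypark\home"}
# Constructed user directory: username -> department.
USERS = {"jdoe": "engineering", "frank": "finance", "alice": "it"}


def split_unc(path: str):
    """Split \\\\server\\share\\rest into (\\\\server\\share, rest), normalized."""
    p = ntpath.normcase(path).rstrip("\\")
    parts = p.split("\\")           # ['', '', server, share, rest...]
    if len(parts) < 4 or parts[0] or parts[1]:
        raise ValueError(f"not a UNC path: {path!r}")
    root = "\\\\" + parts[2] + "\\" + parts[3]
    return root, "\\".join(parts[4:])


def review_shares(username, mounted):
    """Classify each mounted share as normal, suspicious or unknown for this user."""
    dept = USERS.get(username.lower())
    verdicts = []
    for share in mounted:
        root, rest = split_unc(share)
        if root in HOME_SHARES:
            owner = rest.split("\\")[0] if rest else ""
            if owner == username.lower():
                verdicts.append((share, "normal", "user's own home directory"))
            else:
                verdicts.append((share, "suspicious",
                                 f"home directory of {owner or 'unknown user'}"))
        elif root in SHARE_OWNERS:
            if dept == "it" or dept in SHARE_OWNERS[root]:
                verdicts.append((share, "normal", f"expected for {dept}"))
            else:
                verdicts.append((share, "suspicious",
                                 f"{dept or 'unknown user'} outside owners "
                                 f"{sorted(SHARE_OWNERS[root])}"))
        else:
            verdicts.append((share, "unknown", "share not in baseline; review"))
    return verdicts


# The four shares from the slide (constructed collection output).
MOUNTED = [
    r"\\BostonCommons\schematics",
    r"\\BostonCommons\finance",
    r"\\FenwayPark\home\jdoe",
    r"\\FenwayPark\home\frank",
]

if __name__ == "__main__":
    for user in ("jdoe", "frank", "alice"):
        print(f"== {user} ({USERS[user]})")
        for share, verdict, why in review_shares(user, MOUNTED):
            print(f"  {verdict:10} {share}  ({why})")
```

For jdoe in engineering, schematics and \home\jdoe come back normal while finance and \home\frank are suspicious; for frank in finance the verdicts flip; for alice in IT only the other users' home directories are flagged. The point is that the same four mounts produce a different answer for each user, which is why this tier needs a baseline rather than a signature.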

31 Automation Is Critical
Necessary for speed, thoroughness, and ease of use. If you are manually reviewing 12+ text files and merging them together, will you miss things? Do you remember what happened on this system 2 months ago, to know how it changed? Do you remember all of the threat intelligence, to know what should be suspicious? Do you know what is normal on your endpoints? Automated systems can store this info.

32 Alert Triage Process
An alert comes in about suspicious network activity. Run your automated triage process to determine: the list of threats (known bad, typically bad, suspicious); the list of remote hosts accessed by the host; the list of network shares accessed by the host; whether you have seen this before. Review the results and make decisions: Is there evidence of lateral movement? Were the files seen elsewhere in the network?

33 Example: Cyber Triage
Cyber Triage is our endpoint triage tool. Let's review how it implements the requirements. Relatively fast: 60 minutes or less for collection and analysis. Collection and analysis are automated and do not need user interaction.

34 Cyber Triage: Flexible
Collection is done with a single executable that does not need to be installed on the system. If you have admin access, push the agent over the network. If you don't have admin access, send the agent to someone who does, and they double-click to run it. If the system is unplugged from the network, use USB. Forensic images are also supported.

35 Cyber Triage: Easy to Use
Simple, one-click collection. Intuitive interfaces. Data is fused to make it as easy as possible for the user to come to conclusions.

36 Cyber Triage: Thorough
The collection contains: processes, ports, users; startup programs, drivers, services; programs the user ran; event logs and registry; suspicious files. Analysis results are shown in the interface.


38 Scans executables using 40+ malware engines from OPSWAT®.

39 Finds known bads using blacklists, IOCs, and hash databases.

40 Identifies suspicious items using heuristics.

41 Guided Review
Every host is used differently. Human assistance is needed to review: network connections, network shares, remote desktop connections, user accounts. Cyber Triage fuses data to make it easier to review.


43 Identify suspicious network activity by connection type.

44 Obtain context by correlating with previous collections.

45 Group Related Hosts (incident-level view)
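The scoping step from the Alert Triage Process slide ("have we seen this before?", "evidence of lateral movement?") and the two slides above on correlating collections and grouping hosts, as an added example in Python (not code from the talk or from Cyber Triage). It assumes a set of constructed per-host collections holding the executables' MD5s and the remote hosts each machine accessed, which are two of the data types the talk says a collection should contain. Starting from the alerting host, it walks access edges in both directions and also pulls in any host carrying one of the flagged hashes, returning the incident group with a reason per host. A group of one is the ice-cube case from Possible Cause #2; a larger group is the iceberg from Possible Cause #1.

```python
"""Scoping an alert across endpoint collections: has this been seen before,
and which hosts belong in the same incident.

Added example (not code from the talk or from Cyber Triage). The per-host
collections below are constructed; the fields mirror what the talk says a
triage collection should hold (executables seen, remote hosts accessed).
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Collection:
    host: str
    md5s: set          # MD5s of executables found on the host
    remote_hosts: set  # hosts this host connected to (SMB, RDP, etc.)


def seen_elsewhere(md5, collections, exclude=None):
    """Hosts other than `exclude` whose collection contains this hash."""
    return {c.host for c in collections if md5 in c.md5s and c.host != exclude}


def lateral_edges(collections):
    """Undirected host graph built from recorded remote-host access."""
    edges = {c.host: set() for c in collections}
    for c in collections:
        for r in c.remote_hosts:
            edges.setdefault(r, set()).add(c.host)
            edges[c.host].add(r)
    return edges


def group_related_hosts(start, collections, flagged_md5s):
    """Hosts reachable from `start` via access edges or shared flagged hashes.

    Returns (hosts, reasons); reasons maps each pulled-in host to why it
    was added. A result of just {start} is the 'ice cube' case.
    """
    edges = lateral_edges(collections)
    by_host = {c.host: c for c in collections}
    reasons = {}
    seen = {start}
    queue = deque([start])
    while queue:
        h = queue.popleft()
        neighbours = {(n, f"accessed from/by {h}") for n in edges.get(h, ())}
        if h in by_host:
            for md5 in by_host[h].md5s & flagged_md5s:
                neighbours |= {(n, f"shares flagged hash {md5} with {h}")
                               for n in seen_elsewhere(md5, collections, exclude=h)}
        for n, why in sorted(neighbours):   # deterministic order, first reason wins
            if n not in seen:
                seen.add(n)
                reasons[n] = why
                queue.append(n)
    return seen, reasons


# Constructed hashes and collections.
BAD = "0123456789abcdef0123456789abcdef"        # the malware from the C&C alert
BANKER = "fedcba9876543210fedcba9876543210"     # an unrelated credential stealer
BENIGN_A = "11111111111111111111111111111111"
BENIGN_B = "22222222222222222222222222222222"

COLLECTIONS = [
    Collection("LAPTOP-JDOE", {BAD, BENIGN_A}, {"FILESRV01", "WKS-FRANK"}),
    Collection("WKS-FRANK", {BAD, BENIGN_B}, set()),
    Collection("FILESRV01", {BENIGN_B}, set()),
    Collection("WKS-CAROL", {BAD}, set()),             # same malware, no recorded access
    Collection("WKS-ALICE", {BENIGN_A}, {"PRINTSRV"}),  # shares only a benign file
    Collection("PRINTSRV", set(), set()),
    Collection("WKS-BOB", {BANKER}, set()),            # Possible Cause #2: isolated
]

if __name__ == "__main__":
    for host, flagged in (("LAPTOP-JDOE", {BAD}), ("WKS-BOB", {BANKER})):
        group, why = group_related_hosts(host, COLLECTIONS, flagged)
        label = "ice cube" if group == {host} else "iceberg"
        print(f"{host}: {label}, {len(group)} host(s)")
        for h in sorted(group - {host}):
            print(f"  {h}: {why[h]}")
```

For LAPTOP-JDOE the group is four hosts: FILESRV01 and WKS-FRANK through recorded access, and WKS-CAROL because it carries the same flagged hash even though no connection was recorded. WKS-ALICE stays out because the only file it shares is benign, which is why grouping keys on flagged hashes rather than on any overlap. WKS-BOB's banking trojan produces a group of one.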

46 Summary
Understanding alerts is key to understanding your network. You need to treat each alert seriously, and automation makes this possible. Have a triage plan and a set of tools to help you determine the basic scope and severity.

47 Contact Info
Brian Carrier, brianc@basistech.com, Twitter: @carrier4n6

