Tuesday, October 15, 2013

Daily Blog #114: Solving Sunday Funday 10/13/13 - Timeline intersection

Hello Reader,
           It was an interesting contest this Sunday in that we had so few responses. To those of you who watched our forensic lunch on Friday we did talk about strategies for tracking lateral movement, we just didn't get into Linux specifically. Today we are going to talk about how I would approach stitching together lateral movement based on the netflow data we have. For those not familiar with Netflow and how it works/what it can do you might want to start here.

The key to this challenge is the availability of netflow and the fact that the systems here are on the DMZ. Since we started the scenario with the knowledge of the attackers source country, this is your first pivot point and what I would do at this point is the following:

1. Load the netflow data into a datbase
2. Pull out the distinct times in days/hours where your attacker was active based on his initially detected ip
3. Determine which hosts that ip has accessed
4. Go to each of those hosts and create a timeline from the logs stored within them, this is one advantage of Linux of Windows as Linux tends by default to log more events by default.
5. Look then at the netflow data from all traffic originating from the dmz hosts identified in step 3 and find all the traffic within the network that they originated on the times identified in step 2
6. Access those hosts identified in step 5 and pull a timeline of those logs

Your next step will be to limit your timeline to those days and times identified in step 2. You want to review those systems and determine if there a reason to believe that they have been used for lateral movement as well, in which case repeat step 5 for each host where you believe this is possible.

This intersection of host based and netflow diagrams for time periods will allow you to slice and dice your timeline data from the hosts to focus on those periods of activity you most need to focus on in order to determine what the attacker was up to and their capabilities.

Tomorrow let's talk about host artifacts to inspect.