@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #330: Sunday Funday 5/18/14 Winner!

Hello Reader,
   Another Sunday Funday come and gone and I am now only 35 blog posts away from my year! This week I am happy to reveal our winning answer as I believe the answer really presents the itself in a well organized fashion that will help many people get a handle on the killchain as it is.

The Challenge:
Explain the 'Kill Chain' we specific DFIR examples of artifacts you would look for and remediation steps for each part of the process.

The Winning Answer:

The cyber kill chain was first coined by Lockheed Martin’s Eric Hutchins, Michael Cloppert, and Rohan Amin in 2011. Their paper, “Intelligence-Drive Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” has a wonderfully long title, and is an informative look into cyber threats. More information on this paper can be found in the ‘Further Information’ section, located at the bottom of this submission.
 
When examining where digital forensics and the cyber kill chain intersect, it’s important to understand each step of the kill chain and the forensic artifacts that may be applicable. Let’s take a walk through the kill chain, some relevant DFIR artifacts, and potential remediation/prevention steps:
 
1)    Reconnaissance
a.    Step Overview
The first step of the cyber kill chain highlights the research that an adversary may perform either to identify a potential target, or on a specific, pre-selected target. In either matter, reconnaissance may involve profiling an organization’s web presence, searching for employees and pertinent details, and/or gaining insight into other technologies an organization may use.
b.    DFIR Artifacts
·         Network logs would be artifacts of interest here, including firewall and web logs. Other outward-facing (aka DMZ) device logs would be useful as well. Data analytics can assist analysts in identifying suspicious traffic, such as scanning activity or connections from questionable locations. Correlations over time can help determine what is the “hum of the Internet” vs what may be repeated attempts to profile a network.
·         The identification of reconnaissance is also going to depend on the attacker’s objectives or capabilities. If employees are too open about their personal details on LinkedIn/Facebook/Twitter/FourSquare, an adversary may be able to profile an entire C-Suite without ever pinging an organization’s IP block.
c.    Remediation/Prevention Steps
·         Firewall ACLs can be utilized to block traffic from unwanted locations, or reaching sensitive areas.
·         To address reconnaissance using social networking sites, employee training can go a long way to help preventing too much information being released.
 
2)    Weaponize
a.    Step Overview
The second step of the cyber kill chain is an action of the attacker to take a payload, such as a Trojan or backdoor, and craft it into “weapon form”. By weapon form, the attacker needs a method with which to deliver the payload. These methods may include malicious document files, such as PDFs or MS Office documents, or malicious web sites set to execute code upon page loads.
b.    DFIR Artifacts
·   Artifacts of interest from step 2 would be the weaponized payloads that may be left on a compromised host. Artifacts of this type may include malicious PDFs, Office documents, compressed files, or actual executables delivered via step 3’s mechanism. Granted, Step 3 will be required to get these artifacts on the machine, but once on there, may provide a wealth of information. These artifacts will be utilized in subsequent steps as well.
c.    Remediation/Prevention Steps
·   As step 2 covers the weaponizing of a payload, remediation would be best efforts to prevent the execution of said weapon. This is more in line with step 4.
·   In an effort to catch weaponized malware, NIDS or NIPS tools may be used.

3)    Deliver
a.    Step Overview: While step 2 focused on the weaponization of a payload, step 3 is the actual delivery of said weapon. Methods of delivery may include an email with an attachment from step 2, a maliciously crafted website, or a strategically placed USB drive.
b.    DFIR Artifacts
·         The artifacts an analyst might be interested in from Step 3 will be dependent on the method of delivery. For a spear phishing email, analysts will want to analyze the email messages, including headers, attachments, source, etc. For malicious websites, collecting internet history artifacts, including cached HTML files, scripts, cookies, etc. will be important. If the delivery mechanism is something physical, such as a USB drive with AutoRun malware, then forensically preserving the drive becomes an artifact itself.
c.    Remediation/Prevention Steps
·         Employee training is a valuable step in preventing delivery of malware. While this is a pipe dream for some organizations, educating employees to be cautious of emails containing suspicious attachments or originating from unknown sources. Users should also be cautious when browsing the web, although sometimes even mainstream sites can be hit with vulnerabilities
·         Depending on the delivery vector, there are a multitude of technologies that can help. Endpoint USB protection can help prevent executables from running, and/or disabling Windows features such as AutoRun.
·         Email traffic monitoring, either via inline malware detection or endpoint detection, may help to find malicious files within emails. Also, these tools may be used to
·         Utilizing web proxies may help prevent users from visiting malicious sites. Proxies that ingest data sources like trusted sites and blacklisted IPs are a step closer to prevention.
4)    Exploit
a.    Step Overview: Steps 2 and 3 weaponized and delivered malicious code: Step 4 is the exploitation that allows the malicious code to run. If the delivery mechanism was a PDF, the exploitation may be a vulnerability that allows for JavaScript files to be run and subsequently download a Trojan.
b.    DFIR Artifacts
·         Artifacts of forensic interest for step 4 are going to be similar to step 2 and 3, and will involve the actual weaponized payload itself. Whether it’s a Java, Windows, Internet Explorer, Office, or Adobe exploit (to name some amongst many, many others), performing analysis on the malware may help determine information about the specific exploit(s) used.
·         Step 4 is also where an analyst may want to begin looking at system artifacts. While step 4 does not yet cover a full installation of the malware, system artifacts may yield information such as time of infection or steps that the user took to get infected (unknowingly, we hope). A timeline using a wide range of Windows artifacts (MFT, registry, internet histories, etc.) would be able to identify the time when the email arrived or USB drive was plugged in, and actions that occurred within the seconds (or milliseconds) afterwards.
·         Specific browser artifacts, including pages visited and/or downloads, may also yield information about the exploit.
·         The Windows registry hives (system, sam, software, security, ntuser, and usrclass files) may also provide unique information, such as data on removable drives, recent executables/files.
·         Link (lnk) and prefetch files may provide more information about executables around the time of exploit.
·         A forensic analyst may also, at this point, find themselves accessing logs on various servers – again, dependent on the method of delivery. Web-based exploits would have valuable information in web logs, proxy logs, and/or firewall logs. If the delivery method was email, the analyst may want to pull email information from the central mail server(s) to trace the source of the delivery.
c.    Remediation/Prevention Steps
·         A myriad of steps can help prevent against weapons successfully exploiting on a target host. Keeping software up to date, for example, is important given the number of vulnerabilities that exist in third-party software tools or document…readers.
·         Utilizing host-based intrusion detection and prevention tools, such as HIDS, HIPS, and/or anti-virus can help to protect against exploitation. These tools will also help remediate Step 5, which is the installation of the malware. Note that keeping these endpoint solutions up to date is also extremely important – anti-virus is only as useful as the signatures it knows!
5)    Install
a.    Step Overview: Step 5 focuses on the installation of the weapon from Step 2 via the exploit in Step 4.
b.    DFIR Artifacts
·         Now that the weaponized payload has been installed on the host, the file(s) discussed in steps 2-4 will now certainly be of importance. The analyst should try to capture any remnants of the malware, including executables and other dropped files. Sandboxing or reversing the malware can help analysts determine other artifacts to look for, as well as begin crafting countermeasures for Step 6.
·         More so than step 4, system- and disk-level artifacts are going to be valuable at this point in time.
o   The MFT can help paint when the malware was installed, and other artifacts that may have been Modified/Accessed/Changed/Born. The USN journal will also yield information about changes made to the volume.
o   Windows Event Logs may provide information about the install, and any Windows events that may have been triggered.
o   The components of the Windows registry are going to provide information about application install, keys created/changed/deleted, and persistence mechanisms. UserAssist, ShimCache, and MRU may also be valuable here, although not all will be affected by every malware.
o   Similar to Step 4, link and prefetch files may yield information about the executable(s) run to support the installation.
o   File (file://) entries in the index.dat will also provide local and remote file access.
·         A memory capture of an infected host may yield more information about the malware. Of course, it’s difficult to trigger a memory capture as soon as malware is installed on a host, however there is valuable data in the memory of an infected host.
c.    Remediation/Prevention Steps
·         By this point in time, the malware has successfully been executed on a host and has successfully “passed through” the intended exploit. HIDS/HIPS may be useful in prevention/detection, allowing the malware to get as far as attempting to install on the disk or make registry changes before it’s blocked.
·         If the malware is known, anti-virus software may succeed in stopping the infection at this point. It’s also possible that the malware went undetected up to this point, but a dropped executable or DLL file triggered a Quarantine.
·         Application whitelisting may also be useful at this level, preventing untrusted executables from running.
6)    Command and Control (C2)
a.    Step Overview: Perhaps the sign that many DFIR analysts are familiar with, Step 6 focuses on the beaconing of a compromised host to a C2 server. Once Steps 1-5 have been executed, the host is now likely compromised, and relays back to its C2 infrastructure for next steps.
b.    DFIR Artifacts
·         Artifacts from Step 5 are still going to be useful in this stage, especially if a host is actively beaconing the source of that beaconing has yet to be identified. Finding what is causing the beaconing should be a top priority.
·         If identified, the source of the beaconing should be captured and analyzed. Malware may have multiple C2 servers embedded and MD5 hash values may allude to other intel.
c.    Remediation/Prevention Steps
·         As with other steps, NIDS/NIPS solutions installed in an environment may be able to alert and detect or prevent against suspicious traffic. Other steps in the kill chain may have been successful thus far, however NIDS/NIPS may prevent C2 communications from reaching outbound.
·         If intel is gathered about C2 domains/IPs, firewall ACLs can be put into place to prevent outbound or inbound communication.
7)    Act on Objectives
a.    Step Overview
The final step of the cyber kill chain identifies that once an attacker has gained a foothold into an organization, their true objectives come to light. If an attacker compromised the laptop of a CFO, and the original target was next quarter’s financials, then this step represents the exfiltration of said data. Another type of objective may have been to infiltrate an entry point, and then move laterally throughout a network.
b.    DFIR Artifacts
·         Step 7 is not a fun place to be in the cyber kill chain, however from a forensic analyst’s point of view, it is sometimes the most fruitful. It may also be the most common. A large majority of artifacts discussed in previous steps can be useful at this step. Of course, understanding the motives of the attackers will denote how useful each one will be.
·         If the attacker was hoping to compromise an initial host and move throughout an environment, lateral movement artifacts will be useful at this step. This may include:
o   Remote Desktop Protocol (RDP) history
o   Windows Event Logs to identify failed/successful logins, logon types (remote, local, etc.), and other events
o   Windows Registry Hives to check for new Windows user accounts, user activity. Shellbags may also highlight lateral movement.
·         If the attacker was seeking to exfiltrate data, then a forensic analyst will want to look for evidence of files being removed from the system, or creation of new compressed files.
o   Newly-created, and oddly named compressed files such as RARs or ZIPs may differ from user behavior and resemble attacker exfiltration.
o   MFT entries may show new compressed files created
o   Prefetch and/or LNK files may show compression tools being utilized
·         An analyst will also want to again consult network logs available to detect outbound information. Network device logs may allude to exfiltration IPs/hosts, or even provide bytes out to determine how much data left the environment.
c.    Remediation/Prevention Steps
·         Again, remediation/prevention is going to depend on the attacker’s objectives. An unprotected system in a poorly-maintained environment is going to leak data without detection. That being said, maintaining proper network intrusion prevention/detection, host-based intrusion prevention/detection, anti-virus, and a responsive DFIR team will be useful.
·         More specifically, to block outbound communications, firewall ACLs can again be utilized to block communication.
·         User access controls and permissions can be useful in preventing damaging lateral movement.
 
Note that the preceding is, by no means, an exhaustive list. To pretend that infosec is the same as it was five minutes ago is a dream, and analysts should be prepared to be nimble. There is no single “do it all” tool that offers “push button” forensics and information security. But the right tools, when combined in the right environment, and with the right people, can go a long way in helping an organization keep its data where it should be.
 
Further Information:

Post a Comment

[blogger][disqus][facebook][spotim]

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.