Tux's Angels: Incident Response Unravelled
linux.conf.au, Melbourne 2008
Source: mirror.linux.org.au/pub/.../204-Tux_Angels_Incident...
Something to lighten the mood...
angels@lca:~/
Who we are
Amelia, Kate, Vanessa: IT security geeks
Department of Defence, Information Security Group
Computer Network Vulnerability Team (CNVT)
What we do
For Federal and State Government:
● 24/7 incident response
● IT security advice and assistance
● Vulnerability assessments
● Penetration testing / red teaming
● Research and development
● Education and training
Agenda
● Incident response
● Linux + FOSS
● Investigation
● Conclusion
Incident response
Incident: events that threaten IT security
Incident response: the process of handling this situation
Things to keep in mind:
● Inform management
● Involve law enforcement for criminal activity
● Preserve forensic integrity
IR life cycle: Detection, Collection, Analysis (drawn as a cycle)
Linux + FOSS: why?
Why do we use Linux in incident response?
● Not invasive
● Multiple filesystem support
● More OS control
● Loopback device (an image file can be mounted read-only and examined without touching the original disk)
Why FOSS?
● Cutting-edge technology
● Customisable, and more control
● Free!
Linux + FOSS: tool selection
How do we select tools for IR?
● Ease of installation
● Easy to understand, use and configure
● How accurate and up to date it is
● Support and documentation available
● Reputation of the developers
Investigation
● The incident
● IR life cycle: Detection, Collection, Analysis
The incident
Who? Administrator from Playground Inc.
What? Suspected compromise of workstation "ALPHA"
When? Reported at 4:30pm on 19th Dec 2007
Domain: playground.net1.myturf.net
Requested onsite assistance from Tux's Angels
The network (diagram)
Timeline: what we know
Timeline built with Simile Timeline: http://simile.mit.edu/timeline/
Detection
Finding out whether a security incident has occurred. Detection may come from a variety of sources:
● IDS
● Logs
● Users
● Odd system behaviour
Use all tools and resources available.
A variety of tools can be used to detect a security incident. These break down into:
● Network-based intrusion detection systems (NIDS)
● Host-based intrusion detection systems (HIDS)
● Log watch and alerting tools
Detection: NIDS
Network-based intrusion detection system
NIDS tools they considered using: Sguil, EasyIDS
Their NIDS tool of choice: Snort with BASE
Detection: HIDS
Host-based intrusion detection system
HIDS tools they considered using: AIDE, Labrador
Their HIDS tool of choice: Afick
Detection: Log watch and alerting
Logging and alerting tools they considered using: Logcheck, Devialog
Their logging and alerting tool of choice: Swatch
Detection: Custom IDS Solution
Their custom IDS solution, as drawn on the slide:
● Snort logs alerts to MySQL and to syslog; BASE is the front end used to view the alert database.
● Dumpcap, started at boot, creates rolling pcaps (a ring buffer of capture files).
● Swatch watches syslog; on a Snort alert it kicks off a bash script.
● The bash script gets the 1 rolling pcap before the alert and the 3 after it; mergecap merges them into a single capture.
● tcpflow extracts the flows from the merged capture, which are then analysed.
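As an added example (not the talk's own script), here is what the bash-script stage of that pipeline can look like in POSIX shell: it picks the ring-buffer files around a Snort alert and hands them to mergecap and tcpflow. The dumpcap command line, the ring-file names, the swatch rule and the function names (select_window, carve_alert) are assumptions; the talk does not show them. mergecap and tcpflow are only run at the end, so the selection logic can be tested without them.

```shell
#!/bin/sh
# Added example, not the talk's own script: the "bash script" stage of the custom IDS.
# Assumed ring buffer, started at boot (assumption; the talk does not show its command line):
#   dumpcap -i eth0 -b duration:60 -b files:200 -w /var/pcaps/ring.pcap
# dumpcap names ring files <base>_<seq>_<YYYYMMDDhhmmss>.pcap with a zero-padded sequence
# number, so a plain sort of the names is chronological.
#
# Assumed swatch rule that runs this script when Snort writes an alert to syslog:
#   watchfor /snort\[\d+\]: \[\d+:\d+:\d+\]/
#       exec "/usr/local/bin/carve_alert.sh /var/pcaps /cases/alpha"

# select_window ALERT_FILE
#   stdin: sorted ring-file names, one per line.
#   stdout: the file being written when the alert fired, the 1 before it and the 3 after it
#   (fewer at the edges of the ring). Exit 1 if ALERT_FILE is not in the list.
select_window() {
    awk -v alert="$1" '
        { f[NR] = $0; if ($0 == alert) hit = NR }
        END {
            if (!hit) exit 1
            lo = hit - 1; if (lo < 1) lo = 1
            hi = hit + 3; if (hi > NR) hi = NR
            for (i = lo; i <= hi; i++) print f[i]
        }'
}

# newest_ring RING_DIR : the file dumpcap is currently writing (newest by name)
newest_ring() {
    ls "$1"/ring_*.pcap | sort | tail -n 1
}

# wait_for_followers RING_DIR ALERT_FILE : block until 3 files newer than ALERT_FILE exist,
# i.e. until the "3 after" have been rotated and closed (about 3 minutes at duration:60)
wait_for_followers() {
    while [ "$(ls "$1"/ring_*.pcap | sort | awk -v a="$2" '$0 > a' | wc -l)" -lt 3 ]; do
        sleep 10
    done
}

# carve_alert RING_DIR OUT_DIR : merge the window into one pcap and split it into flows
carve_alert() {
    ring_dir=$1; out_dir=$2
    alert_file=$(newest_ring "$ring_dir")
    wait_for_followers "$ring_dir" "$alert_file"
    window=$(ls "$ring_dir"/ring_*.pcap | sort | select_window "$alert_file") || return 1
    mkdir -p "$out_dir/flows"
    # $window is deliberately unquoted: one path per word, and ring names contain no spaces
    mergecap -w "$out_dir/alert.pcap" $window || return 1
    tcpflow -r "$out_dir/alert.pcap" -o "$out_dir/flows"
}
```

The window is taken by file name rather than by timestamp because the alert is raised while dumpcap is still writing the current file; waiting for three newer files guarantees the "3 after" are complete before mergecap reads them.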
DEMO: Detecting an incident using snort, swatch, tcpflow and BASE
Detection: results
Suspect compromise: YES
● Snort: unsuccessful TELNET login from ALPHA to an Internet box
● Afick: 3 new unexplained exe's: inst.exe, inst2.exe, MS Indexer.exe
Information passed to Tux's Angels
Timeline + Detection: what we know
Collection
Acquiring data to determine what occurred around a specific event:
● Collect data
● Verify data
Data can come from a variety of sources: network, memory, disk.
Collection: network
Tools we considered using: dumpcap, Wireshark
Tool of choice: tcpdump
Collection: memory
Techniques we considered using: crash dumps, hibernation file
Tool of choice: FAU dd (the dd from George Garner's Forensic Acquisition Utilities)
Collection: disk
Tools we considered using: dd, sdd
Tool of choice: dcfldd
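As an added example (not the talk's own procedure), the collect-then-verify step for a disk in POSIX shell. dcfldd is used when installed, with its hash= and hashlog= options hashing the stream as it is copied; otherwise plain dd is used and the hash is taken in a separate pass. The function names (acquire_image, verify_image, hash_file) and the mount command in the comment are my assumptions, and the "device" is a constructed file standing in for the suspect disk.

```shell
#!/bin/sh
# Added example, not the talk's own procedure: image a suspect disk and verify the copy.
# The source below is a constructed file standing in for something like /dev/sdb.

# hash_file PATH : SHA-256 hex digest, using whichever tool the rescue system has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# acquire_image SOURCE IMAGE : copy SOURCE to IMAGE without ever opening SOURCE for writing.
# bs=512 matches the sector size, so conv=sync never pads the last block: with a larger bs a
# device whose size is not a multiple of bs gets zero-padded and the image hash no longer
# matches the device. conv=noerror keeps going past unreadable sectors (sync zero-fills them).
acquire_image() {
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$1" of="$2" bs=512 conv=noerror,sync hash=sha256 hashlog="$2.hashlog" 2>/dev/null
    else
        dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    fi
}

# verify_image SOURCE IMAGE : hash both independently, record the hashes next to the image,
# print MATCH or MISMATCH and return 0 or 1.
verify_image() {
    s=$(hash_file "$1"); i=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$s" "$1" "$i" "$2" > "$2.sha256"
    if [ "$s" = "$i" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

# acquire_and_verify SOURCE IMAGE : the whole onsite step; succeeds only on a verified copy.
# Once verified, work from the image, never the original, e.g. for a partition image
# (assumption, needs root):  mount -o ro,loop,noexec /cases/alpha.dd /mnt/alpha
acquire_and_verify() {
    acquire_image "$1" "$2" && verify_image "$1" "$2"
}

# make_sample_device PATH : constructed stand-in for the suspect disk, 16 sectors of 'A'
make_sample_device() {
    dd if=/dev/zero bs=512 count=16 2>/dev/null | tr '\0' 'A' > "$1"
}
```

The second hash pass over the image is the "verify data" half of the slide: a hash computed only while copying proves nothing about what actually landed on the evidence drive.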
Collection: what happened onsite?
● Physical memory: FAU dd and dcfldd
● Disk image: dcfldd
● Startup pcaps: tcpdump
● Gateway pcaps: dumpcap
DEMO: Memory acquisition using FAU dd and dcfldd
Timeline + Collection: what we know
Analysis
Analysing the data acquired in the collection phase: confirmatory analysis and event reconstruction.
Data is Surveyed, Extracted and Examined (the SEE data analytic approach).
Our priorities:
1) Cause of compromise
2) Extent of compromise
3) Malware functionality & identity
Data from the collection phase: network, disk, memory. Tools to analyse each dataset:
Analysis: network
Network tools we considered: tcpxtract, ngrep, netdude
Our network tool of choice: Wireshark
Network capture (20071219.pcap): from 2007-12-19 13:28 to 20:00, taken on the external gateway interface (192.168.1.1).
First observation: at 14:05 ALPHA starts using a proxy rather than a DIRECT connection to the Internet. The proxy is an untrusted IP address: 192.168.1.2.
Timeline: wpad DNS request
Analysis: wpad.dat
function FindProxyForURL(url, host)
{
if (shExpMatch(url, "*.playground.net1.myturf.net/*"))
{
return "DIRECT";
}
return "PROXY proxy.myturf.net:3128";
}
Analysis: wpad refresher
Web Proxy Autodiscovery protocol
Used by web browsers set to "autodetect proxy settings"
DHCP and DNS: wpad.<domain>
Moves up the hierarchy until it gets a hit
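The two WPAD facts the deck leans on, reproduced as an added example (this is not code from the talk; the host name, the sample URLs and the "stop at two labels" rule are assumptions): first the DNS name walk a browser performs for a host, so you can see which zones an attacker-controlled wpad record could have been planted in, and second the recovered wpad.dat re-expressed in Python so the PAC can be evaluated offline to show where it sends traffic. Real browsers also honour DHCP option 252 and use a public-suffix list to decide where to stop; the walk below approximates that by stopping when two labels remain.

```python
"""Added example (not from the Tux's Angels slides): WPAD candidate names and
offline evaluation of the recovered wpad.dat.

Assumptions: the example host pc1.playground.net1.myturf.net, the sample
URLs and the two-label stop rule are constructed for illustration.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def wpad_dns_candidates(fqdn: str) -> list[str]:
    """Names a WPAD-enabled client tries, in order, for a host named `fqdn`.

    The client drops its own host label, asks for wpad.<domain>, then keeps
    removing the leftmost label until only two remain (assumed stop rule, so
    it never asks for wpad.net). Any zone along that path that the attacker
    can write to lets them serve the PAC.
    """
    labels = fqdn.rstrip(".").split(".")[1:]  # drop the host's own label
    candidates = []
    while len(labels) >= 2:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def sh_exp_match(value: str, pattern: str) -> bool:
    """PAC's shExpMatch(): a shell-style glob over the whole string."""
    return fnmatchcase(value, pattern)


def find_proxy_for_url(url: str, host: str) -> str:
    """Python rendering of FindProxyForURL() from the recovered wpad.dat."""
    if sh_exp_match(url, "*.playground.net1.myturf.net/*"):
        return "DIRECT"
    return "PROXY proxy.myturf.net:3128"


def route_table(urls) -> dict[str, str]:
    """Evaluate the PAC for each URL: which destinations bypass the proxy
    and which are funnelled through proxy.myturf.net:3128."""
    return {u: find_proxy_for_url(u, urlsplit(u).hostname or "") for u in urls}


SAMPLE_URLS = [  # constructed
    "http://www.playground.net1.myturf.net/index.html",
    "http://playground.net1.myturf.net/",  # no leading label: still proxied
    "http://download.example.com/firefox/setup.exe",
    "https://mail.example.org/",
]

if __name__ == "__main__":
    for name in wpad_dns_candidates("pc1.playground.net1.myturf.net"):
        print("DNS lookup:", name)
    for url, decision in route_table(SAMPLE_URLS).items():
        print(f"{decision:32} {url}")
```

Everything outside the playground subdomain, including any software download, is routed through the proxy named in the PAC, which is the point the next slides make about the "real" Firefox installer.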
Analysis: wpad resolving
Timeline: Firefox setup.exe downloaded
Analysis: network
Is this the real firefox setup.exe? NO WAY!
Content-type: application/octet-stream
Like this: two executables
Legitimate executable the user requested, e.g. the real firefox setup.exe
84d p0rxy
Timeline: encrypted comms to malware controller
The attack network
Analysis
Our priorities:
1) Cause of compromise – wpad + malicious firefox
2) Extent of compromise
3) Malware functionality & identity
Analysis: disk
angels@lca:~/investigation/ir_life_cycle/analysis/disk
Analysis: disk
Disk tools we considered:
Suite: sleuthkit + autopsy
Utilities: many
Tasks: antivirus scan, MAC time analysis, browser history, event logs, registry, file carving
Analysis: disk
Our disk tools of choice:
Suite: pyFLAG
Utilities: clamav, mork.pl, sleuthkit (fls, mactime, dls), scalpel, md5sum, strings, file
Analysis: disk
Antivirus scan using clamav
Scheduled to update & scan using cron
Log file can be easily grep'd
Results can be scripted to extract infected files
AV can be hit or miss due to variants
Infected file: 36 (Trojan.Small-2497)
VirusTotal: Backdoor.Poison variant?
Analysis: disk
md5sum identified unique viruses: inst.exe; inst2.exe == MS Indexer.exe == live.exe
Afick hash database identified these same files
strings of each executable matched executables in firefox setup.exe
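The two scripting steps the previous slides describe, grepping the clamav log for infected files and collapsing renamed copies with md5sum, as an added example (not the talk's own scripts). The evidence paths, the file contents and the clamscan log below are constructed; only the detection name Trojan.Small-2497 and the file names come from the slides.

```python
"""Added example (not from the Tux's Angels slides): disk triage scripting.

1. Parse a clamscan log for "<path>: <signature> FOUND" lines.
2. Group carved executables by md5 so the same binary under several names
   (inst2.exe == MS Indexer.exe == live.exe) counts once.

All paths, bytes and log lines are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict

# clamscan prints one "<path>: <signature> FOUND" line per detection and
# "<path>: OK" for clean files. Constructed sample log:
CLAMSCAN_LOG = """\
/mnt/evidence/Documents and Settings/user/Desktop/Firefox setup.exe: OK
/mnt/evidence/WINDOWS/system32/inst.exe: OK
/mnt/evidence/WINDOWS/system32/inst2.exe: Trojan.Small-2497 FOUND
/mnt/evidence/WINDOWS/system32/MS Indexer.exe: Trojan.Small-2497 FOUND
/mnt/evidence/Documents and Settings/user/live.exe: Trojan.Small-2497 FOUND
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def infected_files(log_text: str) -> dict[str, str]:
    """Return {path: signature} for every FOUND line in a clamscan log."""
    hits = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


# Constructed stand-ins for the carved files' bytes; the unpacker and the
# trojan differ, and the trojan is present three times under different names.
TROJAN_BYTES = b"MZ\x90\x00" + b"payload-A" * 8
UNPACKER_BYTES = b"MZ\x90\x00" + b"payload-B" * 8
FILES = {
    "/mnt/evidence/WINDOWS/system32/inst.exe": UNPACKER_BYTES,
    "/mnt/evidence/WINDOWS/system32/inst2.exe": TROJAN_BYTES,
    "/mnt/evidence/WINDOWS/system32/MS Indexer.exe": TROJAN_BYTES,
    "/mnt/evidence/Documents and Settings/user/live.exe": TROJAN_BYTES,
}


def md5_hex(data: bytes) -> str:
    """md5sum-equivalent digest (identification only, not integrity)."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def group_by_md5(files: dict[str, bytes]) -> dict[str, list[str]]:
    """One entry per unique content, listing every path that carries it."""
    groups = defaultdict(list)
    for path, data in files.items():
        groups[md5_hex(data)].append(path)
    return {h: sorted(paths) for h, paths in groups.items()}


def unique_samples(files: dict[str, bytes], log_text: str) -> int:
    """Distinct binaries the AV flagged, i.e. how many actually need
    reversing once renamed copies are collapsed."""
    flagged = infected_files(log_text)
    return len({md5_hex(files[p]) for p in flagged if p in files})


if __name__ == "__main__":
    for path, sig in infected_files(CLAMSCAN_LOG).items():
        print(f"FOUND {sig}: {path}")
    for digest, paths in group_by_md5(FILES).items():
        print(digest, "->", ", ".join(paths))
    print("unique flagged samples:", unique_samples(FILES, CLAMSCAN_LOG))
```

The AV only names three of the four dropped files, but the hash grouping shows they are one binary; a file the scanner misses (inst.exe here, as on the slides) is found by hash and by its strings rather than by signature.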
Analysis: disk
Diagram: Firefox setup.exe (as downloaded) = legitimate executable the user requested (e.g. the real firefox setup.exe) + inst.exe + inst2.exe/MS Indexer.exe/live.exe
MAC times (files and registry hives)
Event log
IE browser cache
Analysis: disk
pyFLAG enabled us to:
Confirm initial compromise
Determine how the malware unpacks
Analysis: how the malware unpacks
Diagram: Firefox setup.exe (as downloaded) = legitimate executable the user requested (e.g. the real firefox setup.exe) + unpacker + Trojan/malware
THIS IS MY BAD FOOD. BAAAAD FOOD
Timeline: persistence
Analysis
Our priorities:
1) Cause of compromise – wpad + malicious firefox
2) Extent of compromise
   ● Malware: inst2.exe
   ● Methods of persistence: reg keys, start up
3) Malware functionality & identity
   ● Functionality: keylogging, password hashes, file upload, encrypted comms
Analysis: memory
angels@lca:~/investigation/ir_life_cycle/analysis/memory
Analysis: memory
Memory tools we considered: PTFinder, PoolTools, Windows IR/CF tools
Our memory tool of choice: volatility
DEMO: Memory analysis using volatility
Analysis: memory
pslist: firefox.exe (1812). firefox.exe not running when memory acquired!
connections: firefox.exe (1812) to 192.168.1.3:3460
dlllist: parameters to firefox.exe, nonstandard?
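The cross-check behind those three findings, as an added example (not the talk's own script): a socket owned by a process that pslist shows as exited, or does not list at all, and a known image launched with a command line that differs from its baseline. Only PID 1812, the image name firefox.exe and the peer 192.168.1.3:3460 come from the slides; the remaining rows, the firefox.exe arguments and the baseline paths are constructed, and the tables are a simplified stand-in for volatility's output rather than its exact column format.

```python
"""Added example (not from the Tux's Angels slides): correlate pslist,
connections and dlllist-style data to surface the two anomalies the deck
reads out of the memory image.

All rows except PID 1812 / firefox.exe / 192.168.1.3:3460 are constructed;
the baseline command lines are assumptions about a particular build.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    exited: bool  # pslist recorded an exit time for this process


# Constructed pslist: firefox.exe is still listed but already exited.
PSLIST = [
    Proc(4, "System", False),
    Proc(624, "explorer.exe", False),
    Proc(1812, "firefox.exe", True),
    Proc(1940, "svchost.exe", False),
]

# Constructed connections table: (pid, local endpoint, remote endpoint).
CONNECTIONS = [
    (1812, "192.168.1.10:1045", "192.168.1.3:3460"),
    (1940, "192.168.1.10:1046", "192.168.1.1:53"),
]

# Constructed dlllist command lines, keyed by PID.
CMDLINES = {
    624: r"C:\WINDOWS\Explorer.EXE",
    1812: r"C:\Program Files\Mozilla Firefox\firefox.exe -no-remote -P hidden",
    1940: r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
}

# Constructed baseline: how each image is normally launched on this build.
BASELINE = {
    "firefox.exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    "explorer.exe": r"C:\WINDOWS\Explorer.EXE",
}


def orphaned_connections(pslist, connections):
    """Connections whose owning process has exited or is absent from pslist.

    Either way the socket outlived the process the OS attributes it to, so
    whatever was really running under that PID deserves a closer look."""
    by_pid = {p.pid: p for p in pslist}
    findings = []
    for pid, _local, remote in connections:
        proc = by_pid.get(pid)
        if proc is None:
            findings.append((pid, remote, "not in pslist"))
        elif proc.exited:
            findings.append((pid, remote, "exited"))
    return findings


def nonstandard_cmdlines(pslist, cmdlines, baseline):
    """PIDs whose command line deviates from the baseline for that image name."""
    flagged = []
    for proc in pslist:
        expected = baseline.get(proc.name)
        actual = cmdlines.get(proc.pid)
        if expected is not None and actual is not None and actual != expected:
            flagged.append(proc.pid)
    return flagged


if __name__ == "__main__":
    for pid, remote, why in orphaned_connections(PSLIST, CONNECTIONS):
        print(f"PID {pid} -> {remote}: owning process {why}")
    for pid in nonstandard_cmdlines(PSLIST, CMDLINES, BASELINE):
        print(f"PID {pid}: command line differs from baseline: {CMDLINES[pid]}")
```

The baseline comparison is deliberately strict (exact string match); in practice you would normalise case and path separators first, but the shape of the check, a per-image expected launch string compared against what the memory image records, is the one that makes "nonstandard parameters" a reproducible finding rather than a hunch.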
Analysis
Our priorities:
1) Cause of compromise – wpad + malicious firefox
2) Extent of compromise
   ● Malware: inst2.exe
   ● Methods of persistence: reg keys, start up
3) Malware functionality & identity
   ● Functionality: keylogging, password hashes, file upload, encrypted comms
   ● Identity: PoisonIvy
Investigation
The incident IR life cycle
● Detection
● Collection
● Analysis
angels@lca:~/investigation/ir_life_cycle/analysis
Agenda
Incident response
Linux + FOSS
Investigation
Conclusion
angels@lca:~/conclusion
Final Timeline: Investigation SOLVED!
Ok, so what now?
Block outbound comms
Prevent further compromise
Reimage infected machines
Ensure no mechanism for persistence
Assess damage
Linux + FOSS
Tool wrap up
Detection: swatch/snort/dumpcap/BASE
Collection: dcfldd/FAUdd/tcpdump
Analysis: wireshark/pyFLAG (and others)/volatility
How can you use these tools, even if you're not in an IR team?
Thanks...
Our bad guy: Eddie Cornejo LCA
angels@lca:~/thanks
Thank you. Any questions?
References (images):
Alpha: http://www.co.orange.nc.us/library/libsvcs/computer.gif
DC: http://www.mikeschinkel.com/blog/content/binary/windowshomeserverfromhp.png
Gateway: http://blogs.zdnet.com/microsoft/images/Medion%20Home%20Server.jpg
Internet: http://www.goemerchant.com/images/gateway.jpg
Badguy: http://www.daleypws.com/images/bad_pc.jpg
Dragons: http://www.forcounsel.com/products/4104.jpg
angels@lca:~/questions