Network Intrusion
Analysis
Methodologies, Tools, and
Techniques for Incident
Analysis and Response
Joe Fichera
Steven Bolt
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier
Acknowledgement v
Preface xi
Chapter 1 Introduction 1
Introducing Network Intrusion Analysis 1
Chapter 2 Intrusion Methodologies and Artifacts 5
Stage 1: Pre-Intrusion Actions: AKA Reconnaissance 5
Stage 2: Intrusion Methods 6
Phase 1: Pre-Intrusion Actions, Active 10
Phase 2: Attack 12
Phase 3: Maintaining Access/Entrenchment 16
References 32
Chapter 3 Incident Response 33
Introduction 33
Section 1: Methodology 34
Trusted Toolset 35
Commercial Triage Tools 37
US-LATT Configuration 44
Witness Devices 49
Section 2: Memory Acquisition 50
Introduction 51
Acquisition 52
mdd_1.3.exe 52
Usage 53
Win32dd 55
Sample Syntax for Win32dd: 57
FTK Imager 59
Memoryze 64
Conclusion 69
References 70
Chapter 4 Volatile Data Analysis 71
Introduction 71
What is Volatile Data? 72
What is Non-Volatile Data? 72
Section 1: Collection Tools 72
Commercial Triage Tools 81
EnCase Portable, Guidance Software, Inc 81
US-LATT, WetStone Technologies, Inc 85
Section 2: Memory Analysis 88
Introduction 88
RAM Analysis 89
Data Carving Tools and Techniques 95
Disk Digger 95
GetDataBack for NTFS and FAT 97
Mandiant's Redline 106
HBGary Responder Community Edition 110
References 117
Chapter 5 Network Analysis 119
Introduction 119
Methodology 120
Network Traffic 120
Snort 121
Packet Analysis Tools 123
Wireshark 123
Analyzing Data with Wireshark 127
Netwitness Investigator 131
Analyzing Data with Netwitness 132
Collection Summary 133
Filtering 133
Rules 133
Drilling 134
Custom Drill 135
Intellisense 135
Report Icon 135
Options 136
Report Value 136
Session List 136
Breadcrumbs 136
Searching 136
Accessing the Search Function 137
Simple Search Window 137
Advanced Search Window 137
Search Preferences 137
Simple Search 137
Advanced Search 139
Exporting Sessions 139
Log Analysis 141
Witness Devices 147
Viewing, Acquiring, Triaging Devices over the Network 149
EnCase CyberSecurity [1] 150
References 151
Chapter 6 Host Analysis 153
Introduction 153
Methodology 153
Host Based Analysis 153
Hash Analysis 154
Malware Scanning 154
Signature Analysis 154
Alternate Data Streams 154
AutoRun Locations 158
Log Files 159
Windows Event Logs 159
Schedule Task Logs 163
Antivirus Logs 163
$MFT 163
Deleted Files 164
Attacker Created Directories 165
Prefetch Directory and Included Prefetch Files 165
References 167
Chapter 7 Malware Analysis 169
Introduction 169
Malware Sandbox Creation 170
Downloading and Configuring the Required Virtualized Machines 170
Configuration of the Virtual Machines to Add Additional Protections From Infection 179
Installation and Configuration of Analysis Applications 180
System Monitoring 182
Code Analysis Applications 185
Behavioral Analysis Walkthrough 191
Identification, Hashing, and Scanning Through Aggregators 192
Hashing 193
Submitting Files to VirusTotal or Offensive Computing 193
Step 2: Starting the Monitoring Applications 194
Process Explorer Detailed Overview 197
Detonate the Malware Sample 211
Reporting 214
Summary 215
Description 215
Conclusion 216
References 217
Chapter 8 Reporting After Analysis 219
Introduction 219
Getting Started 220
The Report Header 224
Requested Analysis 225
Status of Analysis: Closed or Pending 226
Summary 226
Software 226
Glossary of Terms 227
Details of Analysis 227
Remediation Recommendations 230
Appendices 231
Index 235