
Network Intrusion

Analysis

Methodologies, Tools, and

Techniques for Incident

Analysis and Response

Joe Fichera

Steven Bolt

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an Imprint of Elsevier


Acknowledgement v

Preface xi

Chapter 1 Introduction 1

Introducing Network Intrusion Analysis 1

Chapter 2 Intrusion Methodologies and Artifacts 5

Stage 1: Pre-Intrusion Actions: AKA Reconnaissance 5

Stage 2: Intrusion Methods 6

Phase 1: Pre-Intrusion Actions, Active 10

Phase 2: Attack 12

Phase 3: Maintaining Access/Entrenchment 16

References 32

Chapter 3 Incident Response 33

Introduction 33

Section 1: Methodology 34

Trusted Toolset 35

Commercial Triage Tools 37

US-LATT Configuration 44

Witness Devices 49

Section 2: Memory Acquisition 50

Introduction 51

Acquisition 52

Mdd_1.3.Exe 52

Usage 53

Win32dd 55

Sample Syntax for Win32dd: 57

FTK Imager 59

Memoryze 64

Conclusion 69

References 70


Chapter 4 Volatile Data Analysis 71

Introduction 71

What is Volatile Data? 72

What is Non-Volatile Data? 72

Section 1: Collection Tools 72

Commercial Triage Tools 81

EnCase Portable, Guidance Software, Inc 81

US-LATT, WetStone Technologies, Inc 85

Section 2: Memory Analysis 88

Introduction 88

RAM Analysis 89

Data Carving Tools and Techniques 95

Disk Digger 95

GetDataBack for NTFS and FAT 97

Mandiant's Redline 106

HBGary Responder Community Edition 110

References 117

Chapter 5 Network Analysis 119

Introduction 119

Methodology 120

Network Traffic 120

Snort 121

Packet Analysis Tools 123

Wireshark 123

Analyzing Data with Wireshark 127

Netwitness Investigator 131

Analyzing Data with Netwitness 132

Collection Summary 133

Filtering 133

Rules 133

Drilling 134

Custom Drill 135

Intellisense 135

Report Icon 135

Options 136

Report Value 136

Session List 136

Breadcrumbs 136

Searching 136

Accessing the Search Function 137

Simple Search Window 137


Advanced Search Window 137

Search Preferences 137

Simple Search 137

Advanced Search 139

Exporting Sessions 139

Log Analysis 141

Witness Devices 147

Viewing, Acquiring, Triaging Devices over the Network 149

EnCase CyberSecurity [1] 150

References 151

Chapter 6 Host Analysis 153

Introduction 153

Methodology 153

Host Based Analysis 153

Hash Analysis 154

Malware Scanning 154

Signature Analysis 154

Alternate Data Streams 154

AutoRun Locations 158

Log Files 159

Windows Event Logs 159

Schedule Task Logs 163

Antivirus Logs 163

$MFT 163

Deleted Files 164

Attacker Created Directories 165

Prefetch Directory and Included Prefetch Files 165

References 167

Chapter 7 Malware Analysis 169

Introduction 169

Malware Sandbox Creation 170

Downloading and Configuring the Required Virtualized Machines 170

Configuration of the Virtual Machines to Add Additional Protections From Infection 179

Installation and Configuration of Analysis Applications 180

System Monitoring 182

Code Analysis Applications 185


Behavioral Analysis Walkthrough 191

Identification, Hashing, and Scanning Through Aggregators 192

Hashing 193

Submitting Files to Virus Total or Offensive Computing 193

Step 2: Starting the Monitoring Applications 194

Process Explorer Detailed Overview 197

Detonate the Malware Sample 211

Reporting 214

Summary 215

Description 215

Conclusion 216

References 217

Chapter 8 Reporting After Analysis 219

Introduction 219

Getting Started 220

The Report Header 224

Requested Analysis 225

Status of Analysis: Closed or Pending 226

Summary 226

Software 226

Glossary of Terms 227

Details of Analysis 227

Remediation Recommendations 230

Appendices 231

Index 235