Streamlined Malware Incident Response with EnCase

Transcription

1 Streamlined Malware Incident Response C:\>whoami Joseph R. Salazar Information Technology since 1995 Information Security since 1997 Major (retired, USAR) with 22 years as a Counterintelligence Agent, Military Intelligence Officer, and Cyber-Security Officer EnCE CISSP, CEH, and some other stuff Practitioner of Safe-Sarcasm Page 2 Joseph Salazar 1

2 C:\>telnet audience.org 80 Audience assumptions: You know how to use EnCase to conduct a forensic examination and find files You have some exposure to EnCase Enterprise You have some knowledge of EnCase Cybersecurity You are interested in protecting your environment and users from malware Page 3 Objectives To outline a framework that minimizes user and system exposure to malware To give advice on supporting infrastructure and processes To show the flexibility of EnCase Enterprise and Cybersecurity Page 4 Joseph Salazar 2

3 Why? Isn t Anti-Virus enough to detect and remediate malware threats? Is Malware really that big of a deal? Aren t malware sandboxes good enough? Isn t this a waste of time? Page 5 Page 6 Joseph Salazar 3

4 Because Malware is a real threat Relying on AV is ineffective Malware Sandboxes are not a panacea Users are bad at security Page 7 The malware threat Malware economy Generate malicious code Distribution network Command and Control Money mules Money laundering and shipping Data Theft Page 8 Joseph Salazar 4

5 AV (in)effectiveness Imperva Hacker Intel monthly trend report #14 Antivirus is dead Symantec exec Damballa research findings Lastline Labs findings Evading signature detection Page 9 Sandboxes and users Techniques to evade Sandbox detection Escape the sandbox Make it wait Users the weakest link Bromium survey Page 10 Joseph Salazar 5

6 Common EnCase uses Traditional investigations Static deadbox investigations Misconduct Malfeasance Illegal activity Full system forensics hours (or more) Page 11 Uncommon EnCase uses Malware investigations (The 90 s called. They want their virus protection back) Malware Incident Response 1-3 hours detection to closure faster with commodity malware EnCase Enterprise critical to timeframe EnCase Cybersecurity for automation and remediation Page 12 Joseph Salazar 6

7 Requirements Network based detection Host based detection System/user identification Local/network logs Supporting policies Investigative process Page 13 Typical investigative flow Network monitoring/traffic/av alerts Locate host/user through proxy/vpn/firewall logs or via network forensic analysis Research possible malicious executable by extracting from pcap and verifying via online resources Alert Locate Research Investigate Remediate Page 14 Joseph Salazar 7

8 Typical investigative flow Investigate potential infection Enterprise, and confirm positive or negative result Remediation via wipe Submit system for wipe/reimage, or Use EnCase Cybersecurity to remediate via selective forensic wipe Alert Locate Research Investigate Remediate Page 15 Process highlights Try to wipe all infected systems, with a safe data transfer Data files only No exe transfers Mandatory password change for data-stealing malware Page 16 Joseph Salazar 8

9 Process highlights Lower reliance on AV for detection and remediation Poor detection rates Cleaning function is optimistic, and limited to what is detected Virus definition dependency limits scope Page 17 Process highlights EnCase Cybersecurity as remediation option Good for selective file deletion at the disk level Time savings vs. certainty of full wipe Page 18 Joseph Salazar 9

10 Process highlights 3 Tier investigation Tier quick investigation Tier deep malware investigation Tier full forensic investigation Page 19 Process highlights The documented process is the incident report Documented process Easier knowledge transfer Duplicable Auditable/Verifiable Investigation record Page 20 Joseph Salazar 10

11 Supporting infrastructure Network Based Sandboxes Network Forensic Analysis Network Based Detection Log Analysis EnCase Page 21 Supporting infrastructure Network Based Sandboxes Analyzes exes detected in network traffic Categorizes exes as benign or malicious Monitors ingress/egress points Interrogates all traffic to user zones Sends alerts on findings Page 22 Joseph Salazar 11

12 Supporting infrastructure Network Forensic Analysis Full pcap storage Session replay File extraction from traffic AD integration Alerting capabilities Page 23 Supporting infrastructure Network Based Detection IDS alerts Proxy alerts Firewall Host Based Detection Antivirus System integrity monitoring Page 24 Joseph Salazar 12

13 Supporting infrastructure Log Analysis Web proxy logs Firewall logs VPN logs Host logs EnCase Enterprise/Cybersecurity The ACTUAL investigation/remediation tools Page 25 What is malware? Dictionary.com: Software intended to damage a computer, mobile device, computer system, or computer network, or take partial control over its operation Page 26 Joseph Salazar 13

14 Infection vectors How does malware get onto a system? Unsecured server Third party ad servers serving malicious ads Compromised server serving up malware Careless user action Clicking on attachments Following links to malicious sites Page 27 Malware infection phases 3 phases to a malware infection Exploit kit Exploits a vulnerability on the system that allows for execution of arbitrary code Dropper Small utility file that downloads main malware binaries Malware The actual malicious executable Page 28 Joseph Salazar 14

15 Malware evasion techniques Wrapping Obfuscation Packers Anti-debugging Targeting Page 29 Signature detection How does signature detection work? File byte sequences File hash How does malware evade this? Packing/Repacking an executable Test file sample against a signature database Encryption Polymorphism Page 30 Joseph Salazar 15

16 Finding malware Where do you look for these files? User temp directories User internet cache directories Java cache What do you look for? Renamed files (scvhost.exe, rundii.exe, etc.) Weird names (lexical rules) Legitimate files running out of different folders Page 31 Finding malware Persistence mechanisms? Registry auto runs Startup folder File properties? Time stomp Hidden/System file attribute? Page 32 Joseph Salazar 16

17 Confirming malware Submit to network sandbox Cuckoo Anubis Submit to online virus database VirusTotal.com VirScan.org Totalhash.com Reversing with Ida Pro or similar Page 33 Enscripts and automation Page 34 Joseph Salazar 17

18 Automating detection Indications of Compromise (EnScriptable) Enscript checks all entries against all scripted IOCs File Signature Analysis Executables in the wrong places Unexpected running processes Modified or blank time stamps Lexical/short file names Many other detections Tuning of false alert results Page 35 Manual detections Other IOCs (not scriptable) Java temp files (may be scriptable) Timeline to alert correlation Executables in user program directory Alert to file system correlation Unfortunately, there is no Find malware EnScript Page 36 Joseph Salazar 18

19 Wrap-up Page 37 Questions? Page 38 Joseph Salazar 19