Evidentiary Integrity for Incident Response (EIIR)

Transcription

1 CYBER SECURITY DIVISION 2014 PRINCIPAL INVESTIGATORS MEETING Evidentiary Integrity for Incident Response (EIIR) Exelis Inc., Information Systems December 2014 This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD), BAA and Air Force Research Laboratory Information Directorate via contract number FA C The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of Department of Homeland Security, Air Force Research Laboratory or the U.S. Government.

2 Problem and the Solution Problem: As it stands today, there is no one production grade mechanism that exists in real time for logging, tagging, maintaining or securing evidence that is collected and harvested during an incident response investigation while utilizing the Windows CLI. Evidentiary integrity is paramount to an investigation and needs to withstand verifiable scrutiny. Solution: Proactive Incident Response Command Shell (PIRCS) is a seamless and customizable Windows operating system command shell wrapper that enables cyber incident responders to encapsulate and secure evidence collected during a command line incident response. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 1

3 Customer Need Industry feedback via surveys, meetings, evaluation forms: Poor availability of robust command line tools that can be effectively presented in court Lack of forensic incident response documentation often prohibits prosecution Improper documented IT action hampers law enforcement investigations No good utility exists for forensically hashing digital images while they are being copied off of a suspect system. July 2013 SANS Institute: Survey of Digital Forensics & Incident Response 57% indicated they were looking for legal evidence that could hold up in court The survey emphasized the need for : Treating all cases as if they may end up in arbitration or even legal proceedings Applying rigor in the collection and management of evidence Increasing the trustworthiness so that the evidence can be defended Sound processes that can withstand challenge under outside scrutiny 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 2

4 Approach PIRCS consists of the following three core components: Secure real-time activity logging Evidentiary collection and encapsulation Secure evidence storage repository 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 3

5 Approach (continued) Secure Real-Time Activity Logging Full duplex logging of any end-user interaction with the command line interface Full service level logging that generates time-stamped entries for all software management actions All logs are populated in real-time and are supported by: Bit-stream hashing Full duplex recording Validated data integrity storage 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 4

6 Approach (continued) Evidentiary Collection and Encapsulation A custom file storage format that securely captures the entire stream of data flowing to and from the investigator and the target system. Automates the persistent encoding of metadata about the circumstances and the individuals involved in an incident investigation directly within the forensic image file architecture. Example of metadata fields include: Name of the investigator (or other means of identification) Validated date/time of the data collection Suspect/target system details Analysis/investigation host system details and other details relevant to incident investigations 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 5

7 Approach (continued) Secure Evidence Storage Repository Stores all commands and their output in a command database Downloaded attachments and evidence files are similarly stored in an attachment database, while investigator comments added to the investigation case file are stored in a comments database All three sets of captures are hashed continuously and linked in the Master Hash Index Master Hash Index is itself hashed and encrypted in the Hash Seal Locker Use of 128-bit AES level encryption to protect the Hash Seal Locker will provide a level of non-repudiation and accountability 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 6

8 Approach (continued) Testing: In an effort to test PIRCS within a real incident response environment, PIRCS was deployed to the following agencies for testing and feedback: New York State Enterprise Information Security Office Exelis Cyber Incident Response Center (CIRC) New York State Police (NYSP) Testing and feedback was also obtained via the Technology Transfer Study that was conducted by WetStone Technologies. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 7

9 Approach (continued) Transitioned to the University of Texas at San Antonio (UTSA): On April 2014 Exelis transitioned the PIRCS technology to the University of Texas at San Antonio for inclusion into the 2014 National Collegiate Cyber Defense Competition (NCCDC). This competition assesses participants depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems. - ( Developed and designed a scenario that centered on an insider threat and the theft of proprietary information. The participants had to perform an investigation of the insider s computer using PIRCS to locate evidence, capture the evidence, and document if their findings were sufficient to prove three progressing levels of potential actions that can be taken against the insider: (1) administrative, (2) civil, and (3) criminal. Feedback received from the NCCDC Director regarding Exelis participation in the event included: The scenario was well developed, appreciated the ability in coming up with a second scenario on the fly the second day of competition, and great involvement with the kids. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 8

10 Benefits Documented Benefits/Value of PIRCS to the practitioner community: We found PIRCS to be very useful in sort of grounding our activities in the sense of centralizing and organizing our activities during incident response. We use command-line tools to import logs, we run various command-line utilities during malware analysis, etc. and PIRCS allows us to maintain a good time line / record of activities. Thank you for allowing us to test the tool - NYS Enterprise Information Security Office During field investigations and search warrants to find all network devices and In situations where I am conducting a search warrant and there are systems actively running - Attendees of the Network Investigations and Interrogations Training Class The PIRCS technology offers unique capabilities and provides forensic examiners, incident response personnel, cyber security teams and IT personnel with the capability of actively probing and investigating systems and networks while maintaining forensic integrity and a robust audit trail WetStone Technologies - Excerpt taken from the Technology Transfer Study conducted by WetStone. Centralizing and Organizing IR Activities Maintain Good Time Line/Record Find all Network Devices Unique Capabilities Actively Probing/Investigating Capabilities Maintaining Forensic Integrity Robust Audit Trail 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 9

11 Competition Identified two technologies that have similar, but not exact, capabilities to PIRCS. The Technology Transfer Study found the PIRCS solution to generally have a unique set of capabilities. 1. Windows Forensic Toolchest (WFT) Vendor: Fool Moon Software and Security 2. Memoryze Vendor: Mandiant 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 10

12 Competition Feature Matrix Comparison 8 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 11

13 Competition Feature Matrix Comparison (continued) 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 12

14 Current Status: PIRCS Book Bundle TABLE OF CONTENTS Chapter 1: Introduction Chapter 2: The intrinsic value of command line interactions Chapter 3: PIRCS Deep Dive Chapter 4: PIRCS Use Case Walk Through - 1 Chapter 5: PIRCS Use Case Walk Through - 2 Chapter 6: PIRCS Use Case Walk Through - 3 Chapter 7: PIRCS Use Case Walk Through 4 Chapter 8: Conclusions and Future View Table of Contents Chapter 1: Introduction The purpose of PIRCS The importance of the Forensic Log A plethora of use case possibilities A quick test drive of PIRCS Chapter Summary Chapter Review Questions Chapter 2: The intrinsic value of command line interactions Host Triage Scenarios - Application of common commands - Example Usage Network Triage Scenarios - Application of common commands - Example Usage Incident Response Scenarios - Application of common commands - Example Usage Chapter 1 Chapter 2 Chapter 3: PIRCS Deep Dive Secure Real Time Evidence Logging The Secure Evidence Repository Evidence Collection and Encapsulation PIRCS Case Management PIRCS Features in Depth Chapter Summary Chapter Review Questions Chapter 4: PIRCS Use Case Walk Through - 1 Overview of the use case Investigative goals and objectives Investigative strategies and alternatives Step by Step Investigation Analysis of Results Summary and Conclusions Chapter Summary Chapter Review Questions Chapter 3 Chapter 4 Chapter Summary Chapter Review Questions 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 13

15 Next Steps If book proposal is awarded by publisher, anticipated release of the Book Bundle to the commercial market would be Summer of P I R C S Forensic Integrity Putting the Proactive Incident Response Command Shell (PIRCS) to work. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 14

16 Exploring other transition pathways PIRCS is being considered as a technology that will be included in a Cyber Security Tool Kit that is being sponsored by Exelis. Tool Kit is currently in the planning stages Expectations are to distribute the tool kit to federal government agencies to augment their current cyber security capabilities. Exploring the potential of porting PIRCS over from Windows to Linux OS for inclusion into the Tool Kit. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 15

17 Contact Information Rosanne Pelli EIIR Program Manager Intelligence & Cyber Solutions 474 Phoenix Drive Rome, NY (315) PMP, CompTIA Security+ Jeffrey Isherwood Senior Cyber Security Analyst Intelligence & Cyber Solutions 474 Phoenix Drive Rome, NY (315) CISSP, CRISC, C EH, Linux+, LIPC-1 References: Henry, P., Williams, J., and Wright, B. (2013) The SANS Survey of Digital Forensics and Incident Response." Online. Available: 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP PIRCS/v1, Approved for Public Release 11/2014, PR