Streamlined Malware Incident Response with EnCase


Streamlined Malware Incident Response
www.encase.com/ceic

C:\>whoami
- Joseph R. Salazar
- Information Technology since 1995
- Information Security since 1997
- Major (retired, USAR) with 22 years as a Counterintelligence Agent, Military Intelligence Officer, and Cyber-Security Officer
- EnCE, CISSP, CEH, and some other stuff
- Practitioner of Safe-Sarcasm
Page 2
Joseph Salazar 1

C:\>telnet audience.org 80
Audience assumptions:
- You know how to use EnCase to conduct a forensic examination and find files
- You have some exposure to EnCase Enterprise
- You have some knowledge of EnCase Cybersecurity
- You are interested in protecting your environment and users from malware
Page 3

Objectives
- To outline a framework that minimizes user and system exposure to malware
- To give advice on supporting infrastructure and processes
- To show the flexibility of EnCase Enterprise and Cybersecurity
Page 4

Why?
- Isn't Anti-Virus enough to detect and remediate malware threats?
- Is Malware really that big of a deal?
- Aren't malware sandboxes good enough?
- Isn't this a waste of time?
Page 5

Because
- Malware is a real threat
- Relying on AV is ineffective
- Malware Sandboxes are not a panacea
- Users are bad at security
Page 7

The malware threat
- Malware economy
  - Generate malicious code
  - Distribution network
  - Command and Control
  - Money mules
  - Money laundering and shipping
  - Data Theft
Page 8

AV (in)effectiveness
- Imperva Hacker Intel monthly trend report #14
- "Antivirus is dead" (Symantec exec)
- Damballa research findings
- Lastline Labs findings
- Evading signature detection
Page 9

Sandboxes and users
- Techniques to evade Sandbox detection
  - Escape the sandbox
  - Make it wait
- Users: the weakest link
  - Bromium survey
Page 10

Common EnCase uses
- Traditional investigations
- Static deadbox investigations
  - Misconduct
  - Malfeasance
  - Illegal activity
- Full system forensics: 10-40 hours (or more)
Page 11

Uncommon EnCase uses
- Malware investigations (The 90's called. They want their virus protection back)
- Malware Incident Response
  - 1-3 hours detection to closure; faster with commodity malware
  - EnCase Enterprise critical to timeframe
  - EnCase Cybersecurity for automation and remediation
Page 12

Requirements
- Network based detection
- Host based detection
- System/user identification
- Local/network logs
- Supporting policies
- Investigative process
Page 13

Typical investigative flow
- Network monitoring/traffic/AV alerts
- Locate host/user through proxy/VPN/firewall logs or via network forensic analysis
- Research possible malicious executable by extracting from pcap and verifying via online resources
(Flow diagram: Alert > Locate > Research > Investigate > Remediate)
Page 14

Typical investigative flow (continued)
- Investigate potential infection with EnCase Enterprise, and confirm positive or negative result
- Remediation via wipe
  - Submit system for wipe/reimage, or
  - Use EnCase Cybersecurity to remediate via selective forensic wipe
(Flow diagram: Alert > Locate > Research > Investigate > Remediate)
Page 15

Process highlights
- Try to wipe all infected systems, with a safe data transfer
  - Data files only
  - No exe transfers
- Mandatory password change for data-stealing malware
Page 16
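The Alert > Locate > Research steps on the two slides above are, in practice, a log-correlation problem: an alert carries only a source address and a time, and the address must be mapped to a user for that moment (VPN pools and DHCP reuse addresses) before the proxy log can say what that user downloaded. The script below is an added example written for this page, not EnCase code and not the presenter's; the VPN, proxy and alert records are constructed, their formats are assumed, and the hostnames are placeholders.

```python
"""Alert -> Locate -> Research correlation over constructed log lines.
Added illustration of the deck's investigative flow; not EnCase code.
The log formats are made up for the example; map them to your own
proxy/VPN/firewall formats."""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class VpnSession(NamedTuple):
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]   # None = still connected


# Constructed VPN address-assignment log. Note the same pool address is
# handed to a second user later in the day.
VPN_LOG = """\
2014-05-06T09:55:00 vpn assign user=jdoe ip=10.8.0.23
2014-05-06T11:20:00 vpn release user=jdoe ip=10.8.0.23
2014-05-06T11:45:00 vpn assign user=asmith ip=10.8.0.23
""".splitlines()

# Constructed proxy log: time client-ip user method url status mime-type
PROXY_LOG = """\
2014-05-06T10:01:58 10.8.0.23 jdoe GET http://ads.example.invalid/banner.js 200 application/javascript
2014-05-06T10:02:13 10.8.0.23 jdoe GET http://cdn.example.invalid/update.exe 200 application/x-msdownload
2014-05-06T10:02:40 10.8.0.23 jdoe GET http://intranet.example.invalid/home 200 text/html
2014-05-06T12:00:02 10.8.0.23 asmith GET http://cdn.example.invalid/tool.exe 200 application/x-msdownload
""".splitlines()

# Constructed network-sandbox alert: the event that starts the flow.
ALERT = {"time": "2014-05-06T10:02:15", "src_ip": "10.8.0.23"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_vpn_sessions(lines: List[str]) -> List[VpnSession]:
    """Pair assign/release events into sessions so an address maps to a user
    only for the interval it was actually leased to that user."""
    open_sessions, sessions = {}, []
    for line in lines:
        when, _, action, user, ip = line.split()
        user, ip = user.split("=", 1)[1], ip.split("=", 1)[1]
        if action == "assign":
            open_sessions[ip] = VpnSession(user, ip, _ts(when), None)
        elif action == "release":
            sessions.append(open_sessions.pop(ip)._replace(end=_ts(when)))
    sessions.extend(open_sessions.values())   # still-connected users
    return sessions


def locate_user(sessions: List[VpnSession], ip: str, at: datetime) -> Optional[str]:
    """Locate step: who held this address at the alert time? Addresses are
    reused, so the match must be time-bounded, not just ip == ip."""
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
            return s.user
    return None


def who_had_address(ip: str, when: str) -> Optional[str]:
    return locate_user(parse_vpn_sessions(VPN_LOG), ip, _ts(when))


def executable_downloads(lines: List[str], user: str, at: datetime,
                         window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Research step: executables the user fetched shortly before the alert;
    these are the candidates to carve from pcap and submit to a sandbox or
    online hash lookup."""
    hits = []
    for line in lines:
        when, _ip, who, _method, url, _status, mime = line.split()
        if who == user and mime == "application/x-msdownload" \
                and at - window <= _ts(when) <= at:
            hits.append(url)
    return hits


def investigate(alert=ALERT):
    """Run Alert -> Locate -> Research and return (user, candidate URLs)."""
    at = _ts(alert["time"])
    user = locate_user(parse_vpn_sessions(VPN_LOG), alert["src_ip"], at)
    return user, executable_downloads(PROXY_LOG, user, at)


if __name__ == "__main__":
    print(investigate())
```

The time-bounded session match is the point of the example: a naive join on address alone would blame asmith for jdoe's download once the pool address is reassigned, and would produce an empty result for an alert that arrives between the release and the next assignment.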

Process highlights
- Lower reliance on AV for detection and remediation
  - Poor detection rates
  - Cleaning function is optimistic, and limited to what is detected
  - Virus definition dependency limits scope
Page 17

Process highlights
- EnCase Cybersecurity as remediation option
  - Good for selective file deletion at the disk level
  - Time savings vs. certainty of full wipe
Page 18

Process highlights
- 3 Tier investigation
  - Tier 1.0 - quick investigation
  - Tier 1.5 - deep malware investigation
  - Tier 2.0 - full forensic investigation
Page 19

Process highlights
- The documented process is the incident report
  - Documented process
  - Easier knowledge transfer
  - Duplicable
  - Auditable/Verifiable
  - Investigation record
Page 20

Supporting infrastructure
- Network Based Sandboxes
- Network Forensic Analysis
- Network Based Detection
- Log Analysis
- EnCase
Page 21

Supporting infrastructure
- Network Based Sandboxes
  - Analyzes executables detected in network traffic
  - Categorizes executables as benign or malicious
  - Monitors ingress/egress points
  - Interrogates all traffic to user zones
  - Sends alerts on findings
Page 22

Supporting infrastructure
- Network Forensic Analysis
  - Full pcap storage
  - Session replay
  - File extraction from traffic
  - AD integration
  - Alerting capabilities
Page 23

Supporting infrastructure
- Network Based Detection
  - IDS alerts
  - Proxy alerts
  - Firewall
- Host Based Detection
  - Antivirus
  - System integrity monitoring
Page 24

Supporting infrastructure
- Log Analysis
  - Web proxy logs
  - Firewall logs
  - VPN logs
  - Host logs
- EnCase Enterprise/Cybersecurity
  - The ACTUAL investigation/remediation tools
Page 25

What is malware?
- Dictionary.com: "Software intended to damage a computer, mobile device, computer system, or computer network, or take partial control over its operation"
Page 26

Infection vectors
- How does malware get onto a system?
- Unsecured server
  - Third party ad servers serving malicious ads
  - Compromised server serving up malware
- Careless user action
  - Clicking on email attachments
  - Following links to malicious sites
Page 27

Malware infection phases
- 3 phases to a malware infection
  - Exploit kit: exploits a vulnerability on the system that allows for execution of arbitrary code
  - Dropper: small utility file that downloads the main malware binaries
  - Malware: the actual malicious executable
Page 28

Malware evasion techniques
- Wrapping
- Obfuscation
- Packers
- Anti-debugging
- Targeting
Page 29

Signature detection
- How does signature detection work?
  - File byte sequences
  - File hash
  - Test file sample against a signature database
- How does malware evade this?
  - Packing/Repacking an executable
  - Encryption
  - Polymorphism
Page 30

Finding malware
- Where do you look for these files?
  - User temp directories
  - User internet cache directories
  - Java cache
- What do you look for?
  - Renamed files (scvhost.exe, rundii.exe, etc.)
  - Weird names (lexical rules)
  - Legitimate files running out of different folders
Page 31

Finding malware
- Persistence mechanisms?
  - Registry auto runs
  - Startup folder
- File properties?
  - Time stomp
  - Hidden/System file attribute?
Page 32

Confirming malware
- Submit to network sandbox
  - Cuckoo
  - Anubis
- Submit to online virus database
  - VirusTotal.com
  - VirScan.org
  - Totalhash.com
- Reversing with IDA Pro or similar
Page 33

EnScripts and automation
Page 34

Automating detection
- Indications of Compromise (EnScriptable)
  - EnScript checks all entries against all scripted IOCs
  - File Signature Analysis
  - Executables in the wrong places
  - Unexpected running processes
  - Modified or blank time stamps
  - Lexical/short file names
  - Many other detections
- Tuning of false alert results
Page 35

Manual detections
- Other IOCs (not scriptable)
  - Java temp files (may be scriptable)
  - Timeline to alert correlation
  - Executables in user program directory
  - Alert to file system correlation
- Unfortunately, there is no "Find malware" EnScript
Page 36

Wrap-up
Page 37

Questions?
Page 38