Five Point Palm Exploding Heart Technique for Forensics

Transcription

The Five Point Palm Exploding Heart Technique for Forensics Andrew Hay
The 451 Group
The 451 Group 451 Research is focused on the business of enterprise IT innovation. dŚĞĐŽŵƉĂŶǇ͛ƐĂŶĂůǇƐƚƐƉƌŽǀŝĚĞĐƌŝƚŝĐĂůĂŶĚƚŝŵĞůǇŝŶƐŝŐŚƚinto the competitive dynamics of innovation in emerging technology segments. Tier1 Research is a single-‐source research and advisory firm covering the multi-‐tenant datacenter, hosting, IT and cloud-‐computing sectors, blending the best of industry and financial research. The Uptime Institute ŝƐ͚dŚĞGlobal Data Center ƵƚŚŽƌŝƚǇ͛and a pioneer in the creation and facilitation of end-‐user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities. TheInfoPro is a leading IT advisory and research firm that provides real-‐world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide. ChangeWave Research is a research firm that identifies and quantifies ͚ĐŚĂŶŐĞ͛in consumer spending behavior, corporate purchasing, and industry, company and technology trends. Introductions Andrew Hay Senior Security Analyst, The 451 Group Author, Speaker and Blogger Coverage Areas: ESIM (SIEM & Log Management) IT-‐GRC Forensics & Incident Response Intrusion Detection/Prevention Macro research areas: [Nation State] Cyber Security & Critical Infrastructure Protection What is this talk about?

Forensics has traditionally been viewed as very system-‐specific Only recently, has external (off of the target machine) sources of ĐŽƌƌŽďŽƌĂƚŝŶŐĞǀŝĚĞŶĐĞďĞĞŶĐŽŶƐŝĚĞƌĞĚ͚ǀĂůƵĂďůĞ͛ďǇŝŶǀĞƐƚŝŐĂƚŽƌƐ Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html
ƐƐĞŶƚŝĂůůǇ͕ǁĞŶĞĞĚůĞƐƐŽĨƚŚŝƐ͙ Image Source: http://preview.tinyurl.com/3wtpgre
ŶĚŵŽƌĞŽĨƚŚŝƐ͙ Image Source: http://preview.tinyurl.com/3ux8bo6
/ĚĞĂĨŽƌƚŚŝƐƚĂůŬ͙

The idea for this talk came from dĂƌĂŶƚŝŶŽ͛ƐKill Bill two-‐part epic revenge drama In it, martial arts master Pai Mei ƚĞĂĐŚĞƐ͚dŚĞƌŝĚĞ͛ĂƚĞĐŚŶŝƋƵĞ
wherein pressure points on the victim's chest are struck leaving them with a few footsteps before their death This technique is referred to as ƚŚĞ͚&ŝǀĞWŽŝŶƚWĂůŵǆƉůŽĚŝŶŐ
Heart dĞĐŚŶŝƋƵĞ͛ Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg
So what are the five points? Data Reduction Corroborators Orchestration Network Forensics Platform Forensics Point 1 ʹ Platform forensics

͚dƌĂĚŝƚŝŽŶĂůĨŽƌĞŶƐŝĐƐ͛ No one will argue that the artifacts residing on the suspect endpoint hold lots of information Volatile memory, application ĂƌƚŝĨĂĐƚƐĂŶĚŽƚŚĞƌ͚ĨŽŽƚƉƌŝŶƚƐ͛ One should be cognizant, however, of the other sources of information spread throughout an enterprise environment NOT residing on the target system Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/
Point 1 ʹ Platform forensics: possible tools Platform Forensics Point 2 ʹ Network forensics If a host needs to talk to the world, it needs to leverage the network Likewise, if an attacker interacted with the machine remotely there may be a trail Deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines Image Source: http://www.imdb.com/media/rm2382076160/ch0001814
Point 2 ʹ Network forensics: possible tools Network Forensics Point 3 ʹ Data reduction

Feeds and sources of third party data that help analysts ĨŽĐƵƐŽŶƚŚĞ͚ďĂĚ͛ Why look at what we know ǁĞĚŽŶ͛ƚŶĞĞĚƚŽůŽŽŬĂƚ͍ ͚'ĞƚďǇ͛ǁŝƚŚĂůŝƚƚůĞŚĞůƉ
from your friends Application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc. Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 3 ʹ Data reduction: possible sources Data Reduction Point 4 ʹ Corroborators ͚,ĞůƉĞƌƐ͛ŽƌƐŽƵƌĐĞƐŽĨ
additional information Vulnerability & patch management Perimeter detection/protection Endpoint protection Change, configuration and policy management System management DLP, NAC, etc. Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 4 ʹ Corroborators: possible sources Corroborators Point 5 ʹ Orchestration Tools designed to correlate, normalize and alert on enterprise information (not just security information) Central repositories of ŝŶĨŽƌŵĂƚŝŽŶĂƌĞ͙ǁĞůů͙central repositories of information! SIEM, log management, IT GRC, compliance management, etc. Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html
Point 5 ʹ Orchestration: possible tools Orchestration What will it look like? Data Reduction Corroborators Orchestration Network Forensics Platform Forensics The result? Many hands make light work ʹ this extremely true with regards to forensics Evidence on a system can almost always be enriched by external sources of corroborating evidence Hindsight is 20/20 ʹ deploy now to help later Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/
The result? Vendors must strive to ͚ƉůĂǇ
ƚŽŐĞƚŚĞƌ͛ĨŽƌƚŚŝƐŝŶƚĞŐƌĂƚŝŽŶƚŽ
work Some vendors are starting down this path but primarily to enrich their own data WE need to teach non-‐
forensics vendors the value of forensic data WE need to teach forensics vendors the value of integration Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg
The result? Image Source: http://en.wikipedia.org/wiki/File:Clenched_human_fist.png
Thank zŽƵ͙ Questions? Questions? [email protected]