Solving Data Breach Points of Egress with Sophisticated Analysis

Christopher Andrews, CFCE, EnCE

Director, Kroll Advisory Solutions


About the speaker

  • Christopher Andrews is a Director for Kroll Advisory Solutions, formerly with Kroll Ontrack, the recognized worldwide leader in the computer forensics industry. 

  • Mr. Andrews conducts investigations involving the analysis of electronic media for litigation and is often called upon to provide expert testimony.

  • Previously, Mr. Andrews was a Special Agent with the Northern California Computer Crimes Task Force. He assisted more than 40 law enforcement agencies with the seizure and forensic examination of computers and related storage media.

  • Mr. Andrews is a member of many professional organizations, including IACIS and HTCIA and has been a speaker at several national conferences. He has also authored numerous articles.


Agenda

  • A recent case study

  • Witness interviews

  • Basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access

  • Log analysis

  • Timeline analysis

  • Exfiltration of data


A recent case study


Day One - Discovery

  • Victim is a health care provider

  • Victim customers call into help desk – unable to access the network

  • Victim IT finds unauthorized access to the network

  • Suspicious internal data traffic

  • Evidence of rootkits, remote access, and malware found by IT department


Day Three – Partnership

  • Three days since problem initially discovered

  • Forensics experts brought in to review the problem

    • Forensic imaging

    • Log collection

    • Interviews with IT personnel

    • Determining history of known vulnerabilities


Investigation - Findings

  • Proof of installation of malware, including a secure VPN tunnel used by the intruders

  • Evidence of customized .exe files used to modify the registry and gain shell access

  • Internet history includes visits to a Russian FTP site under the intruder's user profile

  • Download and launch of a Russian virtual server in the victim environment!

    • The rogue server was leased an IP address by the victim's own servers without triggering any alarms


Investigation - Decision

  • Victim password HASHES located on a Russian server

  • Over 2,000 files containing PHI had last accessed dates post-intrusion

  • These files were accessible, and the possibility that PHI was transferred could not be ruled out

  • Transaction logs that might have established exfiltration of data were destroyed or missing


Witness interviews


Response and Evidence Gathering

  • Goal:

    • Identify systems that are under attack or require analysis

    • Identify and document the population of systems and custodians in scope for internal investigation and analysis

    • Develop a protocol / collect volatile and static evidence

    • Preserve other forms of data and information


Identify and Interview Key Custodians, IT, and Other Witnesses

  • Take your time. Plan these out. This is a very important step.

  • Okay to gain general info in a group setting, but best to interview key witnesses individually.

  • Not an interrogation. Treat witnesses like victims of a crime BUT do not say anything that might get you in trouble later if the witness turns out to be a suspect!

  • Take lots of notes. Audio/video record?


Identify and Interview Key Custodians, IT, and Other Witnesses

  • Ideally, have a second investigator there to take notes and to rotate questions.

  • Get the witness's contact information and ask if it is OK to follow up later.

  • Leave the witness your card and tell them it is OK to contact you if they think of anything else.

  • Transcribe notes soon after interview. Note any follow-up questions.


Basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access


Back in the Lab – Some Basic First Steps

  • Start a tracking sheet: list all media, tasks to perform, notable findings, search terms (IP addresses, URLs, etc.)

  • Recover deleted files

  • Run scans for known and suspected malware using specialized malware scanning applications and hash matching against known-bad hash sets

  • Run keyword searches on all data (active, deleted, slack, unallocated) for common terms associated with malware, password stealing tools, and other intrusion artifacts


Windows Basics

  • Parse Registry hives for some basic items:

    • Auto-run (Run/RunOnce) lists, MRU lists, IP addresses leased (DHCP), unauthorized software, unauthorized user profiles, FTP lists, TypedURLs, drive mappings, MUICache, ShellBags, UserAssist, compression tools used (WinZip, WinRAR), etc.

    • Jump Lists are not in the Registry (they live under each profile's Recent\AutomaticDestinations and CustomDestinations folders) but belong in the same review

  • Parse Event logs, IIS, AV and other logs

  • Parse Prefetch files (if applicable: Prefetch is disabled by default on Windows Server editions)

  • Parse shell link (.lnk) files and Internet history

  • Look for unauthorized user folders and content
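UserAssist is a good illustration of what "parsing the Registry" means in practice. The following is an added example, not code from the presentation: it decodes Windows 7-style UserAssist entries (ROT13-obfuscated program name plus a 72-byte value carrying the run count at offset 4 and the last-execution FILETIME at offset 60) and lists programs run after the suspected intrusion time. The value bytes are constructed in code to stand in for what a hive parser would return from NTUSER.DAT; the program paths and times are made up.

```python
"""Decode Windows 7+ UserAssist entries (ROT13 name + 72-byte value).

Added example, not code from the presentation. The value bytes are constructed
here to stand in for what a hive parser returns from NTUSER.DAT under
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(name: str, data: bytes) -> Dict:
    """Parse one Win7+ UserAssist value.

    Layout (72 bytes): offset 4 = run count (uint32 LE), offset 60 = last
    execution FILETIME (uint64 LE). Other fields (focus count/time) are skipped.
    """
    if len(data) < 68:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(name, "rot13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def build_value(run_count: int, last_run: datetime) -> bytes:
    """Construct a 72-byte value for the demo (sample data, not from a real hive)."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed entries. {1AC14E77-...} is the known-folder GUID Windows uses for
# System32 in UserAssist names; the paths and times are made up for the demo.
SAMPLE_ENTRIES = {
    codecs.encode(r"C:\Program Files\WinRAR\WinRAR.exe", "rot13"):
        build_value(3, datetime(2011, 11, 22, 13, 5, 0, tzinfo=timezone.utc)),
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot13"):
        build_value(17, datetime(2011, 11, 22, 9, 30, 12, tzinfo=timezone.utc)),
    codecs.encode(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "rot13"):
        build_value(212, datetime(2011, 11, 18, 16, 40, 0, tzinfo=timezone.utc)),
}


def entries_after(entries: Dict[str, bytes], since: datetime) -> List[Dict]:
    """Decode every entry and return those last run at or after `since`, oldest first."""
    decoded = [decode_userassist(n, v) for n, v in entries.items()]
    hits = [d for d in decoded if d["last_run_utc"] and d["last_run_utc"] >= since]
    return sorted(hits, key=lambda d: d["last_run_utc"])


if __name__ == "__main__":
    intrusion = datetime(2011, 11, 22, 9, 21, tzinfo=timezone.utc)
    for e in entries_after(SAMPLE_ENTRIES, intrusion):
        print(f"{e['last_run_utc']:%Y-%m-%d %H:%M:%S}  runs={e['run_count']:<4} {e['program']}")
```

On a real case the names and bytes come from the intruder's NTUSER.DAT rather than SAMPLE_ENTRIES; the run count and last-run time are what let you say "WinRAR was launched under this profile a few hours after the AV was switched off", which is exactly the kind of search term the Malware slides ask for.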


Linux Basics

  • Parse syslog, bash history (.bash_history is written only when the shell exits by default, and is easily cleared) and other logs

  • Once notable dates are identified, search unallocated space for log records missing from those windows

  • Look for unauthorized user folders and content

    • Review /etc/passwd, /etc/shadow and /etc/group for added accounts, duplicate UID 0 entries, changed shells and empty password fields
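The Linux checks above can be scripted. The following is an added example, not code from the presentation: it parses a syslog slice, reports silences long enough to suggest deleted records (windows worth carving unallocated space for), flags lines whose timestamps run backwards, searches for known indicators, and reviews passwd/shadow excerpts for an added UID 0 account. Every log line, hostname, IP and account below is fabricated sample data.

```python
"""Triage constructed Linux artifacts from the scenario: a syslog slice with a
suspicious silence and an out-of-order line, plus /etc/passwd and /etc/shadow
excerpts containing an added UID-0 account. Added example, not code from the
presentation; every line below is fabricated sample data."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2011  # classic syslog timestamps carry no year; take it from the case

SYSLOG = """\
Nov 22 09:15:02 dbsrv01 sshd[2211]: Accepted password for backup from 10.20.1.14 port 51022 ssh2
Nov 22 09:19:47 dbsrv01 sshd[2290]: Accepted password for backup from 198.51.100.23 port 40118 ssh2
Nov 22 09:21:10 dbsrv01 useradd[2302]: new user: name=sysmon, UID=0, GID=0, home=/var/tmp/.sysmon, shell=/bin/bash
Nov 22 14:02:33 dbsrv01 sshd[3120]: Accepted publickey for sysmon from 198.51.100.23 port 40200 ssh2
Nov 22 13:58:01 dbsrv01 CRON[3101]: (root) CMD (run-parts /etc/cron.hourly)
Nov 22 14:05:09 dbsrv01 sshd[3120]: pam_unix(sshd:session): session closed for user sysmon
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
sysmon:x:0:0::/var/tmp/.sysmon:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$c0nstructed$notarealhash:15670:0:99999:7:::
daemon:*:15670:0:99999:7:::
backup:$6$c0nstructed$notarealhash2:15670:0:99999:7:::
sysmon::15670:0:99999:7:::
www-data:*:15670:0:99999:7:::
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")


def parse_syslog(text, year=LOG_YEAR):
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, proc, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": host, "proc": proc, "pid": pid, "msg": msg, "raw": line})
    return records


def find_gaps(records, max_gap=timedelta(hours=1)):
    """Silences longer than max_gap between consecutive lines, in file order.
    This host runs hourly cron jobs, so a multi-hour silence means lines are
    missing: carve unallocated space for records inside the returned windows."""
    return [(a["ts"], b["ts"]) for a, b in zip(records, records[1:]) if b["ts"] - a["ts"] > max_gap]


def find_out_of_order(records):
    """Indices of lines whose timestamp is earlier than the line above.
    syslog appends chronologically; a step backwards means the file was
    edited or re-assembled, or the system clock was changed."""
    return [i for i in range(1, len(records)) if records[i]["ts"] < records[i - 1]["ts"]]


def search_terms(records, terms):
    """Lines mentioning any known indicator (IP address, username, path)."""
    return [r for r in records if any(t in r["raw"] for t in terms)]


def review_accounts(passwd_text, shadow_text):
    """Flag extra UID-0 accounts, passwordless accounts, and homes in temp dirs."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw_hash = line.split(":")[:2]
            shadow[name] = pw_hash
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid == 0 and name != "root":
            findings.append((name, "uid0"))
        if name not in shadow:
            findings.append((name, "missing-shadow"))
        elif shadow[name] == "":
            findings.append((name, "empty-password"))
        if home.startswith(("/tmp", "/var/tmp", "/dev/shm")):
            findings.append((name, "home-in-tmp"))
    return findings


if __name__ == "__main__":
    recs = parse_syslog(SYSLOG)
    print("gaps:", find_gaps(recs))
    print("out of order:", [recs[i]["raw"] for i in find_out_of_order(recs)])
    print("indicator hits:", len(search_terms(recs, ["198.51.100.23", "sysmon"])))
    print("account findings:", review_accounts(PASSWD, SHADOW))
```

The gap threshold of one hour is tied to the hourly cron job in the sample; pick it from whatever the host is known to log on a schedule. A gap is a lead, not proof: the window it returns is where to search unallocated space for the carved-out records.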


RAM Basics

  • Parse for running processes

  • Parse for registry keys

  • Parse for drivers

  • Parse for open files

  • Run searches for known terms such as suspicious IP addresses/URLs

  • Other items (file carving?)


Malware

  • ID as much as possible. Is it known malware?

  • Reverse-engineer the malware if possible

    • Are there unique findings (strings, mutexes, file names, C2 addresses) that you can use as search terms?

    • Example: Hacker Defender (rootkit) / Hamachi (VPN client)

  • Does the malware even allow for the kind of activity that the victim is worried about?

    • Zeus variants, for example, are built for credential theft (form grabbing of typed URLs/passwords) and typically do not provide general remote access or bulk data exfiltration


Malware

  • Example: unauthorized activity on a server in our scenario on November 22, 2011 at 0921 hours

  • Symantec Endpoint Protection logs show the following activity from the suspect user profile:

  • Changed value 'HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'

    • That is, real-time (Auto-Protect) scanning was switched off on that host

  • A few hours later the following files were 'created' on the same server (file listing shown as a slide image)



Log analysis


Too Much Data!

  • Various kinds of log findings: consider software to aggregate them all together

    • Generally, we want to normalize the log data (one timestamp format, one time zone, one record layout)

    • Free tools like Splunk (free tier), DAD, many others

  • Take into account date/time differences: time zones, clock skew between hosts, and UTC vs. local time (IIS W3C logs are written in UTC by default, while Windows event logs and most application consoles display local time)

  • Focus on known suspicious findings such as IP addresses, dates/times of suspected intrusion, etc.

  • Databases are somewhat unique: their logs often live inside the database itself and may require special queries to get the records you need
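What "normalize the log data" comes down to is shown in the following added example, which is not code from the presentation. Three constructed sources are merged into one UTC timeline: an IIS W3C log (timestamps in UTC), a Windows Security event export (local time) and an AV console export (local time); the intruder's IP is then pulled out of the merged timeline and the Auto-Protect tamper event is flagged. Hostnames, accounts and IPs are fabricated, the two CSV layouts are invented for the demo rather than any vendor's real export format, and the site time zone (US Pacific Standard Time) is an assumption; only the registry message is the one quoted on the Malware slide.

```python
"""Normalize three constructed log sources into one UTC timeline: an IIS W3C
log (UTC by default), a Windows Security event export (local time) and an AV
console export (local time). Added example, not code from the presentation;
hostnames, accounts and IPs are fabricated, and the CSV layouts are invented
for the demo (the registry message is the one quoted on the Malware slide)."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-8))  # assumption: site clocks on US Pacific Standard Time

IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-11-22 17:20:41 10.20.1.5 GET /portal/login.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2011-11-22 17:22:03 10.20.1.5 POST /portal/export.aspx type=patients 443 jsmith 198.51.100.23 Mozilla/5.0 200
2011-11-22 17:40:10 10.20.1.5 GET /portal/home.aspx - 443 mlee 10.20.3.77 Mozilla/5.0 200
"""

EVENTLOG_CSV = r"""time,host,event_id,account,source_ip,message
2011-11-22 09:19:52,WEBFE01,4624,CORP\svc_backup,198.51.100.23,An account was successfully logged on (Logon Type 10)
2011-11-22 09:23:41,WEBFE01,4720,CORP\svc_backup,-,A user account was created: CORP\sysmon
"""

AV_CSV = r"""time,host,user,event
2011-11-22 09:21:00,WEBFE01,CORP\svc_backup,Changed value 'HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'
2011-11-22 11:48:15,WEBFE01,CORP\svc_backup,New file created: C:\Windows\Temp\svchosts.exe
"""


def parse_iis(text):
    """W3C extended format: the '#Fields:' directive names the columns; timestamps are UTC."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            query = "" if row["cs-uri-query"] == "-" else "?" + row["cs-uri-query"]
            events.append({"ts": ts.replace(tzinfo=timezone.utc), "source": "iis", "host": row["s-ip"],
                           "actor": row["cs-username"],
                           "msg": f"{row['cs-method']} {row['cs-uri-stem']}{query} from {row['c-ip']} status {row['sc-status']}"})
    return events


def parse_local_csv(text, source, actor_col, msg_fmt, tz=LOCAL_TZ):
    """Shared parser for the two console exports, which stamp events in local time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        events.append({"ts": local.astimezone(timezone.utc), "source": source, "host": row["host"],
                       "actor": row[actor_col], "msg": msg_fmt.format(**row)})
    return events


def build_timeline(*event_lists):
    """Merge normalized events and order them by UTC time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def search(timeline, term):
    """Known-indicator filter, e.g. the intruder's IP or an account name."""
    return [e for e in timeline if term in e["msg"] or term in e["actor"]]


TAMPER_RE = re.compile(r"RealTimeScan\\OnOff' from '1' to '0'")  # real-time scanning switched off


def tamper_events(timeline):
    return [e for e in timeline if TAMPER_RE.search(e["msg"])]


def all_events():
    return build_timeline(
        parse_iis(IIS_LOG),
        parse_local_csv(EVENTLOG_CSV, "seclog", "account", "EventID {event_id} from {source_ip}: {message}"),
        parse_local_csv(AV_CSV, "av", "user", "{event}"),
    )


if __name__ == "__main__":
    for e in all_events():
        flag = " <-- AV tamper" if TAMPER_RE.search(e["msg"]) else ""
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}Z {e['source']:<6} {e['host']:<10} {e['actor']:<17} {e['msg']}{flag}")
```

Once every source carries a UTC timestamp the IIS login at 17:20:41Z, the Auto-Protect change at 09:21 local and the 4624 logon from the same IP line up within two minutes of each other; without the time zone correction the IIS entries would appear eight hours after everything else and the pattern would be invisible.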


Timeline analysis


Art and Science

  • Aggregate your computer forensics (CF) findings into one location, like a spreadsheet or database

  • Look for common dates such as created/generated, last written/modified, last accessed/opened, last run, etc.

  • Use automated tools to assist, such as the SANS SIFT workstation

  • Be careful with overly simple interpretation!

    • Last Accessed is not much use in most cases: Windows Vista and later disable last-access updates by default (NtfsDisableLastAccessUpdate=1), and Windows XP defers the update by up to an hour

    • Don't assume dates from malware and unauthorized access are 100% accurate! Intruders can timestomp files, and malware often carries forged compile or file times


Exfiltration of data


Two Basic Ways to Approach This Topic

  • Top-down approach: start with all data and, based on the CF findings, work out what the suspect might have accessed

    • Requires a lot of review and you could end up with a lot of non-relevant data

    • Findings can be inconclusive if Windows profiles were hijacked

  • Bottom-up approach: Limit the review to known data that the VM has identified as important

    • Examples would be PHI within an SQL database, PII records in an Excel file, etc.


Direct Evidence or Circumstantial?

  • The more findings the better. More machines = more evidence = PATTERNS

  • Review all CF findings, logs, etc. Run new searches as needed. Example: IP address lists typically get longer…

  • Consider “Online Analytics”. You might find “the smoking gun”!

  • Can file(s) be ruled out? Example: consider file system metadata. Is Last Accessed an accurate date? If so can notable files be ruled out?


Notification/Numbers of PHI/PII Records – 3 approaches

  • Known records based on solid CF findings

  • Extrapolated records based on solid CF findings + logs and other data

  • Theoretical records based on means, motive, opportunity

    • Top-down? Can we eliminate some records?

    • Bottom-up? Do we low-ball based on CF findings and hope that we are right?
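The "can files be ruled out?" question and the three counting approaches fit together in one piece of logic, shown in the following added example (not code from the presentation). It buckets PHI-bearing files into known, extrapolated and theoretical record counts from their file-system timestamps and a set of files with direct forensic evidence of access, and it applies the Last Accessed caveat: when NtfsDisableLastAccessUpdate is 1, the timestamp can neither add a file to the extrapolated count nor rule one out. The file inventory, record counts, intrusion window and direct-evidence set are all constructed for the demo.

```python
"""Scope PHI exposure from file-system metadata: which files can be ruled out,
and the known / extrapolated / theoretical record counts from the slide.
Added example with constructed file metadata, not code from the presentation.
It honours the caveat that Last Accessed only means something when the volume
actually maintained it."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PhiFile:
    path: str
    records: int            # PHI records in the file (constructed counts)
    last_accessed: datetime
    last_modified: datetime


def last_access_reliable(ntfs_disable_last_access_update: int) -> bool:
    """NTFS maintains Last Accessed only when this registry value
    (HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem) is 0. Vista and later
    default it to 1, so on those volumes the timestamp cannot rule anything out."""
    return ntfs_disable_last_access_update == 0


def scope_records(files, direct_evidence_paths, window, access_reliable):
    """Bucket files the three ways the slide describes.

    known        : files with direct CF evidence of access (e.g. in the intruder
                   profile's shell link files or Jump Lists)
    extrapolated : known + files whose Last Accessed falls inside the intrusion
                   window, if that timestamp is reliable
    theoretical  : everything the intruder could reach that cannot be ruled out
    """
    start, end = window
    known = [f for f in files if f.path in direct_evidence_paths]
    extrapolated = list(known)
    ruled_out = []
    for f in files:
        if f in known or not access_reliable:
            continue  # unreliable timestamps prove nothing either way
        if f.last_accessed < start and f.last_modified < start:
            ruled_out.append(f)         # untouched since before the intrusion began
        elif start <= f.last_accessed <= end:
            extrapolated.append(f)      # opened during the intruder's window
        # accessed after the window: later activity overwrote the evidence, stays theoretical
    theoretical = [f for f in files if f not in ruled_out]

    def total(fs):
        return sum(f.records for f in fs)

    return {"known": total(known), "extrapolated": total(extrapolated),
            "theoretical": total(theoretical), "ruled_out": [f.path for f in ruled_out]}


# Constructed inventory of PHI-bearing files on the compromised file server.
SAMPLE_FILES = [
    PhiFile(r"F:\Records\patients_2010.xlsx", 1200, datetime(2011, 11, 22, 10, 2), datetime(2011, 6, 1, 8, 0)),
    PhiFile(r"F:\Records\billing_q3.xlsx", 800, datetime(2011, 11, 22, 11, 15), datetime(2011, 10, 1, 9, 30)),
    PhiFile(r"F:\Archive\archive_2008.mdb", 5000, datetime(2011, 3, 15, 14, 0), datetime(2009, 1, 10, 12, 0)),
    PhiFile(r"F:\Intake\intake_forms.pdf", 300, datetime(2011, 11, 25, 9, 5), datetime(2011, 11, 1, 16, 0)),
]
DIRECT_EVIDENCE = {r"F:\Records\patients_2010.xlsx"}   # e.g. a .lnk in the intruder's Recent folder
INTRUSION_WINDOW = (datetime(2011, 11, 22, 9, 21), datetime(2011, 11, 22, 18, 0))


if __name__ == "__main__":
    for setting in (0, 1):
        reliable = last_access_reliable(setting)
        print(f"NtfsDisableLastAccessUpdate={setting}: "
              f"{scope_records(SAMPLE_FILES, DIRECT_EVIDENCE, INTRUSION_WINDOW, reliable)}")
```

With last-access updates enabled the archive database drops out and the notification number sits between 1,200 (known) and 2,300 (theoretical); with the Vista-and-later default the same metadata supports nothing beyond the known files, and the theoretical figure balloons to every record the intruder could reach. That difference is why the "is Last Accessed accurate?" check has to come before any record count is quoted.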


Questions & Discussion

