
Investigative Trees – Converting Attack Trees into Guides for Incident Response






Presentation Transcript


  1. Investigative Trees – Converting Attack Trees into Guides for Incident Response Rodney Caudle December 2009 GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective • Setting the Stage • Basics of Investigative Trees • Rules for Building Investigative Trees • Example: Corporate E-Mail Espionage • Demo: iTree.pm

  3. Setting the Stage • Multi-site corporation • Information leakage suspected • Insider suspected • Factor: outsourced IT • You’re the objective third party

  4. Investigative Trees • Designed to answer one question: given a fixed amount of resources, which investigation will yield the result with the most confidence for a given outcome?

  5. Building a Tree • Ask a question • Split it into smaller questions, and keep splitting until each question is small enough to act upon • Build procedures to answer each question; there may be more than one way to answer it • Add parameters to provide perspectives

  6. Rules for iTrees • The root node is the goal or outcome • Child (leaf) nodes represent the conditions for meeting the parent node’s goal • “OR” leaf nodes: the parent is met if any one child is met • “AND” leaf nodes: the parent is met only if every child is met • All nodes should be Boolean in nature (answerable as true or false)

  7. Rules (cont’d.) • Additional parameters can be added to provide perspectives • A leaf node may become the root node of a sub-tree, which can be saved to a library and reused

  8. General Parameters • Confidence – level of trust in the answer • Confidence (impacted) – level of trust once the node is marked as impacted • Impacted – true or false • Weight – importance relative to neighbouring nodes • Category – label for organizing nodes

  9. Other Parameters • Cost • Time • Rate • Units • Dependency • Early Start • Early Finish • Late Start • Late Finish • Slack Time (the last six are the critical-path scheduling parameters, so an investigation can be planned like a project)

  10. Example: Corporate E-Mail • Root question: can we verify the vector for delivering the e-mails? • Next, define the leaf nodes (sub-goals)

  11. Leaf Nodes (OR) – verifying any one of these answers the root question • Were the e-mails sent via the Outlook-Exchange method? • Were the e-mails sent via the web-based OWA method? • Were the e-mails sent via a mobile device method? • Were the e-mails sent via SMTP through a gateway?

  12. Continue Expanding • Were the e-mails sent via SMTP through a gateway? • Can we verify the presence of SMTP headers in the original e-mail? • Can we verify the presence of the e-mail(s) in the log events from the SMTP gateway server?

  13. Add Steps to Get the Answers • Can we verify the presence of SMTP headers in the original e-mail? • Can we recover the SMTP headers from the original e-mail? • Can we recover a copy of the original e-mail from the desktop or laptop? • Does the e-mail contain SMTP headers (RFC 821)?
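The tree rules from slides 5 to 9 and the e-mail example from slides 10 to 13, worked as an added Python example (this is not the talk’s iTree.pm Perl module): a node type with AND/OR semantics, Boolean answers, confidence, weight and cost; an evaluator that propagates answers and confidence up to the root; a greedy planner for slide 4’s fixed-budget question; and the RFC 821 Received-header check behind the last leaf on slide 13. The costs, weights, confidences, procedure outcomes and the sample message are constructed for the example, and the aggregation rule (a proven OR is as confident as its strongest proving child, a proven AND as its weakest required child) is one reasonable choice, not something the talk specifies.

```python
"""Investigative tree (iTree) evaluator: AND/OR nodes with Boolean answers,
confidence and weight, plus a budgeted "what do I investigate next" planner.
Added example; this is not the iTree.pm Perl module from the talk."""
from dataclasses import dataclass, field
from email import message_from_string
from typing import Callable, Optional


@dataclass
class Node:
    question: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    children: list = field(default_factory=list)
    procedure: Optional[Callable[[], bool]] = None  # how a leaf obtains its Boolean answer
    answer: Optional[bool] = None  # None = not investigated yet
    confidence: float = 1.0        # level of trust in the answer once obtained, 0..1
    weight: float = 1.0            # importance relative to sibling nodes
    cost: float = 1.0              # effort to run the procedure (assumed unit: analyst hours)
    category: str = ""


def evaluate(node):
    """Return (answer, confidence); unanswered leaves propagate as (None, 0.0).
    Aggregation (a choice, not from the talk): a proven OR takes the strongest proving
    child, a proven AND the weakest required child, and symmetrically for refutations."""
    if node.kind == "LEAF":
        return node.answer, (node.confidence if node.answer is not None else 0.0)
    results = [evaluate(c) for c in node.children]
    trues = [conf for ans, conf in results if ans is True]
    falses = [conf for ans, conf in results if ans is False]
    if node.kind == "OR":
        if trues:
            return True, max(trues)
        if len(falses) == len(results):
            return False, min(falses)
        return None, 0.0
    if node.kind == "AND":
        if falses:
            return False, max(falses)
        if len(trues) == len(results):
            return True, min(trues)
        return None, 0.0
    raise ValueError(f"unknown node kind {node.kind!r}")


def pending_leaves(node):
    """Leaves that still have no answer, in tree order."""
    if node.kind == "LEAF":
        return [node] if node.answer is None else []
    return [leaf for child in node.children for leaf in pending_leaves(child)]


def plan(root, budget):
    """Slide 4's question, answered greedily: run the unanswered leaves with the best
    weight-per-cost ratio that still fit inside the budget."""
    chosen, spent = [], 0.0
    for leaf in sorted(pending_leaves(root), key=lambda l: l.weight / l.cost, reverse=True):
        if spent + leaf.cost <= budget:
            chosen.append(leaf)
            spent += leaf.cost
    return chosen


def run(leaf):
    """Execute a leaf's procedure and record its Boolean answer."""
    leaf.answer = bool(leaf.procedure())
    return leaf.answer


def has_received_headers(raw_message):
    """Leaf check from slide 13: does the message carry the Received: trace lines
    that RFC 821 requires each receiving SMTP server to prepend?"""
    return len(message_from_string(raw_message).get_all("Received", [])) > 0


# Constructed sample: a recovered message with one gateway hop (not real evidence).
SAMPLE_EMAIL = (
    "Received: from mail.example.com ([192.0.2.10]) by gw.example.com "
    "with ESMTP; Mon, 7 Dec 2009 10:00:00 -0500\r\n"
    "From: alice@example.com\r\nTo: bob@example.net\r\n"
    "Subject: Q4 numbers\r\n\r\nSee attached.\r\n"
)


def build_email_tree():
    """Slides 10-13 as a tree. Costs, weights, confidences and outcomes are constructed."""
    recovered = Node("Can we recover a copy of the original e-mail from the desktop or laptop?",
                     procedure=lambda: True, confidence=0.9, weight=2, cost=4)
    headers = Node("Does the e-mail contain SMTP headers (RFC 821)?",
                   procedure=lambda: has_received_headers(SAMPLE_EMAIL),
                   confidence=0.8, weight=2, cost=0.5)
    gateway_logs = Node("Can we verify the presence of the e-mail(s) in the SMTP gateway log events?",
                        procedure=lambda: True, confidence=0.7, weight=3, cost=8)
    via_smtp = Node("Were the e-mails sent via SMTP through a gateway?", kind="OR", children=[
        Node("Can we verify the presence of SMTP headers in the original e-mail?",
             kind="AND", children=[recovered, headers]),
        gateway_logs,
    ])
    return Node("Can we verify the vector for delivering the e-mails?", kind="OR", children=[
        Node("Were the e-mails sent via the Outlook-Exchange method?", cost=6),
        Node("Were the e-mails sent via the web-based OWA method?", cost=6),
        Node("Were the e-mails sent via a mobile device method?", cost=3),
        via_smtp,
    ])


if __name__ == "__main__":
    tree = build_email_tree()
    for leaf in plan(tree, budget=4.5):   # 4.5 hours buys the header check (0.5) and the recovery (4)
        print(f"run: {leaf.question} -> {run(leaf)}")
    print("root:", evaluate(tree))        # (True, 0.8): the SMTP-gateway branch is proven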

  14. Demo: iTree.PM • Perl module to automate the investigation tree creation process

  15. Summary • Investigative trees = good investment • The design supports a knowledge base (KB) natively • Easy to expand and share information • Perl modules available for creation and automation: www.investigativetrees.com
