Topics
Real Incident Response Tactics
· Preparation: Key tools, techniques, and procedures an incident response team needs to properly respond to intrusions
· Identification: Proper scoping of an incident and detecting all compromised systems in the enterprise
· Containment: Identification of exactly how the breach occurred and what was stolen
· Eradication: Determining the key steps that must be taken to help stop the current incident
· Recovery: Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise
· Lessons Learned
Threat and Adversary Intelligence
· Importance of Cyber Threat Intelligence
· Understanding the "Kill Chain"
· Threat Intelligence Creation and Use During Incident Response
· Incident Response Team Life-Cycle Overview
· Incident and Malware Detection - All Activity across a Specific System
· Enterprise Incident Response/Forensics - Specific Activity across All Systems
Remote and Enterprise Incident Response
· Remote System Access in the Enterprise
· Remote System Host-Based Analysis
· Scalable Host-Based Analysis (one analyst examining 1,000 systems)
· Remote Memory Analysis
Windows Live Incident Response
· Live Incident Response Kit and Tools
· Volatile Data Collection
· Comparison of Key Data Collected via Live Collection, Static Drive, and Memory Analysis Techniques
· Auto-Start Malware Persistence Checks
· Trusted Windows Command Shells
· Finding Evil: Automating Collection across the Enterprise
· Remote Command Shell Usage - PsExec
· Incident Response Using PowerShell
· Live Response Key Tools
Exercises
· SIFT Workstation 3 orientation
· Mounting remote/local drives via SIFT Workstation
· Remote enterprise memory acquisition using F-Response Enterprise
· Remote enterprise response and analysis using F-Response Enterprise
Topics
Memory Acquisition
· Acquisition of System Memory from both Windows 32/64-Bit Systems
· Hibernation and Pagefile Memory Extraction and Conversion
· Virtual Machine Memory Acquisition
Memory Forensics Analysis Process
· Identify Rogue Processes
· Analyze Process DLLs and Handles
· Review Network Artifacts
· Look for Evidence of Code Injection
· Check for Signs of a Rootkit
· Acquire Suspicious Processes and Drivers
Memory Forensics Examinations
· Live Memory Forensics
· Memory Analysis Techniques with Redline
· Advanced Memory Analysis with Volatility
· Code Injection, Malware, and Rootkit Hunting in Memory
· Perform In-Memory Windows Registry Examinations
· Extract Typed Adversary Command Lines
· Investigate Windows Services
· Find and Dump Cached Files from RAM
· Dumping Hashes and Credentials from Memory
Memory Analysis Tools
· Rekall
· Volatility
· Redline
· MoonSols Windows Memory Toolkit
Exercises
· Detect unknown live and dormant custom malware in memory across multiple systems in an enterprise environment
· Find APT "beacon" malware over common ports that targeted attackers use to access command and control (C2) channels
· Find residual command-line input through scanning strings in memory and by extracting command history buffers
· Analysis of memory from infected systems:
  · Stuxnet
  · TDL3/TDSS
  · Zeus/Zbot
  · Conficker
  · Sobig
  · StormWorm Rootkit
  · Black Energy
  · PsExec
  · Custom APT command and control malware
Topics
Timeline Analysis Overview
· Timeline Benefits
· Prerequisite Knowledge
· Finding the Pivot Point
· Timeline Context Clues
· Timeline Analysis Process
Memory Analysis Timeline Creation
· Memory Timelining
Filesystem Timeline Creation and Analysis
· MACB Meaning by Filesystem (NTFS vs. FAT)
· Windows Time Rules (File Copy vs. File Move)
· Filesystem Timeline Creation Using Sleuthkit and fls
· Bodyfile Analysis and Filtering Using the mactime Tool
Super Timeline Creation and Analysis
· Super Timeline Artifact Rules
· Program Execution, File Knowledge, File Opening, File Deletion
· Timeline Creation with log2timeline
· log2timeline Input Modules
· log2timeline Output Modules
· Filtering the Super Timeline Using l2t_process
· Targeted Super Timeline Creation
· Automated Super Timeline Creation
· Super Timeline Analysis
Exercises
· Using timeline analysis, determine how the breach originally occurred by identifying an APT group beachhead and spear phishing attack
· Target hidden and time-stomped malware and utility-ware that an APT uses to move in the network and maintain its presence
· Track APT activity second-by-second through in-depth super timeline analysis
· Observe targeted attackers laterally move to other systems in the enterprise by watching footprints left in filesystem times and other temporal-based artifacts
· Learn how to filter system artifact, file system, and registry timelines to target specific data efficiently
Topics
Advanced "Evidence of Execution" Artifacts
· RecentFileCache.bcf / Amcache.hve
· Application Compatibility Cache (ShimCache)
Windows 7/8 and Server 2008/2012 Shadow Volume Copy Analysis
· Volume Shadow Copy Data Analysis
· Acquiring Shadow Copy Volume Images
· Raw and Live Shadow Copy Examination Using the SIFT Workstation
· Creating and Analyzing Shadow Volume Timelines
Deep Dive Malware and Anti-Forensic Detection
· Sleuthkit Toolset
· File-Based Data Carving
· Carving Key Files from a Compromised System (Malware, .rar Files, Prefetch Files, and Shortcut Files)
· NTFS Filesystem Analysis
· Master File Table (MFT) In Depth
· NTFS System Files
· NTFS Metadata Attributes ($Standard_Information, $Filename, $Data)
· Rules of Windows Timestamps for $StdInfo and $Filename
· NTFS Timestamps
· Resident vs. Nonresident Files
· Alternate Data Streams
· Directory Listings and the $I30 file
· Transaction Logging and the $Logfile and $UsnJrnl
· What Happens When Data is Deleted from an NTFS Filesystem?
Anti-Forensic Detection Methodologies
· MFT Anomalies
· Timeline Anomalies
· Deleted Files
· Deleted Registry Keys
· File Wiping
· Clearing Browsing History
· Privacy Cleaners
· Adjusting Timestamps
Exercises
· Recover data cleared through anti-forensic techniques used by targeted attackers via Volume Shadow Copy and Restore Point analysis
· Extract stream-based data and identify critical artifacts such as domains, IP addresses, and email addresses that were used during the attack
· Find evidence of Poison Ivy use on the compromised system
· Detect and identify key files out of unallocated space, including malware, prefetch files, LNK files, and more
· Use filesystem knowledge to detect evidence of anti-forensics and timestomping
· Recover .rar files used by an APT to exfiltrate data from the network
Topics
Adversary and Malware Hunting
· Rapid Data Triage Analysis
· Cyber Threat Intelligence & Indicators of Compromise (IOC) Searching
· Evidence of Persistence
· Supertimeline Examination
· Packing/Entropy/Executable Anomaly/Density Checks
· System Logs
· Memory Analysis
· Malware Identification
Methodology to Analyze and Solve Challenging Cases
· Malware/Intrusion
· Spear Phishing Attacks
· Web Application Attacks/SQL Injection
· Advanced Persistent Threat Actors
· Detecting Data Exfiltration
Exercises
· Find unknown malware across your enterprise by looking for dormant and active malware traces
· Discover which systems the targeted attackers laterally moved to in the enterprise and how they transitioned from system to system so easily without being detected
· Understand how an APT group can acquire domain admin rights in a locked-down environment
Topics
· The Intrusion Forensic Challenge will have each incident response team analyzing multiple systems in an enterprise network.
· Each incident response team will be asked to answer the following key questions during the challenge, just as they would during a real breach in their organizations:
IDENTIFICATION AND SCOPING:
1. How and when did the APT group breach our network?
2. List all compromised systems by IP address and specific evidence of compromise.
3. When and how did the attackers first laterally move to each system?
CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:
4. How and when did the attackers obtain domain administrator credentials?
5. Once on other systems, what did the attackers look for on each system?
6. Find extracted email from executive accounts and perform a damage assessment.
7. Determine what was stolen: Recover any .rar files or other archives exfiltrated, find encoding passwords, and extract the contents to verify the extracted data.
8. Collect and list all malware used in the attack.
9. Develop and present security intelligence or an indicator of compromise (IOC) for the APT group "beacon" malware for both host- and network-based enterprise scoping. What specific indicators exist for the use of this malware?
REMEDIATION AND RECOVERY:
10. Do we need to change the passwords for every user in the domain, or just the ones affected by the systems compromised?
11. Based on the attacker techniques and tools discovered during the incident, what are the recommended steps to remediate and recover from this incident?
  a. What systems need to be rebuilt?
  b. What IP addresses need to be blocked?
  c. What countermeasures should we deploy to slow or stop these attackers if they come back?
  d. What recommendations would you make in order to detect these intruders in our network again?