Wednesday, September 02, 2015

HTCIA2015 Conference Follow up

I spoke at the HTCIA 2015 conference, held in Orlando, FL, on Mon, 31 Aug.  In fact, I gave two presentations...Registry analysis, and lateral movement.  You can see the video for the lateral movement presentation I gave at BSideCincy here...many thanks to the BSides Cincy guys and Adrian.

I haven't spoken at, or attended an HTCIA conference in quite a while.  I had no idea if I was going to make it to this one, between airline delays and tropical storms.  This one was held at the Rosen Shingle Creek Resort, a huge ("palatial" doesn't cover it) conference center..."huge", in the manner of Caesar's Palace.  In fact, there was an Avon conference going on at the same time as the HTCIA conference, and there very well could have been other conferences there, as well.  Given the humidity and volume of rain, having everything you'd need in one location was a very good thing.  In fact, the rain was so heavy on Monday afternoon, after the final presentation, that there were leaks in the room.

After presenting on Monday, I attended Mari's presentation, which I've seen before...however, this is one of those presentations that it pays to see again.  I think that many times when we're deeply engaged in forensic analysis, we don't often think about other artifacts that may be of use...either we aren't aware of them, due to lack of exposure, or we simply forgot.  However, if you're doing ANYTHING at all related to determining what the user may have done on the system, you've got to at least consider what Mari was talking about.  Why?  Well, we all know that browsers have an automatic cache clean-up mechanism; if the user is right at about 19 days since the last cache clean-up in IE, and they do something bad, it's likely that the artifacts of activity are going to be deleted...which doesn't make them impossible to find, just harder.  The cookies that Mari has researched AND provided a tool to collect can illustrate user activity long after the fact, either in specific activity, or simply illustrating the fact that the user was active on the system at a particular time.

Also, Mari is one of the very few denizens of the DFIR community who finds something, digs into it, researches it and runs it down, then writes it up and provides a tool to do the things she talked about in her write-up.  This is very rare and unique within the community, and extremely valuable.  Her presentation on Google Analytics cookies could very well provide coverage of a gap that many don't even know exist in their analysis.

I was also able to see Ryan's presentation on Tuesday morning.  This one wasn't as heavily attended as the presentations on Monday, which is (I guess) to be expected.  But I'll tell you...a lot of folks missed some very good information.  I attended for a couple of was that Ryan is a competitor, as much as a compatriot, within the community.  We both do very similar work, so I wanted to see what he was sharing about what he does.  I'm generally not particularly interested in presentations that talk about "hunting", because my experience at big conferences has often been that the titles of presentations don't match up with the content, but Ryan's definitely did so.  Some of what I liked about his presentation was how he broke things down...rather than going whole hog with an enterprise roll-out of some commercial package, Ryan broke things down with, " are the big things I look for during an initial sweep...", and proceeded from there.  He also recommended means for folks who want to start hunting in their own organization, and that they start small.  Trying to do it all can be completely overwhelming, so a lot of folks don't even start.  But taking just one small piece, and then using it to get familiar with what things look like in your environment, what constitutes "noise" vs "signal"...that's the way to get started.

What's interesting is that what Ryan talked about is exactly what I do in my day job.  I either go in blind, with very little information, on an IR engagement, or I do a hunt, where a client will call and say, "hey, I don't have any specific information that tells me that I've been compromised, but I want a sanity check...", and so I do a "blind" hunt, pretty much exactly as Ryan described in his presentation.   So it was interesting for me to see that, at a certain level of abstraction, we are pretty much doing the same things.  Now, of course there are some, exact steps in the process, and even the artifacts that we're looking for or at, may be a little different.  But the fact of the matter is that just like I mentioned in my presentation, when a bad guy "moves through" an environment such as the Windows OS, there are going to be artifacts.  Looking for a footprint here, an over-turned stone there, and maybe a broken branch or two will give you the picture of where the bad guy went and what they did.  For me, seeing what Ryan recommended looking at was validating...because what he was talking about is what I do while both hunting and performing DFIR work.  It was also good to see him recommending ways that folks could start doing these sorts of things in their own environments.  It doesn't take a big commercial suite, or any special simply takes the desire, and the rest of what's needed (i.e., how to collect the information, what to look for, etc.) is all available.

All in all, I had a good time, and learned a lot from the folks I was able to engage with.

Addendum: While not related to the conference, here are some other good slides that provide information about a similar topic as Ryan's...

No comments: