Comments on Windows Incident Response: Proactive IR

Dave Nelson, 2011-04-26 22:03 -05:00:

Compromise on client nodes is inevitable. Proactive incident response systems of the future are going to rely on things like automated indexing of binary hashes based on process creation, correlating least common occurrence in a network and automating the transmitting of the malware to sandboxes/repositories with risk results to flag a system for review or automate incident response scripts. Bonus points will be given for incorporating binary entropy (not at all perfect), certificates (proven fail), path info (for some reason this is still working and relevant) and event correlation, but most of those aren't really solid identifiers. Some of this is already being built into commercial ware. Some projects are being spun up that provide some of this functionality, such as El Jefe and Carbon Black (we even built our own), but no one is anywhere near 'arrived'. Unfortunately, I suspect the free projects will be outgunned by commercial ware in speed, marketing and integration. Prove me wrong and make me happy.

With the growing number of mobile devices and remotely connected devices, it's more important than ever to get artifact information as close as possible to the actual event. Monitors and triggers should be in place either as low level hooking agents (that don't stomp on other low level hooks) or customized real-time log forwarding (based on process creation) to initiate incident response scripts within minutes of an event. Only then can you build a reliable system to determine the extent of compromise and whether a node needs to be reimaged, passwords reset and the event registered in the incident log. Automated network disconnects and network initiated reimages are already here at larger companies. Eventually it will be done even faster and more widespread with VDI implementations.

For incident response, we created a hybrid of live forensics and tools normally only used post mortem on a DD image. Combining free tools such as FGET, AnalyzeMFT, Memoryze, Regextract (not console ver anymore), NirSoft tools and a full battery of other tools and scripts normally run on a DD image, but automated and adapted to run against a live production node, we centrally gather the information to gauge the extent of compromise while the client continues to work. We've built scripts to gather file indexes from Shadow Copy and MFT information. Automation of a persistent client popup, network card disabling and workstation account disabling are fairly easy, but we continue to look for a free tool or script to automate the parsing of the Windows Desktop Search database, either in full or by age. I am crossing my fingers for NirSoft to take up the flag, since he already has a version for Live Messenger files.

Malware incident response has come a long way, but we are still woefully short of proactive. Sometimes I feel like the sand on the shore, pounded by the mafia waves as nodes are towed out to sea.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-04-27 06:18 -05:00:

Dave,

I greatly appreciate your comments...

"Proactive incident response systems of the future..."

...but I also have to disagree, because I think you're way off base. Sorry, but I read your comments as you being a very technical responder, albeit perhaps an admin in an FTE position, and this is your "in an ideal world" wish list.

Don't get me wrong...from a technical perspective, I agree. However, I've responded to enough incidents to know that it will be a LONG time before something like that gets added to an organization's infrastructure. It doesn't matter if there is a technically complete and perfect tool available that will do everything at the push of a button, if the corporate culture of the "victim" organization simply does not allow for its use or deployment.

"...I suspect the free projects will be outgunned by commercial ware..."

Again, I disagree. Snort started out free; yes, Netwitness is commercial, but it doesn't have the availability. From a DF perspective, I'm looking at things like timeline analysis, which is something you can ONLY do with freeware tools...it's a powerful analysis technique, but commercial forensic applications are being built to their customers' requirements, rather than leading those analysts where they *need* to go.

IR prep is NOT on people's plates at the moment, and based on our culture in the US, likely won't be for a while. "Compliance" standards have been out for a while, and rather than realizing that these are a necessary first step, most organizations are pushing back, even while other companies all around them are getting hit.

My hope is to change the culture of just one organization...change their thinking. Get them to accept that yes, an incident WILL happen, and they need to take ownership of a response plan before they think about visibility...doing it the other way around is going to mean "seeing" all of the stuff that goes on, but not being able to respond to it, and the effort will fail. I would like to change the culture of one company, to get them to accept that the data that they're processing...PCI, PHI, PII, IP, whatever...is critical to their business and needs to be protected, just like their people and facilities.

Can I count on getting your support? Again, I greatly appreciate your comments.

Dave Nelson, 2011-05-03 01:04 -05:00:

Organizational culture towards security is merely the sum of a few parts in a corporate cogwheel that makes up the power chain to the minds and monies of a few. Those individuals don't change their thinking about security for security's sake. You don't sell them an insurance plan. Compliance laws and regulations don't change the way they think about security. It's not about convincing them of D-Day, it's about showing them that even now, under their noses, bits are trickling away to far off places and they don't even know what's in the obfuscated and encrypted packets.

It does start with visibility, both internal visibility and external visibility. Visibility by showing that compromise is affecting real companies all the time, from Google to RSA and HBGary Federal. Showing data on the corporate LAN being sent to China, Russia and the Cocos Islands, and that the vast majority of compromises are using unmodified malware kits. Nothing stops a click.

Visibility is the seed that allows you to grow incident response processes and systems. How can someone blindly build a response plan?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-05-03 07:10 -05:00:

I'm not suggesting that a CSIRP be built blindly...but visibility before having some ability to respond is going to do...what? Okay, I've got bleeding, but I know nothing about bandages or first aid...