Speaking of which, there were a number of exceptional presentations throughout the two days. Rob talked about using TSK's fls and ils to generate file system timelines, which led me to think that it wouldn't be too great a stretch to add the same sort of capability to RegRipper, and have the Registry data included in the timeline information. The guys from Verizon gave a great presentation on their incident statistics, and the Mandiant presentation illustrated some interesting artifacts from a real-world examination.
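The idea in the previous paragraph, folding Registry key LastWrite times into the same timeline that fls/ils produce from the file system, is shown below as an added example. It is not code from the blog post, from TSK or from RegRipper. It assumes file-system records in the pipe-separated bodyfile layout that `fls -m` emits (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), and Registry LastWrite times supplied as (key path, epoch) pairs, the kind of output a RegRipper plugin could produce. The sample bodyfile lines and key paths are constructed, not taken from a real system.

```python
"""
Merge file-system timestamps and Registry key LastWrite times into one
mactime-style timeline.

Added example, not from the blog post, TSK or RegRipper. Assumptions:
  - file-system input is in the TSK 3.x bodyfile layout produced by `fls -m`;
  - Registry input is a list of (key path, LastWrite epoch) tuples;
  - all sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

# Constructed sample bodyfile (fls -m style):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|C:/Windows/Prefetch/SUSPECT.EXE-1A2B3C4D.pf|1001|r/rrwxrwxrwx|0|0|4096|1221000100|1221000100|1221000100|1221000100
0|C:/Users/bob/AppData/Local/Temp/suspect.exe|1002|r/rrwxrwxrwx|0|0|73216|1221000050|1221000000|1221000000|1221000000
0|C:/Windows/System32/cmd.exe|33|r/rrwxrwxrwx|0|0|302592|1221000120|1210000000|1210000000|1210000000
"""

# Constructed sample Registry key LastWrite times (epoch seconds), as a
# hypothetical RegRipper-style plugin might report them.
SAMPLE_REG_LASTWRITE = [
    ("HKLM/SYSTEM/ControlSet001/Services/SuspectSvc", 1221000060),
    ("HKCU/Software/Microsoft/Windows/CurrentVersion/Run", 1221000070),
]


@dataclass(frozen=True)
class TimelineEvent:
    ts: int       # epoch seconds
    macb: str     # M/A/C/B columns, "." where the column does not apply
    source: str   # "FILE" or "REG", so the analyst can see which artifact spoke
    name: str


def parse_bodyfile(text: str) -> List[TimelineEvent]:
    """Explode each bodyfile line into one event per distinct timestamp, as mactime does."""
    events: List[TimelineEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 bodyfile fields, got {len(fields)}: {line!r}")
        name = fields[1]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        # Timestamps that share a value collapse into one row (e.g. "MACB" for a fresh file).
        by_ts = {}
        for flag, ts in (("M", mtime), ("A", atime), ("C", ctime), ("B", crtime)):
            if ts > 0:  # zero means "not recorded" in a bodyfile
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append(TimelineEvent(ts, macb, "FILE", name))
    return events


def registry_events(lastwrites: Iterable[Tuple[str, int]]) -> List[TimelineEvent]:
    """A key's LastWrite time is a modification time, so it lands in the M column only."""
    return [TimelineEvent(ts, "M...", "REG", key) for key, ts in lastwrites]


def build_timeline(bodyfile_text: str, lastwrites: Iterable[Tuple[str, int]]) -> List[TimelineEvent]:
    """Merge both sources and sort chronologically; ties sort by source then name for stable output."""
    events = parse_bodyfile(bodyfile_text) + registry_events(lastwrites)
    return sorted(events, key=lambda e: (e.ts, e.source, e.name))


def render(events: Iterable[TimelineEvent]) -> str:
    """Format like a mactime listing: UTC time, MACB flags, source tag, name."""
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {e.macb} {e.source:<4} {e.name}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_BODYFILE, SAMPLE_REG_LASTWRITE)))
```

Run as-is and the output interleaves the service key's LastWrite and the Run key's LastWrite between the executable's creation and the Prefetch file's creation, which is exactly the cross-artifact corroboration a single merged timeline gives you. Keeping the `source` column is deliberate: when file-system timestamps have been tampered with, Registry LastWrite times (and later, event log entries) are independent witnesses, and the column makes that independence visible.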
One prevalent theme throughout the summit was that there were a lot of folks "calling the baby ugly". As humorous as that may sound, that was the euphemism for being up-front and letting folks know, yes, we have a problem. At least one of the issues identified that both Richard Bejtlich and I (and others) seemed to agree on was that the need to protect data is no longer the driver for incident response...if it ever truly was. Currently, legislation (state notification laws) and regulatory oversight (PCI, HIPAA, etc.) are the drivers for incident response.
Also, a common thread from the consultants to the admins in the audience seemed to be, help us help you. At one point during a panel, Rob Lee asked something along the lines of, how soon should someone who's been breached call for help, and my response was "before it happens." Seriously. Get someone on-site before you
All in all, it was a great event, very beneficial to attendees and speakers alike. Rob did a great job pulling together talent such as Richard Bejtlich of GE and TaoSecurity fame, AAron Walters, Mike Poor and Tom Liston of InGuardians, Lance Mueller, Eoghan Casey, Bret Padres and Ovie Carroll, as well as Kris Harms, Wendi Rafferty and Ken Bradley from Mandiant, and Monty McDougal. Jennifer Kolde was there representing the FBI, as was Matt Shannon...F-Response is and was a huge hit. I was talking with a couple of folks who attended the summit and when the topic of F-Response came up, you could see the light come on in their eyes as they realized the potential that could be realized through a product like this.
It was also great to be able to talk with folks like Jeff Caplan, and (me being really bad with names) Doug and the guy from Ford.
One of the big take-aways that I got from the summit is the fact that folks like the speakers (consultants, in most cases) and attendees (admins, etc.) face a lot of the same problems with respect to incident response...namely, how to preview and triage systems, and how to do so in an enterprise environment.
I'm hoping to be invited to and be able to attend the next SANS Forensic Summit, in July 2009!
See what others thought:
AAron
Matt from F-Response
Harlan,
It was cool to meet you after reading your works. Enjoyed the discussion on working regXP into a timeline analysis script.
I for one am looking forward to you releasing that tool out to the masses. Since I'm still at the SANS event for four more days, I took the time to start writing an Enscript last night.
Doug C.
Doing the timeline for registry is really valuable. I'm currently doing that in an IR tool I am working on.
It collects via WMI, processes, software installs, file system, prefetch and registry etc etc. On analysis it puts all these into one timeline so you can see registry changes, process start ups, reboot times, security event log entries, prefetch creation, and I now even include external firewall entries. Makes pinning down an issue incredibly quick because the validation from multiple independent sources is there in one place.
Darren,
Any chance of getting that, or some part of it posted somewhere?
Harlan,
Will you be making your presentation available anywhere?
I'll see what I can do...it's not mine to post...it's IBMs...
I was hoping you would all get dysentery or something and be miserable since I was unable to attend.
Sorry to hear you had such a good time.
I was still miserable b/c you weren't there, CoreE.
Darren,
I met with AAron Walters afterward to discuss my desire to create a time-stamp timeline, my idea was that it be perhaps Web-based, like a language translator--paste the text and hit a button that translates your time-stamps into a visual timeline. Aaron suggested I contact/read Florian Buchholz' work on Zeitline. Let me know if you'd like to work together, as I'd be starting from scratch.
Who is "Darren"?
Darren is the guy that got the job of cleaning up Cory's old documentation ;)
You can find me on #volatility
I'm pushing to be able to release what I have at the moment, but I'm trying to merge my analysis framework into something sensible like pyflag so I can avoid a lot of the heavy lifting they have solved.
The current stuff converts everything into a mactime-esque format and then allows working with the results.
Zeitline looks good, it offends my C/python sensibilities, but I guess I can get past that :)
nice post
Your blog is very nice
Thanks for this nice post.