Thursday, December 15, 2011

More Stuff

Online DFIR Meetups
Tonight (Thu, 15 Dec) at 8pm EST is the first Online DFIR Meetup, hosted by Mike Wilkinson.  Stop by and check it out...Mike and I will be presenting during this first meetup.

I think that we need to come up with a good hashtag for the event, particularly something that's unique to the event.

Future of IR
If you haven't already, check out the Carbon Black white paper  on the future of IR, by moving from a purely response posture to a proactive, incident preparedness posture.

Moving to a proactive posture just makes sense for a lot of reasons.  First, it doesn't matter which annual report you read...Verizon, Mandiant, TrustWave...they all pretty much state that it doesn't matter who or where you are...if you have a computer connected to the Internet, you will be compromised at some point.  In fact, you may very likely already have been compromised; you may simply not realize it yet.  Second, if all of the studies show that you're gonna get punched in the face, why keep your hands down?  Why not put on head gear, get into a good stance, and get your hands up?  If it's gonna happen, why not be ready for it, and be able to react to minimize the effects?  Finally, there are a lot of regulatory bodies out there that are all telling the organizations that they oversee that they have to take a more proactive approach to security.  Paragraph 12.9 of the PCI DSS states that organizations subject to the PCI will have (as in, "thou shalt") an incident response capability, and the subparagraphs provide additional details.

At this point, one would think that there's enough reason to have an IR capability within your organization, and be ready.  One would think...

Now, does a tool like Cb obviate the need for that response capability?  I mean, if you're able to VPN into a system and diagnose and scope an incident within minutes, does that mean we'll no longer need to do DFIR?

No, not at all.  What Cb does bring to the table is a solution for rapidly triaging, scoping, and responding to an incident; however, it does NOT obviate the need for dedicated analysis.  Once the incident has been scoped, you can then target the systems from which you need to acquire data...dumps of physical memory, selective files, or acquire full images.

As a consultant, I can see the immediate value of Cb.  The traditional "emergency response" model dictates that someone be deployed to the location, requiring the expense of last minute travel and open-ended lodging arrangements.  There's also the "cost" of the time it takes for an analyst to arrive on-site.  Remember, costs are multiplied (travel, lodging, hourly rate, etc.) for multiple analysts. 

Let's say I have a customer who has several sensors rolled out and their own internal Cb server.  With their permission, I could VPN into the infrastructure and access the server via RDP, pull up the Cb interface and being investigating the incident while we're on the phone.  Based on what is available via Cb, I could begin answering questions in very short order, with respect to the severity and scope of the issue.  I could also obtain a copy of any particular malware that is involved in the incident and send it to a malware analyst so she can rip it apart (if such activity is within scope).   Having deployed Cb, the customer has already decided to be proactive in their security posture, so we can have local IT staff immediately begin isolating and acquiring data from systems, for analysis.

So, this is the difference between the traditional "emergency response", and the future of IR (i.e., immediate response).  And yes, this is only true if you've already got Cb installed...but, as described in the white paper, Cb is still useful if it is installed after the incident.

Now, Cb also does not obviate the need for working with customers and developing relationships, so don't think that someone's going to arrive on-site, install something on your network, poke a hole in your perimeter, and you never see them again.  Rather, deploying Cb requires that an even stronger relationship be built with the customer, for two reasons.  First, being proactive is an entirely new posture for many organizations, and can require something of a shift in culture.  This is new to a lot of organizations, and new things can be scary.  Organizations who recognize the need for and are open to change are still going to tread lightly and slowly at first.

Second, Cb itself is new.  However, Cb as a number of case studies behind it already that not only demonstrate its utility as an immediate response tool, but also as a tool to solve a variety of other problems.  So, organizations rolling out Cb are going to need some help in identifying problems that can be solved via the use of Cb, as well as how to go about doing so.

During the recent SANS360 event, Mike Cloppert (see Mike's Attacking the Kill Chain post) suggested that rather than competing with an adversary on their terms on your infrastructure, that we need to change the playing field and make the adversary react to us.  With only 6 minutes, Mike didn't have the time to suggest how to do that, but Cb gives you that capability.  Cb allows you to change the IR battlefield all together.

File Extension Analysis
I posted a HowTo on file extension analysis a bit ago, and as something of a follow up, I've been working on an article for a Microsoft portal.

I guess what I find most interesting about this post is that even though I see the question that spawned the post asked in online forums and lists, the blog post doesn't have a single comment.  You'd think that as many times as I've seen this in lists and forums, someone would have looked at the post, and maybe found it useful.  Well, I tried the "HowTo" approach to the blog posts, and that didn't seem to be too well received...


SS said...

Harlan, on the 10th paragraph you forgot to end the sentence (my suggestion: ".. after the incident" )

BTW, great post as usual!

I've read some material on Carbon Black, but after seeing your blog post, I really want to try it asap..

Sandro Süffert

H. Carvey said...

Good catch! So, you're the only one to actually read the post...

SS said...

Probably! I will send you my address so you can mail me your next book as a reward for the effort.. ;]