If You Are Doing Incident Response, You Are Doing It Wrong

I’d been thinking about this for a while, but conversations with Rob Lee and then a presentation with him really helped me clarify my thinking on this issue. Here goes:

If you are doing incident response, you are psychologically, if not operationally, in a reactive rather than proactive mode. To do it right, incident response needs to be part of your ongoing daily business process. True incident response only occurs during major breaches. As part of your incident management, you proactively – days, months, even years in advance – address the issues that might create a need to respond to an incident.

By managing incidents rather than responding to them, you:

  • Reduce the severity of the incidents that do occur.
  • Reduce the number of incidents that do occur.
  • Shift from responding to incidents to managing incidents as part of your normal operations.
  • Reduce unforeseen expenses related to incident investigations.
  • Increase your visibility within the business, and thus the support for your organization.
  • Strengthen security posture. (Thank you to Corey.)
  • Reduce stress on your staff and increase their job satisfaction (unless they are adrenaline junkies).


An incident management mindset depends on accepting a truism:

Compromise Is Inevitable – Something truly malicious has been in, is in, and will be in your environment.


If you accept that compromise is inevitable, why wait for it to happen? Why not get ahead of it, reduce its impact, and increase your resilience?

Which leads me to my second point – traditional emergency management has been doing this for decades. If you do a search for “Emergency management cycle”, you will find many images similar to the following:

[Image: emergency management cycle diagram]

Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one-off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, businesslike manner because it is their normal business. (I speak from 15 years of emergency management experience. Find a firefighter in your organization and run this past them.) When a fire engine rolls up to a fire, does everyone jump out, run around, and add to the chaos? No, they respond in a very consistent, calm, and methodical manner.

Take a hard look at ICS – Incident Command System. FEMA has several short, online courses to familiarize you with it. Step back and think about how it might apply to your organization. The modular, scalable nature of ICS enables effective response to incidents by multiple agencies. Sounds like something that might apply to a breach investigation? (You don’t need to buy into all the labels. Just think about the core concepts.)

In closing, let me ask you to think on two points:

  • Manage incidents, and the entire lifecycle, in a way that enables you to treat incidents as part of your normal operational tempo.
  • Pay attention to how traditional emergency management works and learn from it. An enormous amount of thought and effort has already been invested in emergency management. Build on that rather than trying to recreate everything.


SANS DFIR Summit Prague – Blue Team Perspectives slides

I gave a presentation at SANS DFIR Summit in Prague this morning. My presentation was designed to introduce DFIR practitioners to the larger business context that they might be working within. This could help with career progression, avoiding frustration in the workplace, or developing your reputation within your firm to name just a few possibilities.

Any and all feedback on the presentation is welcome.

Blue Team Perspectives – SANS DFIR Summit Prague


Patents in the DFIR community space

Good morning,

David Cowen announced that he has submitted a patent application for NTFS TriForce. Let me start off by stating that I admire David quite a bit, I think TriForce is very useful and pushes into new territory, and that I am not angry at anyone, least of all David.

That said, I’m very concerned. The discussion is going on over in G+. Here is my very off-the-top-of-my-head contribution to what may be a very interesting discussion. I hope others chime in.

From the G+ post:

-----

David,

I think my response may have been phrased in overly strong language. I’ve given some thought to why – why I am concerned and why my response was more emotional than the situation warranted.

My perception was that your tool was well supported by the community, and that through your beta program, presentations, and blog posts you were engaging with the community to help develop it. I, rightly or wrongly, mentally lumped it in with other reasonably priced tools that were closely tied to the DFIR community. So when I saw your patent post my immediate thought was “There’s another tool that I’m not going to want to support any more.”

Your post set off warning bells in my hindbrain. My experience with patents has almost always been negative, and in some very personal ways at times. I’ve had colleagues say “I’m doing this for all of us” on more than one occasion. Even when they were being honest, there were negative repercussions.

I think you’re going to run into prior art issues, and quite a few of them. I think that this may be part of my emotional reaction. My perception is that the prior art may be the DFIR community’s work and I’m reacting to the perception that you may be trying, directly or indirectly, to patent the work of many other people.

I fear that you may set off an arms race in the DFIR community. Maybe it is going to happen anyhow and you’re just getting there first. I don’t really want to be a part of that, and I’m not going to be thrilled about watching it happen if it does occur.

Guidance is a very poor example to cite of good behavior with respect to public relations, community engagement, and good business decisions. If they are your model for pretty much anything, you’re elevating my level of concern.

There are other ways to protect and control your intellectual property without patents. Sharing your thoughts on why you’re going with patents rather than licensing would be helpful.

Someone asked me if I am angry. I’m not. I am quite concerned though and I look forward to seeing how this plays out.

-David


IRcollect – collect incident response information via raw disk reads and $MFT parsing

ircollect is a Python tool designed to collect files of interest in an incident response investigation or triage effort. This is very beta code. I’m hacking on it regularly, using it to learn about internal structures, finding minor and major issues, …. Use it at your own risk! If you have advice on how to address issues I’ve encountered, please share ….

In the process of writing this, I added data run parsing and ADS detection to analyzeMFT so those are now available.

The GitHub site has more details and will be updated much more regularly than this blog.

Running as local admin, it:

  • Opens the raw disk.
  • Reads the master boot record, collects a copy of it, and uses the MBR to find partition and disk information.
  • Using the MBR information, finds the NTFS partitions.
  • Working from the start of the NTFS partition, finds the $MFT.
  • Collects a copy of the $MFT and then builds a list of all the files on the system and their data runs.
  • Using the file list and data runs, collects interesting files through direct reads from the disk, bypassing access controls.

All collected files are stored in a directory specified with the -d option. They are further organized by hostname and the date-time the script was run.
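The first four steps above (MBR, NTFS partition, then $MFT), as an added Python example that is not ircollect's own code: it parses a constructed MBR and NTFS boot sector served through a read_at(offset, size) callable that stands in for the raw disk handle, and the partition and cluster values are made up for the sample.

```python
import struct

SECTOR = 512
NTFS_PART_TYPE = 0x07  # MBR partition type byte used by NTFS volumes (also HPFS/exFAT)

def parse_mbr(mbr):
    """Return [(start_lba, sector_count, type_byte)] for the non-empty primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):                         # four 16-byte entries at offset 0x1BE
        base = 0x1BE + 16 * i
        ptype = mbr[base + 4]
        start_lba, count = struct.unpack_from("<II", mbr, base + 8)
        if ptype:
            parts.append((start_lba, count, ptype))
    return parts

def mft_offset(boot_sector, start_lba):
    """Absolute byte offset of $MFT, from the NTFS boot sector of the partition."""
    if boot_sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS: not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", boot_sector, 0x0B)[0]
    sectors_per_cluster = boot_sector[0x0D]
    mft_cluster = struct.unpack_from("<Q", boot_sector, 0x30)[0]  # $MFT start cluster (LCN)
    return start_lba * SECTOR + mft_cluster * sectors_per_cluster * bytes_per_sector

def locate_mft(read_at):
    """read_at(offset, size) -> bytes stands in for reading the raw physical disk."""
    ntfs = [p for p in parse_mbr(read_at(0, SECTOR)) if p[2] == NTFS_PART_TYPE]
    if not ntfs:
        raise ValueError("no NTFS partition found in the MBR")
    start_lba = ntfs[0][0]
    return mft_offset(read_at(start_lba * SECTOR, SECTOR), start_lba)

# Constructed sample "disk": an MBR with one NTFS partition at LBA 2048 and that
# partition's boot sector (512-byte sectors, 8 sectors per cluster, $MFT at LCN 786432).
def build_sample_disk():
    mbr = bytearray(SECTOR)
    mbr[0x1BE + 4] = NTFS_PART_TYPE
    struct.pack_into("<II", mbr, 0x1BE + 8, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)
    struct.pack_into("<Q", boot, 0x30, 786432)
    sectors = {0: bytes(mbr), 2048: bytes(boot)}
    return lambda offset, size: sectors.get(offset // SECTOR, bytes(SECTOR))[:size]
```

Swapping the lambda for a read on an opened raw device gives the same $MFT offset calculation that the collection steps above depend on.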

Requirements:

pip install analyzemft

Status:

VERY beta. Active development daily, often hourly.

Currently collects the master boot record, the $MFT, and live (corrupted) registry hives. Users can modify the table in ircollect.py to specify any files they want.

Thank you to:

  • Jamie Levy for mbr_parser.
  • Willi Ballenthin for the bit manipulation code and lots of useful tips for analyzeMFT.

analyzeMFT – ADS support added

The latest version of analyzeMFT is available on GitHub. I’ve not pushed it out to PyPI and will hold off until I’m sure the new work has not introduced bugs. The changes are:

Fixed parsing and printing of UTF-16 strings, removed unicodeHack stuff.

My original code took a brute force approach to parsing file names from the MFT records. What I did not know at the time was that they were UTF-16. While working on other things, I took the time to figure that out and replaced about 20 lines of kludge with one line of code.

Fixed printing of unicode strings to output files.

While figuring out how to read UTF-16, I figured out how to write UTF-8.

Added ADS support.

This is probably a work in progress, but it seems to be working, so I’ll push it out. Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents away for later use. If it encounters a named $DATA record, it does two things:

  • A duplicate of the parent record is created and the filename is changed to <parent filename>:<ADS filename>.
  • All ADS records, parent and children, get a flag set in the new ADS column.

So you might see:

/normal.txt Normal file
/file-w-ads.txt Normal file with ADS
/file-w-ads.txt:adsfile.txt The ADS file attached to file-w-ads.txt
/dir Directory
/dir:adsdir.txt The ADS file attached to dir
/file-w-large-ads.txt Normal file with ADS
/file-w-large-ads.txt:largeads.txt The (non-resident) ADS file attached to file-w-large-ads.txt
/file-w-2-ads.txt Normal file with two ADS files
/file-w-2-ads.txt:ads1.txt The first ADS file attached to file-w-2-ads.txt
/file-w-2-ads.txt:ads2.txt The second ADS file attached to file-w-2-ads.txt

All of the records would have a ‘Y’ in the ADS column to indicate that either they are an ADS file or they have an ADS file attached.
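The attribute walk that this ADS handling rests on, as an added Python example that is not analyzeMFT's own code: it finds the $FILE_NAME and named $DATA attributes in a raw MFT record (names are UTF-16LE, as noted above) and expands the record into the parent row plus one row per stream. The record-building helpers and the file-w-2-ads.txt sample are constructed for the example.

```python
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def iter_attributes(record):
    """Yield (type, raw_attribute) for each attribute in a raw MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("bad MFT record magic")
    off = struct.unpack_from("<H", record, 0x14)[0]          # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        yield atype, record[off:off + alen]
        off += alen

def expand_ads(record):
    """Rows of (path, ads_flag) the way the ADS handling above presents a record."""
    filename, streams = "", []
    for atype, attr in iter_attributes(record):
        if atype == ATTR_FILE_NAME:                          # resident content offset at 0x14
            body = attr[struct.unpack_from("<H", attr, 0x14)[0]:]
            filename = body[66:66 + 2 * body[64]].decode("utf-16-le")
        elif atype == ATTR_DATA:                             # name is UTF-16LE at name_off
            name_len, name_off = struct.unpack_from("<BH", attr, 9)
            name = attr[name_off:name_off + 2 * name_len].decode("utf-16-le")
            if name:                                         # named $DATA stream == ADS
                streams.append(name)
    return [(filename, bool(streams))] + [(f"{filename}:{s}", True) for s in streams]

def make_attr(atype, content, name=""):
    """Constructed resident attribute: 24-byte header, UTF-16LE name, 8-aligned content."""
    nb = name.encode("utf-16-le")
    coff = 0x18 + len(nb) + (-(0x18 + len(nb)) % 8)
    total = coff + len(content) + (-(coff + len(content)) % 8)
    attr = bytearray(total)
    struct.pack_into("<IIBBH", attr, 0, atype, total, 0, len(name), 0x18)
    struct.pack_into("<IH", attr, 0x10, len(content), coff)
    attr[0x18:0x18 + len(nb)], attr[coff:coff + len(content)] = nb, content
    return bytes(attr)

def build_sample_record(filename, ads_names):
    """Constructed 1024-byte record: $FILE_NAME, unnamed $DATA, one named $DATA per ADS."""
    fn = bytearray(66) + filename.encode("utf-16-le")
    fn[64], fn[65] = len(filename), 3                         # name length (chars), namespace
    attrs = make_attr(ATTR_FILE_NAME, bytes(fn)) + make_attr(ATTR_DATA, b"main stream")
    attrs += b"".join(make_attr(ATTR_DATA, b"hidden", n) for n in ads_names)
    record = bytearray(b"FILE" + bytes(0x10) + struct.pack("<H", 0x38)).ljust(1024, b"\0")
    record[0x38:0x38 + len(attrs) + 4] = attrs + struct.pack("<I", ATTR_END)
    return bytes(record)
```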

As always, please let me know if I broke anything….


Adventures in Powershell for IR

July 18, 2013

So, I wanted to access locked registry hives. Simple enough using F-Response, but beyond that it devolves into various solutions that are not well supported. I came across one solution that was of particular interest from a response side but also from an attack side:

Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

In short, it opens a read handle to the C volume, parses the NTFS structures, and reads the files directly, thus bypassing all access controls and locks. You do need to be local admin to run it.

This is great for getting locked registry hives, or for remotely copying NTDS.dit without deploying hacker tools on the remote system. Bear in mind that the remote system needs to be running the WS-Management service. This is not running by default on our Windows 7 desktops, but the author mentioned that it is running by default on Windows Server 2012.

There are a number of niggling issues with getting PowerShell scripts to run. This article covers almost all of them nicely: Execution Policy

However, it didn’t cover one issue – what happens when you try to do:

Set-ExecutionPolicy RemoteSigned

and get a registry access error?

This post explains how to edit the registry directly.

Once you’ve worked your way through those issues, you can grab local and remote files to your heart’s content.


Using analyzeMFT from other programs


Now that analyzeMFT is a package, it is much easier to use from other programs. Here’s a quick example.

from analyzemft import mft

# Read one raw 1024-byte record from a saved $MFT and hand it to analyzeMFT
options = mft.set_default_options()
with open('MFT-short', 'rb') as input_file:
    raw_record = input_file.read(1024)
mft_record = mft.parse_record(raw_record, options)
print("\nRaw MFT record in analyzeMFT format")
print(mft_record)
# The same parsed record rendered in each of the supported output formats
csv_record = mft.mft_to_csv(mft_record, False)
print("\nMFT record in CSV format")
print(csv_record)
l2t_record = mft.mft_to_l2t(mft_record)
print("\nMFT record in L2T format")
print(l2t_record)
body_record = mft.mft_to_body(mft_record, options.bodyfull, options.bodystd)
print("\nMFT record in bodyfile format")
print(body_record)

This will produce:


Raw MFT record in analyzeMFT format

{'f1': '\x00\x00', 'seq': 1, 'lsn': 4.365328012e-314, 'attr_off': 56, 'bitmap': True, 'alloc_sizef': 1024, 'recordnum': 0, 'size': 424, 'upd_off': 48, 'filename': '', 'upd_cnt': 3, 'base_seq': 0, 'fncnt': 1, 'link': 1, 'next_attrid': 6, 'data': True, 'base_ref': 0, 'magic': 1162627398, ('fn', 0): {'par_ref': 5, 'ctime': <analyzemft.mftutils.WindowsTime instance at 0x107864d40>, 'par_seq': 5, 'nlen': 4, 'flags': 3e-323, 'real_fsize': 32686080, 'mtime': <analyzemft.mftutils.WindowsTime instance at 0x107864830>, 'alloc_fsize': 32686080, 'nspace': 3, 'atime': <analyzemft.mftutils.WindowsTime instance at 0x1078649e0>, 'crtime': <analyzemft.mftutils.WindowsTime instance at 0x107864368>, 'name': '$MFT'}, 'notes': '', 'si': {'maxver': 0, 'ver': 0, 'ctime': <analyzemft.mftutils.WindowsTime instance at 0x1078648c0>, 'class_id': 0, 'usn': 0.0, 'sec_id': 256, 'quota': 0.0, 'own_id': 0, 'mtime': <analyzemft.mftutils.WindowsTime instance at 0x1078647e8>, 'dos': 6, 'atime': <analyzemft.mftutils.WindowsTime instance at 0x1078645a8>, 'crtime': <analyzemft.mftutils.WindowsTime instance at 0x10777ac20>}, 'flags': 1}

MFT record in CSV format

[0, 'Good', 'Active', 'File', '1', '5', '5', '', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '2007-08-15 15:32:29.656248', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'True', 'False', 'True', 'False', 'False', 'False', 'True', 'False', 'False', 'True', 'False', 'False', 'False', 'False', 'False', '', 'N', 'N']

MFT record in L2T format

2007-08-15|15:32:29.656248|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host||desc|version||1||format|extra

MFT record in bodyfile format

0|$MFT|0|0|0|0|32686080|1187191949|1187191949|1187191949|1187191949

Simple. Hand it a raw MFT record and then ask for the results to be produced in a string in one of three formats. (Hmm, I suppose I should support JSON, too.)
