Monday, May 19, 2014

Daily Blog #330: Sunday Funday 5/18/14 Winner!

Hello Reader,
   Another Sunday Funday come and gone and I am now only 35 blog posts away from my year! This week I am happy to reveal our winning answer as I believe the answer really presents the itself in a well organized fashion that will help many people get a handle on the killchain as it is.

The Challenge:
Explain the 'Kill Chain' we specific DFIR examples of artifacts you would look for and remediation steps for each part of the process.

The Winning Answer:

The cyber kill chain was first coined by Lockheed Martin’s Eric Hutchins, Michael Cloppert, and Rohan Amin in 2011. Their paper, “Intelligence-Drive Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” has a wonderfully long title, and is an informative look into cyber threats. More information on this paper can be found in the ‘Further Information’ section, located at the bottom of this submission.
When examining where digital forensics and the cyber kill chain intersect, it’s important to understand each step of the kill chain and the forensic artifacts that may be applicable. Let’s take a walk through the kill chain, some relevant DFIR artifacts, and potential remediation/prevention steps:
1)    Reconnaissance
a.    Step Overview
The first step of the cyber kill chain highlights the research that an adversary may perform either to identify a potential target, or on a specific, pre-selected target. In either matter, reconnaissance may involve profiling an organization’s web presence, searching for employees and pertinent details, and/or gaining insight into other technologies an organization may use.
b.    DFIR Artifacts
·         Network logs would be artifacts of interest here, including firewall and web logs. Other outward-facing (aka DMZ) device logs would be useful as well. Data analytics can assist analysts in identifying suspicious traffic, such as scanning activity or connections from questionable locations. Correlations over time can help determine what is the “hum of the Internet” vs what may be repeated attempts to profile a network.
·         The identification of reconnaissance is also going to depend on the attacker’s objectives or capabilities. If employees are too open about their personal details on LinkedIn/Facebook/Twitter/FourSquare, an adversary may be able to profile an entire C-Suite without ever pinging an organization’s IP block.
c.    Remediation/Prevention Steps
·         Firewall ACLs can be utilized to block traffic from unwanted locations, or reaching sensitive areas.
·         To address reconnaissance using social networking sites, employee training can go a long way to help preventing too much information being released.
2)    Weaponize
a.    Step Overview
The second step of the cyber kill chain is an action of the attacker to take a payload, such as a Trojan or backdoor, and craft it into “weapon form”. By weapon form, the attacker needs a method with which to deliver the payload. These methods may include malicious document files, such as PDFs or MS Office documents, or malicious web sites set to execute code upon page loads.
b.    DFIR Artifacts
·   Artifacts of interest from step 2 would be the weaponized payloads that may be left on a compromised host. Artifacts of this type may include malicious PDFs, Office documents, compressed files, or actual executables delivered via step 3’s mechanism. Granted, Step 3 will be required to get these artifacts on the machine, but once on there, may provide a wealth of information. These artifacts will be utilized in subsequent steps as well.
c.    Remediation/Prevention Steps
·   As step 2 covers the weaponizing of a payload, remediation would be best efforts to prevent the execution of said weapon. This is more in line with step 4.
·   In an effort to catch weaponized malware, NIDS or NIPS tools may be used.

3)    Deliver
a.    Step Overview: While step 2 focused on the weaponization of a payload, step 3 is the actual delivery of said weapon. Methods of delivery may include an email with an attachment from step 2, a maliciously crafted website, or a strategically placed USB drive.
b.    DFIR Artifacts
·         The artifacts an analyst might be interested in from Step 3 will be dependent on the method of delivery. For a spear phishing email, analysts will want to analyze the email messages, including headers, attachments, source, etc. For malicious websites, collecting internet history artifacts, including cached HTML files, scripts, cookies, etc. will be important. If the delivery mechanism is something physical, such as a USB drive with AutoRun malware, then forensically preserving the drive becomes an artifact itself.
c.    Remediation/Prevention Steps
·         Employee training is a valuable step in preventing delivery of malware. While this is a pipe dream for some organizations, educating employees to be cautious of emails containing suspicious attachments or originating from unknown sources. Users should also be cautious when browsing the web, although sometimes even mainstream sites can be hit with vulnerabilities
·         Depending on the delivery vector, there are a multitude of technologies that can help. Endpoint USB protection can help prevent executables from running, and/or disabling Windows features such as AutoRun.
·         Email traffic monitoring, either via inline malware detection or endpoint detection, may help to find malicious files within emails. Also, these tools may be used to
·         Utilizing web proxies may help prevent users from visiting malicious sites. Proxies that ingest data sources like trusted sites and blacklisted IPs are a step closer to prevention.
4)    Exploit
a.    Step Overview: Steps 2 and 3 weaponized and delivered malicious code: Step 4 is the exploitation that allows the malicious code to run. If the delivery mechanism was a PDF, the exploitation may be a vulnerability that allows for JavaScript files to be run and subsequently download a Trojan.
b.    DFIR Artifacts
·         Artifacts of forensic interest for step 4 are going to be similar to step 2 and 3, and will involve the actual weaponized payload itself. Whether it’s a Java, Windows, Internet Explorer, Office, or Adobe exploit (to name some amongst many, many others), performing analysis on the malware may help determine information about the specific exploit(s) used.
·         Step 4 is also where an analyst may want to begin looking at system artifacts. While step 4 does not yet cover a full installation of the malware, system artifacts may yield information such as time of infection or steps that the user took to get infected (unknowingly, we hope). A timeline using a wide range of Windows artifacts (MFT, registry, internet histories, etc.) would be able to identify the time when the email arrived or USB drive was plugged in, and actions that occurred within the seconds (or milliseconds) afterwards.
·         Specific browser artifacts, including pages visited and/or downloads, may also yield information about the exploit.
·         The Windows registry hives (system, sam, software, security, ntuser, and usrclass files) may also provide unique information, such as data on removable drives, recent executables/files.
·         Link (lnk) and prefetch files may provide more information about executables around the time of exploit.
·         A forensic analyst may also, at this point, find themselves accessing logs on various servers – again, dependent on the method of delivery. Web-based exploits would have valuable information in web logs, proxy logs, and/or firewall logs. If the delivery method was email, the analyst may want to pull email information from the central mail server(s) to trace the source of the delivery.
c.    Remediation/Prevention Steps
·         A myriad of steps can help prevent against weapons successfully exploiting on a target host. Keeping software up to date, for example, is important given the number of vulnerabilities that exist in third-party software tools or document…readers.
·         Utilizing host-based intrusion detection and prevention tools, such as HIDS, HIPS, and/or anti-virus can help to protect against exploitation. These tools will also help remediate Step 5, which is the installation of the malware. Note that keeping these endpoint solutions up to date is also extremely important – anti-virus is only as useful as the signatures it knows!
5)    Install
a.    Step Overview: Step 5 focuses on the installation of the weapon from Step 2 via the exploit in Step 4.
b.    DFIR Artifacts
·         Now that the weaponized payload has been installed on the host, the file(s) discussed in steps 2-4 will now certainly be of importance. The analyst should try to capture any remnants of the malware, including executables and other dropped files. Sandboxing or reversing the malware can help analysts determine other artifacts to look for, as well as begin crafting countermeasures for Step 6.
·         More so than step 4, system- and disk-level artifacts are going to be valuable at this point in time.
o   The MFT can help paint when the malware was installed, and other artifacts that may have been Modified/Accessed/Changed/Born. The USN journal will also yield information about changes made to the volume.
o   Windows Event Logs may provide information about the install, and any Windows events that may have been triggered.
o   The components of the Windows registry are going to provide information about application install, keys created/changed/deleted, and persistence mechanisms. UserAssist, ShimCache, and MRU may also be valuable here, although not all will be affected by every malware.
o   Similar to Step 4, link and prefetch files may yield information about the executable(s) run to support the installation.
o   File (file://) entries in the index.dat will also provide local and remote file access.
·         A memory capture of an infected host may yield more information about the malware. Of course, it’s difficult to trigger a memory capture as soon as malware is installed on a host, however there is valuable data in the memory of an infected host.
c.    Remediation/Prevention Steps
·         By this point in time, the malware has successfully been executed on a host and has successfully “passed through” the intended exploit. HIDS/HIPS may be useful in prevention/detection, allowing the malware to get as far as attempting to install on the disk or make registry changes before it’s blocked.
·         If the malware is known, anti-virus software may succeed in stopping the infection at this point. It’s also possible that the malware went undetected up to this point, but a dropped executable or DLL file triggered a Quarantine.
·         Application whitelisting may also be useful at this level, preventing untrusted executables from running.
6)    Command and Control (C2)
a.    Step Overview: Perhaps the sign that many DFIR analysts are familiar with, Step 6 focuses on the beaconing of a compromised host to a C2 server. Once Steps 1-5 have been executed, the host is now likely compromised, and relays back to its C2 infrastructure for next steps.
b.    DFIR Artifacts
·         Artifacts from Step 5 are still going to be useful in this stage, especially if a host is actively beaconing the source of that beaconing has yet to be identified. Finding what is causing the beaconing should be a top priority.
·         If identified, the source of the beaconing should be captured and analyzed. Malware may have multiple C2 servers embedded and MD5 hash values may allude to other intel.
c.    Remediation/Prevention Steps
·         As with other steps, NIDS/NIPS solutions installed in an environment may be able to alert and detect or prevent against suspicious traffic. Other steps in the kill chain may have been successful thus far, however NIDS/NIPS may prevent C2 communications from reaching outbound.
·         If intel is gathered about C2 domains/IPs, firewall ACLs can be put into place to prevent outbound or inbound communication.
7)    Act on Objectives
a.    Step Overview
The final step of the cyber kill chain identifies that once an attacker has gained a foothold into an organization, their true objectives come to light. If an attacker compromised the laptop of a CFO, and the original target was next quarter’s financials, then this step represents the exfiltration of said data. Another type of objective may have been to infiltrate an entry point, and then move laterally throughout a network.
b.    DFIR Artifacts
·         Step 7 is not a fun place to be in the cyber kill chain, however from a forensic analyst’s point of view, it is sometimes the most fruitful. It may also be the most common. A large majority of artifacts discussed in previous steps can be useful at this step. Of course, understanding the motives of the attackers will denote how useful each one will be.
·         If the attacker was hoping to compromise an initial host and move throughout an environment, lateral movement artifacts will be useful at this step. This may include:
o   Remote Desktop Protocol (RDP) history
o   Windows Event Logs to identify failed/successful logins, logon types (remote, local, etc.), and other events
o   Windows Registry Hives to check for new Windows user accounts, user activity. Shellbags may also highlight lateral movement.
·         If the attacker was seeking to exfiltrate data, then a forensic analyst will want to look for evidence of files being removed from the system, or creation of new compressed files.
o   Newly-created, and oddly named compressed files such as RARs or ZIPs may differ from user behavior and resemble attacker exfiltration.
o   MFT entries may show new compressed files created
o   Prefetch and/or LNK files may show compression tools being utilized
·         An analyst will also want to again consult network logs available to detect outbound information. Network device logs may allude to exfiltration IPs/hosts, or even provide bytes out to determine how much data left the environment.
c.    Remediation/Prevention Steps
·         Again, remediation/prevention is going to depend on the attacker’s objectives. An unprotected system in a poorly-maintained environment is going to leak data without detection. That being said, maintaining proper network intrusion prevention/detection, host-based intrusion prevention/detection, anti-virus, and a responsive DFIR team will be useful.
·         More specifically, to block outbound communications, firewall ACLs can again be utilized to block communication.
·         User access controls and permissions can be useful in preventing damaging lateral movement.
Note that the preceding is, by no means, an exhaustive list. To pretend that infosec is the same as it was five minutes ago is a dream, and analysts should be prepared to be nimble. There is no single “do it all” tool that offers “push button” forensics and information security. But the right tools, when combined in the right environment, and with the right people, can go a long way in helping an organization keep its data where it should be.
Further Information: