June 20, 2006 - Forensics

by Dominique Brezinski

I am so relieved. It has finally happened: the forensic field is transitioning from techniques that satisfy the needs of law enforcement to techniques that satisfy the needs of everyone else. We are now seeing a focus on post-intrusion incident response versus seizure and disk analysis. The two areas are very different, and post-intrusion incident response actually has many more difficult technical problems by a large margin.

"post-intrusion incident response actually has many more difficult technical problems by a large margin."

The forensic track this year is pretty exciting. We have everything from a sophisticated overview of where incident response is going, advances in memory analysis, and incident response for web-based application compromises; non-traditional ways of digitally identifying people; and Johnny Long’s whimsical Death by a 1000 cuts look at all the places evidence can reside.

There are a lot of really cool and hard problems to be solved in the space of incident response and adversary identification. The presentations this year cover some important ones, and we hope a few of you walk away inspired to take a crack at few others.

  Web Application Incident Response and Forensics- A Whole New Ball Game

by Chuck Willis

In almost every attack that we have responded to in the last year, the attacker’s modus operandi involved web application compromises. Security teams are normally well-versed in network and host-based forensics but application level attacks—not too sure about that! In fact, most application attacks go undetected and are uncovered due to some other activity such as maintenance or upgrades. We have tried to put together guidelines and techniques for developers to incorporate in their code to help detect such attacks and security folks to respond to such attacks when detected.

  You are What You Type: No Classical Computer Forensics

by Dr. Neal Krawetz

My talk, "You Are What You Type", covers some of my research on anti-anonymity technologies. I'll show you techniques for telling if two documents are likely written by the same person, how to better guess gender and nationality, and even how to determine physical attributes like left/right handed, if someone is sitting too close to the monitor, and where their mouse is located. I'm including many real examples that cover the gambit from spammers and phishers to computer viruses and online dating.

  Death By 1000 Cuts

by Johnny Long

In this day and age, forensics evidence lurks everywhere. The task presented to modern forensics investigators is a daunting one. During this talk, you'll slip into the shoes of an uber-agent hot on the trail of the illustrious Knuth from the Stealing the Network series. Haven't read the latest installation? You should. How would YOU catch a guy that MELTED his hard drive platters and sanded down all his CDs? Where's the evidence? That's the question of the hour. Answer it correctly and you could win any number of cool prizes.

Now that the talk description you can show you boss is out of the way, what's this really about? Think of it as the hacker's version of "Where's Waldo?". You'll laugh. You'll learn. You'll cry when you realize the answer was staring you right in the face. You'll scream when you're caught in the mosh pit of the full-on frenzy of the bonus prize rounds. Forget Waldo. This is HALO 2 meets hacking. Get your game on. Got no coordination, no reflexes, no skillz, and no eye for detail? Come anyway.

Come have some fun, and learn how the feds put the smack down on even the most paranoid among us.

  The State of Incidence Response

by Kevin Mandia

If Bruce Springsteen did computer security, he would definitely excel at performing Incident Response. Choicepoint, Lexis-Nexis, Bank of America, and then several thousand unnamed victims. I am curious, how many companies in the Fortune 500 are currently hosting a digital cocktail party for foreign intruders?

They say:
Every major financial institution has been exploited by attackers. All outsourced software is being made with backdoors. Every developed nation is creating cyber-warfare capabilities. Firewalls, IDS, and anti-virus are not as effective as consumers thought. There are hundreds of non-publicly available exploits in use right now. 5% of all people are innately evil. Hmmm.

How do we confirm any of these if our incident response skills are not as advanced as the adversary?

There are too many safe harbors for attackers to launch attacks without regards to their own well-being. As long as these safe harbors exist, bad things will happen. Paying for remediation is like buying a very expensive candle. You light it, it looks pretty, you are glad you have it. But when it burns out, you have nothing. At the end of 90% of the remediation efforts companies implement, the attackers regain their foothold.

Hey Uncle Sam—please spend less brain power trying to legislate and regulate information security, and more time using diplomatic channels to alleviate the onslaught of the attacks coming from the safe harbors of the world. Could you at least send an official "time out" request to attackers in Russia and China during Christmas and Easter?

Attribution for online incidents is getting more difficult. We are having more difficulty determining who is perpetrating intrusions into US firms, primarily because of self propagating intrusions.

We need international cooperation to solve international problems. Russia, Romania, China - feel like pitching in?

Recently, I saw a situation where a company had outsourced their customer service application at a web-hosting facility and it was compromised by the W32.Spybot.Worm. Disaster ensued. I am witnessing very costly responses, with the loss of client data being of critical concern.

I have responded to over 50 computer intrusions in the last 4 years. Anti-virus warned of eight of these events. I think the technology that tries to protect us from an infinite amount of signatures may have to change its marketing to "We do the best we can, and protect you from being low-hanging fruit." I cannot wait to hear the AV companies say they have functional flow signatures as well. Then we will not be able to remotely administer our systems.

In September of 2005, an attacker had 11 portable executable files in his grab bag arsenal. Guess how well anti-virus did detecting this malicious code. 0-11. Why? Well, it will be a long time before AV products flag Microsoft tools as viruses or malware.

After review of the system time/date stamps, we noticed anomalous activity potentially accessing 50 credit card files. The indicators of compromise were all originating from foreign domains. Are we storing anything encrypted nowadays? And if so, in how many locations is the encrypted data stored on the same media in an unencrypted manner?

I think it's time for companies to continue their proactive stance on security, but couple it with a reactive approach and even be "proactively reactive" (some strange way, that makes sense to me)

I've witnessed a number of panicked customers when they find out they've been compromised. Plan first, to include planning your reaction to incidents.

Wouldn't it be cool to develop an automated technique for companies to capture necessary data immediately following an incident before the audit trail is unintentionally/intentionally corrupted by poor incident response techniques?