Saturday, March 31, 2018

DFIR Analysis and EDR/MDR Solutions

There is only so much the DFIR analysis can do.

There it is, I said it.  And it's especially true when the DFIR analysis is the result of external third party incident notification, which we ultimately determine to come months after the incident originally occurred.

Some artifacts exist forever.  Until they don't.  Some artifacts are recorded and exist for an unspecified and indeterminate period of time...nanoseconds, microseconds, weeks, or months.  Processes execute, finish, and the memory they used is freed for use by another process.  Text files exist until they are deleted, and the last modification times on the files remain the same until the next time they're modified.  Windows Event Logs record events, but some event logs "roll over" more quickly than others; events in some may exist for only a few days, while events in others may exist for weeks or even months.  As time passes, artifact clusters corrode to the point where, by the time DFIR analysts get the data for analysis, their ability to definitively answer questions is severely hampered.

The 2017 Ponemon Institute Data Breach Report indicates an average "dwell time" (the time between initial breach and discovery of the breach) of 191 days.  The Nuix 2018 Black Report findings indicate that professional red teamers/pen testers report that they can target, compromise, and exfil data within 15 hrs.  Hardly seems fair, particularly when you consider that if legitimate, scheduled pen tests go undetected, what chance do we have of detecting an unscheduled, uninvited intruder?

Some artifacts are created, are extremely transient (although they do exist), but are never recorded.  An example of this is process command lines; if an adversary runs the "whoami" command as part of their initial attempts to orient themselves, that process exists for a very short time, and then the memory used gets freed for later use.  By default, this is not recorded, so it ceases to exist very quickly, and the ceases to be available a short time later.   The same is true when an intruder runs the command "net user /add" to create a user account on the system; the command runs, and the command line no longer exists.  Yes, the user account is created, so the results of the command persist...but the command line itself, which likely included the password for the account, is no longer available.  Finally, when the adversary stages files or data for exfiltration, many times they'll use rar.exe (often renamed) to archive the collected data with a password...the command line for the process will include the password, but once the command has completed, the plain text password issued at the command line is no longer available.

Several years ago, I was working a targeted threat response engagement, and we'd observed the adversary staging data for exfiltration.  We alerted on the command line used...it was rar.exe, although the executable had been renamed.  The full command line included the password that the adversary used, and was recorded by the EDR/MDR solution.  We acquired an image of the system, and through analysis determined that the archive files were no longer visible within the "active" file system.  As such, we carved unallocated space for RAR archives and were able to open the twelve archives we retrieved, using the password recorded in the command line used to archive the files.  The web server logs definitively illustrated that the files had been exfiltrated (the IIS logs included the requested file name, number of bytes transferred, and the success code of "200"), and we had several of the archives themselves; other deleted archives have enough sectors overwritten that we were not able to successful recover the entire files.

That's a great example of how an EDR/MDR solution can be so powerful in today's world.  Also, consider this recent Tanium blog post regarding the Samsam ransomware, the same ransomware family that recently hit the City of Atlanta...using the EDR/MDR solution to detect malicious actor activity prior to them deploying the ransomware, such as during their initial orientation and recon phase, means that you have a better chance of inhibiting, hampering, or completely obviating their end goal.

Finally, EDR/MDR solutions become budget items; I'm pretty sure that Equifax never budgeted for their breach, or budgeted enough.  So, not only do you detect breaches early in the attack cycle, but with an IR plan, you can also respond in such a way as to prevent the adversary from accessing whatever it is they're after, obviating compliance and regulatory issues, notification, and keeping costs down.

No comments: