Monday, July 2, 2012

DFIR SUMMIT - Through the Eyes of a Summit Noob

What Did I Learn?
When asked about our experience of the SANS DFIR Summit (slides are here), we all have different opinions and views on what we learned and what we experienced. We digest the material differently and come to different conclusions on what was taught and what happened. For me this is no different: I walked away from this conference with a lot of knowledge from different aspects of the Summit itself. The Summit also showed that the community has a strong representation of women forensic specialists.

Technological Knowledge

This Summit appeared to focus heavily on forensics research, with a heavy emphasis on Mac, cloud and registry research. There were a few presentations that seemed to step slightly out of that scope, which tied in with personal development and relationship building.

The first morning keynote was presented by Detective Cindy Murphy, and it was a discussion on how the field is changing, the different perceptions that exist, and how to bring them together to form a more complete vision of our future. She talked about having 6 “Monks” that lead her abilities to understand different aspects of the field, and how to keep key things in perspective. This allows me to also consider my “Monks” and how they impact my development and interests as I become more specialized in my career focus.

I next attended Alissa Torres' presentation on Reasons Not to “Stay in Your Lane”, which discussed that as forensic investigators we need to understand offensive and anti-forensics techniques so we can better understand what happened during a compromise. Alissa made good points on how different offensive techniques can be masked to appear as if they were done by legitimate users, and we need to be trained to understand how these tools can be used. From her session I realized that in order to analyze a breach or malware infection, it would be beneficial if I understood the tools and techniques used to cause the breach or the behavior of the malware. She also showed how different incident response tools could be used maliciously and how their use might be dismissed as a false positive.

I sat in the panel discussion on how to Build and Maintain a Digital Forensic Lab. This discussion jumped into the experience of different professionals that have faced the challenges of building out a lab in different environments and how they proceeded. It talked about the capabilities and uniqueness that each lab could have, as well as some concerns with them. Walking out of this presentation I had a few pages of notes on what it takes to get the conversation started with management to get a lab looked at, and on how the process of reaching the capabilities of a fully functional high-end lab takes time. You need to understand the business need for it, and show the company that the cost involved in the lab is a good investment. Until you can start showing the ROI, the capabilities within the lab will be limited and you will need to work diligently in building out your practice.

I also sat in Christopher Pogue’s Sniper Forensics v3: Hunt this year. I was lucky to catch v2 last year at GFirst, and Chris did an excellent job building off of it. The high-level overview of this presentation is that the amount of data we look at in an investigation can be overburdening and time consuming. We need to learn to define a scope and focus on it. As we find other outlying information we can add that to our investigation and then expand the scope. Once we have found our primary targets in our scope we can then spread out to other machines that show the same indicators and remove them. This allows us to find infections that are not traditionally being picked up by known “malware detection” options.

At the end of the first day there were the SANS 360 talks, with a lot of good 6-minute presentations that talked about different tools and resources for DFIR analysis. Corey Harrell gave a brief overview of different metadata behavior artifacts for finding fraudulent Word documents. Cindy Murphy showed how to understand and use Child Victim Age Estimation based on proven training. Harlan Carvey and Alissa Torres both talked about the numerous artifacts that can be found in Windows 7 and the value of the Registry, UserAssist, VSCs and Shellbags.

Harlan Carvey started the second day of the event off with Windows 7 Forensics, showing what has changed from previous versions and how this information can be used during investigations. The artifacts that he brought up in his talk are the same artifacts that analysts and investigators should be looking at and understanding during investigations. These artifacts go to show what the user did and the impact on the system. Harlan also touched on some artifacts in Windows 8 that I have also been researching.
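The UserAssist values mentioned in the SANS 360 talks and in Harlan's Windows 7 session are a good illustration of why these artifacts need parsing rather than just reading. The following is an added example, not code from the Summit talks or from RegRipper: it decodes the ROT13-obfuscated value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count and unpacks the 72-byte Windows 7 value data (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at offset 60, per Didier Stevens' published research). The sample value name and data below are constructed for the example; the function names are my own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 UserAssist "Count" value layout (assumed from public research, not from this post).
WIN7_RECORD_LEN = 72
OFF_RUN_COUNT = 4      # DWORD: number of times the program was run
OFF_FOCUS_COUNT = 8    # DWORD: number of times the window received focus
OFF_FOCUS_TIME = 12    # DWORD: total focus time in milliseconds
OFF_LAST_RUN = 60      # FILETIME: last execution, UTC

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name):
    """UserAssist value names are stored ROT13-encoded; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(filetime):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC; zero means 'never'."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_win7(value_name, data):
    """Return a dict of the fields an examiner would report from one Win7 UserAssist value."""
    if len(data) != WIN7_RECORD_LEN:
        raise ValueError(
            "expected %d-byte Windows 7 record, got %d bytes" % (WIN7_RECORD_LEN, len(data))
        )
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, OFF_RUN_COUNT)
    (last_run_ft,) = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    return {
        "program": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def build_sample_record(run_count, focus_count, focus_ms, last_run):
    """Constructed sample data in the Win7 layout (not a real registry export)."""
    return (
        b"\x00" * 4
        + struct.pack("<III", run_count, focus_count, focus_ms)
        + b"\x00" * 44
        + struct.pack("<Q", datetime_to_filetime(last_run))
        + b"\x00" * 4
    )


# Constructed sample: ROT13 of "{6D809377-6AF0-444B-8957-A3773F02200E}\Notepad++\notepad++.exe"
# (the leading GUID is a Windows 7 known-folder ID, which ROT13 also scrambles).
SAMPLE_NAME = r"{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkr"
SAMPLE_LAST_RUN = datetime(2012, 6, 26, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_record(7, 3, 120_000, SAMPLE_LAST_RUN)


def demo():
    return parse_userassist_win7(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The length check matters in practice: Windows XP stored a 16-byte record with the run count at offset 4 and the FILETIME at offset 8, so feeding an XP value into the Windows 7 parser would silently produce garbage instead of a clean error.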

I also attended Nick Harbour’s presentation on Anti-Incident Response techniques, which showed how different techniques can be used to appear like normal behavior on a machine. Overall some of the same techniques as Alissa described, but Nick’s presentation covered in much more depth the anti-incident response techniques that he has encountered. Some of these techniques include hiding from running process lists, hiding network connections, process injection and thread hijacking. Nick did an outstanding job presenting actionable anti-incident response techniques that we should be aware of.

My final presentation that I sat in was by Mike Viscuso, and it was a discussion on how the current incident response model is quickly moving to the state of not being maintainable. It is important at this time to understand that Mike is the CEO of CarbonBlack, an application that allows a more focused approach to this. Mike did a very good job of keeping CarbonBlack out of the presentation, and I think he took a beating in doing so. According to NetDiligence, the average cost of forensics analysis during a breach is around $200,000. An example that he used was the Citadel package and the deployment cost. For 5 breaches it would cost an attacker $3,500, but it would cost the defender over $1,000,000. An attacker is able to do almost 1409 attacks with the Citadel package before he would be at the $200,000 price tag our first breach cost to respond to. It becomes a game of whether we can continue to afford to spend so much on forensics when there are options available to decrease the investigation. Mike talked about how we use security cameras in the retail world to help isolate and detect points of interest to analyze. By adopting more of a traditional approach with the correct tooling we can decrease the impact of the forensic cost.

Personal Knowledge

What I learned personally from the conference is that being with like-minded people can help foster personal growth and understanding on a topic.

As a presenter I learned that being asked to speak is a great opportunity to share your knowledge, and at that point in time your audience is there to hear you. As a presenter you need to remain calm and collected. You need to make sure that you have enough slides in your presentation to go longer on a talk, because until you get used to presenting you will speed up and end your talk early. I also realized that we are the hardest critics on ourselves, but the support of the staff and fellow presenters is incredible.

I learned that I could go outside my comfort bubble, meet people that I admire and look up to as professionals, and carry on a conversation. I learned that my research is valuable, and that at times I shoot for the moon in what I offer: for example, when I presented a few weeks back on FileHistory, not only did I do a webcast, I released a RegRipper plugin to extract the data, and I released my research. I have learned that it is OK to have a core group of trusted individuals to share data with, and that open communication is important.

The personal growth that I was able to achieve at this conference will help me in both my professional and educational growth because it has strengthened my conviction that this is where I want to be. This is the career I want, and this is the community I want to be active in.

A special Thank You to Rob Lee and the entire SANS staff for putting this together. It was an incredible event and one that I plan on coming back to.

** This was originally written for school. I was going to do something else for the blog, but thought it expressed what I was thinking very well. **
