Monday, October 20, 2008

Thoughts on 2008 SANS Forensics and IR Summit

Last week I attended and spoke at the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. The last SANS event I attended was the 2006 SANS Log Management Summit. I found this IR and forensics event much more valuable, and I'll share a few key points from several of the talks.

  • Steve Shirley from the DoD Cyber Crime Center (DC3) said "Security dollars are not fun dollars." In other words, what CIO/CTO wants to spend money on security when he/she could buy iPhones?

  • Rob Lee noted that an Incident Response Team (IRT) needs the independence to take actions during an emergency. I've called this authority the ability to declare a "Network State of Emergency" (NSOE). When certain preconditions are met, the IRT can ask a business owner to declare a NSOE, just like a state governor can declare a state of emergency during a forest fire or other natural disaster. The IRT can then exercise predefined powers (like host containment, memory acquisition, live response, etc.), acting under the business owner's authority without coordinating in the moment with IT or other parties. Rob also mentioned that SleuthKit 3 would arrive soon; it was released yesterday. Rob shared the idea that sharing IR information resembles the full disclosure debate.

  • Mike Poor from the newly renamed InGuardians provided the following advice when asked "what logs should we collect?" He responded: "Collect the logs to tell the story you want to tell." I thought this was a great response. Some enterprises don't want to tell a story. Some only know the middle, by virtue of being in the midst of an intrusion. Those who collect data that validates a successful resolution of an intrusion can tell the end of the story. Those with mature visibility and detection initiatives can tell the beginning of the story as well. Furthermore, during lunch Mike suggested I read Ed Skoudis' WMIC articles to understand the Windows Management Instrumentation Command-line (WMIC).

  • Aaron Walters from Volatile Systems and Matt Shannon from F-Response announced that F-Response 2.0.3 can remotely acquire memory on target systems. Aaron mentioned that intruders have dynamically injected malicious code into processes, like Web servers, to offer one-time-use URLs that don't exist on disk. Aaron also noted cases where a system reports it is patched, but because of a driver conflict the system is really running vulnerable software. Aaron provided a short demo of Voltage, a commercial enterprise product for investigations. Aaron used the MIT Simile Timeline application to outline time series data visually.

  • Harlan Carvey cited Nick Petroni while defending the collection of memory on targets: "collecting memory now lets us answer new questions later." He said he sometimes arrives at a client site where all victim systems have been reinstalled and no logs are kept, yet the customer wants to know what happened.

  • Ovie Carroll, now Director of the Cybercrime Lab at the U.S. Department of Justice Computer Crime and Intellectual Property Section, said he has been briefing judges on the need to collect volatile data during investigations. He said DoJ has to be ready to answer a defense attorney who says "by pulling the plug on my client's computer, you destroyed exculpatory evidence!" Ovie emphasized the importance of developing an investigative mindset in analysts, not simply concentrating on "data extraction." After his presentations we discussed how future investigations may have very little to do with individual PCs, since most of the interesting evidence might reside on provider applications and networks.

  • Mike Cloppert ruffled a few feathers (justifiably so) by stating "the advanced persistent threat has rendered the classical IR model obsolete." In other words, persistent threats make it difficult to start over when there is no end. Mike emphasized the need for "indicator management" and that "intelligence drives response." I agree; without having investigative leads, identifying intruders can be very difficult.

  • Eoghan Casey and Chris Daywalt warned against early containment and remediation during an incident. Do we want to disrupt an intruder or eject him?

I believe my keynote on day 2 went well. Rob stated he plans to hold a second conference in July near Washington, DC next year, so I look forward to attending it.

7 comments:

H. Carvey said...

...could have sworn someone said something about the Windows Registry... ;-)

Unknown said...

"Security dollars are not fun dollars."

I simply have to grin at that, since those sound like fun dollars to me!

I like Rob Lee's (and your) idea of the IRT having some ability to act on behalf of a business owner. However, I wonder just how dire the situation would need to be before a business owner approves potentially taking down critical services even for a short time? Or how many times the IRT might have overstated the concern. Or, god forbid, whether the business owner has any impending doom (jail, fines) hanging over their head as incentive to err on the side of security. Or possibly how many mistakes are made because of lack of coordinating with IT (whoa whoa, you didn't know the implications of taking down that database server dirty?!).

Still, the idea does feel good.

davehull said...

Thanks for posting this. I wanted to attend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 event, but scheduling prevented it.

Anonymous said...

This comment has been removed by a blog administrator.

Anonymous said...

This comment has been removed by a blog administrator.

Anonymous said...

This comment has been removed by a blog administrator.

Anonymous said...

This comment has been removed by a blog administrator.