Defending the Gibson in 2015

Similar documents
The story of Greendale. Turbinia: Automation of forensic processing in the cloud

GRR Rapid Response. An exercise in failing to replace yourself with a small script.

The story of Greendale. FOSS tools to automate your DFIR process

The story of Greendale. Turbinia: Automation of forensic processing in the cloud

GRR Rapid Response. GRR ICDF2C Prague Mikhail Bushkov, Ben Galehouse

GRR Rapid Response. Practical IR with GRR OSDF Darren Bilby, Joachim Metz - Google

These views are mine alone and don t reflect those of my employer

GRR Rapid Response. GRR CERN Mikhail Bushkov, Ben Galehouse, Miłosz Łakomy, Andreas Moser

Greg

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Novetta Cyber Analytics

RAPID INCIDENT RESPONSE

Important DevOps Technologies (3+2+3days) for Deployment

Rekall. Rekall Agent - OSDFCon Forensics. We will remember it for you wholesale! Michael Cohen

Fast Incident Investigation and Response with CylanceOPTICS

Rekall Forensic. We can remember it for you wholesale! Michael Cohen Google Inc.

Symantec Advanced Threat Protection: Endpoint

Free and Easy DFIR Triage for Everyone: From Collection to Analysis. Presented by Alan Orlikoski & Dan Moor

NIST Standards. October 14, 2016 Steve Konecny

Manage shots with a scriptable timeline for a collaborative VFX workflow.

esendpoint Next-gen endpoint threat detection and response

Free and Easy DFIR Triage for Everyone: From Collection to Analysis. Presented by Alan Orlikoski & Dan Moor

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

Hunting Adversaries with "rastrea2r" and Machine Learning

CYBER ANALYTICS. An Advanced Network- Traffic Analytics Solution

Resolving Security s Biggest Productivity Killer

9 Reasons To Use a Binary Repository for Front-End Development with Bower

Building a Threat-Based Cyber Team

LOGSTASH: BFD* Security Weekly: December 4, Phil Hagen. / +PhilHagen. *Big Forensic Data

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

RadiantBlue Technologies, Inc. Page 1

Developing and Testing Java Microservices on Docker. Todd Fasullo Dir. Engineering

Securing the Modern Data Center with Trend Micro Deep Security

Struggling to Integrate Selenium into Your Ice Age Test Management Tools?

Managed Endpoint Defense

Reducing the Cost of Incident Response

Building Scalable and Extendable Data Pipeline for Call of Duty Games: Lessons Learned. Yaroslav Tkachenko Senior Data Engineer at Activision

SentinelOne Technical Brief

Seven Habits of Highly Effective Jenkins Users

Sharing is Caring: Improving Detection with Sigma

He s Making a List We re Checking it Twice. Santa for Forensic Analysis

Machine Learning & Google Big Query. Data collection and exploration notes from the field

Contact Details and Technical Information

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

A New Model for Image Distribution

CNIT 121: Computer Forensics. 9 Network Evidence

Making Immutable Infrastructure simpler with LinuxKit. Justin Cormack

Installation and setup guide of 1.1 demonstrator

The paper shows how to realize write-once-run-anywhere for such apps, and what are important lessons learned from our experience.

VMware s (Open Source) Way of Container. Dr. Udo Seidel

Plug Me In Renzik, Autopsy Plugins Now And In The Future. Mark McKinnon

Forensic and Log Analysis GUI

what is cloud computing?

Our Turbine got Hacked! Performing Forensic Investigations of Industrial Control Systems

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

The tools used in the development of Life Is Strange

Qualys Cloud Platform

AccessData AD Enterprise Release Notes

What are we going to talk about today?

Tanium Incident Response User Guide

Enabling Distributed Event Management: Interoperability for Automated Response and Prevention. Sean Barnum George Saylor Aug 2011

Blackberry Error Message File System Out Of

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Multi-Arch Layered Image Build System

ovirt and Docker Integration

Most of the class will focus on if/else statements and the logical statements ("conditionals") that are used to build them. Then I'll go over a few

FROM CTI TO DFIR & BACK

KODO for Samsung Knox Enterprise Data Protection & Secure Collaboration Platform

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Migration and Building of Data Centers in IBM SoftLayer

Website Design and Development CSCI 311

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Defeating Forensic Analysis

I'm Andy Glover and this is the Java Technical Series of. the developerworks podcasts. My guest is Brian Jakovich. He is the

SentinelOne Technical Brief

THEHIVE, CORTEX & MISP

AccessData ediscovery 6.3 and Patches Release Notes

Privacy and Security in Online Social Networks Department of Computer Science and Engineering Indian Institute of Technology, Madras

JenkinsPipelineUnit. Test your Continuous Delivery Pipeline. Ozan Gunalp - Emmanuel Quincerot

Burning Down the Haystack. Tim Frazier Senior Security Engineer

Knative: Building serverless platforms on top of Kubernetes

AccessData ediscovery 6.3 and Patches Release Notes

How can you manage what you can t see?

DevOps Course Content

Welcome to Docker Birthday # Docker Birthday events (list available at Docker.Party) RSVPs 600 mentors Big thanks to our global partners:

CONTINUOUS INTEGRATION; TIPS & TRICKS

Zadara Enterprise Storage in

Notes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management.

Harbor Registry. VMware VMware Inc. All rights reserved.

Disk Drill by LaWanda Warren

DevOps Technologies. for Deployment

ForeScout Extended Module for Carbon Black

CYBER THREAT HUNTING DETECT ADVANCED THREATS HIDING IN YOUR NETWORK. A guide to the most effective methods.

What is NovelTorpedo?

Code42 Defines its Critical Capabilities Methodology

Empire Your best Friend to Secure

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Introduction to K2View Fabric

THE CPU SPENDS ALMOST ALL of its time fetching instructions from memory

Transcription:

Incident Response: Defending the Gibson in 2015 Darren Bilby - Digital Janitor dbilby@google.com ACSC 2015, Canberra

Incidents are Messy If it were business as usual you would have stopped it Attacker has a plan and they are trying to execute on it Need to track, find, and disrupt faster than they can move What did they do, why are they doing it, what are they going to do next? You probably don't have what you need centralized

Lessons Gone in 60 seconds Every second matters Every context switch hurts Every handoff to another operator reduces your chance of success Empower a small group of people with powerful customizable tools Hunch to confirmation in < 30 minutes

Lessons Flexible, failsafe tools Every handoff to another operator hurts

The Plan 1. 2. 3. 4. 5. 6. Artifact -> Hunt -> Fuse Create an artifact that includes all the logs and files we care about Hunt across our "fleet" for them using GRR Mount the results data using GRR Fuse Process the logs and files using Plaso Put them into a Timesketch visual timeline In <15 minutes Process Log Files Visualize Global Timeline

Open Source and IR at Google Forensics and Response Software Enterprise IR Small market, extremely complex software Google is a strange customer - scale, security, platform diversity All tools are broken. We can't wait for fixes Heavy investment over 5 years Everyone needs to level up Plaso - Forensic Log Parsing / Timelines Memory Forensics Framework Timeline Visualization Libyal - Forensic File Format Parsers, Disk Encryption etc

GRR Rapid Response Agent Based Distributed Forensics and Response Built because nothing else worked how we do: 30 analysts at once Scales to 200K + agents Stable, Customizable Mac, Linux, Windows agents Google sponsors 4+ full-time staff, other organizations also contribute full-time devs Sometimes compared to MIR, Encase Enterprise Python, C++, Protobufs https://github.com/google/grr

Console Web UI Workers Workers Workers Frontend Frontend Servers Frontend GRR Datastore Internet Agents Big Data Search Datastore

GRR Rapid Response Some Lesser Known Facts File and block based deduplication Collecting everything is cheap Artifacts are the new IOC (not really) Everything is scriptable Break-glass method to push custom code We have a FUSE layer

Data Flow Collect Logs & Binaries GRR Agents Mount from Datastore GRR Datastore Extract timestamps Fuse Mount Plaso Processing Ingest to Elastic View Results Elastic Search TimeSketch

Data Flow Collect Logs & Binaries GRR Agents GRR Datastore Mount from Datastore Extract timestamps Fuse Mount Plaso Processing Ingest to Elastic View Results Elastic Search TimeSketch

GRR Demo Time Hunting with Custom Artifacts http://goo.gl/bctwtm (https://www.youtube.com/watch?v=jciap0ub7ay) Full Demo, which covers the rest of the presentation.

Plaso Forensic Timeline Extraction for Everything Take a file or filesystem, or set of files and extract all time related information Protobuf, Python, C++ libraries Easy to customize input, output and parsers Lots of external contributors over 5 years (log2timeline) http://plaso.kiddaland.net/

Plaso Forensic Timeline Extraction for Everything Allows for bulk processing Goto tool for best forensic analysts Massive library of parsers Mac, Linux, Windows parsers Handles encrypted images Disks, Registry, Event Logs Browser history, Cache files System restore points.

Raw Source Files Plaso log2timeline Processing Protobuf Files Plaso psort Processing Output Plugin

Data Flow Collect Logs & Binaries GRR Agents GRR Datastore Mount from Datastore Extract timestamps Fuse Mount Plaso Processing Ingest to Elastic View Results Elastic Search TimeSketch

Plaso Processing Demo

Timesketch Collaborative Timeline Visualization/Filtering/Editing New visualization tool for Timeline data Fast filtering, annotation Collaboration on timeline Python + Elasticsearch http://www.timesketch.org/ https://github.com/google/timesketch

Data Flow Collect Logs & Binaries GRR Agents GRR Datastore Mount from Datastore Extract timestamps Fuse Mount Plaso Processing Ingest to Elastic View Results Elastic Search TimeSketch

Everything Else Trigger memory collection on NIDS alert flow.grrflow.startflow(client_id=client_id, flow_name="memorycollector", rdfvalue.memorycollectoraction(action_type='download') ) Push script for quarantining hosts flow.grrflow.startflow(client_id=client_id, flow_name="executepythonhack", hack_name='halt_network_hack.py') Search Memory for Signature flow.grrflow.startflow(client_id=client_id, flow_name="scanmemory", grep=rdfvalue.baregrepspec(regex=r'hack_the_g...!')

Summary

Open source tools for IR are extremely capable Liberally licensed with Apache - use what you want how you want Moving fast means having flexible, fast tools

Questions? dbilby@google.com github.com/darrenbilby/grrdemos docker hub: darrenbilby/grrdemo google.com/jobs :) github.com/google/grr github.com/google/timesketch github.com/forensicartifacts github.com/log2timeline/plaso

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback