The Five Point Palm Exploding Heart Technique for Forensics Andrew Hay The 451 Group
The 451 Group 451 Research is focused on the business of enterprise IT innovation. The company's analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments. Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research. The Uptime Institute is The Global Data Center Authority and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities. TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide. ChangeWave Research is a research firm that identifies and quantifies change in consumer spending behavior, corporate purchasing, and industry, company and technology trends.
Introductions Andrew Hay Senior Security Analyst, The 451 Group Author, Speaker and Blogger Coverage Areas: ESIM (SIEM & Log Management) IT-GRC Forensics & Incident Response Intrusion Detection/Prevention Macro research areas: [Nation State] Cyber Security & Critical Infrastructure Protection
What is this talk about? Forensics has traditionally been viewed as very system-specific. Only recently have external sources of corroborating evidence (off the target machine) been considered valuable by investigators. Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html
Essentially, we need less of this Image Source: http://preview.tinyurl.com/3wtpgre
And more of this Image Source: http://preview.tinyurl.com/3ux8bo6
Idea for this talk The idea for this talk came from Tarantino's Kill Bill, a two-part epic revenge drama. In it, martial arts master Pai Mei teaches The Bride a technique in which five pressure points on the victim's chest are struck, leaving the victim only a few footsteps before death. This technique is referred to as the Five Point Palm Exploding Heart Technique. Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg
So what are the five points? Data Reduction Network Forensics Corroborators Platform Forensics Orchestration
Point 1 Platform forensics Traditional forensics. No one will argue that the artifacts residing on the suspect endpoint hold lots of information: volatile memory, application artifacts and other footprints. One should be cognizant, however, of the other sources of information spread throughout an enterprise environment that do NOT reside on the target system. Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/
Point 1 Platform forensics: possible tools Platform Forensics
Point 2 Network forensics If a host needs to talk to the world, it needs to traverse the network. Likewise, if an attacker interacted with the machine remotely, there may be a trail on the wire even where the host's own records were altered. Sources: deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines. Image Source: http://www.imdb.com/media/rm2382076160/ch0001814
Point 2 Network forensics: possible tools Network Forensics
Point 3 Data reduction Feeds and sources of third party data that help analysts focus on the bad. Why look at what we know we don't need to look at? Get by with a little help from your friends: application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc. Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 3 Data reduction: possible sources Data Reduction
Point 4 Corroborators Helpers or sources of additional information Vulnerability & patch management Perimeter detection/protection Endpoint protection Change, configuration and policy management System management DLP, NAC, etc. Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 4 Corroborators: possible sources Corroborators
Point 5 Orchestration Tools designed to correlate, normalize and alert on enterprise information (not just security information). Central repositories of information are, well, central repositories of information! SIEM, log management, IT GRC, compliance management, etc. Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html
Point 5 Orchestration: possible tools Orchestration
What will it look like? Data Reduction Network Forensics Corroborators Platform Forensics Orchestration
The result? Many hands make light work; this is extremely true with regard to forensics. Evidence on a system can almost always be enriched by external sources of corroborating evidence. Hindsight is 20/20: deploy the collection now to help later. Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/
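The following is an added worked example, not code from the talk or from any vendor it mentions. It takes the five points literally: a platform artifact (a process execution), network flows from the same host, two data-reduction sources (an application whitelist and a feed of known-compromised address ranges, Point 3), one corroborator (a vulnerability-scanner finding, Point 4), and a small orchestration step (Point 5) that normalizes them onto one host/time key and correlates them into an incident record. Every host name, hash, address and finding below is constructed for illustration; the five-minute window is an assumed tuning value.

```python
"""Added example, not from the talk: one host artifact enriched with network
flows, third-party reduction lists and a scanner finding, then correlated
into a single incident timeline. Every record below is constructed."""
from datetime import datetime, timedelta
import ipaddress

# Point 1, platform forensics: process-execution artifacts from the endpoint (constructed).
HOST_EVENTS = [
    {"ts": "2011-06-01T10:00:05", "host": "ws-042",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "aaa111"},
    {"ts": "2011-06-01T10:02:10", "host": "ws-042",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "sha256": "bad999"},
]

# Point 2, network forensics: flow records keyed by the same host name (constructed).
FLOWS = [
    {"ts": "2011-06-01T10:02:12", "host": "ws-042", "dst": "203.0.113.7", "dport": 443, "bytes": 52000},
    {"ts": "2011-06-01T10:03:00", "host": "ws-042", "dst": "198.51.100.20", "dport": 443, "bytes": 1200},
    {"ts": "2011-06-01T10:40:00", "host": "ws-042", "dst": "203.0.113.9", "dport": 80, "bytes": 300},
]

# Point 3, data reduction: an application whitelist (hashes we never need to
# look at) and a feed of known-compromised address ranges (constructed).
APP_WHITELIST = {"aaa111"}
KNOWN_BAD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Point 4, corroborators: a vulnerability-scanner finding for the host (constructed).
VULN_FINDINGS = [
    {"host": "ws-042", "finding": "outdated browser plugin", "severity": "high"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def is_known_bad(ip):
    """True if the address falls in any range from the threat feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_RANGES)


def reduce_processes(events, whitelist=APP_WHITELIST):
    """Data reduction: drop executions of whitelisted binaries."""
    return [e for e in events if e["sha256"] not in whitelist]


def flows_in_window(flows, host, start, minutes=5):
    """Network flows from `host` in the `minutes` after `start` (assumed window)."""
    end = start + timedelta(minutes=minutes)
    return [f for f in flows
            if f["host"] == host and start <= parse_ts(f["ts"]) <= end]


def correlate(events, flows, findings, window_minutes=5):
    """Point 5, orchestration: one incident record per suspicious process,
    carrying the flows that followed it and the host's corroborating findings."""
    incidents = []
    for proc in reduce_processes(events):
        start = parse_ts(proc["ts"])
        related = flows_in_window(flows, proc["host"], start, window_minutes)
        incidents.append({
            "host": proc["host"],
            "process": proc,
            "flows": related,
            "known_bad_flows": [f["dst"] for f in related if is_known_bad(f["dst"])],
            "corroborators": [v for v in findings if v["host"] == proc["host"]],
        })
    return incidents


def orphan_bad_flows(flows, incidents):
    """Known-bad destinations that no incident explains: a lead to pull
    further endpoint artifacts for, not something to discard."""
    explained = {(f["host"], f["ts"]) for i in incidents for f in i["flows"]}
    return [f for f in flows
            if is_known_bad(f["dst"]) and (f["host"], f["ts"]) not in explained]


if __name__ == "__main__":
    found = correlate(HOST_EVENTS, FLOWS, VULN_FINDINGS)
    for inc in found:
        print(inc["host"], inc["process"]["image"], "->", inc["known_bad_flows"],
              "| corroborated by", [v["finding"] for v in inc["corroborators"]])
    print("unexplained known-bad flows:", [f["dst"] for f in orphan_bad_flows(FLOWS, found)])
```

Two design points worth noting. The whitelist is used to discard (we know we do not need to look at those executions), while the threat feed is used only to tag, because a flow to an address that is not on a feed is unknown, not known-good. And a known-bad flow that no host artifact explains is kept as its own lead (the 10:40 flow above), since that is exactly the case where the network record survives and the endpoint evidence is still to be found.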
The result? Vendors must strive to play together for this integration to work. Some vendors are starting down this path, but primarily to enrich their own data. WE need to teach non-forensics vendors the value of forensic data. WE need to teach forensics vendors the value of integration. Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg
The result? Image Source: http://en.wikipedia.org/wiki/file:clenched_human_fist.png
Thank You Questions? andrew.hay@the451group.com