
DFIR — Don't Forget Your Roots!

BSides London | 14:02 | 355 views | Published 2022-01
Tags: Category: Technical; Style: Talk

Yeah, perfect. Okay, so hi all, Cyber Seb Haig. My talk's called "DFIR: Don't Forget Your Roots". If you thought you were coming to a talk about how to detect pivoting on Linux, you've been catfished; it's not about that, so I apologise if that is the case. What I'm covering today is my first few years of IT experience as a sysadmin, probably a very distinctly average one at best, and how those skills in essence helped drive me forward to where I am as a digital forensics and incident responder at the minute. The talk goes into the skills I used, from lab building to network redesign, and how that in essence helps me in incidents on the fly, from an end-to-end process, rather than just sticking to recommendations and leaving the client be.

Okay, so the agenda I'm going to cover today: who am I (obviously, in case you've met me before), my path, so how I got to where I am today, any skills gained, and in particular skills gained outside of digital forensics, skills gained prior to getting into this specific field within IT. Then I'm going to go through a mock-up scenario, just to give a bit of context, a pretend incident that we can cover today, and then I'm going to cover how previous skill sets that I utilised and learned prior to my time within digital forensics have helped me in various incidents. We'll then go on to any questions that you have, and hopefully it will be nice and I can get a beer after this.

Anyway, so who am I? I'm currently a DFIR consultant within Trustwave's SpiderLabs team. I'm also the Blue Team Level 2 Advanced exam author and the Blue Team Level 1 exam developer. I love all things infosec and system engineering, and if you do see me in the pub later and did enjoy the talk, I'll take a double spiced rum and Pepsi Max with a slice of orange, please, if that's okay.

Okay, quick disclaimer, general lawyer stuff: everything I do say within this represents my opinion and doesn't represent the organisation I work for, which is Trustwave.

Okay, so my path. Where I started, what seems like quite a long time ago now, when I was a bit younger: in 2013 I joined the Royal Air Force as a Cyberspace Communications Specialist, which is a really long name for IT admin, pretty much. A few years after that I moved over into a senior security analyst role, and that role was probably quite vague; it involved system engineering, IDS configuration, SIEM architecture. In essence it was very much jack of all. I then left the Royal Air Force and joined a Vodafone CERT team, where I enjoyed just less than a year, and came to where I am now at Trustwave SpiderLabs.

So the key bit about this is skills gained in my time prior to coming into digital forensics and incident response. The key skills I gained during that time period were Windows and Unix administration, network configuration and design, lab development and building, and the big bit I just want to highlight again and again: problem solving. I find it's something that's quite often lost, in my opinion, with a lot of digital forensics now. You get a problem, you can't run a tool over it, how do you get around that? Coming from a sysadmin background, problem solving is very much a day in, day out job, especially dealing with users. And there's the other generic sysadmin stuff, so AD configuration, in addition to a variety of others.

Okay, so what I'm going to do now, just to give a bit of context, is cover Company XYZ, and this is almost like a mock incident that I'm trying to highlight in this brief. So Company XYZ have been affected by a domain-wide compromise. We've seen a vast amount of command and control beaconing leaving the network. We found out that they built a flat network, so there's in essence no segregation; the layer 3 devices have weak passwords and don't lock out, and unfortunately all the sysadmins are off work. They also have insecure REST APIs connecting to a database that contains PII data. That's a bit of context, an incident that I believe you could come into day to day. I quite often find that flat networks are in place, there's a lot of command and control beaconing, and domain-wide compromise is obviously the end goal for most threat actors nowadays.

So, channelling my inner sysadmin, there's a few skills that can help me within this incident. What I'm going to cover first is a generic overview of handling an incident. Number one is level the playing field: you have to think like an admin. I can guarantee the attackers are always thinking like admins; if anything, they're probably better than the admins quite often. So keep current: instead of forgetting your skill sets and not reverting back to them and only focusing on forensics, go back and build systems, build applications, learn about them, learn about the logs they develop. What that does mean is that when you're on calls with clients or with your internal team, you can find faster recommendations. Instead of dropping off the call and speaking to them two hours later, you can find an instant recommendation, and obviously time is of the essence when you're dealing with incidents.

Quite often when handling an incident, like I said, there's a flat network, and if you come from a background where you were the network admin and understand how to segregate, that's something you do very much on the fly, so it's almost network architecture at speed for a client quite often. And I do say it's quite a tough one, because I know a lot of the time responders say, oh, that's the network architect's job, but within large organisations quite often architects don't have the time to deal with a sub-organisation or a small portion of the network. That's something as an incident responder you can deal with on the fly during an incident.

The next one, where skill sets help me, is forensic collection. So imagine a Windows domain and you've got, I don't know, 250 assets that you want to collect data from, and there's no EDR tooling, which is something that you can come across quite often. The last thing you want to do is run a phase one collection tool such as KAPE, for instance, on all 250 assets and then manually upload all of those to a file server. So instead you can work with the sysadmins, work with the teams, and put together an automated way to do that.

Okay, so the next one. We know that Company XYZ have got, in essence, C2 beacons all over the shop. They're consistently used by threat actors, and I found a few years ago I didn't fully understand C2, the infrastructure and how it works. I didn't understand what's within the art of the possible when utilising that, and how easy they are to use. So instead of just not understanding that, I find the best way to understand it is to build it. So you go away, you build a PoshC2 server, you build a Cobalt Strike with a genuine licence, and then you understand how easy that is to use and how easily threat actors can dump passwords, laterally move, set up a proxy.

Okay, the next one. I think this is almost an ongoing task as a forensic investigator that you should be doing all the time, and it's understanding applications. Within large organisations you quite often come across bespoke and unusual applications, and quite often the foundation is still the same. So instead of just dealing with that at the time, if you have spare time, build applications, look at the logs they develop, look at how they communicate, look at the APIs they utilise, and once you understand that, when you come into an incident it actually gives you a foundation to understand the incident more and react to it quickly.

Next one, so APIs, sort of "WTF". I really didn't get these when I first heard about them; they boggled my mind. I know they're used widely, and I think they're hard to understand, how they're used properly, in my opinion, if you haven't utilised them widely or built them, and they're often misconfigured. A lot of incidents you see now out in the wild are public-facing APIs which threat actors compromise, or they'll find, and they might be connected into a database somewhere. So what I did to get around that: I had a big incident, I can't go into the details of that, but I was very confused as to how it worked. So instead of just sitting there and trying to understand the logs, what I did was I set up a web server and I set up a Microsoft SQL database and actually configured the REST API service to pull data from the database, and that helped me understand much more how APIs can work and how they can be misconfigured, because mine was very badly misconfigured. And yes, that's in essence the four big stages covered for me.

So the next bit, and this is the quote that I'd like to end my brief on; I apologise, it's probably a bit shorter than expected, but in essence: you've got to see it to be it. So what I'm saying there is, instead of just looking at stuff and not understanding it, build it, design it, test it, break it, as a sysadmin would. As a forensic investigator that helps you understand that environment much more. Okay, I apologise, that's probably a bit shorter than expected, but are there any questions?

So the question there was how often do responders get training on application security. So I personally haven't had much training on application security; anything I do know about it has been self-taught. I know with SpiderLabs they're big advocates for learning consistently, and we do have a very good pen test team who we can go to for that. I'm quite new to the team so I haven't done much of that just yet, but I personally haven't had much training around that. Are there any other questions?

So I know within a previous organisation they came up with quite a smart solution, and I won't go into the details of that, but in essence what it did was, if you were to do it with native REST, for instance, they went via proxies and utilised S3 buckets, in essence just putting objects into S3 buckets. Oh, I can, okay. So within the organisation, how it actually worked is there was wide use of Azure blob storage across the entire organisation, and all the proxies allowed all traffic to, in essence, this organisation's Azure cloud. So the way to get around that within the organisation was a very, very good admin, who unfortunately is in the room today, put together a PowerShell script. In essence what it did was just use the HTTP port to place artifacts up into the cloud, and from there what we did was we actually mounted that storage within virtual machines in Azure. What that meant for us at the time was it in essence halved the time it took us to analyse incidents, because instead of uploading the data to an SFTP server and then downloading it, what we could do is upload it, mount that storage and begin analysis right away, and then only download the artifacts that are really relevant.

So I'm gonna be completely honest with you, I actually almost fell into IT security within the Royal Air Force. In essence my old boss came to me one day and he said, "Oh Seb, can you use Linux?" I was like, "Yes." "Oh, perfect, you're perfect for this job," and it turns out I enjoyed it. It's where I am today, and that was my first actual exposure within IT security. On my first day at work they in essence gave us a big server stack, a lot of licences, Firepower, Splunk, and told us to just build a SOC. So I was very much baptised in fire, and that was split between two of us, and so what we did was we built a SOC, and I broke the SOC, and then I fixed it and broke it again, and I found that steep learning curve helped me get where I am today. It's that problem solving, and during incidents quite often, the fact I can utilise a SIEM, I can speak to clients about their SIEM architecture and network architecture as well as doing the forensics, is invaluable in my opinion.

So I think it's all dependent on how you learn. I personally learn by doing. I'm a big advocate for a friend of mine, Josh Beaumont, who runs Blue Team Labs Online, and that platform in my opinion is basically Hack The Box for blue teaming, and it's gamified, so that's potentially the first place I'd go. I know Immersive Labs too. I personally just learn by doing, and I think a lot of incident response is communication, and in my opinion if you're good with people, and I mean you update a client like you're doing that right, the rest of it is getting the technical facts back to the client as fast as possible. So gamify it, I guess, is the answer. Any other questions? Okay, thank you very much. [Applause]
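The collection pipeline described in the talk and the final Q&A answer (run a triage collector across a few hundred hosts, push the archives into cloud storage, mount that storage from an analysis VM and pull only what matters) needs one piece that neither passage spells out: proof, at the analysis end, that every archive arrived intact. The following Python is an added example, not code from the talk or the admin's PowerShell script. It assumes a `collector(host, out_dir)` callable standing in for the real per-host triage tool (KAPE run remotely, for instance), a local directory standing in for the mounted blob storage, and constructed host names and archive contents; `fake_collector`, `run_collection` and `verify_against_storage` are names chosen here, not from any tool.

```python
"""Orchestrated triage collection with an integrity manifest (added example).

Assumptions, not from the talk: collector(host, out_dir) stands in for the real
triage tool; the "mounted storage" is a local directory; hosts and archive
contents are constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash so multi-GB triage archives are never loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_host(host: str, staging: Path, collector) -> dict:
    """Run the collector for one host and record every archive it produced.
    Failures are recorded, not raised, so the run finishes and the manifest
    lists which hosts still need chasing."""
    out_dir = staging / host
    out_dir.mkdir(parents=True, exist_ok=True)
    try:
        collector(host, out_dir)
    except Exception as exc:  # per-host error: keep the whole run going
        return {"host": host, "status": "failed", "error": str(exc), "artifacts": []}
    artifacts = [
        {"name": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(out_dir.iterdir()) if p.is_file()
    ]
    return {"host": host, "status": "ok", "artifacts": artifacts}


def run_collection(hosts, staging: Path, collector, workers: int = 25) -> dict:
    """Collect from all hosts in parallel; write manifest.json beside the data."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: collect_host(h, staging, collector), hosts))
    manifest = {"hosts": results}
    (staging / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_against_storage(manifest: dict, storage_root: Path) -> dict:
    """Re-hash each artifact as it sits in the mounted storage and compare.
    mismatch = truncated or altered in transit; missing = upload never landed."""
    report = {"verified": [], "mismatch": [], "missing": []}
    for entry in manifest["hosts"]:
        for art in entry["artifacts"]:
            rel = f"{entry['host']}/{art['name']}"
            path = storage_root / entry["host"] / art["name"]
            if not path.exists():
                report["missing"].append(rel)
            elif sha256_file(path) != art["sha256"]:
                report["mismatch"].append(rel)
            else:
                report["verified"].append(rel)
    return report


def fake_collector(host: str, out_dir: Path) -> None:
    """Constructed stand-in for the triage tool: one archive per host."""
    if host == "ws-013":
        raise RuntimeError("remote management unreachable")  # constructed failure
    (out_dir / f"{host}_triage.zip").write_bytes(
        f"constructed triage archive for {host}".encode()
    )


def demo() -> dict:
    """End-to-end run on constructed data; returns a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        storage = Path(tmp) / "mounted_storage"
        hosts = [f"ws-{i:03d}" for i in range(1, 6)] + ["ws-013"]
        manifest = run_collection(hosts, staging, fake_collector)
        shutil.copytree(staging, storage)  # the "upload" to mounted storage
        # Constructed transit faults: one archive truncated, one never arrived.
        (storage / "ws-002" / "ws-002_triage.zip").write_bytes(b"truncated")
        (storage / "ws-003" / "ws-003_triage.zip").unlink()
        report = verify_against_storage(manifest, storage)
        return {
            "failed_hosts": [h["host"] for h in manifest["hosts"] if h["status"] != "ok"],
            "verified": len(report["verified"]),
            "mismatch": report["mismatch"],
            "missing": report["missing"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written at the point of collection, before anything crosses the proxy, so the hash an analyst checks on the mounted storage was produced by the collecting host, not by the storage layer; a failed host is a manifest entry rather than a crashed run, which is what you want when the sysadmins who could fix it are off work.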