
DFIR - Are We There Yet? - James Phillips

BSides Exeter · 39:19 · Published 2024-10

All right, good morning everybody. That was a great keynote, really good. The good news is we're going to start with a light one; I'm not going to start super technical. This talk today is a conversation I have with my colleagues all the time, so I wanted to broaden the discussion, bring it to BSides and show some of the newer people to the industry what we've been dealing with and where we come from, and maybe for some of the experienced people here, you know, you're not alone, other people are going through the same things you're going through. So I'm James Phillips, and as you can hear I'm Canadian. As of May I moved to the UK, and as of July I'm still homeless; it takes forever to purchase a house in the UK. But I have over 20 years' experience in incident response, digital forensics and security architecture. I apologize in advance if you do see any errors, because like I said I'm currently living at a hotel, so a lot of this is done on the run and with spotty Wi-Fi, but I'm thoroughly enjoying my time in the UK so far.

So I always start off with why BSides, and the first part is it fosters learning and sharing ideas. There's no marketing pitch. I'm not giving you a marketing pitch, nobody here will give you a marketing pitch; vendors are clearly outlined over there. So I encourage you to participate and learn. I love that. I go to a lot of conferences, a lot of the big, big conferences, and I don't really like them. For me personally, why BSides? Because it's about a lifelong commitment to learning. Even though I've been in the industry over 20 years, I will take something away from BSides, guaranteed, whether it's networking, a new way of doing something, or a new way of thinking about something. That is something you can get from a grassroots conference like this, so it's important to realize why we are here and why we need to keep this going.

So the goal of the presentation is to provide my own experiences as a hands-on incident responder and forensic analyst, that person who on Friday night at 5:00 is guaranteed to get a call which is now going to ruin the weekend. I decided to look at this from the past 10 years, because really the last 10 years have seen a lot of changes, way more than the previous 10 years. If we look at 2013 back to 2003, the 2000s, not so many changes in that, but if you look at 2013 to 2024, where we are today, seismic shifts in the industry: how we operate, the tools, the attacks and the attack vectors. The caveat is these are my experiences from where I work and what I do, so yes, there are many other tools and many other teams and how they operate. I'm talking about my experience, and it's a very, very wide selection of experience: government, various governments, finance, manufacturing, utilities.

So 2013: Thrift Shop is on the radio, Miley Cyrus is coming in like a wrecking ball, Wolf of Wall Street. 2013 to some of us wasn't that long ago, especially those of us who said we've been in the industry over 20 years; it wasn't that long. If you're new to the industry you have no idea what was going on at that time. In 2013 I had just re-entered the field after teaching at a public college in Canada for over eight years, primarily teaching government, so police officers, correctional officers, border officers, forensics and investigation techniques. I got a job as a senior analyst; that's why I came out of teaching. They offered me a job at a Canadian telco, which at the time was a very busy practice, because I was very tuned into what the big four were doing and what a lot of other banks and things were doing. So this practice here was seven to eight full-time analysts with a case load of four to six cases each at different stages, because as you can imagine there's downtime in forensics. As you all know there's imaging, and then there's analysis, and there's searching, there's all kinds, so as one thing's happening over here you hop on another case and start some things over there. So you have four to six cases on the go. I just have a little picture here of what it looks like, what we call analyst row: we all sat along there, and behind us were the three managers that sat behind us and did the case review and things like that.

So the type of cases we were working on at that time. Municipalities hacked by exploiting ColdFusion: ColdFusion was a middleware package that a lot of townships and municipalities used for their online system for paying tax, and once this exploit got noticed, there was this one part in Canada where in particular five municipalities used exactly the same package and got hit in exactly the same way. So we were called in. I did that investigation; I had five, because once I did one and the other four municipalities caught on that I did the investigation and knew what was going on, then it was like help, help, help, help, help, and from there it was quite busy. We managed to track down exactly how it happened, what they took, and kind of pointed to who was behind it, and oddly enough it was actually not somebody from another country; it was somebody local. Provincial government sensitive information leak: now this was an interesting one. There was a floor in a province in Canada of provincial workers, and some very sensitive information hit the paper, and the minister for that area knew it could only come from one place, one floor. Now keep in mind there was a bit of theatrics here that was part of the investigation. So imagine two long tables set up, and we had our imaging devices, the Logicubes, eight Logicubes on each table, and we had a bunch of analysts go out and seize every single computer on the floor, which was about 200 computers. That was kind of the theatrics part: we just went through, we created carts of computers, catalogued them, pulled the hard drives and started imaging, and the theatrics part was that by the time we were done there was a person on the floor who actually confessed, "it was me", because they knew we were going to find it. We took every computer on that floor. Oh, am I changing things here? University hacked by an insecure remote connection: so basically their information was leaked, we had no idea how it got leaked, we did the investigation, I can't tell you what country but I can tell you there was a country in particular, and it was just an insecure telnet channel. They got on, downloaded everything, and it was a pretty important project between a college and a university. And then disgruntled employee corrupts database of government agency. This one here falls under "criminals aren't smart", right? So we do the investigation, we find out through the investigation, looking through the database, what credentials were used, and we started thinking, well, how could they be used, and we tracked down the IP address, and in Canada you can get a production order to find out who and where that is. Got the IP, and geez, the credentials that were used matched where this guy lives. So basically it boiled down to doing the investigation just to get to a disgruntled employee. But that gives you an idea what we were dealing with at that time, the cases I was working on.

I always like to put this one on here. This goes back before 2013: I was actually a contractor investigator for the province of Ontario, had my little mobile kit here, and they would basically send me to the most remote places you could imagine. At that time most of the cases we were working on were employee based, you probably all remember; there's tons of harassment, tons of inappropriate internet, oh, it was constantly "inappropriate, so-and-so was surfing this on the web", so we had a little case, we would show up, pull the hard drive, do the report. But at that time we were also dealing with distributed denial of service, web defacement, data theft, web scraping. Web scraping was a big one, web scraping was huge. There were lots of companies out there that had some pretty intricate code, like airlines and things like that and the loyalty websites, and we were constantly doing investigations for people that were scraping content off and then creating their own website and similar routines. Corporate espionage, I already mentioned about academic research, and at this time mobile forensics was very popular: Cellebrite, Magnet Forensics. We were doing lots of phones at this time; it's fairly easy, we could do a phone very, very quickly, pump out an easy report. So dealing with colleges, universities, government, large. The emphasis at this time was forensics, that was the emphasis.

The tools of the time. Now these are the tools I used; there are lots more. Anybody recognize these pictures? Yeah, so good old Tableau device, the Logicube Falcon imaging, lots and lots of hard drive forensic copying. So EnCase is probably the biggest forensic tool. AccessData was great because it was more forensics meets ediscovery, email parsing, really, really good. Magnet Forensics, same sort of thing, that push-button forensics, do a case really, really quick with Magnet Forensics. X-Ways now was the tool that forensic people loved to get deep; that's the tool we used to get really, really deep. I was doing memory forensics, I used X-Ways for sure. Intella again, great for email. And then what I'm showing here is that at this time a forensic analyst was a Swiss Army knife. I did everything: a probe, right, so unpacking portable executables; Tenable, you know, I was doing attack surface scanning; OpenVAS, same thing, looking for it. At this time it was me, I did everything. A lot of times when the customer called and said hey, we have an issue, they didn't have a clue what the issue was, they just knew they had an issue. They didn't know how they got in, they couldn't provide us information, so I'd have to kind of back up and say okay, why don't I scan you first and see where they possibly could have got in, and then I'll go from there, instead of going from the inside out. So the Swiss Army knife of a forensic analyst: Burp Suite, same thing, doing some web forensics. We did have some EDR at the time: Tanium, Carbon Black was probably the biggest one at the time, and then FireEye with their FireEye HX endpoint was really coming on steam at the time.

So what was the state of the IT teams at that time? Very few customers had cyber analysts. Many of them had an IT manager, many had a cyber security manager, but that cyber security manager was not hands-on; they were pretty much there to direct and point. And I'm not even talking about small companies, I'm talking about banks. I was dealing with Canadian banks at this point that only had a cyber security manager, and when they had an issue we had to work together to figure out where could those logs possibly be in your enterprise. The IT teams at the time were siloed, very, very siloed. The person that looked after the firewall only knew that firewall and nothing else, nothing. Penetration testing, vulnerability management, risk management: they were not a priority because there was nothing driving it, and it cost money and it cost resources, so most companies didn't do it. Time to deploy was very, very long. We always found that customers tried to look into it on their own to save money, and in doing so they lost data, they corrupted data; by the time I got the data, most of the time it was useless, overwritten, tampered with.

So now let's zoom forward a bit. That was 2013; as we start to move, say midway, you start to see the seismic shift starting to happen already. Insurance companies now are starting to drive cyber security. They are starting to say hey, we are paying out a lot of money, so we are not going to do this anymore; you now have to put in the proper things, the proper tools and people and things like that. This is where insurance companies really started to drive the need for cyber security. They were asking for audits, they were asking for proof: we're not just going to pay the 250,000 anymore. Small and medium-sized companies have access, finally, to endpoint protection. Now they did before, but not nearly at the level of what enterprise had. Do you remember, when you were looking at McAfee and Seed, there was always a huge difference between what a small accounting company got and what a bank got, which is kind of ridiculous because it's the same financial information. Financial information doesn't matter if it's a small accountant or a bank, it's your financial information. So finally we start to see things like, hey, Trend Micro had a really, really good offering for small, SentinelOne was coming out, so things are starting to move in a good way for small and medium-sized companies.

However, MFA is still not adopted. It's out, it's readily available, very few companies are using it, and because of that business email compromise, BEC, takes off with a vengeance. I'm not even kidding, we could get 10 calls a day for companies who had a business email compromise on either their Google Workspace or their Microsoft. Backups are consistently performed, they're never tested, so when they do need them or they happen to get ransomware, it doesn't work because they never tested. Large enterprises are starting to adopt network forensics. At this time, in the year before, 2016, 2015, I was working at Blue Coat and I was in their advanced threat team, working specifically with Security Analytics, network forensics. Now this was really interesting: so we're at endpoint protection and we're at network forensics, and the reason is because with network forensics we didn't have to deploy anything other than an appliance. We didn't have to ask anybody to push anything, we didn't need certificates; I could go in with my Security Analytics, literally go to a SPAN port, and see everything that was happening on that network, every IP, everything, in a session-state-aware way. Emphasis now on responding; forensics, emphasis on responding.

What were our roadblocks? Lack of customer knowledge of their own environment. I sat in on a very, very large customer; they had a PowerPoint up of their environment network. Left-hand side, beautiful stuff, everything you'd want to see, new stack, everything. Right-hand side of the screen said "Legacy". I was like, well, what's over there? No clue. But it's connected to that? Yeah. Okay, great, I'm trying to build an incident response plan for them on a network they don't know, but they expect me to know. Lack of deployed tools: so again customers are not having tools on site, I'm having to come with tools, I'm having to come with my network forensic stuff, and when I do try and deploy a SentinelOne or whatever it takes forever, because I can't deploy it; I basically have to provide a package to their IT team and say can you deploy this, and then I can start to do what I need to do. There's a lack of cyber regulations at this time, so insurance is driving good security practices, but nothing else. Still, time to respond from the customer's point of view is still dreadfully slow; they're waiting way too long. I mean ideally I want no more than 48 hours after an incident to get me hands-on looking at logs. There's a lack of policies and procedures; they just don't exist, and again I'm not talking about small companies. In 2020 I went into a mid-sized government contractor, so mid-size means three to 5,000 employees, pretty heavy contracts: no cyber security department whatsoever, no policies, no governance, the IT team just throws Symantec out on all the endpoints. We've got lack of understanding of how much budget to allocate and where to allocate: how much should we spend, what do I spend it on? There's understandably a lot of vendor fatigue with customers as they're just bombarded. What do I spend it on? I have to make the right decision or I'll get fired.

Now I go back and say lack of policies and procedures, and we were having a good discussion about this this morning. Policies and procedures: it doesn't mean that it has to be a weight, that doesn't mean a good policy and procedure; it means understandable. Having nothing is negligent; you have to have something. So here, I mean, I'm very familiar with the Incident Response Consortium, I spoke there in Arlington, Virginia, but the most simple web search in the world would provide you a flow diagram on how to work through an incident, which any one of you in here right now could take and put into a document and say okay, we haven't had the resources or time to really flesh it out, but in the meantime we are adopting this. So you've gone from nothing to something, and that's what we have to do, that's what we have to encourage people to do: to go from nothing to something, and something that'll work through a method, through a process that will get you through that incident. A simple flow diagram; they're all freely available, and there's actually tons of stuff on the web now that you can just take. So now we've got to analysis, right: where are the log sources, what are we going to do, what are the questions we're going to have? You could literally take this flow diagram and any IT person can work through an incident. So my point here is there is no reason to have nothing.

Mandatory breach reporting: look at the dates here, 2018. Well, the US on the federal side, for some reason they just do not want it. They have been fighting; they've had several come before for a vote, they've all failed. Now most state level has mandatory breach reporting, but federal level, no. GDPR 2016, UK 2018. This is all relatively new, right? Remember I was talking about seismic shifts; this is actually halfway through, close to the end of the time I'm talking about, that we're only just starting to get to the point where we go, yeah, we really should start to get a handle on these breaches.

2018: so we have a shifting dynamic. If you remember, before I talked about hackings versus ransomware; now all of a sudden ransomware is sweeping, that's all we ever hear. We hardly get any calls for hackings, espionage, employee stuff; ransomware is just wiping companies out, and that's what we're responding to. And that's kind of the point that I'm talking about here: so many things were happening and in play, but what was taking over at the time, ransomware was the big one. Supply chain attacks on the rise. The thing about the supply chain attacks is we were waking up to problems we didn't know we had. So with a supply chain attack, here's the funny thing, and I list out a couple but I'll just mention it now: what was it, 3CX on the Polycom and all that. So here's the thing: companies were calling us because they didn't know if they had it. They knew there's a massive problem happening in the world right now; they didn't even know if they were affected by it. So the first thing we had to do is get on site, and we first of all had to do a wide scan, look at packets, look at everything, application type, and say okay, you do or don't have 3CX in your environment. And then when we do find it, then we have to track back, find the device, find the firmware, and then tell them if they're affected by it, and then if they're affected by it, then we have to do forensics. So you see, and that's largely because of poor practices, because they don't have the proper CMDB, they don't have a sanctioned application list, they don't have everything that would have told them in the first place if they had the device and could have just pointed to it. So we had to take this long road to tell them: are you even affected by this thing that you woke up to that's sweeping the world right now? Same thing with SolarWinds and all these different things. Cloud attacks are on the rise; same thing. So many times, I can't tell you how many investigations I've done for credentials in S3 buckets, right? We all hear about it, we all know about it, and yet even today, probably sometime next week, we'll hear about, well, the credentials were found in S3.

Now the customer has more tools now, because insurance is driving it and there are different things, really, as drivers with the governance framework. So they do have endpoint protection like we talked about, they do have proxies on their web, they have some form of analytics, they have some form of firewall; they're just not working together in any way, shape or form. They just, here's our firewall, here's our proxy; proxy guy knows nothing about firewall, firewall guy knows nothing about proxy. Firewall is not sending X-Originating-IP, proxy is not forwarding X-Originating-IP, so now poor incident responder here is trying to get a log that came from a firewall, through a proxy and then back out, and nothing's passing information in any which way; all I end up getting is the border router IP. Cyber analysts are becoming standard, so great, we now have a level below, a cyber analyst who's kind of looking after some testing, some analysis, and hoping to bring those teams together. Now there is a shift from endpoint, EDR, endpoint detection, to MDR, managed detection. We're starting to see some SOC and SIEM starting.

I walked into a company, walked into their IT operations room, and they have LogRhythm. I have no problem with LogRhythm; I actually love LogRhythm, great for an incident responder, forensic guy. They've got the two screens up there and I walk in, I'm like, take a look at it. Take a look at the IT analyst: what's that say? Hasn't got the foggiest, has not got the absolute foggiest what's scrolling through that screen. And then I turned to them and said I'm a 20-year forensic analyst, incident responder, and I haven't got a clue what that says, and it's not because I don't know, it's because it's not meaningful data in any way, shape or form. They are literally just taking raw logs, firing them at LogRhythm and saying look, we have a SOC. What's important to us? What should we be finding here? If an analyst looks at that screen, what should we be looking for? Half the time I find that most of those things are pointing out system errors, right, that there's a system error here, or things that are going on with LogRhythm, but not meaningful things about access and IPs and IOCs and things like that. It should be very clear to anybody looking at that screen what we should respond to.

Advanced persistent threat, APT, becomes word of the day. Don't we love that? In our industry there's almost a word of the day, right: EDR, MDR, APT. I remember, I think it was 2014, that the government of Canada actually put out a job posting for somebody to specifically research what is APT. Now APT, as you probably know, is a term coined by the US Army, right, for advanced persistent threats. Now the interesting thing though is that the focus at this time shifts away from the Army to corporations, because corporations are now being hit hard by these APT groups. APT groups are sanctioned by their governments; they are employees of their government. Now I just listed a couple of supply chain hacks here just to remind you, right, what were the things we were dealing with: the MOVEit, the 3CX and SolarWinds and CA Lum. Now British Airways, geez, that's a case there where it had really nothing to do with BA but the maage, right; same thing with ala, it really had nothing to do with their customers, it was the fact that they were hit that affected all their customers. Now looking at the APTs again, here's just a couple of groups to look at that really affected enterprise and not so much government: Lazarus Group, the Sony hack; Fancy Bear, which is still around today, right, Hillary Clinton 2016. So look at these dates, right, 2014, 2016: seismic shift in attackers and techniques and what we're responding to. Do we have the tools at the time to respond to something like this? The alant tee, Midnight Blizzard. It is extremely ironic, and I'm not poking fun at anybody, but Microsoft was tracking Midnight Blizzard as an APT group that was specifically targeting Microsoft resources. Well, they weren't just targeting Microsoft resources, they were targeting Microsoft; they're the ones that broke in and got source code, right? So put it in perspective again: us, the people in this room, are trying to protect our corporations with the limited budget, resources, lack of policy, procedure, governance, against any one of these.

So current tools. Interesting, on the forensic side much has changed. EnCase is still a leader right there, X-Ways is still, to this day I still love X-Ways. Belkasoft is kind of a new entrant; it's got some interesting things, I don't really use it but it's interesting. Magnet Forensics is still around; they've now got incident response, triage and things like that, it's kind of cool. But now we have cloud-native tools, so both Google and Microsoft provide tools to do those investigations on their side. Vector, has anybody heard of Vector? No? I don't work for them. I love attack breach simulation. Remember way back when I said I had to be a Swiss Army knife? Well, attack breach simulation lets you test to see, geez, are we open to this, could we be, based on the IOCs, could we be exploited, compromised by Fancy Bear? Really cool stuff. And then of course we're seeing more EDR, SentinelOne widely deployed. I'm not going to, I don't want any, let's just switch to Tanium; Tanium still out there quite a lot. And then SANS SIFT, I mean they just keep updating it, it's great, it's a nice little distribution that I think any hands-on forensic person probably loves.

Current cyber incident landscape: hey, we do have cyber teams, including incident responders, cyber threat hunters; I'm seeing more integrated teams now. We now have regulations; regulations are now coming in to drive cyber security, obviously handy, you have NIS, NIS2, you have things like your CREST, which really helps. Companies are working towards cyber security compliance; now I'm seeing this all the time with CMMC. Most companies do have endpoint; some enterprise companies I've worked with, a lot of them have very skilled teams now. Incident response is being integrated now into their main IT tools: ServiceNow, SolarWinds, there's more. Digital forensics hasn't gone anywhere; there's been a shift from mobile, we do hardly any phones now, especially if it's an Apple, just forget about it, but we're seeing a huge uptick in drone forensics, OT forensics, vehicle forensics; less on mobile, lots of other areas opening up that are exciting.

What does a modern enhanced-capability IR team look like? Forensic analyst, incident response analyst and manager, vulnerability specialist. So breaking down that Swiss Army capability I had before and now having teams. I've been really, really fortunate to work on many enhanced IR teams and it's great: we have a common communication platform; when I need something I can hop on to it, and basically we operate in kind of a military form where I can execute actions. If I need something done we have a form, I execute the action and I say hey, defense team, vulnerability team, I need an attack surface on boom, and I get the report back and I can do what I need to do. I don't need to do that anymore; I can talk right to the red team specialist and the SOC analyst. So it's a specialization on investigation, incident management, threat intelligence, breach attack simulation, all together, very, very powerful. That's how it should be.

So are we there yet? Wow. You know, that team I just talked about is primarily at managed service providers. There are some really, really big companies out there, especially in the defense sector, that have those teams, but in general I find most teams do not have the enhanced IR; they have some. My good buddy Joe Cumins always told me you can't buy security, but you can get security. Now that may mean buying some tools here and there, but just buying a tool doesn't do anything, because it has to be configured properly, administered properly. All the way through this presentation I've been highlighting in green the things that companies are still not doing. I think everybody in this room would agree that if we nailed these, oh, it kind of shifted on me there, we have security. We've got security; we didn't buy security, we got security, and we got security because we have good practices, and that's where the focus needs to be. We're having a problem now that when we finally get a cyber analyst and they get up to speed, they leave. It is so hard to keep a cyber analyst in a role for any length of time; we lose that knowledge all the time, and there's a constant stream of new people coming in. Misconfigured, deployed tools, every single day, every single day this is what I'm dealing with. Time to respond from customers is still way too long. I mean you're all familiar with this, right, but these are the problems we still face. So that's why I say the problems I faced in 2013, even though we have way better tools and we have way different attack vectors and way more complicated, the fundamentals are still, at the least case, nothing done.

I want to give a special thanks to Mike Kowski; that's where I work now. I'm the senior advisor in OT security, which is a lot of fun, because I do security architecture, I do detection engineering with the SOC on OT, and I do incident response and forensics on OT, so it's kind of a fun place to be right now. And then my colleagues John PR, Joe Cumins and John Nelli: I've worked with each one of them for over 20 years in some way, shape or form, and each one of them reviewed this presentation and gave feedback, and that's what this industry is about, right, is that we maintain those relationships and we constantly bounce ideas, we learn from each other. That's BSides, that's why we're here, but that's a shining example right there of colleagues over the years: even though we go to different companies, we do different things, still very, very strong and still working together. So that's it, thanks everyone. We have time for questions; is there any question?

Audience member: You said there was a rising trend there, for instance; is that from the industry, or did that come from somewhere else?

Phillips: Yeah, that's a really good point. So that is being driven right now largely by government. We get a lot of calls from correctional facilities, because they're using drones to drop contraband in the yards and things like that. Believe it or not, drones are also being used in corporate espionage in a big way. People have this thought that once they're off the ground floor you can just write whatever you want on a whiteboard and leave it, even though a little drone could come up right there and read everything on the way. So there are two sides to drone forensics: one is being able to understand the air, what is flying around you, and the second one is, let's say that drone then crashes close to the correctional facility, being able to pull the information off and glean info as to where did it take off from, and any other indicators. Yeah, great question. Any other?

Audience member: What's your opinion on Velociraptor? Have you sort of seen it?

Phillips: I don't use it, but yeah, I've heard of it, but I don't use it. Do you use it?

Audience member: Yeah, we put it in place; it's like having an agent that's all there.

Phillips: Oh, that's great. So Velociraptor, check it out. Yeah, that's the thing about being a forensicist: I have a list a mile wide and long of tools I would love to play with, and then there's the reality of what my companies will buy me. But that's great, thanks for your input there; people will check it. Anything else? All right, well, thank you so much, and hey, feel free to reach out on LinkedIn if you want, and keep the chat going.
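The talk's firewall/proxy complaint (nothing forwards the originating IP, so the responder ends up with only the border router or proxy address) is a log-correlation problem that is easy to reason about in code. The example below is an added illustration and is not the speaker's code or any vendor's tool. It assumes a web-server access log in Apache "combined" format with one extra trailing quoted field holding the X-Forwarded-For value ("-" when the proxy added none), a proxy access log in a simple key=value format, and a set of trusted proxy addresses; all log lines and IPs are constructed. When the header is present, the client is taken as the rightmost hop that is not one of our own proxies (the leftmost entry is client-supplied and cannot be trusted); when it is absent, the code falls back to matching the proxy log by method, path and a small time window, and otherwise reports the request as unresolved, which is exactly the "all I get is the border IP" outcome the talk describes.

```python
"""Reconstruct the originating client IP behind a border firewall -> proxy -> web server chain.

Constructed example for illustration; log lines, addresses and formats are assumptions.
"""
import re
from datetime import datetime, timezone

# Our own proxy tier (constructed). Hops in X-Forwarded-For that belong to this set
# were appended by infrastructure we control and are stripped from the right.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.1"}

# Web server sees the proxy (10.0.0.5) as the peer of every request. Last quoted
# field is the X-Forwarded-For header as the proxy delivered it ("-" if missing).
WEB_LOG = """\
10.0.0.5 - - [12/Oct/2024:09:15:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
10.0.0.5 - - [12/Oct/2024:09:15:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.7, 10.0.0.1"
10.0.0.5 - - [12/Oct/2024:09:16:40 +0000] "GET /admin HTTP/1.1" 403 120 "-" "curl/8.0" "-"
10.0.0.5 - - [12/Oct/2024:09:20:00 +0000] "GET /export HTTP/1.1" 200 9000 "-" "python-requests/2.31" "-"
"""

# Proxy log (constructed). Only /admin can be matched back when the header is missing.
PROXY_LOG = """\
2024-10-12T09:16:39Z client=198.51.100.23 method=GET path=/admin upstream=10.0.0.5
2024-10-12T09:15:01Z client=203.0.113.7 method=GET path=/login upstream=10.0.0.5
"""

WEB_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) method=(?P<method>\S+) path=(?P<path>\S+) upstream=\S+$"
)


def parse_web_log(text):
    """Parse combined-format lines (with trailing XFF field) into dicts with aware timestamps."""
    entries = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def parse_proxy_log(text):
    """Parse the constructed key=value proxy log into dicts with UTC timestamps."""
    entries = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(e)
    return entries


def origin_from_xff(xff, trusted):
    """Return the rightmost XFF hop not owned by us, or None if the header is absent/empty.

    Hops appended by our own proxies are stripped from the right; the remaining
    rightmost entry is the peer our outermost proxy actually talked to.
    """
    if not xff or xff == "-":
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and hops[-1] in trusted:
        hops.pop()
    return hops[-1] if hops else None


def resolve_origins(web_entries, proxy_entries, trusted, window_seconds=5):
    """Attribute each web request to a client IP: via XFF, via proxy-log match, or unresolved."""
    results = []
    for e in web_entries:
        origin = origin_from_xff(e["xff"], trusted)
        if origin:
            results.append({"path": e["path"], "origin": origin, "source": "xff"})
            continue
        best = None  # (time delta in seconds, client IP) of the closest proxy record
        for p in proxy_entries:
            if p["method"] != e["method"] or p["path"] != e["path"]:
                continue
            delta = abs((p["ts"] - e["ts"]).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, p["client"])
        if best:
            results.append({"path": e["path"], "origin": best[1], "source": "proxy-log"})
        else:
            # Nothing forwarded and nothing to correlate: all we have is the proxy/border peer.
            results.append({"path": e["path"], "origin": e["peer"], "source": "unresolved"})
    return results


if __name__ == "__main__":
    for r in resolve_origins(parse_web_log(WEB_LOG), parse_proxy_log(PROXY_LOG), TRUSTED_PROXIES):
        print(f"{r['path']:<10} {r['origin']:<16} via {r['source']}")
```

The fallback by time window is only a best effort: on a busy site several clients can request the same path within the same few seconds, so a match found that way should be labelled as inferred in the report, never presented with the same confidence as a forwarded header. The durable fix is the one the talk points to, namely configuring every hop to append the originating address and shipping both logs to the same place.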