
I'm just going to get started now. Thank you for coming up here to the dining room, the 101 track, which is for people who are explaining things in a more simplistic approach to make it more accessible, as was explained earlier. Something I like to do, I work in security, is I really enjoy doing social engineering, and so what I've done for all the speakers this afternoon is a little bit of hunting on them online, and I found out an interesting fact about every single person on this. I also set someone else to do this for me, so I don't know what facts they found out about me, so I'm just going to start reading them. They've told me you've got three. So my first interesting fact is: I have an irrational fear of Greggs vegan sausage rolls after an unfortunate slip caused by ignoring a wet floor sign. I am also the chairman of the Michael Bolton fan club, there you go. And I would try to legally change my surname to "DS", because my first name is Lee and I'm that proud of being from Leeds. So first up we have got Rory Wagner, and his fun fact is he is distantly related to Wagner from X Factor 2010. Who knew? So there you go, I'll pass it over to you now, Rory, enjoy.

News to me as well. Perfect, cool. Well, thanks so much for coming along, guys. Look, I just want to preface that the schedule info which is on the nice booklets that you have is wildly inaccurate to what we're actually talking about here, so I appreciate this is a very full room, but hopefully I can still impress you with some stuff. Also, it's my first conference presentation. I've done a bit of university lecturing before, but this is the first time I've done it in such a conference kind of style. What I really want you guys to do is, look, we're going to talk about some key concepts and topics; take some notes or write them down on your phone and just take them away and dig into them. This is the Info 101 rookie track, so the idea is that we try to keep it reasonably high level and we don't go too deep into the weeds, so that you can go and build on those high-level topics and go a bit deeper in your own time. Also, just want to shout out Chris Lead, who is going to be doing a really good talk on ransomware today as well; that's part of the 101 track, so I suggest getting along to that as well.

So, introductions. G'day, my name is Rory Wagner, I'm a senior investigator at CyberCX, part of the digital forensics and incident response team. Typically, yeah, perusing forensic artifacts and putting out fires. Background in consultancies and law enforcement; law enforcement is where I cut my teeth, New Zealand Police. I have got a degree, it's not necessarily needed but there you go, and certifications, SANS and IACIS if you're familiar. I'm from Wellington, New Zealand. I'm also half English, so there's a bit of a question mark there, because I've only just got back into the UK in January, so I'm reasonably fresh off the boat, so you have to be nice to me. Also, it's my 30th today, so that's something, and that plays into what Groot and Yoda are doing on the screen: well, that's how I felt yesterday and this is how I feel today. That's not just down to the alcohol, that is the age. Sweet.

So let's have a little look at the agenda. What we're going to be talking about today is the panic stage when an incident kicks off, and how we as incident responders deal with clients, take them and hold their hands through a protocol to get them to the other side. A little bit at the end we'll talk about some observations that I've seen from cases that I deal with, and also just some key takeaways.

So let's look at the whole ecosystem to start with. DFIR sits in the middle, but it's actually got a lot of other practices or different functions that sit around it. Obviously incident response is that phase of how do we go from identifying an incident all the way through the end-to-end process of investigating, containing, eradicating etc., and we'll look at the IR life cycle later on. But there's also digital forensics, which is more the technical science of looking at computer artifacts and understanding what's happened on a system. But there are all these other things that revolve around it. You've got consulting, which could be preparation before the attack, or, sorry, just reading my slides here, essentially dealing with stakeholders etc. So we are DFIR consultants: we consult and we help our clients with dealing with these pretty shitty situations, to be honest. Privacy: there's always a privacy impact; that's the whole point of information security, right? We're protecting data, we want to uphold that CIA triad, if no one knows, confidentiality, integrity, availability. Crisis communications: how are we talking externally, how are we talking internally, making sure that we're able to narrate what's happened and be able to either give us time or make sure that our clients are able to talk to their external stakeholders in the correct manner. And then cyber intelligence: in every incident there are indicators of compromise, there's information, TTPs, that we want to suck up and be able to take in and pass on to future clients so that we can track things and be able to mitigate things before they happen. So that's the whole ecosystem. Essentially they can all stand alone in isolation, but where it's really cool is when they all come together on a big incident, and they all come together very quickly, quicker than you can say "I've been hacked", which is how I say it in Kiwi.

So, panic. Let's start off with what happens, and let's go into a major cause of panic: ransomware. You're probably reasonably familiar with this, we've seen a lot of it across the news. But what I like to think of ransomware as is the three Es. You've got encryption of data, not very good, and typically the first thing that you see, apart from the screensaver on the side there, LockBit, pretty prevalent at the moment. Exfiltration, so that means taking the data out of the environment, our client's data, and taking it off to threat actor infrastructure. And then extortion, and that's probably what people are most familiar with: give us Bitcoin, we give data. That's usually what it comes down to, but with the exfiltration it's, okay, well, you can decrypt your files, but they've still got your data. There's no real honour among thieves; who knows what's going to happen with that. And honestly, if that doesn't get you panicked, come talk to me afterwards, you should get into DFIR, you need to stay chill. But as you can imagine, clients are like, shoot, we're in a bit of a sticky situation here.

Which leads me into: incidents don't have to just be ransomware. They can range from malware, business email compromise, all the way to ransomware, which is usually the worst kind of thing that can happen, although in business email compromise you might be losing millions of dollars because whoever in the payments department has just sent a million-dollar invoice, or has received a million-dollar invoice and just gone and paid it because they were like "oh, cool", and that's now actually gone to the threat actor. But let's think about some of the impacts that you have, or the concerns that come up and increase the level of panic. Excuse me, just one second, just going to take some water. So obviously there's a business continuity impact, right? If we've got a ransomware case, well, how do we continue? All of our files are encrypted, we're pretty much up a creek without a paddle right now, and that's probably the CEO's number one concern. There's client service impact, so the clients, our clients' clients, sorry, it's Inception here, are like, what's going on, we can't use this service or whatever, why isn't it working? The information security part of it is the data: we've lost confidentiality, integrity or availability. In ransomware, well, we've possibly lost all three of those, so it's not great. A loss of reputation for the business, and this is massive, right, because loss of reputation means dollars going to another competitor etc., or should I say pounds, my apologies. Loss of client trust, same as reputation: clients are going to go elsewhere if they can't trust the provider they've paid money to. I'd do the same thing, I'd be like, no, my dollars and pounds are going somewhere else. And then the legal and the privacy issues, right? So there's obviously regulatory bodies, there's compliance, the privacy of said clients' clients, and just making sure that those things are... they're impactful and they can affect people in a lot of different ways. If it's their addresses or their email addresses, bank account numbers, it can really start to pile on. That's more the human side of it; we look a lot at the business side, the dollars we're losing, but there's actually that human impact, and there have been a number of high-profile cases, Medibank for example in Australia; they pretty much lost their whole user database, which contained phone numbers, addresses etc. etc., which, obviously, people aren't happy with that. They put a lot of trust into the businesses that service them, and that's not ideal.

So an old boss of mine used to say, well, everyone wants an answer for a start, but he said, this isn't incident response, Rory, this is instant response. People want answers super quickly, and it's crazy. If you're anyone in DFIR you'll know what I'm talking about, but if you're not, you'll understand that if you're ever involved in an incident, you want answers straight away. So who are the people that want answers? Well, the CEO, so we're talking about that business continuity from before: they want to make sure, well, can we keep making those dollars. The lawyers, so they're looking at that regulatory side and they're like, shoot, okay, how much of a risk profile are we at at this moment. The insurers, so if you have an insurance policy, a cyber insurance policy to be specific, they've obviously taken on the risk with you and they want to make sure, okay, well, how much are we going to have to pay Rory to come and fix the situation, or everyone else that needs to do that. And then of course there's clients; that's reasonably self-explanatory, they're like, why isn't the service I paid for working, or product, or whatever it is. And then there's the staff. We can't forget that there are actually people within the organisation that may not be at that executive level, but there's also, am I going to be able to keep my job, is this a going concern, is the business going to keep running, which the CEO is worrying about too. Don't worry too much, staff, he'll sort something out. But there's just a number of people, and look, the other thing I wanted to say is your parents. I just worked over Christmas and my mum and dad were like, why aren't you at the dinner table having glasses of wine, and I was like, I can't be drinking, Mum, Dad, I've got to do this incident, and that was with a healthcare provider. Something that Holly, oh gosh, hope I'm not butchering it, was it Foxcroft, said this morning, can someone... yeah, she was just saying around the spiciness of people that are just persistently wanting to investigate things to an end-to-end conclusion. I thought that was really interesting, because that is what we do; you're very passionate in DFIR, I'm sure Chris can attest to that as well. It's a real passion project, and you sacrifice a lot. I mean, I'm here presenting to you on my birthday; I think last year I was working in Auckland, New Zealand on my birthday. Screw birthdays, let's get into the spicy artifacts and see what's going on. But one of the... my boss currently, he said this recently, was we need to learn to be comfortable with being uncomfortable, and we need to take clients on that journey. Everyone wants these answers etc., but forensics takes a bit of time; it's not this thing like in CSI where we click a button and enhance, enhance, enhance and it's done. So when we're dealing with clients we need to make sure that they're... well, secondly, setting expectations, but just being understanding of the situation that they're going through, telling them it's going to be okay, just chill for the moment, be comfortable with being uncomfortable, and we'll try and get these answers together.

So as you can imagine there's a lot of chaos, so let's get into the protocol. Let's go over some high-level topics essentially to start with. If anyone's familiar with SANS, they do security training etc., they're bloody expensive but it is really good. This is the SANS incident response life cycle. Essentially we're in this very steady state at the start where we're preparing: we're doing tabletops, we're doing incident response plans or playbooks etc. to make sure that everyone's across what happens when an incident happens. And we're also identifying, and obviously there's incidents, but there's also events: there's constantly someone who's tried to log in multiple times, but it's not someone trying to brute force it, it's just someone who's forgotten their password and they're just finger-bashing trying to get in. But once we do declare an incident, well, we need to quickly go through a number of steps, and this is where the investigation side comes in, where I step in. We get a call at the identification stage and they say, okay, yeah, shit's on fire, please come help. But containment is really important, because what we're trying to do there is stop the bleeding, so that's either pulling out network cables, which some people would say don't do, please, maybe, or just isolating the host if you've got an EDR solution etc. Eradication: we're wanting to make sure that whatever methods a threat actor has hooked into the system with are removed, so that they can't get back into it. And then we're going into recovery. But you'll see that recovery talks about, well, containment's failed, we have to start again, and that's really key, because if there is a case where we've missed a computer that has some sort of persistence mechanism on it, we can't just carry on with our recovery; we need to go back and make sure that we're going through those phases again, otherwise you're just getting a persistent threat within the environment at the end of it. Obviously we do lessons learned, there's reporting, and the incident's complete. But identification can be tricky sometimes, unless it's glaringly in your face, like files are encrypted, you've got the LockBit screensaver; it's a difficult thing to do. And recovery is another one we need to touch on: it's a low and slow burn. This is very much coming back into setting expectations with our clients that this isn't going to be sorted overnight; this could be weeks and months, and the case which I was working on over Christmas, that's still ongoing; we're still building back up that environment from ground zero.

So let's look at some digital forensic concepts as well, and I apologise to anyone that's already familiar with these, but I think they're really good to know. Dr Edmond Locard, French bloke, late 1800s, early 1900s, grandfather of forensics in the physical sense, right, no computers back then. This bloke was just chain-smoking cigarettes and had a sweet moustache. "Every contact leaves a trace" is essentially what he said, and I think that's something that we can all resonate with. If you've seen CSI or any kind of crime scene investigation, there's either blood spatter or there's a murder weapon, there's someone's toenail clippings, or whatever it is. So, every contact leaves a trace. And then there was a bloke called Jesse Kornblum and he just evolved it; he pretty much said the same thing, to be honest, but it's the first law of computer evidence, and what he's saying is there's evidence of every action that occurs on a computer. I mean, 99% of the time; there's obviously times where anti-forensics is employed, so they've tried to sweep things under the carpet, but most of the time computers are very good at just collecting information. I mean, we've just seen most recently with Microsoft's Recall, which was obviously controversial, yeah, I hear a few grumbles and groans in the crowd. But this is the thing: computers are consistently, they're always collecting information.

So with those, the IR life cycle and the digital forensics concepts, let's move into, well, how do we tackle panic? And this is me on a Friday or a Saturday being like, oh, not another one. That was my best, I don't know, old lady impression. But they typically do come in on a Friday or a Saturday, and this again comes into this passion project, right? You've got to be passionate about DFIR; it hits you at the worst times. Most of the time it's during the day, because the client's not awake at 2 a.m. unless they have a SOC or whatever, and then I'm up trying to wipe the sleep from my eyes. But let's have a look into just a very basic understanding of the process. So essentially when we get that call, "oh no, not another one", we want to understand the background and what has happened: what's the lead-up from point A of just normal services and a normal timeline to where it's got bad? Okay, obviously ransomware, files encrypted, say no more, but that's really key, because it starts for us to understand the timeline of events and how things have happened, and it will start for us to start forming investigative questions. Understanding the client priorities is also very key. So let's take the mining industry for example: their main concern, or the CEO's or whoever it is, is can we keep mining minerals etc. But if we look on the other hand at maybe a hospital, which is what I was dealing with over Christmas, well, can we keep patients alive, can we keep surgeries going, triage, just healthcare really; are the machines that are connected to our network going to keep working? And that's obviously a completely different side of it, and it's this human and business factor there, right? That business, like, boohoo, you can't mine minerals for a couple of months or something, which obviously that's not great because there are the flow-on effects, but someone's life is... I don't know, whatever your morals are, you battle that in your own mind. And then understanding their environment. As DFIR consultants we're looked at as this kind of magical genie that knows everything about technology, where really we have a very good understanding at a base level of most things, and there will be niches that we're good at, but it's very difficult to understand a client's environment, and you also just need to go through this conversation with them to understand, you know, what are you using on the perimeter, is it hybrid, is it on-prem, is it in the cloud, whatever the case may be. So we need to start building that understanding of what's going on, because that then helps us understand, well, what are the paths that a hacker could get in by, right? Deploying forensic agents and EDR, massive. EDR is endpoint detection and response software, for anyone not in the know. So forensic agents, and we'll be talking about the tools in a minute, are really important, but EDR is maybe more important at the initial stages, because we want to get it out to be able to detect what's happening in the environment and stop that badness, is what I'll say. But we want that spread as far and wide as we can, so EDR, get that out there; that can start giving us that level of understanding of what things are popping off, what alerts are we getting. And then we also want to do the forensic agent side, because that's where we start threat hunting, and this is where I really enjoy it, because I start pulling on threads, I get to dive deep into people's computers and be quite curious and understand what's happened.

So, to talk quickly about enterprise forensics. The challenge in an incident like ransomware is: is it logically possible to image all the machines? No, it probably isn't, and we're going to talk about the old school and new school forensics. How do you perform forensics on a large scale? Well, this is where forensic tooling comes in and being able to spread it out far and wide. If you have an active threat in an environment, is it time-efficient to spend days of analysis on a host? Well, probably not, because if that host is a dead end then we've just wasted the client's time and money looking at something that's not going to benefit us. So what we need to do is collect just what we need to assess the situation, threat hunting, analyse the key forensic artifacts, the evidence of threats, and then provide the actions back to the customer, whether that's us doing it or them doing it, because most places have their own IT teams as well, and we're working in tandem with them to push this threat actor out and start to... Tools of the trade: Velociraptor, KAPE, Hayabusa; let me go five minutes over.

So we'll touch on Velociraptor first. Has anyone heard of Velociraptor? Awesome, yeah, brilliant, such a cool tool. If you haven't, I want you guys to go and check it out. It seems a bit weird at first, especially if you can't apply it to something, but it's awesome. It's developed by this guy called Mike Cohen; he works for Rapid7. I think Rapid7 actually pretty much bought Velociraptor and Mike came over as well; super smart guy. But essentially we have questions as investigators, and this is what we're talking about with those forensic agents: we want to get it out far and wide and we want to be able to query these machines, to be like, what have you done, what's happened to you? And these are where these questions come out, like what user ran malware.exe, what host does malware.exe... and once you get one thread you can start pulling on other threads. So you can see, the technical thing is we've essentially got a command and control, but it's a good one, so don't worry. So the assets are obviously the hosts, and we just put Velociraptor out wherever we can, as far and wide, and then me as an admin, I go, I want this artifact, and it goes, sweet, I'm going to send that out to the set of hosts, and they go, cool, this is it, take it away, and that comes back to me, and that's where I can start to answer those questions that the CEO man's got. And this again is, yeah, not Mary Poppins, what's her name, Sound of Music: look at all those artifacts. These are all just examples of what we can start pulling, and I know some of these will be maybe a little bit foreign to you if you haven't worked in security or DFIR specifically, but the top-level titles should give you a bit of an idea. So evidence of execution is massive; file existence, so we're looking at the file system, the MFT; account usage; we're going to talk about event logs, probably my favourite artifact is event logs. But yeah, take a picture if you need to, or come talk to me afterwards; these are just some of the cool things that you can get with Velociraptor.

Okay, sweet. So now that we've found this thread and we know that server A is absolutely hosed, it's got malware up the wazoo, there's files gone, whatever, how do we take a look at it? The old school way of looking at things was, oh, we're going to have to turn the server off, we're going to have to image it, we're going to process it, and then we're going to analyse it, and that's taken like a week because the server is, I don't know, 250 terabytes or whatever the size of it. What we can do now is called a triage image. Essentially all we're getting is the forensic artifacts, the ones that we need, and putting them into a little bundle, and we're able to rip that out really quickly. We'll talk about KAPE next and how that works, but as you can see this is kind of the same as the last slide: these are the things that we can get and what are probably interesting to us; event logs again, love it. So KAPE is developed by a guy called Eric Zimmerman; please take note of this, go and look at KAPE, it's really good. What we're able to do is run Velociraptor and use KAPE within Velociraptor to go, well, I want to get a triage image of server A because we know there's [ __ ] everywhere, and so KAPE can go in there and it can be used as this collection. It goes, well, okay, I want the NTUSER.DAT, I want the UsrClass.dat, I want all these registry hives, sorry if I'm speaking gibberish, the MFT, etc. etc., and just goes, sweet, we want that one-gigabyte collection, grab it. What KAPE's really good for as well is, there are tools out there in the forensic space such as Axiom, that's probably a really good example of it, Magnet Axiom, take note, look it up, that can process all of these different artifacts, but KAPE also can do this. It uses a lot of command-line utilities and just does it all together at once, so it goes, oh, well, if you've got event logs we'll run this, or you've got registry we'll run RegRipper or whatever, so then it outputs everything and you can quickly look. Instead of having to do this image, process, analyse, it's like image and process is done in 20 minutes, maybe an hour, massive, and then analyse, which does take a bit longer, but you're not having to rely on that slow burn.

Okay, this is my favourite one: Hayabusa. I strongly recommend, if anyone's in DFIR and you're not using this, go and use it, because it is so handy. What we're trying to do essentially is, there's a lot of information, there's a lot of stuff to go through, so we want to find out these low-hanging fruit; it's the name of the game, find the low-hanging fruit and you can spider-web off of that. What it does is it has Sigma rules, which are very similar to YARA rules if you're familiar with those; essentially just a rule set that goes and looks over the Windows event logs and goes, okay, can I match this rule against this entry in the Windows event log, and if it can, it gives you alerts from top critical down to informational. If any of you have taken time to look at that, you can see, well, okay, we've got Mimikatz going, there's some logon failures, there's all these little interesting tidbits that I'm already salivating at getting my hands into. So then from there I can break it down and be like, well, okay, let's go look at the top critical and see how that relates to other things that have happened on the computer. Super interesting, definitely recommend it. It's a very quick way, and it's the first thing that I look at once I've processed a triage image: straight to Hayabusa, find out where those alerts are, and then start looking at other bits, and it just forms my questions.

But okay, all these tools are great fun for us technical folk, but how does that help? Well, we now know what has happened, because we've been able to do our triage images, our threat hunting; we can answer the questions everyone's holding out for. The CEO at this point has probably nearly had an aneurysm, so we need to let some pressure off him, and the lawyers are probably very much the same, the insurers a bit the same; the staff are probably just chilling on holiday at this moment, getting paid, hopefully. And then we can also put defences in place: we now understand how everything's happened, so we're able to put those mitigations in, we're able to give recommendations on how to stop this happening in the future. And of course we want to recover and remediate, but most importantly we want to get the business back to doing what they do best, business, which means stonks.

So, some observations. How good am I on time? Got... okay. These are just some ransomware TTPs that I've seen through my cases. If we're looking at initial access, obviously vulnerabilities are just coming out over and over again; I can't even remember which vulnerabilities just came out. But anyway, misconfiguration, so that might be like, oh, well, we left RDP open on the firewall, or there's SSH available etc., no MFA, or whatever the case may be. Infostealers are getting really popular right now; people downloading cracked software is where we typically see it, essentially that's like Adobe.exe cracked, it's free, it's cool, but that just pulls all your browser passwords and anything else it can sink its teeth into, which is really good, bad, because they either sell it on to initial access brokers on a dark web forum and go, hey, this password costs 20 bucks, it's going to be a good time, enjoy it, and someone will come in maybe a couple of months later and wreak havoc, or it's just the actual threat actor themselves and that's just part of their TTPs and their threat chain. Network compromise: so we see a lot of network scanners, LOLBins, which are living-off-the-land binaries, so you can think of it as command prompt or PowerShell, but it can get a little bit deeper into some more interesting LOLBins. There is actually a really good website; if you just type in LOLBins you'll be able to find it on Google. Remote management and monitoring tools are really interesting, because a lot of places are using things like TeamViewer or AnyDesk or Splashtop or ConnectWise etc. as legitimate sysadmin tools, and they are legitimate most of the time, but if a threat actor can see that you're using those, well, they're just going to be like, cool, I'm going to use that as well, because no one's going to suspect anything. File servers: obviously, look, we've got file servers, we need them for our staff to do their jobs and whatnot, but they do leave us vulnerable, because once a threat actor finds a file server, that's where the money is, right? They want to make that impact, they want to encrypt those files and they want to take them away, and that's typically where you'll see large outbound data traffic, big spikes on your firewall; sometimes your ISP can pick it up and you can get the logs through them, but it's usually, well, yeah, a terabyte of information went out at 2 in the morning. Impact: targeting the virtualisation layer I think is quite interesting. Threat actors now understand that a lot of systems are virtualised, just because of cost efficiency etc., so they are now trying to target getting into ESXi and Hyper-V, which are the VMware and Microsoft virtualisation management planes, where they can either just encrypt the virtual machines at what you would call the virtual machine disk level, not... talk to me afterwards, or they'll just lock you out, and if you can't get into the management plane, well, how do you manage things? It might still be running at this point, but they've probably done other things. So yeah, you're up another creek with definitely no paddles and maybe no hands. Defence tampering: we're seeing either bring-your-own-vulnerable-driver to stop, sorry, to degrade EDR, or they're literally just turning off Microsoft Defender. And we're also seeing a lot of remote execution abuse, which comes into the LOLBin side a little bit as well, so remote PowerShell, PsExec is massive, or if they get to the domain controller, they're pushing stuff out through GPO. So yeah, anyway, I'm really trying to run here, sorry, give me two seconds.

Key takeaways: be prepared. Incident response plans, playbooks, exercising these; they should be looked at at least on a yearly basis, and if you're more of a weapon maybe it's six months, but obviously things come into play. DFIR service provider on speed dial: call me, I work at CyberCX, unbiased plug, but get someone that can do the dirty work, do the investigation. Be comfortable with being uncomfortable: forensics takes time, the questions will be answered, just set some expectations. And then explore all that I've talked about today; come and talk to me afterwards if you want, because I don't think we're going to have time for questions. So yeah, go take notes, hopefully you've taken notes about today's talk, and you can go dig into Velociraptor, KAPE and Hayabusa. I just want to say thank you, BSides Leeds, this is my first talk in...

Yeah, you can find me at these locations. I didn't put my email up there because I didn't want anyone trying to brute force my [ __ ].
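The Hayabusa step described in the talk, running Sigma rules over Windows event logs and ranking the hits from critical down to informational, as an added example that is not the speaker's code and not Hayabusa's or Velociraptor's: a toy Sigma-style matcher in Python. The event records and the rules are constructed for illustration (the rules are hypothetical, in a Sigma-like shape, not real Sigma rules); the Event IDs used (4625, 4624, 7045 and Defender 5001) are the standard Windows ones.

```python
"""Toy Sigma-style matcher over Windows event log records (added example)."""
from collections import Counter

# Severity order used to rank hits, top critical down to informational.
LEVELS = ["critical", "high", "medium", "low", "informational"]

# Constructed sample events, shaped like a flattened EVTX-to-JSON export.
# Not from a real case. Event IDs are the standard Windows ones:
# 4625 failed logon, 4624 successful logon, 7045 service installed,
# 5001 Defender real-time protection disabled.
EVENTS = [
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.7", "TimeCreated": "2024-06-01T02:00:01"},
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.7", "TimeCreated": "2024-06-01T02:00:02"},
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.7", "TimeCreated": "2024-06-01T02:00:03"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.7", "LogonType": "3",
     "TimeCreated": "2024-06-01T02:00:09"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "TimeCreated": "2024-06-01T02:03:10"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational",
     "EventID": 5001, "TimeCreated": "2024-06-01T02:04:00"},
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "jsmith",
     "IpAddress": "10.20.0.44", "TimeCreated": "2024-06-01T08:15:00"},
]

# Hypothetical rules in a Sigma-like shape (title / level / logsource /
# selection), written for this example; they are not real Sigma rules.
# A selection is an AND over its fields; a list value is an OR; the
# "|contains", "|startswith" and "|endswith" modifiers work as in Sigma.
# "count_by" / "threshold" stands in for Sigma's count() aggregation.
RULES = [
    {"title": "Defender real-time protection disabled", "level": "critical",
     "logsource": "Microsoft-Windows-Windows Defender/Operational",
     "selection": {"EventID": 5001}},
    {"title": "PsExec service installed", "level": "high",
     "logsource": "System",
     "selection": {"EventID": 7045, "ServiceName|contains": "psexesvc"}},
    {"title": "Repeated logon failures from one source", "level": "medium",
     "logsource": "Security",
     "selection": {"EventID": 4625}, "count_by": "IpAddress", "threshold": 3},
    {"title": "Logon failure", "level": "informational",
     "logsource": "Security",
     "selection": {"EventID": 4625}},
]


def matches_selection(event, selection):
    """True when every field in the selection matches the event.

    String comparison is case-insensitive, as Sigma specifies for values.
    """
    for key, expected in selection.items():
        name, _, modifier = key.partition("|")
        if name not in event:
            return False
        actual = str(event[name]).lower()
        options = expected if isinstance(expected, list) else [expected]
        options = [str(o).lower() for o in options]
        if modifier == "contains":
            ok = any(o in actual for o in options)
        elif modifier == "startswith":
            ok = any(actual.startswith(o) for o in options)
        elif modifier == "endswith":
            ok = any(actual.endswith(o) for o in options)
        else:
            ok = actual in options
        if not ok:
            return False
    return True


def run_rules(events, rules):
    """Run every rule over the events; return hits ranked critical first."""
    hits = []
    for rule in rules:
        matched = [e for e in events
                   if e.get("Channel") == rule["logsource"]
                   and matches_selection(e, rule["selection"])]
        if "count_by" in rule:
            # Threshold rule: one hit per grouping value reaching the count.
            counts = Counter(e.get(rule["count_by"]) for e in matched)
            for value, n in counts.items():
                if n >= rule["threshold"]:
                    hits.append({"level": rule["level"], "title": rule["title"],
                                 "detail": f"{rule['count_by']}={value} x{n}"})
        else:
            for e in matched:
                hits.append({"level": rule["level"], "title": rule["title"],
                             "detail": e["TimeCreated"]})
    # Stable sort keeps rule order within a severity level.
    hits.sort(key=lambda h: LEVELS.index(h["level"]))
    return hits


def level_summary(hits):
    """Count hits per severity: the 'top critical down to informational' view."""
    return {lvl: sum(1 for h in hits if h["level"] == lvl) for lvl in LEVELS}


if __name__ == "__main__":
    results = run_rules(EVENTS, RULES)
    print(level_summary(results))
    for hit in results:
        print(f"[{hit['level']:>13}] {hit['title']}: {hit['detail']}")
```

Against the constructed events the ranked output puts the Defender tampering and the PsExec service install at the top and the single jsmith logon failure at the bottom, which is the order an analyst would work through them.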