FOR508 Advanced Incident Response, Threat Hunting, & Digital Forensics PDF

Summary

This document is courseware for the SANS Institute course FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. It covers course objectives, labs, and homework, and references external links and a Dropbox link.

Full Transcript

© SANS Institute 2023 FOR508 | ADVANCED INCIDENT RESPONSE, THREAT HUNTING, & DIGITAL FORENSICS GIAC Certified Forensic Analyst (GCFA) 508.1...

508.1 Advanced Incident Response and Threat Hunting

the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form to any person or entity without the express written consent of SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

SANS Institute may suspend and/or terminate User’s access to and require immediate return of any Courseware in connection with any (i) material breaches or material violation of this CLA or general terms and conditions of use agreed to by User; (ii) technical or security issues or problems caused by User that materially impact the business operations of SANS Institute or other SANS Institute customers, or (iii) requests by law enforcement or government agencies.
SANS Institute acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp,

Course Dropbox Link: https://for508.com/dropbox-distance
Extra Website Links: https://for508.com/links

FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics

Optional Labs/Homework
Precooked Output

The FOR508 SRL Intrusion Lab Workbook is full of crucial information that will assist with course objectives and provide guidelines and instructions for many investigations in the future.

To ensure you get the most out of each lab, we would like to step you through the different sections of the workbook. The workbook is specifically designed to enable students from a variety of backgrounds and different skill levels to get the most out of each lab.

new skills, but the more advanced you get, the fewer new skills you will learn each time taking a course.
We aim for students to reach this stage after having completed the final capstone exercise, reviewing the labs a few more times, and then testing themselves by completing the full lab without referencing the step-by-step information within the solutions.

Takeaways:
For every lab, the takeaway section highlights important case-related artifacts we uncovered as a result of our analysis. The takeaway section is important because these artifacts will build on one another as we progress through the course. Sometimes it is hard to remember “How did we find pa.exe?” in a new lab that suddenly asks you to use prior knowledge to look for something new. We advise regularly reviewing the takeaways from each lab to refresh your memory of the ongoing incident we will be investigating.

Precooked Lab Output:
For every lab, there is a certain amount of “keyboard kung fu” necessary to complete the course. If you are struggling with the seemingly never-ending command line input, we have relevant lab output pre-generated for

https://for508.com/dropbox-distance
Course MP3 – Download via SANS Account Portal
Available ~1 week after class

We have worked hard in this class to provide students with the most up-to-date and relevant toolkit available. You may be familiar with the SIFT Workstation, a Linux-based forensic distribution that has become a mainstay in the forensic community. The SIFT project was the brainchild of Rob Lee and is managed by Erik Kristensen on behalf of SANS and the entire forensics community. It takes hundreds of hours of work to release each version and get the hundreds of embedded tools to play nicely with one another.
While you will be using the virtual machine version of the SIFT, you can now install SIFT on bare metal by installing Ubuntu Linux and then adding the “SIFT package”. Linux works efficiently even on older hardware, so if

© 2023 SANS Institute | All Rights Reserved | Version I01_02

Welcome to FOR508! We are very excited to share this course with you. This begins Section One.

Author team:
Rob Lee
https://twitter.com/robtlee

Section 6: APT Enterprise Incident Response and Hunting Challenge

Mandiant M-Trends 2023

FACT: Over the last decade, most organizations failed at detecting intrusions. However, we have seen dramatic improvement as organizations begin to take incident response seriously and take a more active approach in threat hunting.

The last decade has not been kind to network defenders. Our existing security models became defunct, and attackers have used the enormous complexity of enterprise networks against us. But the tide is shifting. Statistics from Mandiant M-Trends show a dramatic increase in internal detections, an excellent indicator for the increasing sophistication of

to intrusions from advanced adversaries

Threats to the modern enterprise are legion and defending against the hordes of attackers can seem impossible.
Over the past decade, we have seen a dramatic increase in sophisticated attacks against organizations. Nation-state attacks originating from China and Russia, often referred to as Advanced Persistent Threat (APT) actors, have proved difficult to suppress. Massive financial attacks from the four corners of the globe have resulted in billions of dollars in losses. Ransomware and extortion became an existential threat almost overnight. While the odds are stacked against us, the best teams out there are proving that these threats can be managed and mitigated. The adversary is good and getting better. Are we learning how to counter them? Yes, we are.

Stark Research Labs (SRL) has been the target of multiple very high-profile cyber-attacks in the last several years. This is almost certainly due to it being a leading high-tech innovator focusing on biotech, metals research, and advanced alloy generation, resulting in many innovations. SRL’s contributions have helped protect soldiers on the battlefield, engineered new heavy space lift rockets, and contributed to many advanced weapons projects. In intelligence circles there is much speculation around the latest initiatives and technologies on which Stark Research Labs is focused. As a result, SRL has become a prime target of many state-sponsored adversaries around the world.

Information technology staff at SRL started documenting unusual behavior on the corporate network during January 2023.
There were several server anomalies reported, including the mail server, during which services to both internal and external users were sporadically interrupted. After a few rounds of troubleshooting, IT began to suspect malicious activity could be the root cause. These incidents reached a tipping point when a workstation processing sensitive project data showed evidence of quarantined malware indicative of human-operated activity.

Multiple orgs in the WSC orbit have reported similar tradecraft

Stark Research Labs is a founding partner of the World Security Council (WSC), a global organization dedicated to the safe development and deployment of advanced technologies to address emerging global conditions. A recent briefing from the WSC threat intelligence team, known as “The Intelopes,” has identified a previously-unknown threat actor code-named CRIMSON OSPREY. This threat grouping appears to be a state-level adversary who has taken a particular interest in the WSC, their partners, and anyone with a connection that could strengthen the alliance the WSC is forging. While it’s not clear if CRIMSON OSPREY is operating solely and fully on behalf of any government, they are professional and quite successful—easily justifying the “state-

The SRL network is representative of many medium-sized enterprises. It has several major internal segments separated by a firewall and DMZ. Once inside the perimeter, there are few network protections between hosts, but host-based safeguards are in place. We will cover the network configuration in more detail in the next slide.

Their DMZ network consists of a web server, FTP server, SMTP server, and DNS server.
The gateway firewall provides inbound client-VPN access. Employees regularly utilize the VPN for remote work, with both user authentication and client-side certificates required.

rights on their systems.

Firewall blocks direct inbound and outbound traffic
Systems must connect through a proxy for web access
Unique strong passwords assigned to all local admin accounts

Stark Research Labs Domain Configuration:
The SHIELDBASE domain is on Windows Server 2022 (2022 Domain Functional Level)
Full auditing is turned on per recommended guidelines. Event log forwarding is enabled, sending logs to the "ELF01" server
Win-RM is fully enabled to support PowerShell Remoting and Windows event log forwarding
All systems are upgraded to PowerShell v5, and full PowerShell logging is enabled

Credential Theft

Eradication/ Remediation

Computer intrusion incident response can be broken down into a six-step incident process. This model originated from United States government agencies and has been extensively documented by the US National Institute of Standards and Technology (NIST). It has a long and proven history of success and is a good starting place to evaluate the steps required to respond and recover from an incident.

Overview of the Six-Step Incident Response Process
The six steps of this model are preparation, identification, containment, eradication, recovery, and lessons

defensible. Recovery plans are typically divided into near-, mid-, and long-term goals, and near-term changes should start immediately.
The goal during this phase is to improve the overall security of the network and to detect and prevent immediate reinfection. Some recovery changes could include:
Enhanced Network Visibility
Improve Enterprise Authentication Model
Establish Comprehensive Patch Management Program
Enforce Change Management Program
Centralized Logging (SIM/SIEM)
Enhance Password Portal
Establish Security Awareness Training Program
Network Redesign

Follow-Up
Follow-up is used to verify the incident has been mitigated, the adversary has been removed, and additional

Eradication/ Remediation

The Problem? Immediate Eradication Without Proper Incident Scoping/Containment
A significant problem with the six-step incident response process is few teams follow the process as prescribed. There is often intense pressure leading to a tendency to skip immediately to the “Eradication/Remediation” phase before true scoping and understanding of the incident has occurred. While this makes it possible to begin remediation quickly, what exactly is being fixed? Moving to eradication too early removes the benefits and capabilities provided by cyber threat intelligence and intelligence-driven incident response doctrine.

Bit mangling
IOC development
Traffic shaping
Campaign identification
Adversary network segmentation
“AVOID PLAYING YOUR HAND”

The bulk of response time is often spent in the containment and intelligence development phase of the incident response cycle. This is where responders learn about an ongoing attack and ultimately unravel the intentions of the attacker.
The need for threat intelligence collection during an attack cannot be overstated. If you are not collecting information on attacker activity, you are starting from the absolute beginning in every investigation. Intelligence helps guide your network and host sweeps, facilitating rapid identification of additional compromised hosts in your environment. For example, if you find an instance of evil.exe in an unusual directory on a system, it is likely the adversary also placed a similar file in the same directory on another system. This is called an indicator of

Eradication/ Remediation

In practice, the two critical phases of “Identification and scoping” and “Containment / Intelligence Development” form a mini-cycle unto themselves. Information gleaned during forensic analysis in the intelligence collection phase is used to further scope the network, identifying previously unknown compromised systems. Those new systems are analyzed, providing additional information on adversary actions and new IOCs, which are then used to find even more systems. This synergistic loop continues until the incident response team believes they have fully scoped the incident and are ready to attempt eradication and remediation of the environment.

Threats will return

Nothing is more important to an organization than finally removing the adversary threat from the network. Sadly, this is much easier said than done and most organizations move to this step too soon after incident detection. Without proper scoping and intelligence collection, remediation is simply not possible.
Pre-emptive remediation ends up only annoying the adversary, causing them to change tactics, and ultimately making it harder for the IR team to track and complete the incident response process. In the end, remediation is a part of an ongoing incident response cycle. Many organizations fail in their first attempts at remediation. It can be very difficult to fully scope an intrusion in a large network and ensure that all attacker command and control

Why is successful remediation so difficult to accomplish? Modern adversaries are veterans at the game. They are extremely good at avoiding detection and ultimately plan on being detected at some point. As a result, they often go to great lengths to ensure survivability beyond attempts at remediation. Even when an attacker is successfully remediated, expect a new wave of attacks immediately following. The typical adversary today is a well-resourced, professional organization with the time and resources available to continually attempt re-entry into a network.

Remediation Events
Remediation takes time to plan. Planning should start almost immediately after the start of an incident response. It almost always involves additional groups outside of the incident response team, with massive coordination required to enact a burst of network changes over a short period of time. This is commonly called a “Remediation Event.” Remediation events are often planned over a weekend when an organization can commit to purging an adversary from its network without greatly impacting business operations.

A remediation event should:

while degrading the ease of maneuverability to the threat. There are many new solutions that can be implemented but following the SANS Critical Controls is a good first step. Most organizations underestimate how implementing the basics, like the top four critical controls, makes incident response and active defense much more doable and less costly. Eliminating noise in an environment makes finding future adversaries much easier.

http://for508.com/lqe4r

With proper visibility, remediation can (and should) begin on day one of an incident. The new way forward in incident response is a remediation-focused approach. The primary goal of any incident response is to successfully remediate the environment by eliminating attacker access and preventing further data loss. Visibility allows responders to initiate these actions much earlier in the response cycle, actively countering threats as they are found, instead of waiting until weeks or months after the initial incident to perform a large-scale sneak attack with no guarantee of success. Visibility is king, and like any battlefield, incident responders are in a race to take the high ground from the adversary. Advances in network and endpoint forensics coupled

Vendor/threat information
Threat intelligence
Security appliance alert
Security patrols
“Five-alarm fire” response
Reduce adversary dwell time

A reactive organization begins incident response when an alert or notification comes in. The alert could come from a third party such as the FBI, or it could come from the organization’s own security sensors. The best analogy to a reactive approach is the IR team is largely waiting to be called into action and relying on the accuracy of the notifications it is receiving. Most organizations start building their incident response teams as a reactive organization. In many cases, the IR team is comprised of augmentation staff that normally fulfill other duties during their regular jobs.
As the organization grows larger or as it has an increasing number of incidents, the team might become permanent. The best analogy here is small towns with volunteer fire departments versus

Threat hunting has become popular across the industry simply because it works. As a good pen test will demonstrate, attackers can be infinitely creative with finding new and undocumented ways to breach a network. The only current way to counter those types of attacks is with other humans inventing equally clever ways to detect attacker activity. Hunting, in its current state, is human vs. human with technology used as a force multiplier. Hunt teams can be a critical part of your security eco-system, discovering novel ways to detect the latest threat activity that is not already being detected with automated tools. As the graphic on this slide shows, that information should flow back to your security operations center (SOC) to be automated and folded into your

analyst will always feel like they missed something, did not have the right skills to find it, or the adversary is simply better than them. No amount of searching will help remove the doubt that comes with hunting and not finding anything of substance. A good hunt team manager will constantly need to nudge analysts on to the next artifact to look for.

Without any type of threat intelligence, most hunting groups are simply tasked with looking for “things that look weird” perhaps without even knowing what weird versus normal looks like. A trained hunter must know the difference between normal and abnormal as a prerequisite. Even better, if a threat intelligence capability is informing the team, they will organize hunts to look for specific threat groups targeting specific programs using specific techniques. This is an achievable goal.
Hunt Team Operational Tempo
A common challenge of hunt teams is operational tempo. Incident response initiated by reactive response teams is usually a sprint with long days, seven days a week, until the incident is remediated. While this scenario is typical for reactive response teams, it could be the death of your hunt team.

Credential Theft

Threat intelligence attempts to map attacker techniques, tactics, and procedures to the attack lifecycle. Nearly all attacks progress through a series of common steps to accomplish adversary objectives. Understanding these steps allows defenders to craft opportunities to discover attacks while in progress. The model on this slide is sourced from documentation on Microsoft Advanced Threat Analytics, and it does a commendable job of demonstrating the cyclical nature of attacks as attackers perform network discovery and elevate privileges to achieve greater access.

Control: attacker shell, command prompt, or PowerShell
Actions on Objective: Achieve intrusion objectives: laterally move, find/exfiltrate data, disruption, or denial of service

The “Kill Chain” is an important model used in threat intelligence. It helps categorize the sequence of actions occurring in most attacks and provides a framework for organizing detection indicators.
It is best described by one of its authors, Mike Cloppert:

Security Intelligence: Attacking the Cyber Kill Chain

Now we will introduce the attack progression (known as "kill chain") and briefly describe its intersection with indicators. The next segment will go into more detail about how to use the attack progression model for more

The behavioral aspect of indicators deserves its own section. Indeed, most of what we discuss in this installment centers on understanding behavior. The best way to behaviorally describe an adversary is by how they do their job. After all, this is the only discoverable part for an organization that is strictly CND (some of our friends in the USG likely have better ways of understanding adversaries). That "job" is compromising data, and therefore we describe our attacker in terms of the anatomy of her attacks.

Ideally, if we could attach a human being to each and every observed activity on our network and hosts, we could easily identify our attackers and respond appropriately every time. At this point in history, that sort of capability passes beyond pipe dream into ludicrous. However mad this goal is, it provides a target for our analysis: We need to push our detection "closer" to the adversary. If all we know is the forged email address an adversary tends to use in delivering hostile email, assuming this is uniquely linked to malicious behavior, we have a mutable and temporal indicator upon which to detect. Sure, we can easily discover when it's used in the future, and we are obliged to do so as part of our due diligence. The problem is this can be changed at any time on a whim. If, however, the adversary has found an open mail relay that no one else uses, then we have found an indicator "closer" to the adversary.
It's much more difficult (though, in the scheme of things, still

most attention-grabbing example is the identification of zero-day exploits used by an APT actor at the Delivery phase before the exploit is invoked.

Synthesis clearly demonstrates the criticality of malware reverse engineering skills. It is likely that the backdoor that would have been dropped, even if it is of a known family, using a known C2 protocol, also contains new indicators further defining the infrastructure at the disposal of adversaries. Examples include indicators such as C2 callback IP addresses and fully qualified domain names. Perhaps minor changes in the malicious code would produce new unique hashes, or a minor version difference results in a slightly different installation filename that could be unique. Although antivirus is typically a bad example of detection in the context of APT intrusions, there are times when it can be of value for older variants of code. For instance, how many reading this analyze emails that are detected by their perimeter antivirus system? If the detection is for a particular backdoor uniquely linked to an APT campaign, the email could contain valuable indicators about the adversary's delivery or C2 infrastructure that might be reused later in an intrusion that your antivirus system does not detect.

Detecting campaigns enables resilient detection and prevention mechanisms across an intrusion and engages CND responders earlier in the kill chain, reducing the number of successful intrusions. It should be obvious but

list of “What do we look for?” indicators
techniques/tactics discussed in FOR508
“common” activity shared by many adversary groups
Credential access
Persistence
Lateral movement

Threat hunting is often frustrating and ineffective if your team lacks effective threat intelligence.
Actionable threat intelligence is key to helping your organization detect and defend against advanced attacks. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. The model is designed to help characterize and describe post-compromise adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the post-compromise (post-exploit and successful access) tactics, techniques, and procedures (TTPs) advanced persistent threats (APT) use to execute

Defense Evasion: The adversary is trying to avoid being detected.
Credential Access: The adversary is trying to steal account names and passwords.
Discovery: The adversary is trying to figure out your environment.
Lateral Movement: The adversary is trying to move through your environment.
Collection: The adversary is trying to gather data of interest to their goal.
Command and Control: The adversary is trying to communicate with compromised systems to control them.
Exfiltration: The adversary is trying to steal data.
Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Many of these techniques are covered in FOR508, but they also touch on techniques covered in FOR572 (Network Forensics) and FOR610 (Malware Analysis). In this class, we focus on techniques seen most frequently in the wild and with the highest effort-to-hit ratios, with the goal of rapid detection of intrusion activity.
MITRE ATT&CK: https://for508.com/9mjrc

A goal of FOR508 is to educate analysts and hunters on attacker techniques and demonstrate how to find them across the enterprise. At the completion of this course, we expect you to have a very strong understanding of the most common attacker techniques and a toolkit for identifying and mitigating those techniques. The good news is the list of common attack techniques is manageable; the bad news is the set is growing and there will always be more obscure techniques discovered in the wild. The ATT&CK framework is an excellent resource for keeping up to date on attacker techniques and associated artifacts. By looking at attacks through this lens, you can identify new techniques to hunt for and judge the effectiveness of your current data sources and hunting

Home-grown often most applicable
Tools typically drive usage

An indicator of compromise (IOC) describes attacker tools and tradecraft using a rich and precise language that can be understood by both humans and security tools. IOCs can be a particularly powerful technique to identify malware components on a compromised host. Generally, they include a combination of Boolean expressions that can be used to identify characteristics of malware. If these characteristics are found and the Boolean conditions satisfied, then you have a hit. Since finding the first hit is one of the most challenging parts of incident response, a targeted set of IOCs can greatly speed up the IR process.
    condition:
        uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}

YARA is currently the most widely used indicator of compromise format. Its popularity stems from striking the right balance of simplicity and power, making it easy for malware analysts and incident responders to identify and classify malware samples. YARA rules are written to match patterns, and the rules themselves are easily understood by both machines and human operators.

While many YARA rules are strings based, more sophisticated rules can be crafted using regular expressions, wildcards, conditions, and modules such as pe header components from the portable executable structures. In

Credential Theft

― Orson Scott Card, Ender's Shadow

Malware Paradox

Several years ago, Jesse Kornblum stated, “Malware Can Hide, But It Must Run,” and this became known as the Malware Paradox. The paradox means that malware can exist, but sooner or later something must activate it to run. Execution leaves telltale artifacts. As an example, a method used to keep malware “persistent” across multiple reboots of a system is called a “persistence mechanism.” It is a simple piece of evidence to look for and could possibly help us point, in reverse, back to the malware—more on that shortly.
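As an added example (not code from the courseware), the condition shown above evaluated in Python against constructed sample buffers. It re-implements only `uint16()`, `filesize` and `all of them`, enough to show why `0x5a4d` matches the ASCII bytes "MZ" (YARA reads integers little-endian) and how each clause can reject a file; the `strings:` entries and sample files are constructed for illustration.

```python
# Added example, not code from the FOR508 courseware: a minimal evaluator for
# the slide's condition "uint16(0) == 0x5a4d and filesize < 4000KB and all of
# them". Real YARA supports far more; only these three primitives are mirrored.
import re

KB = 1024  # YARA's KB/MB size suffixes are powers of two


def uint16(data: bytes, offset: int) -> int:
    """YARA's uint16(offset): an unsigned 16-bit little-endian read."""
    return int.from_bytes(data[offset:offset + 2], "little")


def string_hits(data: bytes, strings: dict) -> dict:
    """Map each $name to True/False. A bytes value is matched literally; a str
    value is a hex string such as '4D 5A ?? 00' where '??' is a wildcard byte."""
    hits = {}
    for name, pattern in strings.items():
        if isinstance(pattern, bytes):
            hits[name] = pattern in data
        else:
            rx = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                          for p in pattern.split())
            hits[name] = re.search(rx, data, re.DOTALL) is not None
    return hits


def evaluate_rule(data: bytes, strings: dict, max_size_kb: int = 4000) -> bool:
    """The slide's condition: MZ header, size bound, and every string present."""
    return (uint16(data, 0) == 0x5A4D                    # bytes 4D 5A, little-endian
            and len(data) < max_size_kb * KB             # filesize < 4000KB
            and all(string_hits(data, strings).values()))  # all of them


# Constructed strings block, as a rule would declare under `strings:`.
STRINGS = {"$a": b"This program cannot be run in DOS mode",
           "$b": b"CreateRemoteThread",
           "$h": "4D 5A 90 00"}  # typical MZ stub bytes, as a hex string

# Constructed sample "files"; none of these is a real artifact.
PE_LIKE = b"MZ\x90\x00" + b"\x00" * 60 + STRINGS["$a"] + b"\x00" * 100 + STRINGS["$b"]
MISSING_STRING = PE_LIKE.replace(b"CreateRemoteThread", b"CreateThread")  # $b fails
NOT_PE = b"\x7fELF" + PE_LIKE[4:]                # header clause fails
TOO_BIG = PE_LIKE + b"\x00" * (4000 * KB)        # filesize clause fails

if __name__ == "__main__":
    for label, sample in [("pe_like", PE_LIKE), ("missing_string", MISSING_STRING),
                          ("not_pe", NOT_PE), ("too_big", TOO_BIG)]:
        print(f"{label:15s} -> {evaluate_rule(sample, STRINGS)}")
```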
3. In-depth analysis on systems and malware to further identify tradecraft and build IOCs.

Your journey through FOR508 has been designed to follow a standard workflow for performing threat hunting, compromise assessments, and incident response activities. The roadmap we will use in this class is as follows:

Threat Hunting & Assessment

We will start our process by looking at the network using tools that can scale collection and analysis, focusing on occurrence stacking and outlier analysis. Most attendees have thousands of endpoints, necessitating broad scoping techniques at the start of an investigation.

Systems without Tools or Malware (Living Off the Land)

Systems involved in a compromise can be largely collected into three categories, as seen on this slide. During the course of FOR508 you will see systems that fit into each category and get a good understanding of how each can be identified. We will build a kit of tools and techniques that can assist with hunting and identifying compromised systems of each type.

Three Possible Detection Types

When hunting for a compromise, active malware is often the easiest to identify. Active malware generates a

[Slide figure: Deep-Dive Targeted Single Host Forensics; MFT and Filesystem Anomalies; Anti-Forensic Residue; Anomalies]

Defending a network requires balancing limited resources across increasingly large enterprises. It is simply not feasible to perform every forensic test on every system in a network.
The goal is to look for capabilities allowing scoping and analysis to be conducted at scale, while reserving the deep forensic techniques for only a small subset of systems.

As hunting or incident response begins, the focus starts with enterprise-wide collection and using automated signature detections whenever possible. These signatures could be as simple as your host-based anti-virus or more

[Slide: Browser History; Cookies; Cache; Session Restore; TypedURLs; Usage]

It is much easier to detect systems with active malware than systems with only left-over residue. Because systems cleaned or compromised with living-off-the-land techniques often require deep-dive forensics, the enormity of the analysis across an enterprise is daunting. However, in practice, detection is the same as for systems with active malware—find traces of attacker activity and scan the enterprise looking for those same fragments. It just turns out the fragments are harder to find on these systems. Hackers change their profile, but not often enough that their profile will be completely unique on each system. Foren
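As an added example (not from the courseware) of the occurrence stacking and outlier analysis named in the roadmap above, and of scanning an enterprise-wide collection for fragments that recur on only a few systems: autostart entries gathered from every host are normalized, counted across hosts, and the rarest surface as outliers. The host names, paths and the rare-host threshold are constructed assumptions.

```python
# Added example, not from the FOR508 courseware: least-frequency-of-occurrence
# stacking over a constructed enterprise-wide collection. Each record is
# (hostname, value), e.g. one autostart entry collected from one endpoint.
from collections import defaultdict


def stack(records, rare_below=3):
    """Return (hosts_by_value, outliers). hosts_by_value maps each normalized
    value to the set of hosts it appears on; outliers lists values seen on
    fewer than `rare_below` distinct hosts, rarest first."""
    hosts_by_value = defaultdict(set)
    for host, value in records:
        # Normalize case and whitespace so spelling variants of one common
        # value stack into a single bucket instead of each looking rare.
        hosts_by_value[value.strip().lower()].add(host.strip().lower())
    ranked = sorted((len(hosts), value) for value, hosts in hosts_by_value.items()
                    if len(hosts) < rare_below)
    return hosts_by_value, [value for _, value in ranked]


# Constructed inventory: 50 hosts share the same baseline entries; one host
# carries an extra entry under a user profile path (the planted outlier).
BASELINE = [r"C:\Windows\System32\svchost.exe -k netsvcs",
            r"C:\Program Files\Vendor\agent.exe",
            r"C:\Windows\explorer.exe"]
RECORDS = [(f"ws{n:03d}", entry) for n in range(50) for entry in BASELINE]
RECORDS.append(("WS017", r"C:\Users\jdoe\AppData\Roaming\svchost.exe"))
RECORDS.append(("ws042", r"c:\program files\vendor\AGENT.EXE"))  # case variant, stacks with baseline

if __name__ == "__main__":
    counts, rare = stack(RECORDS)
    for value in rare:
        print(f"{len(counts[value]):3d} host(s): {value}  <- {sorted(counts[value])}")
```

Raising `rare_below` widens the net; in practice the threshold is tuned to the size of the collection and the attribute being stacked.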
