Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Reverse Deception: Organized Cyber Threat Counter-Exploitation (91 page)
What Happened on Your Box?
To discover exactly what happened, you can employ the skills of those well-versed in the art of digital forensics. This can involve taking an exact copy of the hard drive on the machine, copying what is currently in the machine’s memory, and analyzing it for artifacts left by your attacker. In addition to a thorough log file analysis, performing this activity can help you determine how attackers got on the machine and what they did once they occupied your space.
Table 8-8
lists a couple of tools, one commercial and one open source, that can help you accomplish this task. These tools work as follows:
Table 8-8
Forensic Tools
EnCase
This commercial, Windows-based tool is widely used throughout the digital forensics community. It allows you to gather data from the hard drive or memory, analyze data from numerous sources, automate some of the more mundane tasks, and produce robust reports based on what it finds. You can find more information about this tool at
www.guidancesoftware.com/
.
This is a compilation of open source, multiplatform command-line tools that allow you to gather and analyze files taken from multiple file systems. Don’t let the “command line” part turn you off though; you can also download the Autopsy Browser, which provides a nice graphical interface to the data you are analyzing. To grab both of these tools, head over to
www.sleuthkit.org/index.php
.
What Did That Malicious Software Do?
So now you’ve come to the moment of truth. You found a piece of malware that you think is responsible for the malicious gateway into your network. The digital forensic tools described in the previous section can help you find out how it got on the machine. However, now you want to know what it was doing while on the compromised host. Was it communicating with other machines external to your local area network? Was it siphoning information from your network? This is an art, and there are different ways to determine what you are looking for (such as static and dynamic binary analyses), but the small set of tools listed in
Table 8-9
can help your team get started on this quest.
Table 8-9
Debugging Tools
These tools work as follows:
This widely used tool works on multiple platforms and offers older versions for free and the newest version for purchase. It is an interactive assistant that allows you to break down the malicious software, stepping through it line by line, to determine the exact purpose of the program. You can download this invaluable aid for your toolbox at
www.hex-rays.com/idapro/
.
This is a Windows-based tool that also allows you to examine that nasty piece of software you found on your network. You can learn more about it and download this tool at
www.ollydbg.de/
.
Consider this a bonus tool to use for analyzing malware. It is not complicated and can’t step through the malware line by line like the previous tools. However, when you run this program against your malware, it will pull (mostly) human-readable strings out of the file. This may not seem very useful as you read this, but imagine if crimeware authors decided to put in their e-mail address, website, or URLs to which this software was designed to communicate. The tool is simple, but it can yield a wealth of information. Read your man pages for more information on this handy tool which can be found by typing -help, —help, /?, or the common help option which will show you how to access the man page documents.
Conclusion
There are many tools you can use to protect yourself and your organization. This chapter covered just a small sampling to point you in the right direction so that you can see how they fit into your enterprise security architecture.
Understanding the state of your network is key to implementing a good deception (honeynet) architecture. Likewise, understanding how your enemy operates via the honeynet affords you the opportunity to test your defenses based on the TTPs observed. We’ve covered preventative measures, actively capturing your enemies during the midst of their malicious activity, being proactive in checking your security posture, and taking measures to understand your enemies after your security has been compromised.
Your ability to fend off advanced threats depends on tools such as those mentioned in this chapter. If these are not a good fit for you, take the time to find out which ones are suitable. If you don’t employ tools such as these, it will be very difficult to determine your attacker’s techniques and determine attribution (guess what the next chapters are about).
CHAPTER
9
Attack Characterization Techniques
