My favorite DFIR presentations for 2016


2016 was a year full of interesting presentations and conferences! I took a moment to think about the presentations that helped me better understand the threat landscape, introduced me to new tools and processes, provided inspiration for my team and helped me with my daily operations.

The selection of presentations below is subjective, but indicative of the trends in the DFIR community during 2016. The order in which they appear is random.

I would appreciate any feedback and would be more than happy to receive your own lists! Enjoy!

1. John Lambert (Microsoft) – Changing the physics of defense
2. Sean Metcalf (Trimarc) & Will Schroeder (Veris Group) – Attacking EvilCorp: Anatomy of a Corporate Hack
3. Daniel Bohannon (MANDIANT) – Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’
4. David Sharpe (GE-CIRT) – Intrusion Hunting for the Masses
5. Rob Joyce (NSA TAO) – Disrupting Nation State Hackers
6. Andy Robbins, Will Schroeder, Rohan Vazarkar (Veris Group) – Six Degrees of Domain Admin
7. Kevin Perlow (Booz Allen Hamilton) & Allen Swackhamer (Target) – Tracking Threat Actors through YARA Rules and Virus Total
8. Andrew Case (Volexity) – Utilizing Memory and Network Forensics for Scalable Threat Detection and Response
9. Michael Kemmerer (MITRE) – Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytics
10. Chris Gates & Chris Nickerson – Building A Successful Internal Adversarial Simulation Team
11. Matt Dunwoody & Nick Carr (MANDIANT) – No Easy Breach: Challenges and Lessons Learned from an Epic Investigation
12. Jared Haight (Gotham Digital Science) – Introducing PowerShell into your Arsenal with PSAttack
13. Mark Russinovich (Microsoft) – Tracking Hackers on Your Network with Sysinternals Sysmon
14. Tom Ueltschi (Swiss Post) – Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
15. Frode Hommedal (Telenor CERT) – Tactical Response

For more information see below:

1. John Lambert (Microsoft) – Changing the physics of defense

We’ve heard that attackers have all the advantages. Defenders are too slow, too disorganized, and too far behind the curve. The physics of cyber favor the offense. Today’s modern defenders are changing all of this. The world is in transition and the playbook for network defense is being rewritten as a new set of forces take hold. Modern defenders are harnessing the cloud to store data volumes that were economically out-of-reach just a few years ago. Attackers’ opsec mistakes are imprisoned in today’s big data systems waiting for discovery by defenders that are sharing knowledge more widely than ever before. In the past, victims were disorganized; now everywhere you look defenders are sharing: every geography, every industry, and even competitors. The skillsets of defense have changed from AV and SIEM to reverse engineering, intelligence-driven hunting, and data science. This talk will discuss these and other major trends sweeping the world of defense and why they are changing the balance between attack and defense.

Slides: https://onedrive.live.com/?authkey=%21AJaS6VKY2AeMdDU&cid=F29DB6166A2D81B4&id=F29DB6166A2D81B4%21108&parId=F29DB6166A2D81B4%21107&o=OneUp

2. Sean Metcalf (Trimarc) & Will Schroeder (Veris Group) – Attacking EvilCorp: Anatomy of a Corporate Hack

With the millions of dollars invested in defensive solutions, how are attackers still effective? Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries? And is there anything the underfunded admin can do to stop the carnage? Join us in a shift to “assume breach” and see how an attacker can easily move from a single machine compromise to a complete domain takeover. Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts.” The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary. When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction? In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker.

Slides: https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Presented.pdf

3. Daniel Bohannon (MANDIANT) – Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’

The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs. We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker. Next, I will introduce three new layers of obfuscation that can be applied to any PowerShell command. You can use each layer independently, or stack them together to prevent any one technique becoming an easy signature for defenders. The first layer directly manipulates PowerShell and .Net cmdlets, functions and arguments. The second string manipulation layer can then be applied to a single command or an entire script. Finally, I will demonstrate several techniques for content execution using PowerShell command input parameters that hide command line arguments from appearing for powershell.exe. Attempting to detect every possible obfuscated version of particular commands is not an efficient means of detection. Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging and rely primarily on command line logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments.
I will also highlight methods using C# within powershell.exe that enable the attacker to execute .Net functions without being recorded in PowerShell event logs. Attackers and popular frameworks like Metasploit, PowerSploit, and Empire use PowerShell’s remote download cradle to execute remote scripts on a target system entirely in memory. This capability is typically used to avoid A/V and many application whitelisting products. I will give particular focus to the numerous ways within PowerShell, .Net, and native Windows applications that this remote download functionality can be accomplished without using .Net’s popular Net.WebClient class. I will also explore a half dozen functions that attackers can use to encode and decode PowerShell commands, including .Net’s SecureString functions. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms. These techniques are available as miniature plug-n-play versions to be easily added to existing PowerShell frameworks in an effort to promote more wide-scale adoption.

Slides: http://www.slideshare.net/danielbohannon2/invokeobfuscation-derbycon-2016

4. David Sharpe (GE-CIRT) – Intrusion Hunting for the Masses

So, mature CIRTs are supposed to have people hunting for APT, right? Don’t have a hunt team yet? Don’t know what to hunt for, or how or where to hunt? You are not alone. This talk will cover a range of effective and practical techniques that have worked over the years for finding targeted intrusions.

Slides: –

5. Rob Joyce (NSA TAO) – Disrupting Nation State Hackers

From his role as the Chief of NSA’s Tailored Access Operation, home of the hackers at NSA, Mr. Joyce will talk about the security practices and capabilities that most effectively frustrate people seeking to exploit networks.

Slides: https://www.usenix.org/sites/default/files/conference/protected-files/enigma_slides_joyce.pdf

6. Andy Robbins, Will Schroeder, Rohan Vazarkar (Veris Group) – Six Degrees of Domain Admin

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then — and only then — we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains.

Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
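As an added illustration of the derivative-admin idea in the abstract above (example code written for this post, not code from the talk or from the presenters' tooling), the following Python builds a small directed graph from constructed AdminTo and HasSession relationships and runs a breadth-first search to find the shortest chain from a user to a Domain Admin. Run from the defender's side, it is the audit that surfaces users who are effectively domain admins without anyone having intended it; every host name, user name and relationship in it is constructed.

```python
from collections import deque

# Constructed sample data (not from the talk): the abstract's Bob/Steve/Mary
# chain plus one user with no path. ADMIN_TO: users and the hosts where they
# hold local admin rights. HAS_SESSION: hosts and the users logged on there,
# whose credentials an admin of that host could reach.
ADMIN_TO = {"bob": ["steve-pc"], "steve": ["mary-pc"], "mary": ["dc01"], "alice": ["alice-pc"]}
HAS_SESSION = {"steve-pc": ["steve"], "mary-pc": ["mary"], "alice-pc": ["alice"], "dc01": ["mary"]}
DOMAIN_ADMINS = {"mary"}


def build_graph(admin_to, has_session):
    """Directed graph over users and hosts: user -> host (AdminTo) and
    host -> user (HasSession). Following edges chains admin rights together."""
    graph = {}
    for user, hosts in admin_to.items():
        graph.setdefault(user, []).extend(hosts)
    for host, users in has_session.items():
        graph.setdefault(host, []).extend(users)
    return graph

def shortest_path(graph, start, targets):
    """Breadth-first search for the shortest chain from `start` to any node in
    `targets`; returns the node list or None. BFS guarantees a minimal hop
    count, i.e. the shortest escalation path the abstract talks about."""
    if start in targets:
        return [start]
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in parents:  # already reached by a path at least as short
                continue
            parents[nxt] = node
            if nxt in targets:
                path = [nxt]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

def audit_paths_to_domain_admin(graph, users, domain_admins):
    """Defender view: each non-DA user from whom a chain of admin rights and
    sessions reaches a Domain Admin, mapped to that shortest chain."""
    findings = {}
    for user in users:
        if user in domain_admins:
            continue
        path = shortest_path(graph, user, domain_admins)
        if path:
            findings[user] = path
    return findings


if __name__ == "__main__":
    g = build_graph(ADMIN_TO, HAS_SESSION)
    for user, path in audit_paths_to_domain_admin(g, ADMIN_TO, DOMAIN_ADMINS).items():
        print(f"{user}: {len(path) - 1} hops via {' -> '.join(path)}")
```

On the constructed data the audit reports bob (four hops through steve-pc, steve and mary-pc) and steve, while alice has no path; on real data the same BFS over PowerView-style output is what turns a list of local-admin grants into a list of unintended derivative admins to remediate.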

Slides: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf

7. Kevin Perlow (Booz Allen Hamilton) & Allen Swackhamer (Target) – Tracking Threat Actors through YARA Rules and Virus Total

One of the largest challenges in incident response and security operations is tracking changes in campaigns and maintaining an up-to-date list of indicators of compromise. This presentation will detail creating and maintaining YARA rules and leveraging them against the VirusTotal database to track file relationships, subtle changes in campaigns, and generate predictive intelligence using two real-world case studies. In addition, we will provide several working ideas for tracking and logging this information and automating analysis specific to individual campaigns.

Slides: https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2016/PDFs/Tracking-Threat-Actors-through-YARA-Rules-and-Virus-Total-Kevin-Perlow-and-Allen-Swackhamer.pdf

8. Andrew Case (Volexity) – Utilizing Memory and Network Forensics for Scalable Threat Detection and Response

Modern threats necessitate active hunting for malware and attackers throughout an organization’s environment. Unfortunately, traditional approaches to detection of this malicious activity are now inadequate as advanced malware and skilled attackers easily mislead them. During this presentation attendees will learn how malware and attackers evade these traditional methods as well as how memory and network forensics can be used to give defenders an upper hand. Memory forensics, which is the examination of a system’s state through analysis of RAM, is much harder to fool as malicious applications necessarily create artifacts in memory in order to operate. Similarly, network forensics gives defenders a concrete look at data flowing throughout their environment, and it provides little room for attackers to hide their lateral movement and data exfiltration. Beyond initial detection, this presentation will also show how these types of analysis can also provide rapidly scalable triage of the rest of a potentially compromised network. The scenarios presented in this talk will be based on real-world malware as well as real investigations performed on large networks throughout the world. Attendees will leave with the ability to start proactively detecting and triaging threats in their environment – all using open source tools.

Slides: https://sector.ca/wp-content/uploads/presentations16/Case-Sector-2016-Scalable-IR.pdf

9. Michael Kemmerer (MITRE) – Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytics

Revisiting the .conf2014 presentation titled: “Uncover Compromised Systems by Collecting Data From Existing Endpoint Solutions and Observing Patterns of Behaviors.” The talk will focus on the ATT&CK framework, the soon to be released Cyber Analytic Repository (CAR) and updates to how we use Splunk for Endpoint Security.

Slides: https://www.mitre.org/sites/default/files/publications/pr-16-3058-presentation-detecting-adversary-post-compromise.pdf

Video link: https://conf.splunk.com/files/2016/recordings/detecting-the-adversary-post-compromise-with-threat-models-and-behavioral-analytics.mp4

10. Chris Gates & Chris Nickerson – Building A Successful Internal Adversarial Simulation Team

The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment’s resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and, most of all, we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us.

Slides: http://www.slideshare.net/chrisgates/building-a-successful-internal-adversarial-simulation-team-chris-gates-chris-nickerson

11. Matt Dunwoody & Nick Carr (MANDIANT) – No Easy Breach: Challenges and Lessons Learned from an Epic Investigation

Every IR presents unique challenges. But–when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day–the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

Slides: –

12. Jared Haight (Gotham Digital Science) – Introducing PowerShell into your Arsenal with PSAttack

PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, “Get-Attack”, to act as a search engine for attacks, making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier.

Slides: –

Plus, three additional presentation slides without video recordings:

13. Mark Russinovich (Microsoft) – Tracking Hackers on Your Network with Sysinternals Sysmon

Sysinternals Sysmon is an advanced system monitoring service that logs file manipulation, process and image loading, and other events that can be used to identify the presence of an attacker. Learn tips and tricks that will help you get the most out of this powerful hacker hunting tool.

Slides: https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

14. Tom Ueltschi (Swiss Post) – Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways.

This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches.
Splunk is just an example of a SIEM used to centralize Sysmon log data and to search and correlate large amounts of data in order to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.

The main goal is to share an approach, a methodology for greatly improving host-based detection by using Sysmon and Splunk to create alerts.

One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.

For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.

Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.

Slides: http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon.pdf

15. Frode Hommedal (Telenor CERT) – Tactical Response

Since the CSIRT Modeling talk given at the FIRST TC in Oslo in November 2015 I’ve given lots of different variants on that talk on different occasions. This presentation, first held at the CERT-EE Symposium in Tallinn on May the 30th, 2016, is in many ways a continuation and expansion on that talk, that covers the subject Tactical Response in a lot more detail.

Slides: http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/
