Blog: SANS Digital Forensics and Incident Response Blog: Author - mikecloppert

Blog: SANS Digital Forensics and Incident Response Blog:

An Overview Of Protocol Reverse-Engineering

JOIN SANS FOR A 1-DAY CYBER THREAT INTELLIGENCE SUMMIT headed by Mike Cloppert - 22 Mar 2013-http://www.sans.org/event/what-works-cyber-threat-2013


With this post I'm kicking off a series designed to help analysts reverse engineer undocumented - or poorly documented - network protocols. It is fairly common for incident responders to be presented with a network packet capture (PCAP) containing undocumented bi-directional traffic, or binary files exhibiting such behavior. The content and purpose of these transactions is often learned through "conventional" reverse engineering of the client binary executable (using common dynamic and static techniques). This process is time-consuming in the context of rapidly-evolving incident response scenarios, as extensive analysis of network communications may be complicated by a number of factors. I have been ...

Why Stuxnet Isn't APT

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry naval-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same.

Favoring Frameworks for Intrusion Detection and Prevention

Revealing, maturing, and utilizing indicators through their lifecycle is the analytical engine behind Security Intelligence (or, if you prefer, Intel-driven CND). Each of these actions can be enhanced with custom, FOSS, and COTS tools, but perhaps no aspect relies on tools more heavily than the act of leveraging intelligence. The data rates and sizes of today's computers and networks mean that only through the use of automation can intelligence be leveraged - manual searching and correlation by analysts is simply impossible. Thus, the ability to codify intelligence in network and host security tools defines the limits of an organization's effective use of that intelligence.

Security Intelligence: Defining APT Campaigns

In the three previous installments of this series, I introduced security intelligence and how to begin thinking about sophisticated intrusions. In this entry, I will discuss how my team at Lockheed Martin defines the adversaries that we track using the definitions covered previously, with a particular focus on the kill chain. As always, credit for these techniques belongs to my team and the hard work of evolutionary CND we've done over the past 6 years.

The "persistence" in APT intrusions is manifested in two ways: maintaining a presence on your network, as well as repeatedly attempting to gain entry to areas where presence is not

...

Uncident Response

Awhile ago, I was asked to assist in responding to a security problem on a client's network. A major vulnerability was reported on a website that involved failure of the primary authentication and access control mechanism. So severe was the vulnerability that not only could one user view another's PII, but complete authentication circumvention was itself trivial! I was tasked with assessing what, if any, impact had resulted from this exposure. This probably sounds familiar to many security analysts: a vulnerability was discovered, what compromise resulted from it?

These cases turn classic incident response on its head. We are trained, and often work, on issues where a compromise is discovered, from which analysis reveals a vulnerability. Here, we have the opposite. One immediate difference is clear: when there is a compromise, some vulnerability was necessarily exploited. However, the result of a vulnerability investigation is not so clear. Our normal incident

...