SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response

Our focus this week, albeit loosely, is on Incident Response. There has been much news of late regarding the Stuxnet malware, and a couple of the more interesting perspectives are linked in the "Good Reads" section below. As forensicators and incident responders, the advent of such "weapons-grade" malware raises the stakes significantly, and we have to step up our game to match. Memory forensics becomes far more crucial when dealing with advanced threats, and Mandiant offers some help in this area with an update to their Memoryze tool. But our ability to learn from the incidents we investigate and share that information also becomes vastly more important. To help us in this area, Verizon has provided their VERIS Framework, which is a tool for gathering metrics from incident investigations so that we can begin to share and learn from the breaches that inevitably occur. The VERIS Framework isn't all that new, but deserves more attention. So read on for these and other interesting bits, and be sure to let us know what you think.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • This week, Mandiant announced a new version of Memoryze, their Windows memory forensics tool. This release brings support for Windows 7 (32 & 64-bit) and Windows 2008 64-bit, along with a speed improvement of up to 40% "depending on memory size and configuration parameters."
  • Over the weekend, The Sleuth Kit 3.2.0b1 (beta) was released. This latest version includes some significant enhancements such as "a new automation framework and new tools that can recover deleted files into the original directory structure, compare a directory to a disk image, and load image information into a sqlite database."
  • While not exactly new, the Verizon Incident Sharing (VERIS) Framework is worthy of note for those (like me) who hadn't heard of it. I've become concerned, of late, with generating metrics to quantify and classify both attacks and incidents, and this seems like an excellent starting point for both collecting internal metrics and collaborating with other organizations. The VERIS Framework is the basis for the data collected and presented in Verizon's Data Breach Investigations Report (DBIR), and Version 1.0 was publicly released back in July.

Good Reads:

  • Symantec's Security Response Blog has an excellent post detailing the process used by the Stuxnet worm to infect the Programmable Logic Controllers (PLCs) used in certain Industrial Control Systems.
  • Frank Rieger poses an interesting hypothesis about the identity of the original/intended target of the Stuxnet malware, then concludes his article by saying:

    Stuxnet will go down in history as the first example of a new class of malware that has been engineered to weapons-grade performance with nearly no side-effects and pinpoint accuracy in delivering its sabotage payload.

  • That closing statement from Mr. Rieger provides an excellent segue into Richard Bejtlich's recent post, Thoughts on "Cyber Weapons," in which Mr. Bejtlich discusses what distinguishes "Cyber Weapons" (as represented by advanced malware such as Stuxnet) from offensive security tools such as Metasploit and Ronin (which are commonly used by defenders to test their own defenses).

News:

  • Microsoft released Internet Explorer 9 beta this week. So, the obvious question is: will this version introduce any significant changes to the forensic artifacts we commonly deal with? If anyone has research time on their hands, please check out the artifacts and let us know what you find.
  • KrebsOnSecurity: The SpyEye botnet kit adds a new way for botmasters to steal your money.

Levity:

  • Do you ever have days when this feels like a metaphor for Information Security?
  • But I AM a Jedi! (Hope this kid likes Star Wars.)

Coming Events:
Digital Forensics Case Leads for 20100923 was compiled by Gregory Pendergast, Interim Information Security Officer at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to caseleads@sans.org.