First, I need high-end network forensics. I plan to use my open source tools to do a good deal of collection and some analysis, but in certain cases I need more content-centric capabilities. For example, it would not be easy for me to extract certain types of application layer content (think documents, email attachments, and the like) using some of my tools. I am also not the only person who may need to do this work, so a collaboration- and non-expert-friendly system is needed.
For this I am taking a close look at NetWitness NextGen. I recently bought a copy of Investigator Field Edition. You can think of this product as the network forensics equivalent of a hard drive forensics product. It's content-centric, not packet-centric like Wireshark. I'm considering using NetWitness Informer to provide Tactical Traffic Assessment services to my businesses by periodically collecting traffic and reporting on what I find.
I can't deploy network sensors everywhere I have a victim host. Therefore, I am going to end up doing a lot of host-centric detection and response. When I suspect a host has been compromised, I want to be able to remotely access that host, collect live response data, and perhaps remotely image the hard drive. I need to know as much about the victim as I can, as quickly as possible.
To meet this requirement I am considering MANDIANT Intelligent Response. I visited their Alexandria, VA offices and got a look at the product. I like the fact that it is built not only to support customers, but also the MANDIANT consultants supporting DoD and other companies like mine. The consultants feed design ideas to the developers, and the team I met was open to my suggestions. I've also worked with many of the MANDIANT group and I believe they know what is needed to win incident response engagements. MANDIANT's product supports collaboration by allowing multiple investigators to research cases remotely. Their appliance has plenty of storage (3 TB I believe) to house remotely imaged hard drives as well.
The third capability I need to augment involves runtime and binary forensics, also known as memory forensics. Going one step beyond the need to conduct live response, I want to take a snapshot of memory on a victim. I want to identify rogue processes, and then 1) retrieve those processes in binary form for static and dynamic analysis on a test box and/or 2) attach a debugger to the rogue process to learn more about it in the wild. The first case is helpful to determine how malware could be used and how it is likely to communicate with the outside world. The second case could be used to observe malware in the wild, possibly even monitoring its communications with its controller -- even if those communications are encrypted on the wire.
To meet this last requirement I met today with HBGary and looked at a beta of their new HBGary Responder product. Over the next few months they are going to add the capability to remotely push their agent to a victim and then pull data from the victim to a concentrator. They plan to add collaboration features (similar to MANDIANT's) so I could manage cases in a distributed manner. Their Responder product provides Active Reversing capability and integrates the pure reverse engineering power of their Inspector tool. I was impressed by Responder's graphing capabilities and the way it showed areas of code that might interest me.
In addition to my technical detection and response needs, I also must provide security metrics for my program. It should be clear after reading such wonderfully titled posts as Control-Compliant vs Field-Assessed Security that I think input metrics are overrated. I need more output metrics to estimate the score of the game, i.e., are we winning, drawing, or losing? I am considering using HBGary Responder to provide one of our metrics in the following manner.
- Select a random subset of assets, like employee laptops.
- Use HBGary Responder to collect memory images of these assets.
- Use the product's binary hashing capabilities to identify processes by comparing them to the Bit9 Knowledgebase and other lists.
- Count the number of normal, suspicious, and malicious results over time, per machine. Ideally we want to see fewer suspicious and malicious results, with higher numbers indicating problems.
- Beyond the metric, use the conclusions to conduct incident response for those suspicious and malicious results.
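As an added illustration of the five steps above (example code written for this edit, not part of the original post and not code from HBGary, Bit9 or any other vendor): the script draws a reproducible random sample of assets, classifies each process from a memory image by its hash alone, tallies normal/suspicious/malicious counts per host and per collection date, and produces the follow-up list for incident response. The hash lists, host names, dates and process listings are constructed; the "sha256:..." strings are labels standing in for real digests, and KNOWN_GOOD stands in for a knowledgebase such as Bit9's.

```python
import random
from collections import Counter

# Constructed stand-ins for the Bit9 Knowledgebase and a malicious-hash list.
# Real deployments would load these from the vendor feed and the team's own IOC list.
KNOWN_GOOD = {"sha256:good-explorer", "sha256:good-svchost", "sha256:good-outlook"}
KNOWN_BAD = {"sha256:bad-dropper"}

VERDICTS = ("normal", "suspicious", "malicious")


def select_sample(assets, n, seed=None):
    """Step 1: pick a random subset of assets. A fixed seed makes the draw repeatable for audit."""
    return sorted(random.Random(seed).sample(list(assets), n))


def classify(sha256):
    """Step 3: verdict from the hash, never from the process name.

    A known-bad hash wins even when the process is named like a legitimate binary;
    anything on neither list is 'suspicious' until an analyst has looked at it.
    """
    if sha256 in KNOWN_BAD:
        return "malicious"
    if sha256 in KNOWN_GOOD:
        return "normal"
    return "suspicious"


def score_image(processes):
    """Count verdicts for one memory image, given as a list of (process name, hash) pairs."""
    counts = Counter(classify(h) for _, h in processes)
    return {v: counts.get(v, 0) for v in VERDICTS}


def score_by_host(collections):
    """Step 4: counts per collection date, per host."""
    out = {}
    for c in collections:
        out.setdefault(c["date"], {})[c["host"]] = score_image(c["processes"])
    return out


def program_totals(collections):
    """Step 4: counts summed across the sample for each date, i.e. the trend line for the program."""
    totals = {}
    for date, hosts in score_by_host(collections).items():
        totals[date] = {v: sum(h[v] for h in hosts.values()) for v in VERDICTS}
    return totals


def followups(collections):
    """Step 5: every non-normal process, in collection order, as the IR work queue."""
    return [(c["date"], c["host"], name, h, classify(h))
            for c in collections
            for name, h in c["processes"]
            if classify(h) != "normal"]


# Constructed memory-image results for two monthly collections across three laptops.
COLLECTIONS = [
    {"date": "2008-01-07", "host": "laptop-01", "processes": [
        ("explorer.exe", "sha256:good-explorer"), ("svchost.exe", "sha256:good-svchost"),
        ("outlook.exe", "sha256:good-outlook")]},
    {"date": "2008-01-07", "host": "laptop-02", "processes": [
        ("explorer.exe", "sha256:good-explorer"), ("svchost.exe", "sha256:good-svchost"),
        ("update.exe", "sha256:unknown-update")]},
    {"date": "2008-01-07", "host": "laptop-03", "processes": [
        ("explorer.exe", "sha256:good-explorer"),
        ("svchost.exe", "sha256:bad-dropper")]},  # legitimate name, known-bad hash
    {"date": "2008-02-04", "host": "laptop-01", "processes": [
        ("explorer.exe", "sha256:good-explorer"), ("svchost.exe", "sha256:good-svchost"),
        ("outlook.exe", "sha256:good-outlook")]},
    {"date": "2008-02-04", "host": "laptop-02", "processes": [
        ("explorer.exe", "sha256:good-explorer"), ("svchost.exe", "sha256:good-svchost"),
        ("outlook.exe", "sha256:good-outlook")]},
    {"date": "2008-02-04", "host": "laptop-03", "processes": [
        ("explorer.exe", "sha256:good-explorer"), ("svchost.exe", "sha256:good-svchost"),
        ("winlogon.exe", "sha256:unknown-winlogon")]},
]

if __name__ == "__main__":
    fleet = ["laptop-%02d" % i for i in range(1, 11)]
    print("sampled assets:", select_sample(fleet, 3, seed=7))
    for date, counts in program_totals(COLLECTIONS).items():
        print(date, counts)
    for row in followups(COLLECTIONS):
        print("follow up:", row)
```

The trend the post asks for is the per-date totals: in the constructed data the malicious count goes from 1 to 0 between collections while one new unknown binary appears, and the follow-up list is exactly the set of processes an investigator would pull from the image for analysis.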
I generated a bunch of other metrics last year in Controls Are Not the Solution to Our Problem.
Incidentally, I'm not the only person to think these companies are offering something worthwhile. Today I read Analyze This Malware over at Dark Reading.
Application forensics is a final category of importance for which there are no real commercial tools yet. The canonical example is database forensics. The Oracle leader is (unsurprisingly!) David Litchfield and the SQL Server leader is Kevvie Fowler. Both should have books on their respective subjects arriving this year.