Thoughts on 2008 SANS Forensics and IR Summit

Last week I attended at spoke at the 2008 SANS WhatWorks in Incident Response and Forensic Solutions Summit organized by Rob Lee. The last SANS event I attended was the 2006 SANS Log Management Summit. I found this IR and forensics event much more valuable, and I'll share a few key points from several of the talks.

  • Steve Shirley from the DoD Cyber Crime Center (DC3) said "Security dollars are not fun dollars." In other words, what CIO/CTO wants to spend money on security when he/she could buy iPhones?

  • Rob Lee noted than an Incident Response Team (IRT) needs the independence to take actions during an emergency. I've called this authority the ability to declare a "Network State of Emergency" (NSOE). When certain preconditions are met, the IRT can ask a business owner to declare a NSOE, just like a state governor can declare a state of emergency during a forest fire or other natural disaster. The IRT can then exercise predefined powers (like host containment, memory acquisition, live response, etc.), acting under the business owner's authority without coordinating in the moment with IT or other parties. Rob also mentioned that SleuthKit 3 would arrive soon; it was released yesterday. Rob shared the idea that sharing IR information resembles the full disclosure debate.

  • Mike Poor from the newly renamed InGuardians provided the following advice when asked "what logs should we collect?" He responded: "Collect the logs to tell the story you want to tell." I thought this was a great response. Some enterprises don't want to tell a story. Some only know the middle, by virtue of being in the midst of an intrusion. Those who collect data that validates a successful resolution of an intrusion can tell the end of the story. Those with mature visibility and detection initiatives can tell the beginning of the story as well. Furthermore, during lunch Mike suggested I read Ed Skoudis' WMIC articles to understand Windows Management Instrumentation Commands.

  • Aaron Walters from Volatile Systems and Matt Shannon from F-Response announced that F-Response 2.0.3 can remotely acquire memory on target systems. Aaron mentioned that intruders have dynamically injected malicious code into processes, like Web servers, to offer one-time-use URLs that don't exist on disk. Aaron also noted cases where a system reports it is patched, but because of a driver conflict the system is really running vulnerable software. Aaron provided a short demo of Voltage, a commercial enterprise product for investigations. Aaron used the MIT Simile Timeline application to outline time series data visually.

  • Harlan Carvey cited Nick Petroni while defending the collection of memory on targets: "collecting memory now lets us answer new questions later." He said he sometimes arrives at a client site where all victim systems have been reinstalled and no logs are kept, yet the customer wants to know what happened.

  • Ovie Carroll, now Director of the Cybercrime Lab at U.S. Department of Justice Computer Crime and Intellectual Property Section, said he has been briefing judges on the need to collect volatile data during investigations. He said DoJ has to be ready to answer a defense attorney who says "by pulling the plug on my client's computer, you destroyed exculpatory evidence!" Ovie emphasized the importance of developing an investigative mindset in analysts, not simply concentrating on "data extraction." After his presentations we discussed how future investigations may have very little to do with individual PCs, since most of the interesting evidence might reside on provider applications and networks.

  • Mike Cloppert ruffled a few feathers (justifiably so) by stating "the advanced persistent threat has rendered the classical IR model obsolete." In other words, persistent threats make it difficult to start over when there is no end. Mike emphasized the need for "indicator management" and that "intelligence drives response." I agree; without having investigative leads, identifying intruders can be very difficult.

  • Eoghan Casey and Chris Daywalt warned of early containment and remediation during an incident. Do we want to disrupt an intruder or eject him?

I believe my keynote on day 2 went well. Rob stated he plans to hold a second conference in July near Washington, DC next year, so I look forward to attending it.


H. Carvey said…
...could have sworn someone said something about the Windows Registry... ;-)
Unknown said…
"Security dollars are not fun dollars."

I simply have to grin at that, since those sound like fun dollars to me!

I like Rob Lee's (and your) idea of the IRT having some ability to act on behalf of a businessowner. However, I wonder just how dire the situation would need to be before a businessowner approves potentially taking down critical services even for a short time? Or how many times the IRT might have overstated the concern. Or, god forbid, whether the businessowner has any impending doom (jail, fines) hanging over their head as incentive to err on the side of security. Or possibly how many mistakes are made because of lack of coordinating with IT (whoa whoa, you didn't know the implications of taking down that database server dirty?!).

Still, the idea does feel good.
davehull said…
Thanks for posting this. I wanted to attend the event, but scheduling prevented it.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics