Infogressive’s engineers are a special kind of broken. We like to learn and put ourselves through things that are REALLY hard just because we’re curious… (and a little masochistic).
When I was new to the company, I shadowed on an Incident Response led by one of our vendor partners, and was introduced to the world of forensics.
It seemed really interesting to me. Almost like a weird treasure hunt where you’re looking for the bad guy. I wanted to know more about how to do it, so I bugged my boss to let me go to training. The class they were going to send me to was FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting.
You’ll notice in the title of the class, it says “Advanced” right at the beginning. Having next to 0 experience in forensics previously, I started to prep for the class by reading a few entry-level textbooks and sitting through any webinar or free training class I could get my hands on (thank you, Cybrary!). I also listened to older copies of the FOR508 class that a coworker had attended. Those MP3s became the only thing I listened to for the next 3 months.
Finally, the time for the class came.
Here’s a little run down of what FOR508 covers:
- Detect how and when a breach occurred
- Identify compromised and affected systems
- Determine what attackers took or changed
- Contain and remediate incidents
- Develop key sources of threat intelligence
- Hunt down additional breaches using knowledge of the adversary
For more information, check out the course description here.
My instructor was an incredibly smart individual by the name of Chad Tilbury. Chad’s background started with Air Force OSI, and he eventually became the technical director for CrowdStrike, doing incident response and investigations on the more advanced threats out there.
The class itself consisted of 6 days broken into sections where you would have your typical lecture and then long stretches of lab time to make sure you knew what you were doing. The last day was focused on a capture the flag event with an intrusion scenario where we needed to investigate what happened, build a timeline around it, and present our findings to the class. Whoever found the most and had the best presentation was presented with the class coin as their trophy.
Day #1
Day 1 covered identification and scoping of an incident, as well as intelligence gathering and remediation. We were given a little background on where the term APT came from, as well as an introduction to the IR process. The main tool we would use for the class was the SIFT distribution that was designed by SANS. Think of this as Kali for incident response. We also covered a lot of the core Windows processes and what their “normal” behavior looks like. Once you know normal, you can start to identify “evil”. This was wrapped up with information about finding IOCs (Indicators of compromise) and some advice on remediation.
Day #2
Day 2 focused on memory forensics. We learned what memory forensics entails, as well as the advantages and challenges that come with it. The main focus of our tools revolved around Mandiant’s Redline and Volatility. The number of things you can do with Volatility is mind-blowing, and if you know how to script or program, you can pretty much create your own forensics tool with Volatility as the heart. Seriously a Swiss Army knife for the DFIR guys.
Day #3
Day 3 focused on intrusion forensics. This was mainly the various places in Windows to look for evidence that a file had been executed. This could be malware or just an administration tool that can help to move laterally through the environment (lookin’ at you, PsExec…). We also started to get into event log analysis, covering specific log IDs and codes that will help us understand what’s happening on a host.
Day #4
Both the second half of Day 3 and all of Day 4 consisted of timeline analysis. This is one of the most important aspects of incident response and forensics, as this begins to tell the story from the initial attack all the way through to the discovery of the intrusion. There was a lot to cover.
Day #5
Our final learning day started to cover file system forensics. Up until this point, everything we were learning was focused on being able to find an answer as quickly as possible. This is how it works in the real world. When you’re dealing with an organization the size of Equifax, you can’t do deep-dive forensics on every host. It just doesn’t scale. So, the focus of the first few days was to identify our patient zero so that we knew who to focus the most time and resources on. File system forensics gets into the serious bits and bytes of the operating system. We went into the metadata of a file, talked about slack space, NTFS, FAT, MAC times, all sorts of stuff.
To be honest, my memory starts to get fuzzy around this time because there was so much being thrown at you. As Rob Lee would say, you were learning by waterboarding at this point.
Day #6
Day 6 was the CTF. Our scenario was that Stark Industries had received some intel about a hacking group that might be targeting them (of course they were called Hydra). We broke into teams and started to get to work. We scanned for IOCs, dug through memory images, and got deep into the file system. All of our data had to be compiled into a timeline and a PowerPoint presentation. Because I was a moderator, I worked with the simulcast students that were all remote. We presented our findings and came in 3rd place. No coin, but still pretty cool.
I left the conference with a strange grey substance leaking from my ear. I realized later that it was what was left of my brain : )
On top of a challenging, yet excellent class, there were also some amazing night talks and activities going on at the conference. Two of the talks I attended involved using open source, 3rd party resources for malware investigations and a thorough post-mortem of the Ukrainian power grid breach. There was also a DFIR NetWars competition that was a capture the flag event that required skills learned in classes such as FOR500 (Windows File System Forensics), FOR508 (see above), FOR572 (Network Forensics), and FOR610 (Reverse Engineering Malware).
Studying and test prep once I got back home involved listening to more of the MP3s, re-working all of my labs, and creating an index that was more like a study guide and just as thick as one of the textbooks in the class. I studied for 2 months and then took the test. Even though I was confident that I would at least pass, I scored surprisingly high and qualified to teach the course if I wanted to go through the process. (No thanks. Just here for the tools.)
To wrap up this post, if you’re in IT or InfoSec and you get the chance to go to a SANS training conference, for the love of binary DO IT. It’s intense and a lot of work, but completely rewarding. The amount of information that you learn in that week seriously kicks the crap out of any college-level course I’ve attended so far. The instructors are top-notch guys that are in the industry, working in the trenches when they’re not teaching. The material is current and immediately applicable to what you’re dealing with in your own network. I know that I definitely had a list of things that I immediately wanted to apply to our services so that we can better protect our customers.
Written by: Derrick Masters, Security Engineer