Tuesday, July 21, 2015

SANS DFIR Summit 2015

I was fortunate to have been able to attend both the DFIR Summit and the Forensic 508 course this year. It's been forever since I've been able to pick a training course not tied to the purchase of a product. I have always wanted to go to the summit, but it never worked out. Having heard good things about it, my expectations were high.

The Hilton venue itself was top notch. The rooms were updated and the conference space was very spacious, so it never felt crowded. It cost me $18 for an Uber, so it wasn't too far from the airport. The location 2 blocks from 6th street (aka Dirty 6th) was perfect. Every night there was tons of live music happening and lots of bars and restaurants to check out.

James Dunn from Sony kicked off the conference and unfortunately did not talk about the breach. He did however point out some great things about how orgs need to move beyond the Kill Chain. Most of what matters in crisis management happens after actions on objectives by the attacker. For instance, he offered two examples of how companies behaved following a breach. One decided to ignore another attacker in the environment. Another decided that it wasn't a priority to fix underlying causes. The examples were all too real.

The panel on Finding Needles in the Haystack definitely offered some good insights. I think we as an industry have conceded that most orgs still aren't even doing the basics, despite trying to take on more advanced capabilities. However, the discussion did highlight differing opinions on the path forward. Vendors believe a tool offers the best chance to force multiply and move the needle, while many front line responders believe adding more people is a better use of resources. Personally I err on the side of adding smart people when they are available. I did really enjoy some of the comments from Sameer on how the government, particularly the Obama White House, views cyber security. They essentially all agreed the government has no place protecting the private sector and there wasn't any appetite for more spending. I would definitely like to see at least something budget neutral happen, like reallocating student loan funds to only degrees that add significant value to the economy like STEM.

My second favorite talk of the conference was Dmitry's talk on Threat Analysis of Complex Attacks. He repeated one of my favorite mantras: "You only know what the attacker wants you to know". While it didn't focus on Equation Group like I was hoping, it did cover it somewhat, as well as Duqu 2. He had some very good things to say about attribution. However, I didn't quite follow his logic on stating that a new zero day didn't have armoring because it was given to the actor group. That may have been true, but I didn't see the reason for that conclusion.

I was not able to attend Sara Newcomer's talk on OS X "Shell bags", despite really wanting to. One of my colleagues attended, and we were able to take back some knowledge to apply to our Mac collections and investigations. (See Quicklook Thumbnail Cache DB)

Julien Vehent's talk on Mozilla's endpoint security project, MIG, was very interesting. I think it was trying to solve some problems that GRR wasn't able to do. In terms of the breadth of functionality in the product, it didn't appear to have a lot of capabilities. But what it did have, it did really well: extremely fast queries of endpoints. It also is focused mostly on Linux and Mac OS X, which might not align with most orgs. They did bake some nice security into the communication channels. I'm looking forward to seeing this tool developed further.

Next there was the annual Forensic 4cast Awards. The winners received an engraved hard drive. It sounds like some of this year's votes were the closest in history, specifically for Investigator of the Year and Book of the Year.

This was followed by a fun DFIR Night Out at Buffalo Billiards. Apparently this is a thing ... :-) Guess who that is?

I did attend the Cellebrite lunch and learn on day 2 and really liked what I saw. Some of the features were so scary, I can see why they only sell it to law enforcement. Basically one of the modules goes beyond the phone and starts to harvest social media accounts and cloud storage. They also have a really nice module for showing relationships between contacts, similar to other intel tools. I am looking forward to bringing in some of their tools to our lab next year. While they didn't cover malware much, I was able to talk to Ronen afterwards to discuss the serious Android malware problems people are facing.

Probably my favorite talk was Ryan Benson's talk on Google Chrome Forensics, where he demoed Hindsight. So much good stuff there, all for free. One particularly useful piece of information he discussed was how much data of forensic value can be pulled from the Google Analytics cookies. I also learned a new term, Local Storage Records aka HTML5 cookies.
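As an added example of what those Google Analytics cookies hold (this is not Hindsight's code or anything from the talk), here is a small parser for the classic ga.js `__utma` and `__utmz` values; the sample cookie values are constructed, and the layouts are the documented ga.js formats.

```python
"""Parse classic Google Analytics (ga.js) first-party cookies for a forensic timeline.

Added example, not Hindsight's code. The cookie values below are constructed."""
from datetime import datetime, timezone
from urllib.parse import unquote


def _iso(unix_seconds):
    """Convert an epoch-seconds string to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(unix_seconds), tz=timezone.utc).isoformat()


def parse_utma(value):
    """__utma layout: domainhash.visitorid.firstvisit.previousvisit.currentvisit.sessioncount"""
    domain_hash, visitor_id, first, prev, cur, sessions = value.split(".")
    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,          # random id, stable across visits to this domain
        "first_visit": _iso(first),
        "previous_visit": _iso(prev),
        "current_visit": _iso(cur),
        "session_count": int(sessions),
    }


def parse_utmz(value):
    """__utmz layout: domainhash.timestamp.sessioncount.campaigncount.key=val|key=val..."""
    domain_hash, stamp, sessions, campaigns, source = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in source.split("|") if "=" in kv)
    return {
        "domain_hash": domain_hash,
        "set_at": _iso(stamp),
        "session_count": int(sessions),
        "campaign_count": int(campaigns),
        "source": fields.get("utmcsr"),    # referring site, or "(direct)"
        "medium": fields.get("utmcmd"),    # organic, referral, cpc, (none)
        "campaign": fields.get("utmccn"),
        "search_term": unquote(fields.get("utmctr", "")) or None,  # URL-decoded query
    }


# Constructed sample values, as they would appear in Chrome's Cookies SQLite database
SAMPLE_UTMA = "173272373.1234567890.1436227200.1436313600.1437436800.5"
SAMPLE_UTMZ = "173272373.1437436800.5.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=dfir%20summit%202015"

if __name__ == "__main__":
    for key, val in parse_utma(SAMPLE_UTMA).items():
        print(f"__utma {key}: {val}")
    for key, val in parse_utmz(SAMPLE_UTMZ).items():
        print(f"__utmz {key}: {val}")
```

The three `__utma` timestamps give first, previous and current visit times even when the browser history itself has been cleared, and `__utmz` records how the user arrived, including the search term.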

Wendi Rafferty and Chris Scott's talk on remediation really drove home the key points of successfully resisting the adversary post-incident. There is so much you can do just within Active Directory controls to raise the bar. Leveraging two-factor authentication, administrative account segmentation, and software restriction policies brings a lot to the game. They also covered some recent tactics being used with webshells.

Kyle Maxwell's talk on Extrusion Detection was entertaining and useful, as all of Kyle's talks are. He highlighted just how much you can learn by trolling paste sites and using tools like Combine to ingest indicators. There was also a great point about leveraging VirusTotal Intelligence with a YARA signature to monitor for any files targeting your company. Scumblr by Netflix is a very powerful free tool. More fun can be found at Yolothre.at.

The conference wrapped up with the SANS360 talks. All of them were awesome, but I think Matt Linton's Dr. Seuss telling of an incident response was by far the funniest and most creative I've seen. Frank McLain dropped some really great insight in his talk about changing jobs without really changing a thing and falling into the same trap. And of course the always awesome Alissa Torres gave a talk that needs to be required viewing for every HR department trying to recruit and retain InfoSec talent.

I really like the defensive focus of the conference, as it's all stuff you can take home and apply, versus most "I hacked this" offensive talks, which aren't typically very useful. The small community feel was a major plus too. I think it's official that this is DFIR Summer Camp. This conference is definitely going to be on the rotation; however, there is also a new Threat Hunting Summit starting next year in New Orleans. SANS has published most of the slide decks for your viewing pleasure. We can also expect some of the videos to be posted to the SANS YouTube channel over the next few months.