Skip to main content

SANS DFIRSummit 2015

I was fortunate to have been able to attend both the DFIR Summit and the Forensic 508 course this year. It's been forever since I've been able to pick a training course, not tied to purchase of a product. I have always wanted to go to the summit, but it never worked out. Having heard good things about it, my expectations were high.



The Hilton venue itself was top notch. The rooms were updated and the conference space was very spacious, so it never felt crowded. It cost me $18 for an Uber, so it wasn't too far from the airport. The location 2 blocks from 6th street (aka Dirty 6th) was perfect. Every night there was tons of live music happening and lots of bars and restaurants to check out.

James Dunn from Sony kicked off the conference and unfortunately did not talk about the breach. He did however point out some great things about how orgs need to move beyond the Kill Chain. Most of what matters in crisis management happens after actions on objectives by the attacker. For instance, he offered two examples of how companies behaved following a breach. One decided to ignore another attacker in the environment. Another decided that it wasn't a priority to fix underlying causes. The examples were all too real.

The panel on Finding Needles in the Haystack definitely offered some goods insights. I think we have as an industry have conceded that most orgs still aren't even doing the basics, despite trying to take on more advanced capabilities. However the discussion did highlight differing opinions on the path forward. Vendors believe a tool offers the best chance to force multiply and move the needle. While many front line responders believe adding more people is a better use of resources. Personally I error on the side of adding smart people when they are available. I did really enjoy some of the comments from Sameer on how the government, particularly the Obama Whitehouse, views cyber security. They essentially all agreed the government has no place protecting the private sector and there wasn't any appetite for more spending. I would definitely like to see at least something budget neutral happen, like reallocating student loan funds to only degrees that add significant value to the economy like STEM.

My second favorite talk of the conference was Dmitry's talk on Threat Analysis of Complex Attacks. He repeated one of my favorite mantras: "You only know what the attacker wants you to know". While it didn't focus on Equation group like I was hoping, it did cover it somewhat, as well as Duqu 2. He had some very good things to say about attribution. However I didn't quite follow his logic on stating that a new zero day didn't have armoring because it was given to the actor group. That may have been true, but I didn't see the reason for that conclusion.



I was not able to attend Sara Newcomer's talk on OS X "Shell bags", despite really wanting to. One of my colleagues attended, and we were able to take back some knowledge to apply to our Mac collections and investigations. (See Quicklook Thumbnail Cache DB)

Julien Vehent's talk on Mozilla's endpoint security project, MIG, was very interesting. I think it was trying to solve some problems that GRR wasn't able to do. In terms of the breadth of functionality in the product, it didn't appear to have a lot of capabilities. But what it did have, it did really well. Extremely fast queries of end points. It also is focused mostly on Linux and Mac OSX, which might not align with most orgs. They did bake in some nice security into communication channels. I'm looking forward to seeing this tool developed further.

Next there was the annual Forensic 4cast Awards. The winners received an engraved hard drive. It sounds like some this years votes were the closest in history. Specifically for Investigator of the Year and Book of the Year.



Followed by a fun DFIR Night out at Buffalo Billiards. Apparently this is a thing ... :-) Guess who that is?



I did attend the Cellebrite lunch and learn on day 2 and really liked what I saw. Some of the features were so scary, I can see why they only sell it to law enforcement. Basically one of the modules goes beyond the phone and starts to harvest social media accounts and cloud storage. They also have a really nice module for showing relationships between contacts, similar to other intel tools. I am looking forward to bringing in some of their tools to our lab next year. While they didn't cover malware much, I was able to talk to Ronen afterwards to discuss the serious Android malware problems people are facing.

Probably my favorite talk was Ryan Benson's talk on Google Chrome Forensics, where he demoed Hindsight. So much good stuff there all for free. One particularly useful piece of information he discussed, was how much data of forensic value can be pulled from the Google Analytics cookies. I also learned a new term, Local Storage Records aka HTML 5 cookies.

Wendi Rafferty and Chris Scott's talk on remediation really drove home the key points of successfully resisting the adversary post-incident. There is so much you can do just within Active Directory controls to raise the bar. Leveraging 2 factor, administrative account segmentation, and software restriction policies bring a lot to the game. They also covered some recent tactics being used with webshells.

Kyle Maxwell's talk on Extrusion Detection was entertaining and useful as all of Kyle's talks are. He highlighted just how much you can learn by trolling paste sites and using tools like Combine to ingest indicators. There was also a great point about leveraging Virus Total Intelligence with a yara signature to monitor for any files targeting your company. Scumblr by Netflix is a very powerful free tool. More fun can be found at Yolothre.at

The conference wrapped up with the SANS360 talks. All of them were awesome, but I think Matt Linton's Dr. Seuss telling of an incident response was by far the funniest and most creative I've seen. Frank McLain dropped some really great insight in his talk about changing jobs without really changing a thing and falling into the same trap. And of course the always awesome Alissa Torres, gave a talk that needs to be required viewing for every HR department trying to recruit and retain InfoSec talent.

I really like the defensive focus of the conference as its all stuff you can take home an apply vs most "I hacked this" offensive talks which aren't typically very useful. The small community feel was a major plus too. I think its official that this is DFIR Summer Camp. This conference is definitely going to be on the rotation, however there is also a new Threat Hunting Summit starting next year in New Orleans. SANS has published most of the slide decks for your viewing pleasure. We can also expect some of the videos to be posted to the SANS Youtube channel over the next few months.



Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...