I discovered a crime … and now what?

[Author’s note: The author of this article is a technician, not a lawyer. Although several jurists have been consulted to corroborate that no legal barbarity has been said, it is strongly recommended to consult with a trusted legal professional if necessary].
[Author’s note 2: I would like to thank the ideas and comments offered by the Forensic Computing Telegram group: https://t.me/forense, whose activity has fostered and promoted this article].

Let’s imagine that Mary is a forensic analyst who is working on a case of corporate espionage. While analyzing some compressed files with strange names, she discovers with horror that they are full of images of child pornography.

Imagine that Pete is a pentester whose objective is to take control of a mail server, having to submit as evidence a half dozen high-level emails. Once he has achieved his objective, he extracts several mails at random from the mail accounts, but verifies with indignation that they contain information about a civil servant being bribed for the granting of an important public contract.

Both Mary and Pete have signed a strict confidentiality agreement with the company in which they work, which clearly states that “all the information they have knowledge of during their working activity must be kept in the strictest secrecy.” [Read more…]

Exchange forensics: The mysterious case of ghost mail (IV)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

[Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here]

We return to the investigation of the incident by examining what our colleague had found in the OWA logs. If we gather all the information regarding the accesses made from the two IP addresses with the Firefox User-Agent, we find several patterns of interest:
[Read more…]

Exchange forensics: The mysterious case of ghost mail (III)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3]

[Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here]

After a sleepless night (tossing and turning, brooding on the incident and trying to understand what may have happened, what we may have overlooked, what we still need to try), we return loaded with caffeine to the Organization.

Autopsy has finished the processing of the hard disk image, but after a superficial analysis of the results our initial theory is confirmed: the user’s computer is clean. In fact, it is so clean that the malicious email did not even touch that computer. Therefore, it is confirmed that everything that happened must have happened in the Exchange.

We keep thinking about the incident, and there is something that irks us: if the attackers had complete control of the Exchange, they could have deleted the mail from the Recoverable Items folder, which they didn’t. But what they did manage was to erase it from the EventHistoryDB table, which operates at a lower level … or perhaps they didn’t either.

[Read more…]

Exchange forensics: The mysterious case of ghost mail (II)

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here )

On the previous article we left off with our views on the mail server of the Organization, a Microsoft Exchange 2010. The first thing we can do is ask Systems to do a message tracking of the email, using a graphical tool (although we can also do it by console) to locate the history of a high level email within Exchange.

First attempt, and the email still does not appear. We repeat the addresses and the Systems technician repeats the search without success. The email must necessarily be there, so we ask him to search again the whole day… and we finally find it, 14 minutes later than when it should have been sent.

Apparently the Organization has not implemented its time synchronization strategy well, and we have a 14 minute drift between the Exchange server and the clients (mental note: insist on the need to deploy an NTP server as soon as possible), but at last we have located the email. The screenshot sent by Systems would be something similar to this one (for confidentiality issues we cannot put any of the originals):

[Read more…]

Case study: “Imminent RATs” (III)

Articles from the series “Case study: “Imminent RATs”: [1] [2] [3]

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format))

Additional analysis

The incident was practically solved in the previous article, but we still have some doubts in the pipeline:

  • What actions did the malware perform on the system?
  • What type of malware is it?

To get out of doubts we execute the document in a specially tuned virtual machine with anti-VM measures, which also has Noriben and Sysmon installed. In addition, we capture the outgoing traffic with WireShark to have as complete a view as possible of what the malware does.
[Read more…]

Case study: “Imminent RATs” (II)

Analysis (follow-up)

In the previous article, we had determined there was “something weird” in the computer, and we had downloaded both, a possibly malicious .doc and a user executable and mailbox. It’s time to get down to work to see what they may contain…

[Note: As a good security practice, malicious files should NEVER be shared without minimal protection. Therefore, you can download both files from here, but they are zipped with the password “infected”. Please, handle them with extreme care, you’ve been warned.]

To start with, we can open the user’s .pst to verify that the infection path is correct, something we can easily do from Windows with the Kernel Outlook PST Viewer:
[Read more…]

Case study: “Imminent RATs” (I)

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

[Read more…]

Exchange forensics: The mysterious case of ghost mail (I)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.

Who hasn’t had a moment where two security technicians start talking about the “APT exploiting a XP kernel CVE and exfiltered by HTTP using 404 modifieds, and thank God the IDS caught it and we put up a deny in the firewall before it dropped a new version of the malware C2”.

If you’re a security technician you’re probably smiling at these lines, but if not, you probably haven’t understood a word of it. The problem is obvious: IT security is complicated, and communicating in IT security is even more complicated.

In my opinion, all us IT security experts should work on our communication skills. We need to convince management to invest more time and resources in improving it, and convince users that security is necessary (for their own good in many cases).

For that reason, I’d like to propose a book list, of texts written by technicians, but where several of the main IT security concepts are explained in clear, simple and even agreeable ways.

”Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier – Ed Wiley

Schneier is one of the best disseminators of IT security around at the moment. As well as his IT security blog he has published several books where he treats in a simple way such subjects as risk, system protection, cryptography and even society’s own trust base. All his books are interesting but “Secrets and lies” is the best. If your boss only has time to read one security book, let it be this one.

”The Code book”, Simon Singh – Ed. Anchor

If there’s one field of IT security that’s particularly complicated that’s cryptography (I have the theory that “public key cryptography can only be understood the third time it’s explained”). However, Singh does a great job of perfectly explaining the most complex concepts of cryptography, all based on historic moments and full of anecdotes. A wondrous book.

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, Kim Zetter – Ed Crown

Stuxnet is considered by many to be the first act in the cyberwarfare in all senses: intention, sophistication and complexity are words that spring to mind when we think about a malware that, possibly, has opened Pandora’s box and without doubt will be studied in future times. Zetter is able to tell us how it was detected, analyzed and eradicated in such a pleasant almost addictive way and his story becomes a kind of techno thriller.

“Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door” – Brian Krebs, Ed. Sourcebooks

Krebs is possibly the most famous journalist specialized in IT security in the world. From blog“>his blog he analyses all the most important IT security news critically but clearly. His book is a complete guide to cybercrime, telling us, with all the inside details, the sub world of IT crime from spammers to how they launder the money they make.

“The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers” – Kevin Mitnick & William Simon, Ed. Wiley

Kevin Mitnick (aka “The Condor”) is one of the better known hackers in history, being especially famous for his mastery of social engineering (or as he calls it, “hacking people”). In his book, based on his own stories and those of other hackers from the time, he tells how to overcome several different security systems with few or no technicisms. Applying lateral thinking is very interesting and how they attack certain problems jumping security in sometimes dumb but very effective ways.

“Inside cyberwarfare” – Jeffrey Carr, Ed O’Reilly

Cyberwarfare, cyberespionage, cybercrime… However tightly we close our eyes, they’re still going to be there. Carr makes a very complete list of problems we can find in the Internet, concentrating on how far different countries are capable of cyberwarfare, as well as the different scenarios and technologies to use. Although Carr is analytical and clear, running from trying to panic people, the fear it puts into you when you read it is … upsetting.

There are plenty more “simple” books talking about IT security, but these are the ones I think most representative. What about you? Do you have a bedside book to teach non-technicians about IT security? Share it!