During the recent SANS Forensic Summit, there were a number of questions handed to Rob during the panels that went unanswered due to time constraints. After the IR panel, I took a look at some of the yellow index cards with questions and grabbed one in particular to answer. The question I found was (no author info was available):

What is the worst thing an IR team internally will do?

As I kept thinking about this, I kept coming back to two answers...either do nothing at all, or do too much of the wrong thing. Now, I'm assuming with my response that an incident has been detected, the IR team has been called into action, and some kind of response process has been initiated. At that point, you very likely have something that occurred to indicate that there is an incident, so you may very well have sensitive data being actively exfiltrated from the environment, so doing nothing at all could be extremely detrimental/harmful to the organization.

On the other hand, grabbing systems, running AV scans, deleting files, even wiping systems and reinstalling them can also be harmful to the organization. In a typical breach situation, the questions that need to be answered are:

1. Was the system compromised?
2. Did the system contain some kind of sensitive data?
3. Did "yes" to #1 lead to the exposure/exfiltration of #2?

If you destroy the indicators or "evidence" of what occurred, and cannot therefore determine the answers to these questions, where does that leave you? If you're just re-installing everything with no idea of the attack/infiltration vector, how do you protect yourself in the future? Heck, how do you even know that you fixed the issue, particularly if you have no idea how long the bad guy or their malware have been on the systems? You may be re-installing the malware itself!

So then I thought to myself, why do IR teams (both internal and external) do this sort of thing? In my experience, a lot of times it has to do with assumptions that are made...very often, incorrect assumptions. Due to lack of knowledge, skills, tools, and/or training, IR teams are very often under the gun to provide answers to management, or just get things working again. If you don't know what to look for, it's simply easier to make assumptions without any hard data and proceed on from there. I mean, really...if you destroy the data, who's going to be able to question you? I'm not saying that this is being done maliciously...what I am saying is that I have seen both internal IR teams as well as consultants make some very unfounded SWAG statements about an incident with no data to back them up, and proceed on from there. Very often, I'll just stand there, shaking my head, as they charge off into the sunset.

So, what's myanswer? The question was about IR teams, and not specifically management...so I'd have to say that, IMHO, the worst thing an internal IR team can do is NOT take it upon themselves to develop their own knowledge and skill sets. "I don't know what to do because management won't send me to training" should be an indicator that you've got the wrong people on your team...both for internal teams as well as consulting companies that provide response services. Not everything is going to be included in a class, and having to sit in a classroom to learn something means that the team member (or members) are unavailable for that time. More importantly, if you do get the opportunity to attend a class, but are unable to process the information and use it in your environment, that basically means that you got a nice paid vacation...and to be honest, I'd much rather have one of those some place other than in a classroom!

In summary, the worst thing an IR team can do is not learn from their mistakes, and not take it upon themselves to expand their skill sets and improve their processes.

Thoughts?

I spent all day last Tuesday in downtown DC attending the SANS Forensic Summit...it was totally awesome and well worth every second I was there.

First, a HUGE thank you to Rob Lee for setting the Summit up and inviting me and all of the other speakers, and an only slightly-smaller thank you to all of the folks who attended and made the Summit the success that it was!

Now on to the Summit itself...

Presentations
Richard
Richard Bejtlich gave the keynote address which was very entertaining. Richard is a dynamic and informative speaker, and has some very well thought-out and articulated views, and he's definitely someone worth listening to, even if you don't necessarily agree with everything he says. Unlike Ken Bradley, I don't work for Richard, so I can say anything I want! ;-) Seriously, though...Richard is truly one of the thought leaders in the industry, and definitely someone worth listening to.

Kris Harms
Kris had some great things to say as an incident responder for Mandiant. As a responder, for me, it's great to see other folks in the industry, listen to their presentations, and talk to them about what they're doing, and how they're addressing those problems that we all run into. Many times you'll pick up things that you didn't know, and other times you'll get validation regarding some of the things you're doing when you get a chance to see how others are addressing those same challenges. Kris and the Mandiant crew have a great deal of experience with APT, or advanced persistent threat, so if you get a chance to pick Kris's brain on the subject, do it.

Jamie and Peter
Jamie and Peter, both also from Mandiant, had some great things to talk about with respect to memory analysis, with a specific focus on malware detection. If you haven't really looked at it, you should definitely consider looking at Memoryze and AuditViewer.

Brendan
Brendan's presentation on analyzing Windows Registry hives extracted from a memory dump was a great piece of work! My (top)hat's off to Brendan on the work he's done to extend the work put into tools such as Volatility and RegRipper. Who knew you could grab a memory dump from XP, and the using open source tools, extract the password hashes which you can then crack using your tool-of-choice?

Panels
The panels are a summit/conference format that Rob uses to great effect. I first encountered this sort of technique at Aaron's OMFW last year, and Rob has included it at the Summit. Several folks from a particular field (I was on the IR panel) each give short presentations, and then the floor is opened for questions which Rob filters so that things keep moving. This is a great way to do two things; first, to really push through some varying views in a short period of time, and second, to open up discussions that continue between individuals later, during breaks or even over email after the summit is over.

PodCast
Ovie and Bret were nice enough to invite me, as well as Rob Lee, Ken Bradley, and Jesse Kornblum to take part in the live recording of the CyberSpeak podcast, which was a LOT of fun...as I'm sure you'll be able to tell when you listen to it.

Hey, don't listen just to me...Chris and Matt have posted their impressions of the Summit, as well.

Tips
One of the things I picked up from Kris Harm's talk was a great tip on a means for doing differential analysis of volatile data. Most of use are familiar with the use of pslist to get process information, and how to analyze the information that we receive. I tend to combine that information with the output of tlist, as well as other tools (netstat, etc.) to develop an overall picture of what was happening on the system. What I picked up from Kris is that grep()'ing through the output of handle.exe, you can look for "pid:", which provides you with yet another means of locating processes. The same technique can be used for malware detection, by looking for mutants/mutexes (mentioned by both Kris, and his cohort over at Mandiant, Peter Silberman) using something called the "least frequency of occurrence" (thanks, Peter!).

I'm really looking forward to getting to the SANS Forensic Summit tomorrow! This is a great place to meet, listen to some great presentations, and to chat with folks from various fields (LE, FTE, corporate consultant, etc.) in the industry. My hat's off to Rob Lee for pulling this fantastic event together!

Per the Summit agenda, I will be on the IR panel in the morning, and then giving my Registry Analysis presentation at 1pm, right after lunch. When I was teaching at TBS while I was on active duty in the USMC, we used to call this "the death hour", so I'm going to address this urge to nap after lunch with several live demos, as well as a surprise at the end of the presentation!

But that's not all! There's more! Check out who else is attending...Mandiant is well represented at the conference, and Chris Pogue will be there, as will Eoghan Casey. Chris and Eoghan are fellow Syngress authors, so be sure to swing by the Syngress table at the Summit, get a copy of their books, and then hunt them down to have them sign them for you!

There's a rumor that Troy Larson of Microsoft will be there as well...but I have to tell ya, while I've heard the guy's name and been told that he's been on conference calls, I've never actually seen the guy! As far as I know, Troy is the yeti of the forensics community! ;-) Hopefully, he'll turn up sometime before the live recording of Ovie and Bret's Cyberspeak podcast.

While I only plan to be at the Summit on the 7th, there are a LOT of great speakers and panelists who are going to be there, and this is definitely an event that anyone who can attend, should! Without question! Where else are you going to be able to have so many giants of the forensics community together in one place, from various areas (corporate, federal gov't, LE), and covering so many pertinent topics (memory analysis, courtroom preparation, etc.)?

And if you have a Captain Picard fetish and have a "thing" for bald men, this is THE place to be in DC! ;-)

Folks, let's not forget that the SANS Forensic Summit is coming up! Check out the list of speakers, presentations, and panels...this conference is going to be great!

Also, I spoke to the marketing folks at Syngress, and they are going to have a table at the Summit (graciously provided by Rob Lee) where they're going to have books available. Now, the way cool...no, wait...the WAY COOL thing about this is that several of the authors are also speakers at the Summit! So, if you don't have Chris Pogue's book, get it and get it signed by none other than Chris Pogue himself! Eoghan Casey's going to be there, too!

Finally, I have pristine copies (one each) of Windows Forensic Analysis (first and second editions), as well as Perl Scripting for Windows Security. I am going to bundle all three of them together and provide them as a give-away following my presentation at the conference.

BTW...the presentations from the 2008 SANS Forensic Summit are archived here! Take a look!

PS: I had a meeting yesterday and got there a few minutes early...I was meeting a friend for lunch and took a minute or two to walk through a nearby bookstore. Guess what I saw on the shelf? I'll give you a hint...I went to the Computer section, and was browsing in the area where they keep the books on security and forensics... ;-)

Rob Lee has updated the SANS Forensic/IR Summit information, as well as the agenda. Chris Pogue of TrustWave will be joining us in the IR panel, the first panel of the summit. Chris is a co-author of Unix and Linux Forensic Analysis, so be sure to bring your copy to get it signed!

If you've got only one chance to go to a conference, the Summit is THE one to attend in 2009!