Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.     All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!

 

8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9.     The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional votes will be discarded.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

SANS Threat Hunting and Incident Response Summit 2018 Call for Speakers – Deadline 3/5

 


Summit Dates: September 6 & 7, 2018
Call for Presentations Closes on Monday, March 5, 2018 at 5 p.m. CST
Submit your presentation here

The Threat Hunting & Incident Response Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. SANS and our advisory partner Carbon Black are pleased to invite you to the Summit where you will have the opportunity to directly learn from and collaborate with incident response and detection experts who are uncovering and stopping the most recent, sophisticated, and dangerous attacks against organizations.

Chances are very high that hidden threats already exist inside your organization’s networks. Organizations can’t afford to assume that their security measures are impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress rather than after attackers have attained their objectives and done worse damage to the organization. For the incident responder, this process is known as “threat hunting.” Threat hunting uses known adversary behaviors to proactively examine the network and endpoints and identify new data breaches.


If you are interested in presenting, SANS and our advisory partner Carbon Black would be delighted to consider your threat hunting-focused proposal with use cases and communicable lessons. We are looking for presentations from both the intelligence producer and the intelligence consumer fields, with actionable takeaways for the audience.

The THIR Summit offers speakers opportunities for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

CFP submissions should detail how the proposed case study, tool, or technique can be utilized by attendees to increase their security posture. All THIR Summit presentations will be 30 minutes with 5 minutes for questions.

We are looking for presentations that focus on:
– Endpoint threat hunting
– Network threat hunting
– Hunt teams and how to organize them to be extremely effective
– Using known attacker methodologies to hunt/track adversaries
– Innovative threat hunting tools, tactics, and techniques
– Case studies on the application of threat hunting to security operations


Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students who have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee and the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to match each DFIR course’s theme. Each coin is an icon of its specialty and a prize to be won by students as proof and symbol of their mastery of that digital forensics discipline.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers modify their malware with increasing frequency to bypass antivirus and other endpoint controls. Through reverse-engineering malware (R.E.M.) analysis, masters of the craft can isolate the most appropriate Indicators of Compromise (IOCs) to identify and stop the malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on the smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently, and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the need for superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills: thinking critically and expanding our views, a skill that applies to any security profession. The quote is attributed to Thomas Aquinas. Despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects), the original meaning was that a person who understood one good book well could defeat their opponent. Thus the phrase can be interpreted in two entirely different ways, both of which are about self-education and broadening our views of the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?” Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.

 

DFIR NetWars

Staying up to date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained just by reading a textbook. Just as firefighters could never learn to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators need to exercise their skills, and DFIR NetWars is where they can test them.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions, and hands-on scenarios have been created by SANS’ top instructors: digital forensics practitioners, subject matter experts, experienced teachers, and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s), who are awarded the coins at the end of the sixth day of class; winners are later listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.

 

History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator Coin are also granted special privileges and recognition, including participation in the well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.

Three Steps to Communicate Threat Intelligence to Executives

As the community of security professionals matures, the intelligence community, incident response professionals, and security operations are merging. One struggle many have is how to make threat intelligence actionable for the business. You have a large body of data from a provider such as Recorded Future, yet how do you apply that data in a practical way and communicate it to the business?

The answer is to keep it short, to the point, and in the risk language executives use. Bring solutions, not problems, to the table. An executive’s greatest challenge is time. They want smart people who can make the day-to-day decisions that protect the company from attacks, so that they can address large strategic topics.

In addition, the business media channels are talking about security problems. Just browse to The Wall Street Journal and see the latest cyber security news posts. That is good for our profession, so we need to be proactive. How do we be proactive? There are three steps.

The first is know what is a business differentiator for the company.  Ask the executives what makes this organization competitive. Why is it different? Ask how might that difference be vulnerable to cyber-attack?

The second step is to do the analysis. Be proactive and situationally aware; a threat intelligence platform such as Recorded Future can provide access to that data. Go beyond knowing the threats to how they apply to the organization. At what part of the kill chain does the attack occur? Does it already map to a known attacker campaign?

I’ll give a fictitious example.  You are an analyst at a power company. Reading the latest blogs on exploits and attacks you see a media release of a new type of malware attacking the power grid.  You know from business discussions that power production is critical for the business.  Is the threat, “the new malware” a risk to the organization?

Using Recorded Future, search for the first time the malware was mentioned in the score card.  In the case below of the Furtim malware, Recorded Future data shows blogs from a few years ago and a Virus Total post too. So much for the vendor hype that this is a new threat.

Ask yourself whether the organization has mitigations and controls in place to stop the threat. In this case, at this point in time, the organization’s anti-virus does detect the malware. Are there any other controls in place? Are there mitigations in place? Maybe there is an IPS signature in place. If not, then run the attack in a test environment and build blue team solutions. Begin tracking the attack indicators and possible campaign by mapping the attack to the kill chain for the organization.

The third step is to communicate. Executives understand risk, so explaining the threat in terms of risk is effective; if there is no control in place, find one and communicate when it will be implemented. Below is a canned example:

Dear All,

I’d like to make you aware of an item, in case you are asked about it. It involves a business concern, the power grid.  It appears there are a couple articles on the internet about a malware sample called Furtim, getting more media attention.

 One of the articles becoming popular is found here: https://sentinelone.com/blogs/sfg-furtims-parent/

The article makes a few points to gain media attention. 

Such as:

  • “sophisticated malware campaign specifically targeting at least one European energy company”
  • “potentially shut down an energy grid “
  • “The sample appears to be targeting facilities that not only have software security in place, but physical security as well “

So I took a look to see if we are protected or if there are gaps in the organization.  What the authors forget to mention is that for the infection to work, other gaps are needed.  For example, the sophisticated malware in the article is a “final payload” and needs to use another common malware to infect a computer before it can be harmful.  After researching the Furtim malware and with the VirusTotal results found here

 https://www.virustotal.com/en/file/766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963/analysis/ the information shows anti-virus detects the common malware as part of the infection chain.  Granted, the malware can be re-coded, but based on the current information I have today, this is a low risk to the organization’s environment.  I’ll continue to monitor logs for specific connections out from our network that are related to command and control.

If you have questions, please feel free to contact me.

In general, follow the three steps to apply threat intelligence. One, know the organization you are defending: what drives it? Two, be technically proactive: do the research, analyze the attack data, and map it to the kill chain. Three, communicate risk and solutions. For more information about practical threat intelligence, see Rob M. Lee’s blog and enroll in the SANS Threat Intelligence class.
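The three steps above, carried through in code. This is an added example, not the author’s own tooling and not Recorded Future output: step 1 is the business asset you learned about from the executives, step 2 compares the threat’s age against its first public mention and maps your existing controls onto the kill chain, and step 3 renders the result as a short risk statement. Every mention, date and control below is constructed for illustration; the control names and the kill-chain mapping of the attack are assumptions.

```python
"""Added example (not from the original post): the three steps in code.
All mentions, dates and controls are constructed; they are not Recorded
Future data, and the control names are assumptions."""
from datetime import date

# Intrusion kill chain phases, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed intel: when and where the malware was mentioned publicly.
SAMPLE_MENTIONS = [
    {"source": "security blog (constructed)", "date": date(2015, 3, 2)},
    {"source": "VirusTotal submission (constructed)", "date": date(2015, 4, 15)},
    {"source": "vendor report (constructed)", "date": date(2016, 7, 12)},
]
VENDOR_CLAIM_DATE = date(2016, 7, 12)   # the day the report called it "new"

# Constructed attack chain from the write-up, mapped to kill-chain phases (assumed mapping).
SAMPLE_CHAIN = [
    ("delivery", "phishing e-mail carrying a commodity dropper"),
    ("installation", "commodity dropper installs"),
    ("command_and_control", "dropper beacons and fetches the final payload"),
    ("actions_on_objectives", "final payload runs against the target"),
]

# Constructed controls (assumed names), each acting on one phase.
SAMPLE_CONTROLS = [
    {"name": "endpoint anti-virus", "phase": "installation", "mode": "prevent"},
    {"name": "outbound proxy logging", "phase": "command_and_control", "mode": "detect"},
]


def first_seen(mentions):
    """Earliest public mention across all sources."""
    return min(m["date"] for m in mentions)


def hype_days(mentions, claim_date):
    """How many days older the threat is than the vendor's 'new' claim."""
    return (claim_date - first_seen(mentions)).days


def coverage_by_phase(chain, controls):
    """For each attack stage, list the controls that act on its kill-chain phase."""
    return {
        phase: {"stage": stage, "controls": [c for c in controls if c["phase"] == phase]}
        for phase, stage in chain
    }


def risk_rating(coverage):
    """low: a preventive control breaks the chain before actions on objectives;
    medium: the chain is only detectable; high: nothing covers any stage."""
    pre_objective = [p for p in KILL_CHAIN if p in coverage and p != "actions_on_objectives"]
    if any(c["mode"] == "prevent" for p in pre_objective for c in coverage[p]["controls"]):
        return "low"
    if any(coverage[p]["controls"] for p in coverage):
        return "medium"
    return "high"


def risk_statement(threat, asset, mentions, claim_date, chain, controls):
    """Step 3: a short, risk-language summary an executive can read in a minute."""
    coverage = coverage_by_phase(chain, controls)
    rating = risk_rating(coverage)
    age = hype_days(mentions, claim_date)
    gaps = [coverage[p]["stage"] for p in coverage if not coverage[p]["controls"]]
    covered = [f"{c['name']} ({p})" for p in coverage for c in coverage[p]["controls"]]
    lines = [
        f"Threat: {threat}. Business asset at risk: {asset}.",
        f"First public mention: {first_seen(mentions)} ({age} days before the vendor called it new).",
        f"Controls in place: {', '.join(covered) or 'none'}.",
        f"Uncovered stages: {', '.join(gaps) or 'none'}.",
        f"Risk: {rating}.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(risk_statement("malware described in public reporting", "power production",
                         SAMPLE_MENTIONS, VENDOR_CLAIM_DATE, SAMPLE_CHAIN, SAMPLE_CONTROLS))
```

The rating rule encodes the post’s own reasoning: a preventive control that stops an earlier stage (here, anti-virus catching the commodity dropper at installation) makes the sophisticated final payload a low risk today, while detection-only coverage leaves you at medium and no coverage at high. Swap in your own control inventory and the mapping your analysis produced; the statement is what goes in the e-mail.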

WannaCry Ransomware Threat : What we know so far – WEBCAST slides

The WannaCry ransomware worm is unprecedented for two reasons. First, it is a ransomware worm. Second, it appears to propagate using a leaked exploit, reportedly stolen from the NSA, for a vulnerability Microsoft recently patched. Jake Williams’ firm, Rendition Infosec, has been tracking use of this exploit since it was publicly released and completed another internet-wide scan for this threat. The webcast walks you through what we know so far about the malware, the leaked exploits, mitigation strategies, and predictions for future impact.

WannaCry

This webcast aired on May 12th, 2017 and was conducted by SANS Instructor Jake Williams.
View the webcast here: http://dfir.to/WannaCrypt0r
Webcast slides can be viewed here: WannaCry Ransomware Threat

SANS Institute Internet Storm Center: http://dfir.to/2r4dxMK
Microsoft has published guidance on protecting against WannaCry: deploy MS17-010 (from the March 2017 patch release) if not already done, update Windows Defender (signatures updated 12 May 2017), and disable SMBv1 if you are not using it. Microsoft has also provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

Webcast Summary: New SANS Cheat Sheet: A Guide to Eric Zimmerman’s Command Line Tools

 

Thank you for attending the SANS New Cheat Sheet: “A Guide to Eric Zimmerman’s Command Line Tools” webcast.

For webcast slides and recording visit: http://www.sans.org/u/raj


To download the Cheat Sheet visit: http://digital-forensics.sans.org/u/rao

To download Eric’s Command line tools visit: https://ericzimmerman.github.io/

 

In this webinar, Eric covered several tools that can be used to show evidence of execution as well as document creation and opening. He also provided an overview of bstrings and Timeline Explorer and provided demonstrations of how those tools can be used to add value to investigations.  Here is a webcast summary:

Timeline Explorer

Timeline Explorer allowed us to load one or more CSV or Excel files into a common interface and apply advanced sorting, filtering, and conditional formatting rules to our data.

Several useful shortcuts include:

CTRL-T: Tag or untag selected rows

CTRL-D: Bring up the Details window for super timelines

CTRL-C: Copy the selected cells (with headers) to the clipboard. Hold SHIFT to exclude the column header


Evidence of execution programs

AppCompatCacheParser, AmcacheParser, and PECmd parse forensic artifacts related to evidence of execution.

AppCompatCacheParser extracts shimcache data from each ControlSet found in the SYSTEM Registry hive and exports them to CSV format.


AmcacheParser extracts file and program information from the Amcache.hve hive to CSV format.


PECmd processes Windows prefetch files and extracts information such as the total number of times a program was run and up to the last 8 times a program was executed. Prefetch files also track the files and directories a program referenced when it was run.


Lnk file internals

We started exploring lnk files by looking at the header and unpacking what each piece of the header meant and how to process it.


From here we looked at each of the structures present, as indicated by the link flags in the header, including the target ID list, first as raw bytes and then decoded item by item.
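The header walk-through above, as an added example that is not from the webcast and not Eric Zimmerman’s code: a minimal parser for the fixed 76-byte ShellLinkHeader and the LinkTargetIDList that follows it when the HasLinkTargetIDList flag is set, following the MS-SHLLINK layout (HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, reserved bytes; then IDListSize and size-prefixed ItemIDs ending in a 0x0000 TerminalID). The sample link is built in code rather than read from disk, and its item payloads are placeholders, not real shell item encodings; decoding those into a path is what LECmd does.

```python
"""Added example (not from the webcast, not Eric Zimmerman's code): parse
the ShellLinkHeader and LinkTargetIDList of a .lnk per MS-SHLLINK. The
sample link is constructed; its item payloads are placeholders."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Low LinkFlags bits; each announces an optional structure after the header.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means unset."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - WIN_EPOCH) // timedelta(microseconds=1)) * 10


def parse_header(data):
    """Unpack the fixed 76-byte ShellLinkHeader and validate size and CLSID."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon, show, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "raw_flags": flags,
        "file_attributes": attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,
        "icon_index": icon,
        "show_command": show,
        "hotkey": hotkey,
    }


def parse_id_list(data, offset):
    """LinkTargetIDList at offset: IDListSize, then ItemIDs whose 2-byte size
    includes the size field itself, ending with a 0x0000 TerminalID.
    Returns (list of ItemID payloads, offset of the next structure)."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                      # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt ItemID size")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items, end


def parse_lnk(data):
    header = parse_header(data)
    items, offset = [], HEADER_SIZE
    if "HasLinkTargetIDList" in header["flags"]:
        items, offset = parse_id_list(data, offset)
    return {"header": header, "id_list": items, "next_offset": offset}


def build_sample_lnk():
    """Constructed .lnk: HasLinkTargetIDList|IsUnicode, archive attribute,
    all timestamps 2017-05-12 UTC, 4096-byte target, three placeholder items."""
    ft = datetime_to_filetime(datetime(2017, 5, 12, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LINK_CLSID, 0x81, 0x20,
                         ft, ft, ft, 4096, 0, 1, 0) + b"\x00" * 10   # 10 reserved bytes
    items = [b"\x1f\x50", b"\x2fC:\\", b"\x31Users"]               # placeholder payloads
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    print(parsed["header"]["flags"], parsed["header"]["creation_time"])
    for n, item in enumerate(parsed["id_list"]):
        print(n, item.hex())
```

Two details matter for evidence handling: the timestamps in the header describe the link target at the time the link was written, not the link file itself, and `next_offset` is where LinkInfo (volume serial, drive type, local path) begins if HasLinkInfo is set, which is the next structure you would parse to get the data LECmd reports.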

Document creation and opening programs

Now that we had a decent understanding of the internals of lnk files, we took a look at several tools to extract data from these valuable forensic artifacts.

LECmd and JLECmd process lnk files and jump lists and display information related to the document opened, such as the target document’s created, modified, and last accessed timestamps, the volume serial number and drive type, target ID lists, and more.

LECmd fully supports decoding all available structures, including embedded shell items. It also adds functionality such as calculating the absolute path of the target file from the shell items in the target ID list. Finally, LECmd resolves MAC addresses to the vendor based on an internal lookup table included with LECmd.


 

JLECmd provides the same data extraction capabilities as LECmd, but in the context of lnk files being wrapped in another data structure.

In the case of custom destinations jump lists, this wrapping structure was merely a file that contained one or more concatenated lnk files.  Automatic destinations jump lists used an OLE CF container to track embedded lnk files.

JLECmd allows for dumping of all embedded lnk files which in turn allows for those lnk files to be analyzed with any lnk parsing tool.


Other tools

Finally, we took a look at bstrings and saw many examples of how to extract email addresses, URLs, UNC paths, and more from a given file using built in regular expressions. We also discussed how to extract strings from any code page and how to limit the amount of data returned by bstrings.

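The bstrings demo above, reproduced as an added example in Python. This is not bstrings and not from the webcast; it shows the mechanics the tool automates: pull printable runs out of a blob in both ASCII and UTF-16LE (the code page that matters most on Windows), keep their offsets, run built-in patterns for e-mail addresses, URLs and UNC paths over them, and honour a minimum length and a result cap. The blob and every name in it are constructed, and the pattern set is an assumed one rather than the list bstrings ships.

```python
"""Added example (not bstrings, not from the webcast): ASCII and UTF-16LE
string extraction with built-in patterns. SAMPLE_BLOB is constructed."""
import re

# Patterns run over each decoded string (assumed set; bstrings ships its own).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "unc": re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\]+)+"),
}


def extract_strings(blob, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(blob)]
    return sorted(hits)


def search_patterns(blob, kinds=("email", "url", "unc"), min_len=4, limit=None):
    """Apply the chosen patterns to each extracted string.
    Returns (kind, offset, encoding, match) tuples, at most `limit` of them."""
    results = []
    for offset, enc, text in extract_strings(blob, min_len):
        for kind in kinds:
            for m in PATTERNS[kind].finditer(text):
                results.append((kind, offset, enc, m.group()))
                if limit is not None and len(results) >= limit:
                    return results
    return results


# Constructed blob: junk bytes, an ASCII e-mail, a UTF-16LE URL, an ASCII UNC
# path and a UTF-16LE e-mail, separated by non-printable bytes.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"contact: analyst@example.com\x00\x00"
    + "http://example.net/update.php".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + b"\\\\fileserver\\share\\payload.exe\x00"
    + b"\xff\xfe\x03"
    + "ops@example.org".encode("utf-16-le")
)

if __name__ == "__main__":
    for kind, offset, enc, match in search_patterns(SAMPLE_BLOB):
        print(f"{offset:#06x} {enc:8} {kind:5} {match}")
```

Note that the UTF-16LE URL and the second e-mail address would never appear in a plain `strings` run; searching both encodings is the point of the exercise, and the offsets let you go back to the file in a hex editor to see what surrounds each hit.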

I hope you enjoyed the webinar and get much use out of the tools in your investigations.

Thank you again for attending! Feel free to reach out via twitter for feedback or questions

About the author:

Eric serves as a Senior Director at Kroll in the company’s cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner’s Guide, and has created many world-class, open-source forensic tools free to the DFIR Community.

 

Ken Johnson DFIR Scholarship

 

Ken Johnson, husband of Jessica Towle Johnson, and father of two beautiful young children, Savannah and Brady, was tragically taken from this life on April 4, 2016 at the age of 38.

Ken was an amazing husband and father. He was married to his best friend on February 19, 2000. His love for his family was his driving force behind all of his accomplishments and successes. One of his and his family’s proudest moments was when he received his master’s degree from Iowa State University in 2013.

Ken’s passion for digital forensics led him to self-study Windows 8 internals and publish leading research on the topic. Even though Ken was relatively unknown in the Digital Forensics and Incident Response (DFIR) community at the time, he submitted to a Call For Presentations (CFP) and was accepted to present his findings at the 2012 SANS DFIR Summit.

Ken’s networking at the DFIR Summit led to a career at KPMG LLP, where he was a vital part of the response team for many high-profile computer forensic and incident response engagements. Ken enjoyed working with his team, and in the process became friends with many of his colleagues.

Over time, Ken’s network expanded to the greater DFIR community, where he enjoyed sharing and receiving knowledge amongst the industry. He attended and spoke at many conferences across the country and helped organize BSides Iowa at Iowa State. Ken also blogged about his journey through his profession; one of Ken’s most personal blog posts discusses decisions he made in his life to step out of his comfort zone and follow his dream in DFIR, all while thanking those closest to him for their support.

In memory of Ken Johnson, the SANS Institute and KPMG LLP created a scholarship that was introduced at the SANS DFIR Summit in June 2016 and will be awarded annually in early June.

About the Scholarship

The objective of the Ken Johnson Scholarship is to foster the value of DFIR professional development and to encourage and mentor a dedicated student showing genuine promise in the DFIR field. This scholarship will provide:

  • Two SANS DFIR classes in any format (contributed by SANS and KPMG LLP)
  • One complimentary entry to the SANS DFIR Summit in the year the scholarship is awarded
  • Mentoring from two DFIR coaches (Matt Bromiley and David Nides)
  • Consideration for an internship

Scholarship Submission Guidelines

Eligibility Requirements:

  • Undergraduate (junior or senior year) or graduate students enrolled full-time in a degree program at an accredited college or university in the U.S. (Full-time is defined as twelve credit hours per semester for undergraduate students and nine credit hours for graduate students.)
  • Preference will be given to students enrolled in computer science, engineering, or other technology-related degree programs, but students earning degrees in other fields of study are encouraged to apply.
  • You may be a citizen of any country (U.S. citizenship is not required).

Application Submission:

  • Submissions are accepted on a rolling basis; one scholarship will be awarded annually at the DFIR Summit in June.
  • Resumes are required with applications.
  • Students are required to write a paper (not to exceed five pages, not including resumes) responding to the following questions:
  1. Why are you passionate about DFIR?
  2. What is a DFIR-related project you’re particularly proud of and relates to your future goals?

Complete scholarship submissions should be emailed to KenJohnsonScholarship@sans.org by May 18, 2018.

Critiques of the DHS/FBI’s GRIZZLY STEPPE Report

Author credit: Robert M. Lee, author of the FOR578 Cyber Threat Intelligence course
Source: Blog originally posted 12/30/2016
Attend the Webcast: “Analyzing the DHS/FBI’s GRIZZLY STEPPE Report”, Jan 6 2017 at 1 pm ET

On December 29th, 2016 the White House released a statement from the President of the United States (POTUS) that formally accused Russia of interfering with the US elections, amongst other activities. This statement laid out the beginning of the US’ response, including sanctions against Russian military and intelligence community members. The purpose of this blog post is to specifically look at the DHS and FBI’s Joint Analysis Report (JAR) on Russian civilian and military Intelligence Services (RIS) titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity”. For those interested in a discussion on the larger purpose of the POTUS statement and surrounding activity, take a look at Thomas Rid’s and Matt Tait’s Twitter feeds for good commentary on the subject.

Background to the Report

For years there has been solid public evidence from private sector intelligence companies such as CrowdStrike, FireEye, and Kaspersky that has called attention to Russian-based cyber activity. These groups have been tracked for a considerable amount of time (years) across multiple victim organizations. The latest high-profile case relevant to the White House’s statement was CrowdStrike’s analysis of COZYBEAR and FANCYBEAR breaking into the DNC and leaking emails and information. These groups are also known by FireEye as the APT28 and APT29 campaign groups.

The White House’s response is ultimately a strong and accurate statement. The attribution towards the Russian government was confirmed by the US government using their sources and methods on top of good private sector analysis. I am going to critique aspects of the DHS/FBI report below, but I want to make a very clear statement: POTUS’ statement, the multi-agency government response, and the validation of private sector intelligence by the government is wholly a great response. This helps establish a clear norm in the international community, although that topic is best reserved for a future discussion.

Expectations of the Report

Most relevant to this blog, the lead-in to the DHS/FBI report was given by the White House in its fact sheet on the Russian cyber activity (Figure 1).

Figure 1: White House Fact Sheet in Response to Russian Cyber Activity

The fact sheet lays out very clearly the purpose of the DHS/FBI report. It notes a few key points:

  • The report is intended to help network defenders; it is not the technical evidence of attribution
  • The report contains a combination of private sector data and declassified government data
  • The report will help defenders identify and block Russian malware – this is specifically declassified government data, not private sector data
  • The report goes beyond indicators to include new tradecraft and techniques used by the Russian intelligence services

If anyone is like me, when I read the above I became very excited. This was a clear statement from the White House that they were going to help network defenders, give out a combination of previously classified data as well as validate private sector data, release information about Russian malware that was previously classified, and detail new tactics and techniques used by Russia. Unfortunately, while the intent was laid out clearly by the White House, that intent was not captured in the DHS/FBI report.

Because what I’m going to write below is blunt feedback, I want to note ahead of time that I’m doing this for the purpose of the community as well as government operators/report writers who read to learn and become better. I understand that it is always hard to publish things from the government. In my time working in the U.S. Intelligence Community on such cases it was extremely rare that anything was released publicly, and when it was it was almost always disappointing as the best material and information had been stripped out. For that reason, I want to especially note, and say thank you to, the government operators who did fantastic work and tried their best to push out the best information. For those involved in the sanitation of that information and the report writing – well, read below.

DHS/FBI’s GRIZZLY STEPPE Report – Opportunities for Improvement

Let’s explore each main point that I created from the White House fact sheet to critique the DHS/FBI report and show opportunities for improvement in the future.

The report is intended to help network defenders; it is not the technical evidence of attribution

There is no mention of the focus of attribution in any of the White House’s statements. Across multiple statements from government officials and agencies it is clear that the technical data and attribution will be a report prepared for Congress and later declassified (likely prepared by the NSA). Yet the GRIZZLY STEPPE report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence. The beginning of the report (Figure 2) specifically notes that the DHS/FBI has avoided attribution before in their JARs but that, based on their technical indicators, they can confirm the private sector attribution to RIS.

Figure 2: Beginning of DHS/FBI GRIZZLY STEPPE JAR

The next section is the DHS/FBI description which is entirely focused on APT28 and APT29’s compromise of “a political party” (the DNC). Here again they confirm attribution (Figure 3).

Figure 3: Description Section of DHS/FBI GRIZZLY STEPPE JAR

But why is this so bad? Because it does not follow the intent laid out by the White House and confuses readers into thinking that this report is about attribution rather than its intended purpose of helping network defenders. The public is looking for evidence of the attribution, the White House and the DHS/FBI clearly laid out that this report is meant for network defense, and then the entire discussion in the document is on how the DHS/FBI confirms that APT28 and APT29 are RIS groups that compromised a political party. The technical indicators they released later in the report (which we will discuss more below) are in no way related to that attribution, though.

Or said more simply: the written portion of the report has little to nothing to do with the intended purpose or the technical data released.

Even worse, page 4 of the document notes other groups identified as RIS (Figure 4). This would be exciting normally. Government validation of private sector intelligence helps raise the confidence level of the public information. Unfortunately, the list in the report detracts from the confidence because of the interweaving of unrelated data.

Figure 4: Reported RIS Names from DHS/FBI GRIZZLY STEPPE Report

As an example, the list contains campaign/group names such as APT28, APT29, COZYBEAR, Sandworm, Sofacy, and others. This is exactly what you’d want to see, although the government’s justification for this assessment is completely lacking (for a better exploration on the topic of naming see Sergio Caltagirone’s blog post here). But as the list progresses it becomes worrisome, as the list also contains malware names (HAVEX and BlackEnergy v3 as examples) which are different from campaign names. Campaign names describe a collection of intrusions into one or more victims by the same adversary. Those campaigns can utilize various pieces of malware, and sometimes malware is consistent across unrelated campaigns and unrelated actors. It gets worse, though, when the list includes things such as “Powershell Backdoor”. This is not even a malware family at this point but instead a classification of a capability that can be found in various malware families.

Or said more simply: the list of reported RIS names includes relevant and specific names such as campaign names, more general and often unrelated malware family names, and extremely broad and non-descriptive classifications of capabilities. It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government “contribute anything you have that has been affiliated with Russian activity.”

The report contains a combination of private sector data and declassified government data

This is a much shorter critique but still an important one: there is no way to tell what data was private sector data and what was declassified government data. Different data types have different confidence levels. If you observe a piece of malware on your network communicating to adversary command and control (C2) servers, you would feel confident using that information to find other infections in your network. If someone randomly passed you an IP address without context, you might not be sure how best to leverage it, or just generally cautious about doing so, as it might generate alerts of a non-malicious nature and waste your time investigating it. In the same way, it is useful to know what is government data from previously classified sources and what is data from the private sector, and more importantly who in the private sector. Organizations will have different trust or confidence levels in the different types of data and where it came from. Unfortunately, this is entirely missing. The report does not source its data at all. It’s a random collection of information and, in that way, is mostly useless.

Or said more simply: always tell people where you got your data, separate it from your own data which you have a higher confidence level in having observed first hand, and if you are using other people’s campaign names, data, analysis, etc. explain why so that analysts can do something with it instead of treating it as random situational awareness.

The report will help defenders identify and block Russian malware – this is specifically declassified government data not private sector data

The lead-in to the report specifically noted that information about the Russian malware was newly declassified and would be given out; this is contrary to other statements that the information was part private sector and part government data. When looking through the technical indicators, though, there is little context to the information released.

In some locations in the CSV the indicators are IP addresses with a request to network administrators to look for them, and in other locations there are IP addresses with just what country they were located in. This information is nearly useless for a few reasons. First, we do not know what data set these indicators belong to (see my previous point: are these IPs for “Sandworm”, “APT28”, “Powershell” or what?). Second, many (30%+) of these IP addresses are mostly useless as they are VPS, TOR exit nodes, proxies, and other non-descriptive internet traffic sites (you can use this type of information, but not in the way being positioned in the report and not well without additional information such as timestamps). Third, IP addresses as indicators, especially when associated with malware or adversary campaigns, must contain information around timing. I.e., when were these IP addresses associated with the malware or campaign and when were they in active usage? IP addresses and domains are constantly getting shuffled around the Internet and are mostly useful when seen in a snapshot of time.

But let’s focus on the malware specifically which was laid out by the White House fact sheet as newly declassified information. The CSV does contain information for around 30 malicious files (Figure 5). Unfortunately, all but two have the same problems as the IP addresses in that there isn’t appropriate context as to what most of them are related to and when they were leveraged.

Figure 5: CSV of Indicators from the GRIZZLY STEPPE Report

What is particularly frustrating is that this might have been some of the best information if done correctly. A quick look in VirusTotal Intelligence reveals that many of these hashes were not being tracked previously as associated to any specific adversary campaign (Figure 6). Therefore, if the DHS/FBI was to confirm that these samples of malware were part of RIS operations it would help defenders and incident responders prioritize and further investigate these samples if they had found them before. As Ben Miller pointed out, this helps encourage folks to do better root cause analysis of seemingly generic malware (Figure 6).

Figure 6: Tweet from Ben Miller on GRIZZLY STEPPE Malware Hashes

So what’s the problem? All but the two hashes released that state they belong to the OnionDuke family do not contain the appropriate context for defenders to leverage them. Without knowing what campaign they were associated with and when, there is not appropriate information for defenders to investigate these discoveries on their network. They can block the activity (play the equivalent of whack-a-mole) but not leverage it for real defense without considerable effort. Additionally, the report specifically said this was newly declassified information. However, looking up the samples in VirusTotal Intelligence (Figure 7) reveals that many of them were already known, dating back to April 2016.

Figure 7: VirusTotal Intelligence Lookup of One Digital Hash from GRIZZLY STEPPE

The only thing that would thus be classified about this data (note they said newly declassified and not private sector information) would be the association of this malware to a specific family or campaign instead of leaving it as “generic.” But as noted, that information was left out. It’s also not fair to say it’s all “RIS” given the DHS/FBI’s inappropriate aggregation of campaign, malware, and capability names in their “Reported RIS” list. As an example, they used one name from their “Reported RIS” list (OnionDuke), and thus some of the other samples might be from there as well, such as “Powershell Backdoor”, which is wholly not descriptive. Either way we don’t know, because they left that information out. Also, as a general pet peeve, the hashes are sometimes given as MD5, sometimes as SHA1, and sometimes as SHA256. It’s OK to choose whatever standard you want if you’re giving out information, but be consistent in the data format.

Or more simply stated: the indicators are not very descriptive and will have a high rate of false positives for defenders that use them. A few of the malware samples are interesting and now have context (OnionDuke) to their use but the majority do not have the required context to make them useful without considerable effort by defenders. Lastly, some of the samples were already known and the government information does not add any value – if these were previously classified it is a perfect example of over classification by government bureaucracy.
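The sourcing and indicator-context problems described above (no data source, no campaign or family attribution, no timing window, shared infrastructure such as TOR exit nodes and VPS hosts, capability labels standing in for campaign names, and MD5/SHA1/SHA256 digests mixed in one list) are exactly what a defender should check before loading a feed into blocking or alerting. The following is an added example, not part of the original post and not the DHS/FBI CSV: a small Python checker that scores each row of an indicator feed against those criteria. The column names (indicator, type, campaign, source, first_seen, last_seen, note) are an assumed layout, the capability-label list is a constructed illustration, and the sample rows use documentation IP ranges and the digests of the empty string as placeholders rather than any indicator from the report.

```python
"""Indicator-feed quality check: flags the context gaps a defender needs filled.

Assumed feed layout (not the report's): indicator,type,campaign,source,
first_seen,last_seen,note. Sample data below is constructed.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass, field

# Hex digest length -> algorithm; a feed should use one of these consistently.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Notes that describe shared infrastructure rather than adversary-owned hosts.
SHARED_INFRA_RE = re.compile(r"\b(tor|exit node|vps|proxy|cdn)\b", re.IGNORECASE)
# Labels naming a capability class, not a campaign or malware family (constructed list).
CAPABILITY_LABELS = {"powershell backdoor", "webshell", "credential harvester"}

# Constructed sample feed: RFC 5737 documentation addresses and empty-string digests.
SAMPLE_CSV = """indicator,type,campaign,source,first_seen,last_seen,note
203.0.113.10,ipv4,APT28,declassified,2016-04-01,2016-06-30,C2 observed in incident
198.51.100.7,ipv4,,,,,Located in Netherlands
192.0.2.44,ipv4,Sandworm,vendor-X,,,TOR exit node
d41d8cd98f00b204e9800998ecf8427e,hash,OnionDuke,declassified,2016-04-12,2016-11-02,
da39a3ee5e6b4b0d3255bfef95601890afd80709,hash,,,,,
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash,Powershell Backdoor,,,,
"""


@dataclass
class Finding:
    indicator: str
    problems: list = field(default_factory=list)


def hash_algo(value):
    """Return the algorithm implied by a hex digest's length, or None if unrecognised."""
    if HEX_RE.match(value):
        return HASH_ALGOS.get(len(value))
    return None


def parse_feed(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(rows):
    """Check every row for the context a defender needs; return findings and hash-algorithm counts."""
    findings = []
    algos = Counter()
    for row in rows:
        f = Finding(row["indicator"])
        if row["type"] == "hash":
            algo = hash_algo(row["indicator"])
            if algo is None:
                f.problems.append("unrecognised hash format")
            else:
                algos[algo] += 1
        if not row["campaign"]:
            f.problems.append("no campaign or family attribution")
        elif row["campaign"].lower() in CAPABILITY_LABELS:
            f.problems.append("label is a capability class, not a campaign")
        if not row["source"]:
            f.problems.append("no data source (private sector vs government)")
        if not (row["first_seen"] and row["last_seen"]):
            f.problems.append("no timing window")
        if row["type"] == "ipv4" and SHARED_INFRA_RE.search(row["note"]):
            f.problems.append("shared infrastructure; high false-positive rate")
        findings.append(f)
    return findings, algos


def summarize(text):
    """Return feed-level statistics: which rows are usable as-is and whether hash formats are mixed."""
    findings, algos = assess(parse_feed(text))
    usable = [f.indicator for f in findings if not f.problems]
    return {
        "total": len(findings),
        "usable": usable,
        "hash_algos": dict(algos),
        "mixed_hash_formats": len(algos) > 1,
    }


if __name__ == "__main__":
    findings, _ = assess(parse_feed(SAMPLE_CSV))
    for f in findings:
        status = "OK" if not f.problems else "; ".join(f.problems)
        print(f"{f.indicator[:24]:<24} {status}")
    print(summarize(SAMPLE_CSV))
```

Run against the constructed feed, only the two rows that carry an attribution, a source and a timing window come out clean; the rest are flagged for exactly the gaps the post complains about, and the summary reports that three different hash formats are mixed in one list.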

The report goes beyond indicators to include new tradecraft and techniques used by the Russian intelligence services

The report was to detail new tradecraft and techniques used by the RIS and specifically noted that defenders could leverage this to find new tactics and techniques. Except – it doesn’t. The report instead gives a high-level overview of how APT28 and APT29 have been reported to operate which is very generic and similar to many adversary campaigns (Figure 8). The tradecraft and techniques presented specific to the RIS include things such as “using shortened URLs”, “spear phishing”, “lateral movement”, and “escalating privileges” once in the network. This is basically the same set of tactics used across unrelated campaigns for the last decade or more.

Figure 8: APT28 and APT29 Tactics as Described by DHS/FBI GRIZZLY STEPPE Report

This description in the report wouldn’t be a problem for a more generic audience. If this was the DHS/FBI trying to explain to the American public how attacks like this were carried out it might even be too technical but it would be ok. The stated purpose though was for network defenders to discover new RIS tradecraft. With that purpose, it is not technical or descriptive enough and is simply a rehashing of what is common network defense knowledge. Moreover, if you would read a technical report from FireEye on APT28 or APT29 you would have better context and technical information to do defense than if you read the DHS/FBI document.

Closing Thoughts

The White House’s response and combined messaging from the government agencies is well done, and the technical attribution provided by private sector companies has been solid for quite some time. However, the DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead chose to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft. Additionally, the bulk of the report (8 of the 13 pages) is general high-level recommendations not descriptive of the RIS threats mentioned, with no linking of what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support. One recommendation for Whitelisting Applications might as well read “whitelisting is good mm’kay?” If that recommendation had been overlaid with what it would have stopped in this campaign specifically, and how defenders could then leverage that information going forward, it would at least have been descriptive and useful. Instead it reads like a copy/paste of DHS’ most recent documents – at least in a vendor report you usually only get 1 page of marketing instead of 8.

This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.

We must do better as a community. This report is a good example of how a really strong strategic message (POTUS statement) and really good data (government and private sector combination) can be opened to critique due to poor report writing.

Author’s Bio

Robert M. Lee, a SANS certified instructor and author of the “ICS Active Defense and Incident Response” and “Cyber Threat Intelligence” courses, is the founder and CEO of Dragos, a critical infrastructure cyber security company, where he focuses on control system traffic analysis, incident response and threat intelligence research. He has performed defense, intelligence and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Author of SCADA and Me and a nonresident National Cyber Security Fellow at New America, focusing on critical infrastructure cyber security policy issues, Robert was named EnergySec’s 2015 Energy Sector Security Professional of the Year.

SANS Threat Hunting and Incident Response Summit – Call For Presentations

Call for Speakers – Now Open

Summit Dates: April 18-19, 2017
Call for Presentations Closes on 21 October 2016
Apply here: http://dfir.to/ThreatHuntCFP

The Threat Hunting & Incident Response Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. SANS and our advisory partner Carbon Black are pleased to invite you to the Summit where you will have the opportunity to directly learn from and collaborate with incident response and detection experts who are uncovering and stopping the most recent, sophisticated, and dangerous attacks against organizations.

Chances are very high that hidden threats already exist inside your organization’s networks. Organizations can’t afford to assume that their security measures are impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress rather than after attackers have attained their objectives and done worse damage to the organization. For the incident responder, this process is known as “threat hunting.” Threat hunting uses known adversary behaviors to proactively examine the network and endpoints and identify new data breaches.

If you are interested in presenting or participating on a panel, we’d be delighted to consider your Threat Hunting-focused proposal with use cases and communicable lessons. We are looking for presentations from both the intelligence producer and the intelligence consumer fields with a focus on topics that will be directly relatable and applicable to the summit audience.

The Threat Hunting and Incident Response Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

CFP submissions should detail how the proposed Threat Hunting and Incident Response case study, tool or technique can be utilized by attendees to increase their security posture. All Threat Hunting and Incident Response Summit presentations will be 30 minutes with 5 minutes for questions.

We are looking for Threat Hunting and Incident Response Presentations that focus on:

1. The effectiveness of threat hunting in reducing the dwell time of adversaries
2. Threat hunting – Buzzword or Actionable Strategy
3. Automated threat hunting: Fact or fiction
4. Threat hunting tools, tactics, and techniques that can be used to improve the defense of your organization
5. Case studies on the application of threat hunting to security operations
6. Innovative threat hunting tactics and techniques
7. New tools that can help threat hunters

CALL FOR PAPERS – SANS Cyber Threat Intelligence Summit 2017

Summit Dates: January 31, 2017 and February 1, 2017

Training Course Dates: January 25-30, 2017
Summit Venue: Renaissance Arlington Capital View Hotel — Arlington, VA

Deadline to Submit is July 29, 2016. To submit click here

This year the CTI Summit is going old school. CTI is a relatively new field, however the intelligence field itself has been around for centuries. Throughout the summit we will focus on understanding how classic intelligence approaches and techniques apply to cyber threat intelligence – where they align and where they don’t – and will provide use cases of not only classic methods of producing Cyber Threat Intelligence, but of implementing and making decisions based off of intelligence as well.

If you are interested in presenting or participating on a panel, we’d be delighted to consider your CTI-focused proposal with use cases and communicable lessons. We are looking for presentations from both the intelligence producer and the intelligence consumer fields with a focus on topics that will be directly relatable and applicable to the summit audience.

The CTI Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

CFP submissions should detail how the proposed CTI case study, tool, or technique can be utilized by attendees to increase their security posture. All CTI Summit presentations will be 30 minutes with 5 minutes for questions.

The CTI Summit Advisory Board would like to encourage first time presenters to respond to the call for presentations. A diverse mix of both new and experienced speakers will raise the bar for the summit. Advisory Board members are willing to provide submission feedback prior to the CFP deadline as well as mentoring and guidance throughout the process.


We are looking for CTI Presentations that focus on:

  • Classic intelligence approaches applied to CTI analysis and production
  • Interesting perspectives or case studies that challenge CTI assumptions and result in a shift in understanding
  • Case studies on the application of cyber threat intelligence to a security or business problem
  • Innovative ways to utilize or analyze CTI with classic techniques
  • New tools developed to support or enable CTI

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the CTI conference website and all printed materials
  • Visibility via the CTI post-Summit on the SANS DFIR Website
  • Top 3 presentations invited to do a full SANS Webcast
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee at no registration cost
  • Private speakers-only networking lunches
  • Speaker networking reception on evening before Summit
  • Presentations will be recorded and may be made available via the Internet to a wider audience