The Five Point Palm Exploding Heart Technique for Forensics
Andrew Hay, The 451 Group

The 451 Group

451 Research is focused on the business of enterprise IT innovation. into the competitive dynamics of innovation in emerging technology segments.

Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research.

The Uptime Institute Global Data Center and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities.

TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide.

ChangeWave Research is a research firm that identifies and quantifies in consumer spending behavior, corporate purchasing, and industry, company and technology trends.

Introductions

Andrew Hay, Senior Security Analyst, The 451 Group
Author, Speaker and Blogger

Coverage Areas:
ESIM (SIEM & Log Management)
IT-GRC
Forensics & Incident Response
Intrusion Detection/Prevention

Macro research areas: [Nation State] Cyber Security & Critical Infrastructure Protection

What is this talk about?

Forensics has traditionally been viewed as very system-specific. Only recently have external (off of the target machine) sources of

Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html

Image Source: http://preview.tinyurl.com/3wtpgre

Image Source: http://preview.tinyurl.com/3ux8bo6

The idea for this talk came from Kill Bill, the two-part epic revenge drama. In it, martial arts master Pai Mei teaches a technique wherein pressure points on the victim's chest are struck, leaving them with a few footsteps before their death. This technique is referred to as the Five Point Palm Exploding Heart Technique.

Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg

So what are the five points?

Platform Forensics
Network Forensics
Data Reduction
Orchestration
Corroborators

Point 1: Platform forensics

No one will argue that the artifacts residing on the suspect endpoint hold lots of information: volatile memory, application

One should be cognizant, however, of the other sources of information spread throughout an enterprise environment NOT residing on the target system.

Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/

Point 1 (Platform forensics): possible tools

Platform Forensics

Point 2: Network forensics

If a host needs to talk to the world, it needs to leverage the network. Likewise, if an attacker interacted with the machine remotely, there may be a trail. Deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines.

Image Source: http://www.imdb.com/media/rm2382076160/ch0001814

Point 2 (Network forensics): possible tools

Network Forensics

Point 3: Data reduction

Feeds and sources of third party data that help analysts

Why look at what we know

from your friends: application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc.

Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/

Point 3 (Data reduction): possible sources

Data Reduction

Point 4: Corroborators

additional information:
Vulnerability & patch management
Perimeter detection/protection
Endpoint protection
Change, configuration and policy management
System management
DLP, NAC, etc.

Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/

Point 4 (Corroborators): possible sources

Corroborators

Point 5: Orchestration

Tools designed to correlate, normalize and alert on enterprise information (not just security information). Central repositories of

central repositories of information!

SIEM, log management, IT GRC, compliance management, etc.

Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html

Point 5 (Orchestration): possible tools

Orchestration
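Points 2 through 5 describe an evidence pipeline rather than a tool: take one artifact recovered from the suspect endpoint, throw away the traffic you already trust (data reduction), ask the flow collector whether the network saw the same conversation, and ask the patch, change and endpoint systems whether they can explain or confirm it, so that the orchestration layer hands the analyst one merged record instead of five consoles. The script below is an added illustration of that pipeline; it is not code from the talk or from The 451 Group. Every record in it is constructed sample data, and the field names, the allowlist, the "known bad" feed, the five-minute matching window and the escalate-at-three-sources rule are all assumptions made for the example.

```python
"""Corroborate one suspect-endpoint artifact with off-host evidence.

Added illustration, not code from the talk. All records are constructed
sample data; field names, the allowlist, the threat feed, the time window
and the scoring rule are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    """One NetFlow-style record collected off the host (Point 2)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


# Point 3, data reduction: destinations we already trust (constructed corporate
# ranges) and a constructed threat-intelligence feed of known compromised
# addresses. Both are assumptions for the example.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.0/24")]
KNOWN_BAD = {"198.51.100.7"}


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def reduce_flows(flows, host_ip):
    """Discard what we already know is good: keep only flows that leave
    host_ip for a destination outside the allowlist."""
    return [f for f in flows if f.src == host_ip and not is_allowlisted(f.dst)]


def corroborate(host_event, flows, corroborators, window=timedelta(minutes=5)):
    """Check an endpoint artifact (process, remote address, time) against the
    network flows (Point 2) and other enterprise sources (Point 4), and return
    the merged record an orchestration layer (Point 5) would hand an analyst."""
    host_ip = host_event["host_ip"]
    remote = host_event["remote_ip"]
    candidates = reduce_flows(flows, host_ip)
    # The network corroborates the artifact only if the same destination was
    # seen from the same host close to the time the endpoint recorded it.
    matched = [f for f in candidates
               if f.dst == remote and abs(f.ts - host_event["ts"]) <= window]
    corr = corroborators.get(host_event["host"], {})
    evidence = {
        "network_corroborated": bool(matched),
        "threat_intel_hit": remote in KNOWN_BAD,
        # Vulnerability/patch management: was the host exposed?
        "host_unpatched": bool(corr.get("missing_patches")),
        # Change management: nothing approved explains this process?
        "unexplained_by_change_mgmt":
            host_event["process"] not in corr.get("approved_changes", []),
        # Endpoint protection: did the agent raise anything?
        "endpoint_alerted": bool(corr.get("endpoint_alerts")),
    }
    score = sum(evidence.values())
    return {
        "host": host_event["host"],
        "process": host_event["process"],
        "remote_ip": remote,
        "network_flows": matched,
        "bytes_out": sum(f.bytes_out for f in matched),
        "evidence": evidence,
        "score": score,
        # Assumed threshold: three independent sources agreeing is enough.
        "verdict": "escalate" if score >= 3 else "triage",
    }


# --- constructed sample input ---------------------------------------------
T0 = datetime(2011, 9, 14, 10, 15)

# Endpoint artifact recovered from the suspect machine (Point 1).
HOST_EVENT = {"host": "ws-042", "host_ip": "10.1.2.3", "ts": T0,
              "process": "updater.exe", "remote_ip": "198.51.100.7"}

# Flow records from the collector; only one actually backs the host artifact.
FLOWS = [
    Flow(T0 - timedelta(minutes=1), "10.1.2.3", "10.0.0.5", 445, 2_000),          # allowlisted
    Flow(T0 + timedelta(minutes=1), "10.1.2.3", "198.51.100.7", 443, 7_340_000),  # matches
    Flow(T0 + timedelta(minutes=25), "10.1.2.3", "198.51.100.7", 443, 100),       # outside window
    Flow(T0, "10.1.2.9", "198.51.100.7", 443, 50),                                # other host
]

# Corroborating enterprise sources (Point 4), keyed by hostname.
CORROBORATORS = {
    "ws-042": {"missing_patches": ["sample-patch-A"],
               "approved_changes": ["inventory-agent.exe"],
               "endpoint_alerts": []},
}

if __name__ == "__main__":
    result = corroborate(HOST_EVENT, FLOWS, CORROBORATORS)
    print(result["verdict"], result["score"], result["bytes_out"], result["evidence"])
```

The point of the example is the shape of the output rather than the threshold: the endpoint artifact alone says "updater.exe talked to 198.51.100.7", but the merged record also says the flow collector saw roughly 7 MB leave at the same time, the address is on a third-party feed, the host was missing a patch, and no change ticket explains the process, while the endpoint agent stayed silent. Each of those answers comes from a system that is not the suspect machine, which is exactly the enrichment the talk argues for.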

What will it look like?

Platform Forensics
Network Forensics
Data Reduction
Orchestration
Corroborators

The result?

Many hands make light work; this is extremely true with regards to forensics. Evidence on a system can almost always be enriched by external sources of corroborating evidence. Hindsight is 20/20: deploy now to help later.

Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/

The result?

Vendors must strive to

work. Some vendors are starting down this path, but primarily to enrich their own data. WE need to teach non-forensics vendors the value of forensic data. WE need to teach forensics vendors the value of integration.

Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg

The result?

Image Source: http://en.wikipedia.org/wiki/File:Clenched_human_fist.png

Questions? [email protected]

Thank you