Since it was first released in 2009, Sniper Forensics has provided digital forensic investigators something that has (in my opinion, for many years) been missing from their arsenal...a sound, repeatable methodology.
By integrating the Sniper Forensics methodology into their daily case work, investigators the world over have blogged, tweeted, texted, and emailed me that their cases have been solved faster and with greater accuracy than ever before. The methodology just plain works, each and every time. However, to date, the world of digital forensics has been the only beneficiary of this deadly accurate methodology. Post incident...find out what happened.
Well get ready...That's all about to change.
The Breach Triad
In digital forensics investigation, one of the key components to understand is The Breach Triad. To review, the three components of the triad are Infiltration, Aggregation, and Exfiltration. In short, the bad guys have to find a way into the target network, the bad guys have to do something bad (like steal data), and the bad guys still need to make their getaway. This same framework can be applied to incident response with the same residual benefit to the responder...a clear picture of the likely target.
When responding to an incident, you are (or at least I am) responding to something that is currently happening. This is one of the key differences between post mortem forensic investigations and incident response, although not exclusively (I have worked plenty of investigations in which the attackers still had access to the target system(s)). In one, you are being asked to determine what happened, while in the other, you are being asked to determine what's happening. That being the case, a logical conclusion can be made that somebody did something that provided them with access to the target network. As in post mortem forensics, the bad guys have to first gain access before they can do the really bad stuff.
Obviously this can take on any number of different shapes, albeit generally with a bit more complexity than our standard post mortem forensics case. The main reason for this, honestly, is sheer numbers. There are a lot of people that work for most companies. Small companies may have several dozen employees (or fewer in some cases), while large companies may have tens or hundreds of thousands of employees, so a would-be intruder has a pretty large attack surface. And unfortunately we all know that humans are the weakest point in any defense in depth strategy. People click on phishing emails, people visit infected non-business related websites, people have crummy passwords, people plug in infected USB drives (etc, etc, etc), and most people almost never consider security to be part of their daily work.
To adequately defend their network, security professionals have to identify and mitigate every potential attack vector. ALSO, they need to stay abreast of emerging trends and threats and respond to them (hopefully) before they become a problem. If this sounds like a daunting job...that's because it is. It's an incredible amount of work just dealing with the technical specifics of such an undertaking, not to mention what we affectionately have dubbed "the eighth layer of the OSI model": office politics. Taking ALL of that into consideration, if just one mistake is made...just one misconfiguration, bad password, or end user error...it can be game over. You see, while the defenders have to prepare for every potential scenario, the attackers only have to find a single weakness.
Once an attacker gains access to the target network (a beachhead), it's only a matter of time before they identify additional hosts, infiltrate those, and expand the set of systems they can access. I wrote a blog post a while back on my personal blog, "TheDigitalStandard.blogspot.com", titled "The Mole Hole". In it, I talked about a penetration test I had recently conducted in which this exact scenario played out in front of me.
The network seemed to be shored up pretty well. No unnecessary services running, no arbitrary ports open, no outdated applications running...the usual. So while I was running an ARP spoof attack and sniffing network traffic, I came across a user ID named "test". "Surely not", I remember thinking to myself. These folks have a pretty good network and really decent security...it can't be that easy. So, I checked my pcap in Network Miner to see which system that user ID was being passed to and I tried it, along with the password "test".
(SIDE NOTE...in my former life, I was a Unix admin with a pretty large company. When we would roll out new server builds, we had a test account called "test" that had the password "test". Once we had completed the build, we would remove the test account and roll the server from QA into production. Apparently my team was not the first to think of this...)
So, I used the "test" account with the password, "test" and lo and behold...BAM...I was in. From there, I was able to use that system to scan a separate network segment, and dump NTLM hashes...several of which belonged to domain accounts...and one of which was in the domain admins group. At that point it was game over...I was domain admin and could come and go as I pleased, and it was time to set up a conference call with the customer and tell them that they were p0wn3d.
The whole point in my sharing that example is that it illustrates quite nicely how an entire network can be compromised by a single user ID with a bad password. Once that happens, the attackers have free rein in your corporate infrastructure to do as they please.
OK Chris, we are adequately scared, but really, so what? So bad guys get in. Big deal. What are they going to do? I mean really, what's the worst that can happen? Well, I will cover that in my next post in this series, called "Aggregation". In the interim, why don't you run a couple of Google searches on the terms "data breach 2011" and "hackers steal data". Jot down some notes, and keep them handy...we'll talk again next month!