Conference Response Incident Investigation CoRIIN 2016 in Lille

The 2nd edition of the CoRI&IN 2016 conference took place in Lille on January 27, 2016. It was held following the FIC 2016 (Forum International sur la Cybersécurité) and was organized by the “Centre Expert contre la Cybercriminalité Français (CECyF)”.

This conference was dedicated to the techniques of incidents responding and forensics. The conference gathered experts of incident response community, CERTs, specialized investigators, legal experts, lawyer and IT security researchers.

During this day we was able to attend 7 presentations oriented forensics for most of them. The presentation materials are available except for the feedback of real cases which remain confidential.

We give below a quick summary of each presentation, following the order of the conference agenda.

 

[Windows/Linux] Complex malware analysis

Paul RASCAGNERES and Sébastien Larinier presented the "FastIR Collector" tool. This software was developed to collect operating system information during forensics investigation. The data collected allow to identify and analyze all kinds of malware (rootkits, bootkit, userland RAT ...). The company has released the software under Open Source license.

FastIR Collector allows to collect various artifacts and configurable depending on the operating system (Windows / Unix). The artifacts collected on the system are many and varied. The main ones are: MFT, MBR, RAM, logs, events, drivers, browsers history ...

The forensic analysts can use these collected data to analyze the compromised system. Releases with bug fixes and changes (integration of new artifacts) are regularly published. A bug and change request tracking is made by the development team.

The slideshow: CoRIIN2016-01-FastIR.pdf

 

[Windows/Linux] Phishing targeted to total compromise of the domain

Johanne Ulloa has presented to present a targeted attack from beginning to end and processes put in place to protect themselves.

The first part of his presentation highlighted the ease of a targeted attack implementation. From open source tools, it is possible with a minimum of knowledge to create an email with an attached document. The attached document contains a macro that when executed by the user allows to download the malware. This malware will allow to open a connection with the Command and Control server of the attacker, who can, through security holes, access to laterally servers and extract data to sell.

The resistance type of protection (firewall) is being migrated to a resilient type of protection. This dynamic protection allows to evolve in function of attacks. The principle of operation is to run the downloaded file in a sandbox to determine whether the executable tries to access email or IP addresses. This information is automatically updated at the PC user (custom signatures for antivirus) and at the firewall (IP addresses). These measures allow to stop communications with Command servers and Controls and clean the computers of end users.

The slideshow: CoRIIN2016-02-Johanne-Ulloa.pdf

 

[Experience feedback] SSI crisis management in a an unprepared environment

Vincent Nguyen presented an experience feedback for a crisis management of major account which was not prepared.

This presentation was particularly interesting because it has been able to demonstrate the extreme stress level of the crisis management actors. Without mentioning the management progress and resources used, the presentation was indexed on two indicators: the length of the intervention and the stress level. Lack of sleep, meals at the corner of a table and the connections of the attacker make that the stress of the RSSI team quickly comes to a highest level.

Assuming that all the infrastructure could be compromised, a dedicated server to manage the crisis has been installed. This server embedded the following software:

• A wiki: allows to share information,
• A webmail: allow to exchange information,
• A VM with a SIEM tool: to provide surveillance of crisis management server,
• The endpoint scans tools in search of signature,
• Analysis and log file management tools.

The crisis cost amounted to several million euros distributed on the following positions:

• Review of firewalls,
• Review / purchasing supervision tool,
• Crisis Management Team and external stakeholders,
• The legal management of the crisis.

 

[Legal] SSI crisis management in an unprepared environment

Eve Matringe, lawyer of the Luxembourg Bar, has presented the legal point of view regarding the rights to replicate when an institution is a victim of an attack.

One way to handle this is to ask “How the "Self-defense" can justify the computer replica of the entity victim of a computer attack”. According to the law, if we allow ourselves to attack, we accept the right to be attacked. In this case the attacker becomes a victim and can call justice for the damages suffered.

In the case of legitimate defense, it is necessary to be extremely careful. Reprisals must be proportionate to the attack and one must be sure of the identity of the attackers.

The slideshow: CoRIIN2016-04-Eve-MATRINGE.pdf

 

[Experience feedback] SSI crisis management in an unprepared environment

Jean-Baptiste Galet has presented an experience feedback of the monitoring means implementation in response to incident and their usefulness in the context of forensics.

The incident response is made in support of customer technical team. It starts by looking suspicious external communication through the network probes. Once infected computer identified, digital forensics starts. This investigation will allow to collect legal evidence:

• Data Extraction (RAM, hard disks)
• Timeline of events
• Artifacts collect
• Data analysis
• Search compromises indices
• Ensuring traceability chain

 

[Technology] Overview of extraction techniques and analysis of RAM

Pierre Veutin and Nicolas Scherrmann have presented new techniques to analyze the memory contents in search of data such as images, documents...

Traditional tools allow sequential analysis of 4K memory pages (ASLR). They allow to find a large number of file but often incomplete. By using address ranges reconstruction tools (dedicated tools), there are fewer file but exploitable by investigators.

Taking as example the search of an image in RAM after internet browsing, the tools used for reconstruction of address ranges enabled to retrieve systematically the desired image.

The slideshow: CoRIIN2016-06-Veutin-Scherrmann.pdf

 

[Experience feedback] Audit inforensic feedback

Vladimir Kolla presented an inforensic audit of a complete information system of thousands of workstations and servers.

The audit was conducted in three phases:

1. The installation of probes between sites and headquarter as well as on the internet outputs. This allowed to detect 80% of all compromise devices.
2. Research IOC on the probes identified 90% of all compromise devices.
3. The analysis of client PCs (scaner IOC, forensic tools, autorun, boot at startup ...) helped to find 100% of compromise devices.

The devices were infected with fake anti-virus or malware from macro Office. The improvement points proposed to improve the security policy:

• Use of proxy in the cloud for the home working,
• Removing admin rights for users,
• Logs supervision (centralize and analyze),
• Hiring an CISO.