Incident Response -> Digital Forensics

First IR book I got my hands on above. My first computer conference was http://www.first.org/. It’s no wonder I’m a Blue Team kinda person. Here is my common process IR braindump.

• Test your process? What automation is gonna help IR -> DF?
• Finding the trail …
• What kind of system are you looking at?
• Do you have remote access? Root access?
• What evidence do you wish to collect from the system?
• Remote acquisition of HDD, Ram or interactive query?
• VM? Cloud? Local? Remote Office? Laptop? OS?
• Custom tools? Audit scripts? Forensics Automation?
• pslist, malfind, filescan, sockets, connscan, and connections with Volatility Framework?
• Who’s talking to badguy.com?
• Did you check your DNS logs?
• Did you check your Firewall logs?
• Did you check the outbound proxy?
• Who’s internal address is on 10.187.10.112?
• What is that computer?
• Who logged into that computer?
• Did you check the DHCP logs?
• Is that a static assignment?
• OMG that’s a Windows XP box?
• When was that last patched? Was it phished?
• Is it exploited?
• What did anti-virus or host based IDS say?
• Facebook OSQuery installed on box?
• GRR installed? MIG?
• Can I remote image the HDD? Can I remote image the Mem?
• What’s the baseline on the box?
• Any sysinternal tools on the box for process monitoring baselines?
• Files changed? Local logs?
• Did Windows XP box at 10.187.10.112 communicate with anyone?
• Did this box do anything? Scans? Talk to any systems locally? Exfil?
• Did you check the proxies?
• Did you check the mapped drives?
• Did you check the SIEM? NTOP? Logs?
• What are the IOCs? C&C communications?
• Surricata? Bro? Snort? Security Onion? MIDAS?
• Are there PCAPs? Network packet logging?
• Moloch? Packet Pig? DNS Pig? PCAP-RPC? MHN?
• Is it time for forensics? Do you need to contain? Observe?
• Remote or local acquisition? Mem or HDD?
• Process extraction? File extraction? PySSDeep?
• What tools you gonna use? Volatility? Bulk extractor? Cuckoo? YARA? DNS Graph? Communications graph?
• Correlate to threat intelligence? Situational awareness? Vulns? Activate other processes? Protect data?
• What box do I got to get to next? Follow the white rabbit?

Top 25 Programming-Code Links that get clicked every day on this blog

1. https://github.com/RIPE-NCC/hadoop-pcap
2. https://github.com/sherpasurfing/SHERPASURFING
3. https://github.com/packetloop/packetpig
4. https://github.com/CamDavidsonPilon/Probabilistic-Programming-and-Bayesian-Methods-for-Hackers
5. https://github.com/fedragon/spark-jobserver-examples
6. https://github.com/bigsnarfdude/d3py/tree/master/examples
7. https://github.com/etsy/MIDAS
8. https://github.com/bigsnarfdude/BayesMadeSimple
9. https://github.com/aaw/hyperloglog-redis
10. https://github.com/svpcom/hyperloglog/blob/master/hyperloglog/hll.py
11. https://github.com/google/grr
12. https://github.com/bigsnarfdude/moloch
13. https://github.com/bigsnarfdude/spark/tree/master/extras/kinesis-asl
14. https://github.com/wrobstory/vincent/raw/master/examples/Vincent_Examples.ipynb
15. https://github.com/facebook/osquery
16. https://github.com/jt6211
17. https://github.com/SuperCowPowers/workbench
18. https://github.com/jeffbryner/machinelearning
19. https://github.com/twitter/algebird/wiki/Learning-Algebird-Monoids-with-REPL
20. https://github.com/ClickSecurity/data_hacking
21. https://github.com/tdunning/anomaly-detection
22. https://github.com/jt6211/hadoop-binary-analysis
23. https://github.com/jt6211/hadoop-dns-mining
24. https://code.google.com/p/pcapr/wiki/Xtractr
25. https://code.google.com/p/dnscapy/

Misc Algebird

• https://github.com/twitter/algebird/wiki/Learning-Algebird-Monoids-with-REPL
• http://twitter.github.io/algebird/com/twitter/algebird/QTree$.html
• https://github.com/mikeizbicki/HLearn
• http://debasishg.blogspot.ca/2014/01/count-min-sketch-data-structure-for.html
• https://gist.github.com/debasishg/8172796
• http://infolab.stanford.edu/~ullman/mmds/ch3.pdf
• https://speakerdeck.com/samklr/algebird-abstract-algebra-for-big-data-analytics

 

Use cases for probabilistic data structures in Infosec metrics

Use Cases for monitoring counts on anything and for network monitoring

• Network Login counts
• Failed attempts per user
• Failed attempts per groups
• Failed attempts per role
• Success counts for above
• Passwords reset volumes per day, month, year
• Counts for credentials per person
• Password age
• Password change day counts
• Password lengths
• User accounts counts for overall issued
• Time elapsed for provision
• Time elapsed for decommission
• Time elapsed for authorization for changes
• Number of privilege accounts per person
• Infection counts per user
• Infection counts per machine
• Infection counts per IP
• New account provisioning counts per hour, day, week, month, year
• Success and failed for each IP per user counts
• Counts of logins devices
• Counts of login unique destinations
• Packet Counts
• Port Counts
• DNS request counts per host
• DNS over all
• DNS request to internal devices
• DNS request for each device
• Per device aggregation of all types of traffic
• Comparing the increase of the number of DNS requests per second with respect to the average number of DNS requests per second
• DHCP request counts
• Segment DHCP counts for lease requests
• Availability
• Packet Delay
• Packet Reordering
• Packet Loss
• Packet Inter-arrival Jitter
• Types of packets counters for each host
• Bandwidth Measurements (Capacity, Achievable Throughputs)
• Counts for twitter per user
• Counts of tweets from user to user
• Counts of uses of words in tweets
• Counts of uses of hashtag in tweets
• Counts of uses of any word or hashtag from specific locations
• Device counts
• Software counts
• Application patch level counts
• Active user counts
• Inactive user counts
• Remote login per country counts
• Remote login per IP address counts
• Website visit counts per user
• Email counts
• Email attachment counts
• SPAM counts
• Statistics for developer
• Stats on access per application, IP address, service, user

https://bigsnarf.wordpress.com/2013/02/08/probabilistic-data-structures-for-data-analytics/

Reading – Probabilistic Programming & Bayesian Methods for Hackers

 

http://camdavidsonpilon.github.io/Probabilistic-Programming-and-Bayesian-Methods-for-Hackers/

Statistical Analysis

Data collection: We will use data from a large national survey that was de- signed explicitly with the goal of generating statistically valid infer- ences about the U.S. population.

Descriptive statistics: We will generate statistics that summarize the data concisely, and evaluate different ways to visualize data.

Exploratory data analysis: We will look for patterns, differences, and other features that address the questions we are interested in. At the same time we will check for inconsistencies and identify limitations.

Hypothesis testing: Where we see apparent effects, like a difference be- tween two groups, we will evaluate whether the effect is real, or whether it might have happened by chance.

Estimation: We will use data from a sample to estimate characteristics of the general population.

 

Links

• http://greenteapress.com/thinkstats/thinkstats.pdf
• http://www.greenteapress.com/thinkbayes/thinkbayes.pdf
• https://www.youtube.com/watch?v=z_sIDLVisvA
• https://github.com/bigsnarfdude/BayesMadeSimple
• http://nbviewer.ipython.org/github/CamDavidsonPilon/Probabilistic-Programming-and-Bayesian-Methods-for-Hackers/blob/master/Chapter2_MorePyMC/MorePyMC.ipynb
• http://nbviewer.ipython.org/github/fonnesbeck/Bios366/blob/master/notebooks/Section4_3-Introduction-to-PyMC.ipynb
• http://blog.yhathq.com/posts/estimating-user-lifetimes-with-pymc.html
• https://docs.google.com/presentation/d/1T0vkJ1ebH-OK3MWfo6AvMz4kP5fE5M5oTK4t18CDOTA/embed?hl=en&size=m&slide=id.g9fe1d775_00
• http://blog.melchua.com/2013/03/14/allen-downeys-bayesian-statistics-made-simple-workshop-a-recap-and-review/
• http://allendowney.blogspot.ca/2014/04/bayess-theorem-and-logistic-regression.html
• http://allendowney.blogspot.ca/2014/05/implementing-pmfs-in-python.html

Infosec Big Data Stack Developer

 

http://techcrunch.com/2014/11/08/the-rise-and-fall-of-the-full-stack-developer/

Nice explanation of Adaptive Machine Learning in a Streaming enivronment

Automated Security Testing

1. Nikto
2. Nmap
3. Openvas
4. Spiderfoot
5. Sslscan
6. Sqlmap
7. Xsser
8. Dns_Malware
9. Geoip
10. Punkspider
11. Shodan
12. Plecost
13. Default Error Page
14. Directory Listing
15. Exploit-DB
16. Fingerprint Web
17. Brute Directories
18. Brute Dns
19. Brute Extensions
20. Brute Permutations
21. Brute Predictables
22. Brute Prefixes
23. Brute Suffixes

http://cybersecology.com/web-vulnerability-scanners/review-golismero-web-knife/

http://www.golismero.com/

Still interesting work