SANS Technology Institute - Candidate for Master of Science Degree
Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle, December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA
Objective
• Setting the Stage
• Basics of Investigative Trees
• Rules for Building Investigative Trees
• Example: Corporate E-Mail Espionage
• Demo: iTree.pm
Setting the Stage
• Multi-Site Corporation
• Information Leakage Suspected
• Insider Suspected
• Factor: Outsourced IT
• You’re the objective third party
Investigative Trees
• Designed to answer one question:
Given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?
Building a Tree
• Ask a question
• Split into smaller questions that can be answered, until the questions are small enough to act upon
• Build procedures to answer the questions. There may be multiple ways to answer
• Add parameters to provide perspectives
Rules for iTrees
• Root node is the goal or outcome
• Leaf nodes represent conditions of meeting the parent node or goal
  – “OR” leaf nodes
  – “AND” leaf nodes
• All nodes should be Boolean in nature
Rules (cont’d.)
• Additional parameters can be added to provide perspectives
• Leaf nodes may become root nodes of a sub-tree that can be saved as a library
General Parameters
• Confidence – level of trust
• Confidence_i – level of trust (impacted)
• Impacted – true or false
• Weight – comparison to neighbor nodes
• Category – label for organization
Other Parameters
• Cost
• Time
• Rate
• Units
• Dependency
• Early Start
• Early Finish
• Late Start
• Late Finish
• Slack Time
Example: Corporate E-Mail
• Root Question: Can we verify the vector for delivering the e-mails?
• Need to define the leaf nodes or sub-goals
Leaf Nodes (OR)
• Were the e-mails sent via the Outlook-Exchange method?
• Were the e-mails sent via the web-based OWA method?
• Were the e-mails sent via a mobile device method?
• Were the e-mails sent via SMTP through a gateway?
Continue Expanding
• Were the e-mails sent via SMTP through a gateway?
  – Can we verify the presence of SMTP headers in the original e-mail?
  – Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?
Add Steps to Get the Answers
• Can we verify the presence of SMTP headers in the original e-mail?
  – Can we recover the presence of SMTP headers in the original e-mail?
    • Can we recover a copy of the original e-mail from the desktop or laptop?
    • Does the e-mail contain SMTP headers (RFC 821)?
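A worked version of the e-mail tree built across the slides above, as an added example (Python, not the talk's iTree.pm module): each node carries the Confidence, Confidence_i, Impacted, Weight, Category, Cost and Dependency parameters, AND nodes score as their weakest child and OR nodes as their strongest, and plan() answers the root question the deck poses by finding the set of procedures within a fixed budget that yields the most confidence. The combination rules, the reading of Impacted as "the suspected insider could have altered this evidence source", and every cost and confidence value are assumptions made for this example.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional

@dataclass(eq=False)
class Node:
    question: str
    kind: str = "LEAF"          # "AND", "OR", or "LEAF" (a procedure an investigator can run)
    children: List["Node"] = field(default_factory=list)
    confidence: float = 0.0     # trust in the answer the procedure yields
    confidence_i: float = 0.0   # trust if the evidence source is impacted (assumed: suspect could alter it)
    impacted: bool = False
    weight: float = 1.0         # importance relative to neighbouring nodes
    cost: float = 0.0           # resource units the procedure consumes
    category: str = ""
    depends_on: Optional["Node"] = None   # procedure that must be run first (Dependency parameter)

    def trust(self) -> float:
        return self.confidence_i if self.impacted else self.confidence

def leaves(node: Node) -> List[Node]:
    return [node] if node.kind == "LEAF" else [l for c in node.children for l in leaves(c)]

def evaluate(node: Node, chosen: set) -> float:
    """Confidence in node's answer from the chosen procedures: AND = weakest child, OR = strongest."""
    if node.kind == "LEAF":
        usable = node in chosen and (node.depends_on is None or node.depends_on in chosen)
        return node.trust() * node.weight if usable else 0.0
    scores = [evaluate(c, chosen) for c in node.children]
    return min(scores) if node.kind == "AND" else max(scores)

def plan(root: Node, budget: float):
    """Exhaustively choose the procedure set within budget that maximises root confidence."""
    best, best_set = 0.0, []
    for r in range(1, len(leaves(root)) + 1):
        for combo in combinations(leaves(root), r):
            if sum(l.cost for l in combo) > budget:
                continue
            score = evaluate(root, set(combo))
            if score > best:
                best, best_set = score, [l.question for l in combo]
    return best, best_set
# Constructed e-mail espionage tree; costs and confidences are made-up sample values
recover = Node("Recover a copy of the original e-mail from the desktop or laptop?", confidence=0.9, cost=2, category="host")
headers = Node("Does the e-mail contain SMTP headers (RFC 821)?", confidence=0.95, cost=1, category="host", depends_on=recover)
gateway = Node("E-mail(s) present in the SMTP gateway server log events?", confidence=0.9, confidence_i=0.4, impacted=True, cost=4, category="logs")
ROOT = Node("Can we verify the vector for delivering the e-mails?", "OR", [
    Node("Sent via the Outlook-Exchange method?", confidence=0.6, cost=3),
    Node("Sent via the web-based OWA method?", confidence=0.5, cost=2),
    Node("Sent via a mobile device method?", confidence=0.4, cost=2, weight=0.5),
    Node("Sent via SMTP through a gateway?", "OR", [
        Node("SMTP headers present in the original e-mail?", "AND", [recover, headers]), gateway]),
])
```

With a budget of 5 units, plan(ROOT, 5) picks the recover-plus-headers pair (confidence 0.9) over the impacted gateway logs, and with a budget of 2 it falls back to the OWA check because the headers procedure cannot count without its dependency.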
Demo: iTree.pm
• Perl module to automate the investigation tree creation process
Summary
• Investigative Trees = good investment
• Design supports a knowledge base (KB) natively
• Easy to expand and share information
• Perl modules available for creation and automation
www.investigativetrees.com