My first post on this topic didn’t result in a great deal of engagement, but that’s okay. I wrote the first post with part II already loaded in the chamber, and I’m going to continue with this topic because, IMHO, it’s immensely important.
I’ve see more times than I care to count findings and reports going out the door without validation. I saw an analyst declare attribution in the customer’s parking lot, as the team was going on-site, only to be proven wrong and the customer opting to continue the response with another team. Engagements such as this are costly to the consulting team through brand damage and lost revenue, as well as costly to the impacted organization, through delays and additional expenses to reach containment and remediation, all while a threat actor is active on their network.
When I sat down to write the first post, I had a couple more case studies lined up, so here they are…
Case Study #3
Analysts were investigating incidents within an organization, and as part of the response, they were collecting memory dumps from Windows endpoints. They had some information going into the investigations regarding C2 IP addresses, based on work done by other analysts as part of the escalation process, as well as from intel sources and open reporting, so they ran ASCII string searches for the IP addresses against the raw memory dumps. Not getting any hits, declared in the tickets that there was no evidence of C2 connections.
What was missing from this was the fact that IP addresses are not employed by the operating system and applications as ASCII strings. Yes, you may see an IP address in a string that starts with “HTTP://” or “HTTPS://”, but by the time the operating system translates and ingests the IP address for use, it’s converted to 4 bytes, and as part of a structure. Tools like Volatility provide the capability to search for certain types of structures that include IP addresses, and bulk_extractor searches for other types of structures, with the end result being a *.pcap file.
In this case, as is often the case, analyst findings are part of an overall corporate-wide process, a process that includes further, follow-on findings such as “control efficacy”, identifying
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: