Transcript: Digital Forensics and Incident Response in … (Introduction), Megan Roddie, Cyber Threat Research at IBM
Digital Forensics and Incident Response in
Introduction
Megan Roddie
◦ Cyber Threat Research at IBM
◦ CFO of Mental Health Hackers
◦ M.S. in Digital Forensics
◦ M.S. in Information Security Engineering (est. 2021)
◦ GCFA, GCIH
◦ @megan_roddie
1. INTRODUCTION TO G SUITE
2. DON’T GET COMPROMISED
Don’t Wait. Secure it.
◦ First Step: Don’t get compromised!
◦ Many steps to be taken to prevent a compromise
◦ 2FA, 2FA, 2FA
https://blog.reconinfosec.com/securing-g-suite/
3. G SUITE DFIR VS. TRADITIONAL DFIR
Mapping G Suite Attacks to the Cyber Kill Chain
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
Incident types
“Traditional” DFIR
◦ Malware
◦ Phishing
◦ Denial of Service
◦ Web attacks (XSS, SQL Injection)
G Suite DFIR
◦ Phishing
◦ Information Leak
◦ Account Abuse
Attack vector
“Traditional” DFIR
◦ Variety of access methods
◦ Vulnerability exploitation
◦ Publicly accessible network resources
◦ Human threat
G Suite DFIR
◦ Smaller attack surface
◦ Social Engineering
◦ Phishing email
◦ Brute force
Environment
“Traditional” DFIR
◦ Multiple devices / device types (computers vs. servers vs. network devices)
◦ Core configuration settings might be centralized; more system-independent settings
G Suite DFIR
◦ Contained to a single platform
◦ Core configuration settings are centralized
Overview
“Traditional” DFIR
◦ Large attack surface
◦ Diversity of incident types
◦ Variety of sources of information
G Suite DFIR
◦ Limited attack surface
◦ Specific incident types
◦ Data is centralized
4. CASE SCENARIO
The Scenario
A company’s client list seems to have leaked to an outside entity.
They suspect that the list of customers might have been found via G Suite (files, emails, contacts) but do not know of a compromise.
Cyber Experts, LLC. is contracted to find out if a compromise exists.
Scenario Start
What we know
◦ There might be a compromise
What we need to find out
◦ All the things
What’s been done
◦ Nothing
Identify suspicious activity
◦ Login Audit Logs
Identify suspicious activity
◦ whois 43.241.236.23
◦ whois 52.129.23.26
◦ whois 64.18.221.42
◦ ...
https://blog.ecapuano.com/auditing-gsuite-login-activity/
https://blog.reconinfosec.com/auditing-gsuite-login-activity/
Containment
◦ Disable account
◦ Reset password
◦ Reset all login sessions
How are we looking now?
What we know
◦ We know whose account was compromised
◦ We know when the account was compromised
◦ No other accounts indicate the same pattern of abnormal activity
What’s been done
◦ The known compromised account has been disabled and all active sessions have been reset
What we need to find out
◦ How did it happen?
◦ What was the account used for?
◦ Is there any persistence in place?
How did it happen?
Brute force?
No
So… Phishing?
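The two checks the scenario walks through, picking out successful logins from addresses that warrant a whois look and then asking whether a burst of failures preceded the success (brute force) or not (a phished credential), as an added Python example that is not code from the talk. The record shape imitates Google Admin SDK Reports API login activity items (my assumption about the format); all addresses, accounts and timestamps are constructed.

```python
import json
from datetime import datetime

# Constructed sample, shaped like Reports API "login" activity items
# (assumed format; not log data from the talk).
SAMPLE_LOG = json.dumps({"items": [
    {"id": {"time": "2019-03-04T08:01:12.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.7", "events": [{"name": "login_success"}]},
    {"id": {"time": "2019-03-05T08:03:40.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.7", "events": [{"name": "login_success"}]},
    {"id": {"time": "2019-03-06T02:17:05.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.9", "events": [{"name": "login_success"}]},
    {"id": {"time": "2019-03-06T02:20:30.000Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "203.0.113.50", "events": [{"name": "login_failure"}]},
    {"id": {"time": "2019-03-06T02:20:41.000Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "203.0.113.50", "events": [{"name": "login_failure"}]},
    {"id": {"time": "2019-03-06T02:20:52.000Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "203.0.113.50", "events": [{"name": "login_success"}]},
]})
KNOWN_IPS = {"198.51.100.7"}  # constructed office egress address

def parse_login_log(raw):
    """Flatten items into (time, user, ip, event_name) tuples, oldest first."""
    rows = []
    for item in json.loads(raw)["items"]:
        ts = datetime.strptime(item["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        for ev in item["events"]:
            rows.append((ts, item["actor"]["email"], item["ipAddress"], ev["name"]))
    return sorted(rows)

def new_ip_logins(rows, known_ips):
    """Successful logins from addresses outside the known set: the whois candidates."""
    return [(u, ip, ts.isoformat()) for ts, u, ip, name in rows
            if name == "login_success" and ip not in known_ips]

def failures_before_success(rows, user, ip, window_s=600, threshold=2):
    """Count login_failure events from `ip` for `user` in the window before the
    first login_success from that address. Repeated failures suggest brute force;
    a first-try success from a new address points at a stolen (phished) credential."""
    success = next((ts for ts, u, i, n in rows
                    if u == user and i == ip and n == "login_success"), None)
    if success is None:
        return None, "no successful login"
    fails = sum(1 for ts, u, i, n in rows if u == user and i == ip
                and n == "login_failure" and 0 <= (success - ts).total_seconds() <= window_s)
    return fails, ("brute force" if fails >= threshold else "first-try success: consider phishing")

if __name__ == "__main__":
    rows = parse_login_log(SAMPLE_LOG)
    for user, ip, when in new_ip_logins(rows, KNOWN_IPS):
        print(when, user, "from", ip, "-> whois", ip, failures_before_success(rows, user, ip))
```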
What was the account used for?
Review All The Logs
Is there any persistence in place?
◦ App passwords
◦ Authorized API
◦ Add 2FA device
◦ Email forwarding
◦ Email filters
Moral of the story...
5. FUTURE RESEARCH
Incident Response (IR)
◦ Automation via G Suite API
◦ Started but not my area of expertise
▫ Reach out if you want to collaborate
Digital Forensics (DF)
◦ File Metadata Analysis
◦ Recreate SANS Windows Time Rules for Google Drive
Questions?
Thank you!