1 SANS Technology Institute - Candidate for Master of Science Degree 1 Investigative Trees – Converting Attack Trees into Guides for Incident Response.

Presentation transcript:

Slide 1: Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle, December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA

Slide 2: Objective
- Setting the Stage
- Basics of Investigative Trees
- Rules for Building Investigative Trees
- Example: Corporate E-Mail Espionage
- Demo: iTree.pm

Slide 3: Setting the Stage
- Multi-site corporation
- Information leakage
- Suspected insider
- Suspected factor: outsourced IT
- You’re the objective third party

Slide 4: Investigative Trees
Designed to answer one question: given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?

Slide 5: Building a Tree
- Ask a question
- Split it into smaller questions that can be answered, until the questions are small enough to act upon
- Build procedures to answer the questions; there may be multiple ways to answer
- Add parameters to provide perspectives

Slide 6: Rules for iTrees
- Root node is the goal or outcome
- Leaf nodes represent conditions for meeting the parent node or goal
  – “OR” leaf nodes
  – “AND” leaf nodes
- All nodes should be Boolean in nature

Slide 7: Rules (cont’d.)
- Additional parameters can be added to provide perspectives
- Leaf nodes may become root nodes of a sub-tree that can be saved as a library

Slide 8: General Parameters
- Confidence – level of trust
- Confidence_i – level of trust (impacted)
- Impacted – true or false
- Weight – comparison to neighbor nodes
- Category – label for organization

Slide 9: Other Parameters
Cost, Time, Rate, Units, Dependency, Early Start, Early Finish, Late Start, Late Finish, Slack Time

Slide 10: Example: Corporate E-Mail
- Root question: Can we verify the vector for delivering the e-mails?
- Need to define the leaf nodes or sub-goals

Slide 11: Leaf Nodes (OR)
- Were the e-mails sent via the Outlook-Exchange method?
- Were the e-mails sent via the web-based OWA method?
- Were the e-mails sent via a mobile device method?
- Were the e-mails sent via SMTP through a gateway?

Slide 12: Continue Expanding
- Were the e-mails sent via SMTP through a gateway?
  – Can we verify the presence of SMTP headers in the original e-mail?
  – Can we verify the presence of the e-mail(s) in the log events from the SMTP gateway server?

Slide 13: Add Steps to Get the Answers
- Can we verify the presence of SMTP headers in the original e-mail?
  – Can we recover the presence of SMTP headers in the original e-mail?
    - Can we recover a copy of the original e-mail from the desktop or laptop?
    - Does the e-mail contain SMTP headers (RFC 821)?

Slide 14: Demo: iTree.pm
Perl module to automate the investigation tree creation process
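The tree-building rules of slides 5 to 9 and the corporate e-mail example of slides 10 to 13, worked through in code. This is an added example written for this transcript; it is not the presenter's iTree.pm module and uses Python rather than Perl so that it can be run without that module. The Node class, the evaluate/leaves/plan functions, the costs and weights, the AND/OR choices below slide 12, and the confidence propagation rule are all assumptions of this example and are not defined by the slides.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One question in an investigative tree (assumed structure, not iTree.pm).

    Every node is Boolean: `answer` is True or False once the procedure has
    been run and None while the question is still open. Inner nodes combine
    their children with AND or OR; leaves are the procedures that get executed.
    """
    question: str
    op: str = "LEAF"                               # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    answer: Optional[bool] = None
    confidence: float = 0.0                        # level of trust in the answer, 0.0 to 1.0
    weight: float = 1.0                            # importance relative to sibling nodes
    cost: float = 0.0                              # estimated hours to run a leaf procedure
    category: str = ""                             # label for organising / sharing sub-trees

    def evaluate(self) -> Tuple[Optional[bool], float]:
        """Three-valued evaluation: (answer or None, confidence).

        Propagation rule (an assumption of this example): an OR node is
        decided by any True child and an AND node by any False child, taking
        the strongest confidence among the deciding children; when every
        child points the other way, the weakest child's confidence bounds the
        result; otherwise the node is still open.
        """
        if self.op == "LEAF":
            return self.answer, (self.confidence if self.answer is not None else 0.0)
        results = [child.evaluate() for child in self.children]
        decider = self.op == "OR"                  # True decides an OR, False decides an AND
        deciding = [conf for ans, conf in results if ans is not None and ans == decider]
        if deciding:
            return decider, max(deciding)
        if all(ans is not None and ans != decider for ans, _ in results):
            return (not decider), min(conf for _, conf in results)
        return None, 0.0


def leaves(node: Node) -> List[Node]:
    """All leaf procedures below `node`, in slide order (pre-order)."""
    if node.op == "LEAF":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def plan(root: Node, budget_hours: float) -> List[Node]:
    """Greedy answer to the slide-4 question: which still-open procedures to
    run within a fixed budget, preferring the highest weight per hour."""
    open_leaves = [n for n in leaves(root) if n.answer is None]
    by_value = sorted(open_leaves,
                      key=lambda n: n.weight / n.cost if n.cost > 0 else float("inf"),
                      reverse=True)
    chosen, spent = [], 0.0
    for leaf in by_value:
        if spent + leaf.cost <= budget_hours:
            chosen.append(leaf)
            spent += leaf.cost
    return chosen


def build_email_tree() -> Node:
    """The corporate e-mail example from slides 10-13. Costs, weights and the
    AND/OR choices below slide 12 are constructed for illustration."""
    headers = Node("Can we verify the presence of SMTP headers in the original e-mail?", "AND", [
        Node("Can we recover a copy of the original e-mail from the desktop or laptop?",
             cost=2, weight=2, category="host forensics"),
        Node("Does the e-mail contain SMTP headers (RFC 821)?",
             cost=1, weight=2, category="e-mail analysis"),
    ])
    gateway = Node("Were the e-mails sent via SMTP through a gateway?", "OR", [
        headers,
        Node("Can we verify the presence of the e-mail(s) in the SMTP gateway server log events?",
             cost=4, weight=3, category="log review"),
    ])
    return Node("Can we verify the vector for delivering the e-mails?", "OR", [
        Node("Were the e-mails sent via the Outlook-Exchange method?", cost=6, category="mail server"),
        Node("Were the e-mails sent via the web-based OWA method?", cost=3, category="web logs"),
        Node("Were the e-mails sent via a mobile device method?", cost=8, category="mobile"),
        gateway,
    ])


if __name__ == "__main__":
    root = build_email_tree()
    print("before any procedure:", root.evaluate())
    for leaf in plan(root, budget_hours=8):
        print(f"run ({leaf.cost}h, {leaf.category}): {leaf.question}")
    # Record two findings from the host-forensics branch and re-evaluate.
    recover, contains = leaves(root)[3], leaves(root)[4]
    recover.answer, recover.confidence = True, 0.9
    contains.answer, contains.confidence = True, 0.95
    print("after findings:", root.evaluate())
```

Because every node is Boolean, a single False under an AND node closes that branch and the planner stops spending hours on it, while an OR root is settled as soon as one delivery vector is confirmed; re-running plan() after each finding shows which open procedures the remaining budget should go to next.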

Slide 15: Summary
- Investigative Trees = good investment
- Design supports a knowledge base (KB) natively
- Easy to expand and share information
- Perl modules available for creation and automation
- www.investigativetrees.com

