Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle
December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA
SANS Technology Institute - Candidate for Master of Science Degree
Objective
Setting the Stage
Basics of Investigative Trees
Rules for Building Investigative Trees
Example: Corporate Espionage
Demo: iTree.pm
Setting the Stage
Multi-Site Corporation
Information Leakage
Suspected Insider
Suspected Factor: Outsourced IT
You're the objective third party
Investigative Trees
Designed to answer one question: given a fixed amount of resources, which investigation will yield the result with the most confidence for a given outcome?
Building a Tree
Ask a question
Split it into smaller questions, and keep splitting until the questions are small enough to act upon
Build procedures to answer the questions; there may be multiple ways to answer one
Add parameters to provide perspectives
Rules for iTrees
Root node is the goal or outcome
Leaf nodes represent conditions for meeting the parent node or goal
– "OR" leaf nodes: any one of them being true satisfies the parent
– "AND" leaf nodes: all of them must be true to satisfy the parent
All nodes should be Boolean in nature (each is a yes/no question)
Rules (cont'd.)
Additional parameters can be added to provide perspectives
A leaf node may become the root node of a sub-tree, which can be saved to a library and reused
General Parameters
Confidence – level of trust
Confidence_i – level of trust (impacted case)
Impacted – true or false
Weight – comparison to neighbor nodes
Category – label for organization
Other Parameters
Cost
Time
Rate
Units
Dependency
Early Start
Early Finish
Late Start
Late Finish
Slack Time (these last five are the critical-path scheduling fields)
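As an added illustration of the building rules and parameters above (this is not the iTree.pm module and not the author's code), the following Python models an investigative tree with Boolean AND/OR nodes, attaches the Confidence, Weight, Cost and Category parameters to leaves, and answers the question on the Objective slide: given a fixed budget, which still-unrun procedures would give the root the most confidence. The sample tree is the corporate-espionage example from the later slides; its confidence and cost values, and the assumption that the two SMTP-gateway checks combine with AND while the delivery vectors combine with OR, are constructed for this example. How confidence rolls up (OR keeps its best weighted child, AND multiplies its children) is also this example's convention, not a rule stated in the deck.

```python
"""Investigative-tree (iTree) model: Boolean AND/OR nodes with Confidence,
Weight and Cost parameters, plus a budget-constrained plan of which leaf
procedures to run next.  Added example; not the iTree.pm module."""
import math
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class Node:
    question: str                      # every node is a yes/no question
    kind: str = "LEAF"                 # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    confidence: float = 0.0            # trust in a "yes" answer, 0..1 (leaf)
    weight: float = 1.0                # relative to sibling nodes (assumed scale)
    cost: float = 0.0                  # resource units the procedure consumes
    answer: Optional[bool] = None      # None = procedure not yet run
    category: str = ""                 # label for organisation


def evaluate(node: Node) -> Optional[bool]:
    """Boolean roll-up. Unanswered leaves are unknown (None); an OR is True
    as soon as one child is True, an AND is False as soon as one child is."""
    if node.kind == "LEAF":
        return node.answer
    results = [evaluate(c) for c in node.children]
    if node.kind == "AND":
        if any(r is False for r in results):
            return False
        return True if all(r is True for r in results) else None
    if any(r is True for r in results):
        return True
    return False if all(r is False for r in results) else None


def confidence(node: Node) -> float:
    """Confidence roll-up (this example's convention): a leaf contributes its
    confidence only when answered yes; OR keeps the best weighted child,
    AND multiplies its children so one missing check zeroes the branch."""
    if node.kind == "LEAF":
        return node.confidence if node.answer else 0.0
    vals = [c.weight * confidence(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(vals)
    return max(vals, default=0.0)


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def plan(root: Node, budget: float) -> Tuple[float, Tuple[str, ...]]:
    """Which unrun procedures, within budget, would give the root the highest
    confidence if they all came back yes?  Brute force over subsets, which is
    fine for the handful of leaves a single sub-tree carries."""
    todo = [leaf for leaf in leaves(root) if leaf.answer is None]
    best: Tuple[float, Tuple[str, ...]] = (0.0, ())
    for n in range(1, len(todo) + 1):
        for combo in combinations(todo, n):
            if sum(leaf.cost for leaf in combo) > budget:
                continue
            for leaf in combo:
                leaf.answer = True       # hypothesise a yes for each pick
            score = confidence(root)
            for leaf in combo:
                leaf.answer = None       # restore: nothing was really run
            if score > best[0]:
                best = (score, tuple(leaf.question for leaf in combo))
    return best


def build_example_tree() -> Node:
    """Corporate-espionage example from the deck; the numbers are constructed."""
    smtp = Node("Were the e-mails sent via SMTP through a gateway?", "AND", [
        Node("Can we verify the presence of SMTP headers in the original e-mail?",
             confidence=0.8, cost=2, category="host"),
        Node("Can we verify the presence of the e-mail(s) in the log events "
             "from the SMTP gateway server?", confidence=0.95, cost=3,
             category="logs"),
    ])
    return Node("Can we verify the vector for delivering the e-mails?", "OR", [
        Node("Were the e-mails sent via the Outlook-Exchange method?",
             confidence=0.6, cost=3),
        Node("Were the e-mails sent via the web-based OWA method?",
             confidence=0.7, cost=4),
        Node("Were the e-mails sent via a mobile device method?",
             confidence=0.5, cost=5),
        smtp,
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print("root before any procedure:", evaluate(tree))
    for budget in (4, 5):
        score, picks = plan(tree, budget)
        print(f"budget {budget}: confidence {score:.2f} via {picks}")
    # Run the SMTP sub-tree for real: headers found, but no gateway events.
    smtp = tree.children[3]
    smtp.children[0].answer, smtp.children[1].answer = True, False
    print("SMTP branch:", evaluate(smtp), " root:", evaluate(tree))
```

With a budget of 4 the planner picks the single OWA check (0.7); with a budget of 5 it prefers the two SMTP-gateway checks together (0.8 × 0.95 = 0.76), because an AND branch earns nothing until all of its children are run. Answering the gateway-log leaf "no" makes that whole branch False while the root stays unknown, since the other OR children are still unanswered.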
Example: Corporate Espionage
Root question: Can we verify the vector for delivering the e-mails?
Need to define the leaf nodes, or sub-goals
Leaf Nodes (OR)
Were the e-mails sent via the Outlook-Exchange method?
Were the e-mails sent via the web-based OWA method?
Were the e-mails sent via a mobile device method?
Were the e-mails sent via SMTP through a gateway?
Continue Expanding
Were the e-mails sent via SMTP through a gateway?
– Can we verify the presence of SMTP headers in the original e-mail?
– Can we verify the presence of the e-mail(s) in the log events from the SMTP gateway server?
Add Steps to Get the Answers
Can we verify the presence of SMTP headers in the original e-mail?
– Can we recover a copy of the original e-mail from the desktop or laptop?
– Does the e-mail contain SMTP headers (RFC 821)?
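The two leaf procedures on the last few slides (recover the original e-mail and check it for SMTP trace headers; find the message in the gateway's log events) are small enough to script. The Python below is an added example, not from the deck or from iTree.pm: it parses a constructed raw message, lists its Received: lines (the time-stamp lines a receiving SMTP server inserts, described in RFC 821 section 4.1.1 and carried as RFC 822 headers), pulls the Message-ID, and correlates that with constructed gateway log lines in a Postfix-like layout to recover the queue ID and delivery status. A second constructed sample, a copy with no Received: lines such as one recovered from a Sent Items folder, shows the header leaf answering no while the gateway-log leaf still answers yes. The functions return Booleans so the answers can feed the tree's leaf nodes.

```python
"""Leaf procedures for the SMTP-gateway branch: does a recovered message
carry SMTP trace (Received:) headers, and does the gateway log show it?
Added example with constructed data; not the deck's or iTree.pm's code."""
import email
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a copy recovered from the user's laptop that passed
# through an internal server and then the corporate SMTP gateway.
RECOVERED_EMAIL = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby gw.example.com with ESMTP id 4F2A9; Mon, 7 Dec 2009 10:15:02 -0500
Received: from workstation-42.corp.example.com ([10.1.2.42])
\tby mail.example.net with ESMTP; Mon, 7 Dec 2009 10:14:58 -0500
Message-ID: <20091207151458.ABC123@mail.example.net>
From: insider@example.net
To: contact@competitor.example.org
Subject: Q4 roadmap
Date: Mon, 7 Dec 2009 10:14:55 -0500

(body omitted)
"""

# Constructed sample: the same message as kept in Sent Items.  A sender-side
# copy never passed through a receiving SMTP server, so it has no trace lines.
SENT_ITEMS_COPY = b"""\
Message-ID: <20091207151458.ABC123@mail.example.net>
From: insider@example.net
To: contact@competitor.example.org
Subject: Q4 roadmap
Date: Mon, 7 Dec 2009 10:14:55 -0500

(body omitted)
"""

# Constructed gateway log, Postfix-like layout: queue ID 4F2A9 ties the client
# connection, the message-id and the outbound delivery together.
GATEWAY_LOG = """\
Dec  7 10:15:02 gw postfix/smtpd[2311]: 4F2A9: client=mail.example.net[203.0.113.7]
Dec  7 10:15:02 gw postfix/cleanup[2315]: 4F2A9: message-id=<20091207151458.ABC123@mail.example.net>
Dec  7 10:15:03 gw postfix/smtp[2320]: 4F2A9: to=<contact@competitor.example.org>, relay=mx.competitor.example.org[198.51.100.9]:25, status=sent (250 OK)
Dec  7 10:16:40 gw postfix/cleanup[2315]: 7B0C1: message-id=<unrelated@mail.example.net>
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)
QUEUE_RE = re.compile(r":\s([0-9A-F]+):\smessage-id=(<[^>]+>)")


def trace_hops(raw: bytes) -> List[Tuple[str, str]]:
    """(from-host, by-host) for each Received: line, latest hop first.
    An empty list means the copy carries no SMTP trace headers."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)   # folded lines keep their "\n\t"
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def message_id(raw: bytes) -> Optional[str]:
    return email.message_from_bytes(raw).get("Message-ID")


def gateway_events(msgid: str, log_text: str) -> List[str]:
    """Find the queue ID the gateway assigned to msgid, then every log line
    for that queue ID (connection, message-id and delivery attempt)."""
    lines = log_text.splitlines()
    queue_id = None
    for line in lines:
        m = QUEUE_RE.search(line)
        if m and m.group(2) == msgid:
            queue_id = m.group(1)
            break
    if queue_id is None:
        return []
    return [line for line in lines if f": {queue_id}: " in line]


def answer_leaves(raw: bytes, log_text: str) -> Dict[str, object]:
    """Boolean answers for the two leaf questions plus the evidence behind them."""
    hops = trace_hops(raw)
    msgid = message_id(raw)
    events = gateway_events(msgid, log_text) if msgid else []
    return {
        "smtp_headers_present": bool(hops),
        "relay_path": hops,
        "gateway_events_present": bool(events),
        "gateway_events": events,
        "delivered": any("status=sent" in e for e in events),
    }


if __name__ == "__main__":
    for label, raw in (("recovered copy", RECOVERED_EMAIL),
                       ("sent items copy", SENT_ITEMS_COPY)):
        r = answer_leaves(raw, GATEWAY_LOG)
        print(label, "headers:", r["smtp_headers_present"],
              "gateway:", r["gateway_events_present"], "delivered:", r["delivered"])
```

The queue ID is the pivot: the message-id line is the only gateway event that names the Message-ID, so the script finds it first and then collects every line for that queue ID, which is where the relay host and delivery status live.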
Demo: iTree.pm
Perl module to automate the investigative-tree creation process
Summary
Investigative Trees = good investment
Design supports a knowledge base (KB) natively
Easy to expand and share information
Perl modules available for creation and automation