A forensic case-study on the misuse of security appliances.

Barracuda networks announced earlier this year a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage.


During the presentation, Mandiant will detail the initial attack vector used to gain foothold with the victim environments, discuss the malware families identified as the forensics methods employed to uncover the threat actors misuse within victim networks. Lastly, Mandiant draws conclusions on these types of intrusions and use of zero-days over the past years, and any means available to prevent or detect similar activity.

The System Resource Usage Monitor (aka SRUM) is a mechanism first added on Windows 8 that tracks system resource usage, specifically process and network data, making it a wealth of information about all the activities that occur on a machine. Since its discovery as a forensic artifact, the community has been relying on it. However, discrepancies in the recorded data can be found across the different versions of Windows.

Considering the importance that this artifact has gained over the years, in this talk we will deep dive into the SRUM mechanism, explain its architecture, debunk misconceptions and describe its inner-workings, which have remained undocumented up until now.

In addition, we will mention the limits of the SRUM for forensic purposes, detail on which Windows versions the artifact is available, the type of data that is recorded, and lastly how and why information is properly stored.

Detailed Topics

• Introduction (SRUM started win 8)

• Main versions of Windows

• Difference between win 8 vs most recent windows version – registry keys vs notbeen updated by registry

• Monitoring the SRUM

• which are the components related to SRUM

• Process Monitoring

• ETW

• Analysis of the SRUM

• DPS Service

• Main Extensions

• eeprov.dll - App Timeline Provider

• nduprov.dll - Windows Network Data Usage Monitor

• When is evidence recorded?

• How long is evidence stored in the database?

• When is evidence not recorded?

• Conclusion

Drawing from WithSecure Incident Response team's vast experience, this presentation will outline five key considerations. These points are essential elements that incident responders consider when determining the optimal moment to remediate an incident.

Session Outline:

• Introduction to Remediation: Introducing and delving into pivotal concepts, including clearing vocabulary confusion around remediation, containment and eradication, best-effort eradication, posturing, and the distinction between tactical and strategic eradication.
• Impact of Premature Action: We will explore the repercussions of hasty remediation measures. The discussion will emphasize how these impacts have evolved over the last five years, prompting the pertinent question - should this be a cause for concern when we are timing key stages of remediation?
• The key considerations: Introduce the five key considerations. Along with explaining why they hold a critical place in the process, we will also provide insight on how to effectively utilize these them.
• Case studies: After introducing these key considerations, we will delve into real-world case studies encompassing a variety of scenarios. These examples will illuminate the practical application of these considerations, providing the audience with a guided approach to determining the optimal timing for remediation.

Key Take Aways

Attendees will:

• Acquire a comprehensive understanding of remediation stages across a spectrum of incidents varying in severity.
• Gain both an understanding and practical insight into the considerations that incident responders make when determining the right moment to remediate an incident.
• Attendees will have the opportunity to reassess established doctrines, prompting critical thinking about what we know about remediating incidents.
• Gain insights from real-life case studies, including a unique, in-depth analysis of a complex data exfiltration incident involving multiple advanced threat actors. This case study showcases an extensive breach affecting 70% of a network comprising both Linux and Windows systems.

The acquisition of digital evidence from sources present on the internet (web pages, social media, or emails) has become an increasingly challenging task for forensic computer scientists. The idea behind FIT, initially conceived as a master's thesis, has evolved into an OPEN project in collaboration with various members of ONIF (National Observatory of Digital Forensics). Its purpose is to offer a FLOSS alternative capable of performing acquisitions of web pages, social media profiles, and email accounts. With its modular architecture, it is easily expandable and each acquisition is made with a set of artifacts following the best practices of the Digital Forensics. We will show you what has been accomplished and what we aim to achieve.

Incident response investigations often rely on the availability and accurate processing of system data from large Windows environments. However, processing data from Windows systems can be a major bottleneck, requiring significant resources and time. To address this issue, I developed Wiskess, a tool that automates the processing of disk images and triage collection artifacts from Windows systems.

In this talk, I will provide a detailed explanation of how Wiskess was developed and the benefits it brings to incident response investigations. The presentation will cover the five steps that make up the automated pipeline, allowing for an in-depth exploration of the tool's capabilities. I will also include a live demo of the tool in action.

Dissect is a powerful and easy-to-use open-source digital forensics and incident response framework, developed by Fox-IT (part of NCC Group). With Dissect, you can quickly access and analyze forensic artifacts from various disk and file formats. We will show you how Dissect is not only perfect for digital forensics but also for lab automation and threat intelligence research. Dissect can also be easily extended with new functionality to fit your specific needs. With its user-friendly interface, users can easily extract and analyze data, allowing them to convert chaos into valuable evidence.

Most of the discourse around performing forensics in the cloud focuses on provider-level logging. While this is undoubtedly useful, practitioners understand that resource-level forensic analysis is crucial when responding to incidents affecting cloud infrastructure - and much of this knowledge remains opaque and undocumented.

In this presentation, Chris Doman, CTO of Cado Security and Matt Muir, Threat Intelligence researcher at Cado Security will present novel research of undocumented forensic artifacts from cloud service provider specific operating systems and tools. They will provide the audience with an overview of forensic techniques across cloud compute and serverless environments. Native operating system artifacts will also be discussed and contrasted with their cloud equivalents, with consideration given to their usefulness in the context of the cloud.

We trust our tools to analyse the data and give us the 'right' answer, but should we? How can we verify that their output actually represents the truth? Tool validation should always be a key part of your processes, to prepare for DFIR investigations before you need to use tools in anger. In this presentation, I will also be introducing a project I have been working on, to provide Tool Validation resources to the community and encourage others to contribute

In this session we will dissect Snapchat data obtained from mobile phones extractions. We will dive into obscure serialized format (protobufs) to uncover information needed to recover juicy content (ie media). This content can be located both on the device as well as in the cloud, usually encrypted. We will also dive in attachments and how to match a media to a message.

During this very technical talk, attendees will learn:

• How to leverage Snapchat cache
• How to download and decrypt chat artifacts stored online
• How to decrypt Memories and My Eyes Only

What is Threat Informed Defense and how does it help in the daily work as an IT/OT specialist?

What is the advantage of using MITRE ATT&CK and D3FEND together in DFIR (rapid improvement with the help of CTI)?

What is Holistic Threat Modeling and MITRE Detection Engineering and how is good Detection Engineering defined to effectively use it for CTI and DFIR?

What role does the maturity of threat modeling have for companies regarding Thread Informed Defense (maturity level)?

What could be the goals/starting points for the audience to get more visibility, find gaps and analyze Cyber Threat Intelligence successfully and use the findings for DFIR? (Create for e.g. own attack flows with information about the directories, processes and artifacts as a playbook, prioritize TTPs etc.)

How to use rapidly the results to hunt and build own detection rules?

This talk will show a whole use case with a CTI report, how to extract it, find more information about the threat actor, prioritize the techniques, build an attack flow for DFIR and hunt rapidly within 24h after the latest CTI or alert occurred (or new vulnerability); rapid improvement with the threat informed defense approach

During this presentation, we will navigate through the intriguing world of continuous Purple Teaming, shedding light on how it can transform your incident response and forensic practices. Whether you're seeking to optimize proactive threat hunting, streamline incident handling, or improve digital forensics, this presentation offers practical guidance and actionable insights.

This session builds upon Erik van Buggenhout's thought-provoking RSA Conference talk, focusing specifically on incident response and forensics within the continuous Purple Teaming framework. Prepare to be inspired and equipped with the knowledge to integrate Purple Team methodologies and tooling into your DFIR operations.

We unlock the potential of continuous Purple Teaming and empower your incident response and forensic teams to tackle cyber threats with confidence. Discussing real-world experiences and gaining the tools you need to embrace to establish Always-On Purple Team in your organization.

Main key takeaways for this presentation are:

• The concept and benefits of continuous Purple Teaming, blurring the lines between red and blue teams for collaborative defense and offense capabilities.
• How to establish an Always-On Purple Team that fortifies your cybersecurity defenses while maintaining team morale.
• The integration of DFIR with the Purple Team approach, leveraging a creative mindset to enhance incident response and digital forensics.
• Proactive threat-hunting techniques, effective incident handling, and leveraging threat intelligence within the Purple Team framework.