
Practical training in pentest laboratories. Part 4



“Corporate laboratories” is a training program in the field of information security that consists of a theoretical part (webinar courses) and a practical part (work in pentest laboratories). This article covers the practical part, which makes up about 80% of the total training program, and gives a brief walk-through of one of the practical tasks.

Information security specialists are often faced with the tasks of neutralising the consequences of a break-in, assessing system integrity, understanding how the attack happened and what it affected, collecting evidence and assessing the risk.

Forensics


Forensics (computer forensics) is an applied science concerned with solving crimes involving computer information: the study of digital evidence and the methods of finding, obtaining and preserving it. Computer forensics is a branch of forensic science.

Unfortunately, this discipline is rather poorly developed in the Russian Federation, which leaves its mark on how the work is done. The role of “security staff” is in most cases filled by system administrators on top of their normal duties, “protecting” the infrastructure as best they can. When a security incident does happen, they are usually not prepared to take correct, measured countermeasures, and they have no incident response procedures or plans.

Response


A well-designed plan helps, in a stressful situation (situations differ, of course, and the operator’s actions must be adequate to the one at hand), to carry out a standard set of responses without having to think them up on the spot. Attacking the attacker in return is not allowed: it is against the law. Collecting information about the attacker is allowed. But if the information is collected with a view to later presenting it in court, the “chain-of-custody” (chain of evidence) must be observed: a logical chain of reasoning and conclusions about a fact that leaves no room for doubt.

First of all, the “entry point” into the network, the so-called “patient zero” (for example, where a virus outbreak started), must be identified and recorded. Unless there is a direct threat to the integrity of the network and data, or to access to critical areas, the attacker’s actions must not be interfered with under any circumstances. The more digital traces he leaves, the broader the evidence base and the better the chances of determining the target, depth and affected objects of the attack.

At this stage, try to record all of the attacker’s actions without letting him know that he has been found. For example, an attacker who has delivered a malicious file to the attacked system may watch services such as virustotal.com and malwr.com for that sample to appear there: if it does, his attack or actions have most likely been detected and countermeasures introduced.

Example


Modern attacks often use socio-technical methods to deliver malicious code to the attacked system, for example phishing e-mail messages. Here the employee’s actions are quite simple: record the incident (for example, after the anti-virus program has flagged the message), remove the malicious attachment and analyse the service headers of the letter.
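The header analysis mentioned above, as an added example that is not part of the original article: it reads the service headers of a constructed phishing message with the Python standard library and reports the facts an analyst checks first, namely whether the visible From domain matches the envelope sender, which server generated the Message-ID, and which external relay actually handed the message to the recipient’s mail system. All domains, host names and IP addresses in the sample are documentation values made up for this example.

```python
"""Triage the service headers of a suspected phishing e-mail.

Added example (not code from the original article). Standard library only.
The message below is constructed: its domains, host names and IP addresses
are documentation values and stand for nothing real.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [198.51.100.10])
\tby mailstore.corp.example with ESMTP id 7b3; Mon, 5 Oct 2015 09:12:44 +0300
Received: from mail-relay.example.net (unknown [203.0.113.55])
\tby mx.corp.example with SMTP id 41a; Mon, 5 Oct 2015 09:12:40 +0300
Received: from [192.0.2.23] (localhost [127.0.0.1])
\tby mail-relay.example.net with ESMTPA id 9f0; Mon, 5 Oct 2015 09:12:37 +0300
From: "Accounting" <accounting@corp.example>
To: employee@corp.example
Subject: Invoice 2015-10 (urgent)
Message-ID: <20151005061237.9f0@mail-relay.example.net>
Content-Type: text/plain

Please open the attached invoice.
"""

# "from <claimed host> (<reverse DNS> [<ip>])" as most MTAs write it.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(address_header):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def parse_received_chain(msg):
    """Received hops oldest-first as (claimed_host, ip_or_None) tuples.

    Each relay prepends its own Received header, so the last one is the oldest.
    """
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(header.replace("\n", " "))
        if not m:
            continue
        ip = BRACKETED_IP.search(m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None))
    return hops


def triage_headers(raw_message):
    """Return the parsed facts plus a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    recipient_domain = domain_of(msg.get("To"))
    msgid_domain = (msg.get("Message-ID") or "").rpartition("@")[2].rstrip("> ").lower()
    hops = parse_received_chain(msg)
    findings = []

    # The visible From: is what the victim sees; Return-Path is where bounces go.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain '{from_domain}' differs from envelope sender '{envelope_domain}'")
    # A genuine corporate MTA stamps its own domain into the Message-ID.
    if from_domain and msgid_domain and not msgid_domain.endswith(from_domain):
        findings.append(f"Message-ID was generated by '{msgid_domain}', not by '{from_domain}'")

    # The hop just before the first hop inside the recipient's own domain is
    # the last external relay: the system that actually handed the message over.
    last_external = None
    for i, (host, _ip) in enumerate(hops):
        if recipient_domain and host.lower().endswith(recipient_domain):
            last_external = hops[i - 1] if i > 0 else None
            break
    if last_external and from_domain and not last_external[0].lower().endswith(from_domain):
        findings.append(f"Handed over by external relay {last_external[0]} ({last_external[1]}), not by '{from_domain}'")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "message_id_domain": msgid_domain,
        "hops": hops,
        "last_external_hop": last_external,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

Only the topmost Received headers (those written by your own mail servers) can be trusted; an attacker controls everything below them, which is why the script anchors on the first hop inside the recipient’s domain rather than on the bottom of the chain.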

There are also more sophisticated attacks that can only be recorded after the fact, for example as an illegitimate outgoing connection from one of the machines inside the infrastructure to the outside. In this case the attackers, with the help of specialised tools, can arrange a so-called payload that establishes a remote connection to the attacker’s host in order to perform arbitrary actions. This is done to make the attack harder to identify and to bypass the firewall or NAT. The attacker creates a meterpreter session that lives in RAM and leaves no trace on the hard disk of the attacked system. Meterpreter is a payload that was conceived within the Metasploit Framework as a flexible, extensible, full-featured and unified post-exploitation framework, as an alternative to classic shellcodes. To bypass anti-virus protection, tools such as Veil-Evasion are used to make the malicious code harder to detect. After a process has been attacked, DLL injection is used: first the shellcode that loads meterpreter is executed as a DLL, then it is placed in the address space of that process and launched as a new thread. Further stages of a multi-stage payload may follow, for example a Kerberos Golden Ticket attack to compromise the domain controller.

Data retrieval


Thus, all the digital evidence of the attack (apart from the traffic dump of the connection to the attacker’s host) resides in the RAM of the attacked system and is rather hard to retrieve. To take a complete image of RAM properly, various expansion cards or, for example, a FireWire port are used. In theory the memory modules can also be physically removed, with their contents preserved by rapid freezing. There is also the option of a “hot” reboot into a live distribution, for example Ubuntu CyberPack, but part of the memory (a little over 100 MB) is then overwritten by the data of the live OS itself. As for virtual machines (and virtualisation is very popular now), almost all of them allow an image to be captured from a live running system (though sometimes the virtual machine must initially have been started with a debug option).

A memory dump can also be taken on the system itself, using FTK Imager for example. This is useful when analysing malware or activity that leaves no trace on the physical disk. Open connections, loaded modules, processes and everything else are visible in the RAM dump.

For analysis you can use the Volatility Framework, which contains many plugins (aimed mainly at Windows systems). The dlllist plugin lists the DLLs loaded into a process, and the dlldump plugin extracts the contents of a specific DLL from memory for analysis. The full list of plugins is available in the project’s documentation.
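A typical next step after running dlllist over every process is to sift the output for modules that have no business being where they are, which is how an injected or dropped DLL like the one described in the Example section usually stands out. The following is an added example, neither the article’s code nor part of the Volatility project: it parses a constructed text blob laid out like Volatility 2 dlllist output (a process header line, then Base/Size/LoadCount/Path rows) and flags modules loaded from outside the system and program directories or from user-writable staging locations. The process names, PIDs, addresses and paths are made up; the optional LoadTime column handling is an assumption about later 2.x releases and is not exercised by the sample.

```python
"""Triage Volatility 2 'dlllist' output for modules loaded from unusual places.

Added example; it is neither the article's code nor part of the Volatility
project. SAMPLE_DLLLIST is a constructed blob laid out like dlllist output;
every process name, PID, address and path in it is made up.
"""
import re

SAMPLE_DLLLIST = """\
Volatility Foundation Volatility Framework 2.6
************************************************************************
explorer.exe pid:   1720
Command line : C:\\Windows\\Explorer.EXE

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ffa30000           0x2d4000             0xffff C:\\Windows\\Explorer.EXE
0x0000000077a40000           0x1a9000             0xffff C:\\Windows\\SYSTEM32\\ntdll.dll
0x0000000074ee0000            0x75000             0xffff C:\\Windows\\system32\\WS2_32.dll
************************************************************************
notepad.exe pid:   3412
Command line : "C:\\Windows\\system32\\notepad.exe"

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff0d0000            0x36000             0xffff C:\\Windows\\system32\\notepad.exe
0x0000000077a40000           0x1a9000             0xffff C:\\Windows\\SYSTEM32\\ntdll.dll
0x0000000074ee0000            0x75000                0x1 C:\\Windows\\system32\\WS2_32.dll
0x0000000010000000            0x1b000                0x1 C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll
"""

PROCESS_HEADER = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
# Base, Size, LoadCount, then (assumed, for later 2.x releases) an optional
# "YYYY-MM-DD HH:MM:SS UTC+0000" LoadTime column, then the module path.
MODULE_ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+"
    r"(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}\s+)?(.+?)\s*$",
    re.IGNORECASE,
)

# Directories a module load is expected from on a stock Windows install.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations where a dropper typically stages its payload.
STAGING_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")
MODULE_EXTENSIONS = (".dll", ".exe", ".drv", ".ocx")


def parse_dlllist(text):
    """Return {(process_name, pid): [module dict, ...]} from dlllist output."""
    processes = {}
    current = None
    for line in text.splitlines():
        header = PROCESS_HEADER.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            processes[current] = []
            continue
        row = MODULE_ROW.match(line)
        if row and current is not None:
            processes[current].append({
                "base": int(row.group(1), 16),
                "size": int(row.group(2), 16),
                "load_count": int(row.group(3), 16),
                "path": row.group(4),
            })
    return processes


def suspicious_modules(processes):
    """Return a finding per module whose on-disk location is out of place."""
    findings = []
    for (name, pid), modules in processes.items():
        for mod in modules:
            path = mod["path"].lower()
            reasons = []
            if not path.startswith(TRUSTED_PREFIXES):
                reasons.append("loaded from outside the system/program directories")
            if any(hint in path for hint in STAGING_HINTS):
                reasons.append("path is a user-writable staging directory")
            if not path.endswith(MODULE_EXTENSIONS):
                reasons.append("unexpected module extension")
            if reasons:
                findings.append({"process": name, "pid": pid, "base": mod["base"],
                                 "path": mod["path"], "reasons": reasons})
    return findings


def triage(text):
    """Parse dlllist output and return the list of suspicious modules."""
    return suspicious_modules(parse_dlllist(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_DLLLIST):
        print(f"{f['process']} (pid {f['pid']}) {f['path']}: {', '.join(f['reasons'])}")
```

Each flagged module carries its base address, which is exactly the value dlldump needs (its --base option) to carve that module out of the image for further analysis. The path heuristics are deliberately coarse: a module that reports a legitimate path can still be hollowed out or reflectively loaded, so this is a triage pass, not a verdict.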

Digital evidence


Digital evidence is very fragile, so a few rules, both technical and legal, must always be observed:

  1. Admissibility. This is essentially proof that the facts were obtained legally (for example, without attacking the intruders to obtain evidence).
  2. Credibility. The facts you cite must be directly relevant to the case.
  3. Completeness.
  4. Reliability.
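The chain of custody mentioned in the Response section and the completeness and reliability rules above are in practice enforced by hashing every evidence item at acquisition and logging each subsequent action against that hash. As an added example (not part of the original article), the script below records a constructed stand-in for a RAM image in a tamper-evident custody log, where each entry also commits to the hash of the previous entry, and then verifies both the log and the evidence file. The examiner name and case number are placeholders, and the "image" is random bytes written to a temporary directory.

```python
"""Record and verify evidence in a hash-linked chain-of-custody log.

Added example, not code from the original article. The evidence file is a
constructed stand-in (random bytes); examiner and case id are placeholders.
"""
import datetime
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # previous-entry hash for the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte memory images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def load_manifest(manifest_path):
    """Return the log entries (one JSON object per line), or [] if none yet."""
    if not os.path.exists(manifest_path):
        return []
    with open(manifest_path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


def entry_hash(entry):
    """Hash of an entry's content, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_custody(manifest_path, evidence_path, examiner, action, case_id):
    """Append one custody entry and return it. Each entry links to the previous one."""
    entries = load_manifest(manifest_path)
    entry = {
        "case_id": case_id,
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "previous_entry_hash": entries[-1]["entry_hash"] if entries else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    with open(manifest_path, "a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_chain(manifest_path, evidence_path):
    """Return (ok, problems): checks every link in the log and the evidence itself."""
    problems = []
    entries = load_manifest(manifest_path)
    previous = GENESIS
    for i, entry in enumerate(entries):
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered")
        if entry["previous_entry_hash"] != previous:
            problems.append(f"entry {i}: does not link to the previous entry")
        previous = entry["entry_hash"]
    if entries and sha256_file(evidence_path) != entries[-1]["sha256"]:
        problems.append("evidence hash no longer matches the last recorded hash")
    return (not problems, problems)


def demo():
    """Acquire, hand over, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "memdump.raw")
        manifest = os.path.join(workdir, "custody.jsonl")
        with open(image, "wb") as fh:
            fh.write(os.urandom(4096))  # constructed stand-in for an acquired RAM image
        record_custody(manifest, image, "EXAMINER_PLACEHOLDER",
                       "acquired RAM image with FTK Imager", "CASE_PLACEHOLDER")
        record_custody(manifest, image, "EXAMINER_PLACEHOLDER",
                       "transferred to analysis workstation", "CASE_PLACEHOLDER")
        ok_before, _ = verify_chain(manifest, image)
        with open(image, "ab") as fh:
            fh.write(b"x")  # simulate a modified evidence file
        ok_after, problems = verify_chain(manifest, image)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The log is append-only by construction: editing or dropping an entry changes its hash and breaks the link from the entry after it, so the verifier reports exactly where the chain was disturbed, which is the kind of evidence an admissibility challenge turns on.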

Readiness to record actions and areas of responsibility, as well as competent response to security incidents, are among the fundamental factors in protecting network infrastructure.


Practical training in pentest laboratories. Part 1
Practical training in pentest laboratories. Part 2
Practical training in pentest laboratories. Part 3
Practical training in pentest laboratories. Part 5

Source: https://habr.com/ru/post/267949/
