GuardYoo - Forensic Framework
Red Teaming has long been using a framework to automate the chronological stages of researching and testing for vulnerabilities.
In a time when attacks are coming thick and fast, the amount of resources and time dedicated to cyber forensics and investigations is intensifying due to the mounting volume of data available for analysis.
In some cases, cybersecurity applications are so focused on trying to stop a breach, they put forward terabytes of log data for analysis, as they see every “blip” as a potential threat.
This leads to “Alarm Fatigue” and wastes valuable time and resources.
We at GuardYoo are developing a framework approach to forensic analysis of data which will save cybersecurity research teams weeks that are usually spent studying terabytes of information.
The GuardYoo framework allows cybersecurity professionals to automate the analysis of all event logs, which are rich with valuable information including Artifacts stored in Registry Branches, WMI repositories, and other valuable Telemetry data.
GuardYoo has developed sophisticated algorithms to convert this previously unusable data into a powerful source of forensic data allowing cybersecurity teams better understand their infrastructure, as well as reducing the time to implement solutions such as SIEM.
What’s the GuardYoo way?... The first step is to fully understand how your network is operating.
Take our short quiz to test your knowledge of your own network
- How many Domain or Enterprise Administrator accounts are in your infrastructure?
- Will your Administrators be able to distinguish their own actions from the actions of hackers, if their own accounts are compromised?
- Do Administrators use their highly privileged accounts solely for the tasks for which they were created, or do they allow themselves violations?
(Reading mail, installing free software, unnecessarily accessing other hosts on the network)
- How many active GUEST accounts do you have in your infrastructure?
- How many active local Administrator accounts do you have in your infrastructure using an unrestricted password?
- How many active Local Administrator accounts do you have in your infrastructure using the same password?
- How many active Local Administrator accounts do you have in your infrastructure that do not have any password requirements?
- How many active accounts are included in the Administrators group in your infrastructure?
- Have all users proven themselves to be trustworthy/responsible employees or are there active accounts for users that have displayed risky behaviour in the past?
- How many hosts are actively using software with remote access capabilities? (TeamViewer, LogMeIn)
- Are anti-virus tools installed, working, and updated on all hosts and servers?
If your answers have raised any concerns about your cybersecurity posture, please read on as we highlight some techniques criminals may use to exploit vulnerabilities associated with our quiz above.
The Technical Bit…
Antivirus companies can claim to be 99% effective against known malware but cannot commit to 100% as this would be impossible. Current figures, estimate 600,000+ new viruses are released daily.
This 1% gap is important as one piece of malware is enough to allow attackers to infiltrate an infrastructure. If penetration cannot be prevented, the only option is to safely manage any anomalies identified within the infrastructure and to create as many barriers for attackers as possible, because it’s not only the good guys that study infrastructure log data, criminals also use log data to understand how they can quickly and stealthily gain control of the infrastructure.
Once attackers understand how they can “hide in plain sight” they begin to create “backdoors” and “sleeping agents.” (Developing tunnels using TV, VNC, DAMEWARE, etc. whilst also creating accounts similar in name to the legitimate ones)
As per the quiz above it’s crucial that companies wholly know and understand their infrastructure and not rely on just deploying cybersecurity solutions in the hope that they will do all the work for them.
Contrary to popular belief, deploying a SIEM solution does not prevent incidents from happening.
A SIEM is only effective if you know where to focus its processing power (which is quite difficult to achieve in this age of dynamic infrastructures).
A poorly thought out SIEM deployment only plays into the hands of cybercriminals.
To give an example, Mimikatz is an open-source malware program regularly used by hackers and penetration testers to gather credentials on Windows devices. Any obtained credentials can then be used to access sensitive information or to enable lateral movement attacks.
The main danger Mimikatz poses is dumping the LSASS process in order to extract passwords stored in the memory of this process.
To do this, the hacker must access the memory of this process and for this, they must request an access mask containing the value 0x10
(masks can be of different types, for example, 0x1010 or 0x1410).
This feature is used by cybersecurity teams when determining rules for SIEM systems (in addition to the obvious ones - the process name, but this information is stored in the logs only in the case of extended logging).
Few people realise that when a request for a list of processes is submitted (via WMI query or simply "task manager" start) you will receive the same type of request - (with mask 0x1010 or 0x1410).
So it can be extremely difficult to get an accurate picture of behaviour within the system.
The only reliable way to determine which tools are needed to remove the LSASS dump is full monitoring at both the process level and at the file system level, which in turn places a heavy load on the system and dramatically reduces the depth of available logs.
To reduce the load on the system and increase the storage time of data within the logs (without increasing the size of the logs), administrators will decide to decrease the number of events being logged.
This is a bad idea as they will inadvertently lose out on recording potential key evidence meaning their zone that is under control and monitored is getting smaller and smaller.
Meanwhile, intruders will focus on gaining “legitimate” access by compromising existing user accounts. Once within the system, they will analyse logs for a better understanding of how the infrastructure operates and will mimic the actions of legitimate users actions.
- Every Account on the system should be assigned to someone;
this means that every account in infrastructure has an owner who is responsible for the account.
Regular audits of all active accounts should be carried out with account owners signing off on the validity of the accounts they are responsible for.
If, after any audit accounts are identified that do not have an owner assigned, these accounts should be validated and if found to be bogus or not needed.
- Delete this account and monitor the host on which the account was found
- limit privileges for this account and monitor any activity to establish its origin
- No “personal” users accounts should be used for business-critical processes
- A network Service Account should be restricted to the process for which it was created, and used only by a dedicated service or process (but not by a person, except when configuring or monitoring).
Service accounts are a special type of non-human privileged account used to execute applications and run automated services, virtual machine instances, and other processes. Service accounts can be privileged local or domain accounts, and in some cases, they may have domain administrative privileges.
- Carry out regular audits on all accounts (especially local ones) and on all resources within the infrastructure - without exception
- Administrative Accounts (especially accounts of domain or enterprise administrators) should only be used for routine maintenance in exceptional cases (each instance must be recorded and approved). In no circumstance should Administrative Accounts be used for routine tasks such as reading mail, installing free software, browsing the internet.
- To gain access to highly privileged accounts, instead of logging in as a superuser, or placing a user account in a group that provides privileged access, utilise the operating system feature “Run As” which allows for temporary elevation of privileges. https://security.berkeley.edu/MSSND/privileged-accounts-guidelines
Remote access software:
- Track usage of TeamViewer, VNC, LogMeIn, etc. as these are applications attackers use to create tunnels to maintain control over the infrastructure.
- Monitor utilities such as PSEXEC being used to access multiple hosts, it is through these utilities that hackers distribute malware that allows them to gain control of the infrastructure, they will distribute "sleeping agents" and create hidden tasks in the task scheduler.
- If a breach occurs and critical resources need to be restored, it is necessary to make sure that the restored version does not contain "sleeping agents" or hidden tunnels, since attackers will deliberately wait until a compromised system will be backed up, and only then will proceed to next phase of their attack. This way, they will be able to maintain control over the infrastructure after systems are restored.
The above recommendations may sound like the ramblings of someone with extreme paranoia, but they do present many problems for attackers because they create a difficult-to-repeat infrastructure profile.
As outlined earlier, there are many cybersecurity attack frameworks available, however, there is no forensic investigation framework in existence yet.
The GuardYoo Forensic Investigation Framework helps to link seemingly legitimate (but adversarial) events into a chain of events - which can then be represented in a timeline as an attack.
If you would like to learn more about how GuardYoo can help organisations to reduce network vulnerabilities, please contact us here to set up a call.