Aaron LeMasters & Michael Murphy: Rapid Enterprise Triaging
About: magine this scenario - routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-Virus did not catch it - updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?
Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget for a one-time fix.
Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.
Additionally, to help alleviate enormous costs of enterprise Incident Response tools, we will be releasing a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.