Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle
December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Setting the Stage
• Basics of Investigative Trees
• Rules for Building Investigative Trees
• Example: Corporate E-Mail Espionage
• Demo: iTree.pm

Setting the Stage
• Multi-Site Corporation
• Information Leakage Suspected
• Insider Suspected
• Factor: Outsourced IT
• You’re the objective third party

Investigative Trees
• Designed to answer one question: Given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?

Building a Tree
• Ask a question
• Split into smaller questions that can be answered until the questions are small enough to act upon
• Build procedures to answer questions. There may be multiple ways to answer
• Add parameters to provide perspectives

Rules for iTrees
• Root node is the goal or outcome
• Leaf nodes represent conditions of meeting the parent node or goal
  – “OR” leaf nodes
  – “AND” leaf nodes
• All nodes should be Boolean in nature

Rules (cont’d.)
• Additional parameters can be added to provide perspectives
• Leaf nodes may become root nodes of a sub-tree that can be saved as a library

General Parameters
• Confidence – level of trust
• Confidence_i – level of trust (impacted)
• Impacted – True or false
• Weight – comparison to neighbor nodes
• Category – label for organization

Other Parameters
• Cost
• Time
• Rate
• Units
• Dependency
• Early Start
• Early Finish
• Late Start
• Late Finish
• Slack Time

Example: Corporate E-Mail
• Root Question: Can we verify the vector for delivering the e-mails?
• Need to define the leaf nodes or subgoals

Leaf Nodes (OR)
• Were the e-mails sent via the Outlook-Exchange method?
• Were the e-mails sent via the web-based OWA method?
• Were the e-mails sent via a mobile device method?
• Were the e-mails sent via SMTP through a gateway?

Continue Expanding
• Were the e-mails sent via SMTP through a gateway?
  – Can we verify the presence of SMTP headers in the original e-mail?
  – Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?

Add Steps to Get the Answers
• Can we verify the presence of SMTP headers in the original e-mail?
  – Can we recover the presence of SMTP headers in the original e-mail?
    • Can we recover a copy of the original e-mail from the desktop or laptop?
    • Does the e-mail contain SMTP headers (RFC821)?

Demo: iTree.PM
• Perl module to automate the investigation tree creation process

Summary
• Investigative Trees = good investment
• Design supports KB natively
• Easy to expand and share information
• Perl Modules available for creation and automation
www.investigativetrees.com
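As an added example (not the iTree.pm module or any code from the deck), the corporate e-mail tree from the slides modelled in Python with OR/AND nodes and the Cost and Confidence parameters, so the tree's central question, which investigation gives the most confidence within a fixed budget, can be computed. The cost and confidence values are constructed, the two SMTP sub-questions are assumed to be AND nodes, and multiplying confidences across an AND node is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Plan = Tuple[float, float, List[str]]  # (confidence, cost, procedures to run)

@dataclass
class Node:
    question: str                 # every node is a yes/no question (Boolean)
    kind: str = "LEAF"            # "OR", "AND", or "LEAF" (a concrete procedure)
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0             # resource units to run the procedure (LEAF only)
    confidence: float = 0.0       # trust in the answer it produces (LEAF only)

def plans(node: Node) -> List[Plan]:
    """Enumerate every way to answer `node` as (confidence, cost, steps)."""
    if node.kind == "LEAF":
        return [(node.confidence, node.cost, [node.question])]
    child_plans = [plans(c) for c in node.children]
    if node.kind == "OR":          # any one child answers the parent
        return [p for ps in child_plans for p in ps]
    # AND: every child must be answered; costs add up and (assumed here)
    # confidence is the product of the children's confidences
    combined: List[Plan] = [(1.0, 0.0, [])]
    for ps in child_plans:
        combined = [(c1 * c2, k1 + k2, s1 + s2)
                    for c1, k1, s1 in combined for c2, k2, s2 in ps]
    return combined

def best_plan(root: Node, budget: float) -> Optional[Plan]:
    """Highest-confidence plan whose total cost fits the budget, or None."""
    affordable = [p for p in plans(root) if p[1] <= budget]
    return max(affordable, key=lambda p: p[0], default=None)

# The corporate e-mail tree from the slides; cost/confidence values are constructed
EMAIL_TREE = Node("Can we verify the vector for delivering the e-mails?", "OR", [
    Node("Were the e-mails sent via the Outlook-Exchange method?", cost=5, confidence=0.65),
    Node("Were the e-mails sent via the web-based OWA method?", cost=3, confidence=0.6),
    Node("Were the e-mails sent via a mobile device method?", cost=8, confidence=0.5),
    Node("Were the e-mails sent via SMTP through a gateway?", "AND", [
        Node("Can we verify the presence of SMTP headers in the original e-mail?", "AND", [
            Node("Can we recover a copy of the original e-mail from the desktop or laptop?",
                 cost=4, confidence=0.9),
            Node("Does the e-mail contain SMTP headers (RFC821)?", cost=1, confidence=0.95),
        ]),
        Node("Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?",
             cost=6, confidence=0.8),
    ]),
])
```

With a budget of 12 the SMTP gateway branch (three procedures, confidence about 0.684) wins; at 10 the cheaper Outlook-Exchange check is the best affordable answer, and at 2 no procedure fits.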