TimeSketch - Forensic Timeline Analysis
Developing timeline of forensic artifacts is a great practice. There are several tools like log2timeline, Plaso, commercial tools etc will develop a timeline for you. Today, we are going to discuss about another tool called Timesketch.
Here is the GitHub repo: https://github.com/google/timesketch
The easiest way to get up and running is by using Docker Image. Fortunately, there is already an image of TimeSketch in docker: https://hub.docker.com/r/ilyaglow/timesketch
Another way it to compose docker image on the host itself:
Timesketch will be up and running on http://127.0.0.1:5000
It'll give you a nice option to upload a CSV file or a Plaso Dump file.
This tool was written by Christian Wojner for finding Malware on an infected system. The tool will basically look for the density of the code of the each file and present it in the descending order.
It's a pretty handy tool for identifying malicious files. This is just and indicator - don't completely rely on the results of density scout. Run is data by couple of other tools like PEscan and Sigcheck etc.
In case if the traditional forensics/IR tool fails to identify a malware. This is one of the good methods to run the image/mounted volume though density scout and get a list of suspicious binaries with lower score, run and MD5 and check in Virus total.
In case if you don't have forensic tools on your machine or you are using a Mac machine. You can use a SIFT docker container to perform the action.
Docker SIFT Image: https://hub.docker.com/r/gourav5660/sans_sift_forensics
Once you have docker image pulled run following command:
Cyber Kill Chain Model - Lookheed Martin
Cyber kill chain is another way to look at the incident response process. Think from the attacker perspective.There are 7 Phases in this model:
1) Reconnaissance: Gather information about the organization by using all the tools at disposal. Other hard to detect and distinguish from the normal user activity.
2) Weaponization: In this phase an adversary will decide things like what malware to use, word doc or something else, shell code or power-shell script, etc.
3) Delivery: The intruder will decide how to deliver the payload for example phishing or not phishing, exploiting some vulnerability etc.
4) Exploitation: In this phase, the software, human or hardware vulnerabilities are exploited
5) Installation: The adversary will establish the foothold in this phase by moving laterally and establishing persistence etc.
6) Command and Control: The communication channel will be established between the payload and the control channel.
7) Action on Objective: The intruder will execute his/her objective. It may be data exfiltration, it may be denial of service etc.
mnemonic: Rob wrestled Dave everyday in the common area
Threat Hunting is a proactive method. It's a way of looking for adversaries actively, identifying known malware, performing anomaly detections, and utilizing the threat intelligence information.
Incident Response is reactive, and the process starts after the team received an alert or notification. Majority of the organization starts from reactive (IR) and slowly moves to the Threat Hunting as they mature. Threat Intelligence plays a crucial role in the success of the IR and TH Programs in any organization.