
Practical Incident Response in Heterogenous Environment - Kevin Murphy & Stefano Maccaglia BSides Detroit 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Practical Incident Response in Heterogenous Environment
Kevin Murphy & Stefano Maccaglia

Mass triage during an incident is not an option but a need. In the course of an incident, the IR team will have to retrieve files from a number of machines in a forensically sound manner. The initial main goal of the team is identifying infected or touched machines, as well as scoping the size of the incident. But to achieve this goal in a way that ensures speed and accuracy, traditional approaches are strongly dependent on the availability of specific technologies such as RSA NetWitness Endpoint, Carbon Black or Fidelis. These technologies are expensive, complex to distribute during an incident and require experienced personnel to manage them. Another issue is that most of these tools are written for the Windows OS. It is difficult to support multiple tools and methods across a heterogeneous environment consisting of Windows and *NIX. We have developed a mass triage approach relying on a small set of open source tools that is easily customizable. The approach relies heavily on the ClamAV antivirus as a mass triage scanner and a set of custom IOCs. ClamAV allows for scanning a heterogeneous environment, where the results can be parsed through scripts that highlight the match of a specific malware or actor sign on one or more machines. Any machine identified with positive hits can then be added to the list of boxes needing triage. Our method can be applied in hybrid approaches where some of the machines are analyzed through endpoint technologies and the remaining systems, not compatible with these technologies, are analyzed using the methods we outline. In the end the goal remains the same: find the attacker and remove him from the environment. Keven and Stefano will present the method and the results in specific case studies where it has been used to fight Advanced Persistent Threats. The presentation will show the methodology and the customizations needed to transform a free antivirus into a powerful mass triage tool.
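The "parse the ClamAV results through scripts" step described above, as an added example that is not code from the talk: the scan logs, host names and Custom.* signature names are constructed, and the hash-signature helper emits the ClamAV .hdb line format (md5:size:name) used for custom IOC databases.

```python
import re
from collections import defaultdict

# Constructed sample: one clamscan log per host, e.g. collected after running
# `clamscan -r -i -d custom_iocs/ <path>` on each box (Windows and *NIX alike).
SCAN_LOGS = {
    "win-fs01": r"""C:\Windows\Temp\svch0st.exe: Custom.APT.Dropper.A FOUND
C:\Users\bob\AppData\Roaming\rd.dll: Custom.APT.Loader.B FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
""",
    "lnx-web02": r"""/var/tmp/.x/kworkerds: Custom.Linux.Backdoor.C FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
""",
    "lnx-db03": "----------- SCAN SUMMARY -----------\nInfected files: 0\n",
}

# clamscan reports each detection as "<path>: <SignatureName> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_scan_log(text):
    """Return a list of (path, signature) for every FOUND line in one host's log."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage_list(logs):
    """Map host -> hits; hosts with no hits are left out of the triage list."""
    return {host: hits for host, text in logs.items() if (hits := parse_scan_log(text))}

def hosts_by_signature(logs):
    """Map signature -> sorted hosts, to show how far each IOC has spread."""
    spread = defaultdict(set)
    for host, hits in triage_list(logs).items():
        for _, sig in hits:
            spread[sig].add(host)
    return {sig: sorted(hosts) for sig, hosts in spread.items()}

def hash_signature(md5_hex, size, name):
    """Build one ClamAV .hdb line (md5:size:name) for a known-bad file."""
    return f"{md5_hex}:{size}:{name}"

if __name__ == "__main__":
    for host, hits in triage_list(SCAN_LOGS).items():
        print(host, [sig for _, sig in hits])
    print(hosts_by_signature(SCAN_LOGS))
```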

Keven is a Principal Consultant for the IR Practice in RSA. He is an experienced IR analyst focused on forensics analysis, network analysis, and malware analysis. Before RSA, Keven worked for General Dynamics Land Systems, CSC, and other companies. He has written several open source forensics tools and enjoys blogging for the SANS Computer Forensics Blog.

Stefano is a Principal Consultant for the IR Practice in RSA. He is an experienced IR analyst focused on malware analysis, network analysis and reverse engineering. He has a deep knowledge of the hacker's underground scene and he is an active member of several security communities focused on knowledge sharing and early warning. Prior to RSA, Stefano worked for Digital, HP, Cisco and other companies worldwide. In his career as Incident Analyst and Researcher he has successfully faced a number of complex engagements spanning from attacks against SCADA systems to cyberespionage and fraud. In recent years he has focused his interest on the East European underground scene and cybercriminal/state sponsored activities, helping banks and public or private companies protect their assets or respond to attacks.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast