About this ebook
"There are two kinds of companies: those that have been breached and those that do not know it yet."
The company calling us just discovered an anomaly on their most critical systems. Our job is to conduct a deep forensic analysis, perform threat assessment, and uncover all malware programs left by hackers.
Digital Forensics
We follow the attacker's footprint across a variety of systems and create an infection timeline to help us understand their motives. We go as deep as memory analysis, perfect disk copy, threat hunting and malware analysis while sharing insights into real crisis management.
Rebuilding systems
Finally, we tackle the most important issues of any security incident response: how to kick the attackers out of the systems and regain trust in machines that have been breached.
For those that read hacking books like the "Art of Exploitation" or "How to Hack Like a Pornstar", you finally get to experience what it feels like to be on the other side of the Firewall!
Book preview
How to Investigate Like a Rockstar - sparc Flow
Foreword
There are two kinds of companies: those that have been breached and those that do not know it yet. And when they finally find out – if they are that lucky – a violent panic sets in that quickly escalates to the executive level.
This book describes in detail such an incident inspired by real life events, from the first doubtful call made by a bank to the height of tension caused by preliminary forensic analysis.
We will go as deep as memory analysis, perfect disk copy, threat hunting and data carving while sharing insights into real crisis management: how to steer people in the right direction, what are the crucial reflexes of a first responder, what to say and do in the first minutes of a security incident, and how to address the inevitable challenge of security versus business continuity.
Finally, we will tackle the most important issue of all: how to rebuild a trusted and secure information system.
We will find out how we can regain trust in machines that have been breached, and how we can make sure attackers will not come back to exact a bitter revenge.
Note: Custom scripts and special commands documented in this book are publicly available at www.hacklikeapornstar.com.
Important disclaimer
The examples in this book are entirely fictional. The tools and techniques presented are open-source, and thus available to everyone. Investigators and pentesters use them regularly in assignments, but so do attackers. If you recently suffered a breach and found a technique or tool illustrated in this book, this neither incriminates the author of this book in any way nor implies any connection between the author and the perpetrators.
Any actions and/or activities related to the material contained within this book is solely your responsibility. Misuse of the information in this book can result in criminal charges being brought against the persons in question. The author will not be held responsible in the event any criminal charges are brought against any individuals using the information in this book to break the law.
This book does not promote hacking, software cracking, and/or piracy. All of the information provided in this book is for educational purposes only. It will help companies secure their networks against the attacks presented, and it will help investigators assess the evidence collected during an incident.
Performing any hack attempts or tests without written permission from the owner of the computer system is illegal.
Table of contents
Foreword
The first call
Action plan
Preliminary diagnosis
Further probing
The culprit
Collecting artifacts
Analyzing data
Memory analysis
Bigger picture
Round two
Disk analysis
IP analysis
Linux analysis
Kill or cure
Closing note
The first call
To pity distress is but human; to relieve it is Godlike.
Horace Mann
Like most major security incidents, our story begins with a distress call at 6 am:
Hello, this is LeoStrat Inc. I am trying to reach the Computer Emergency Response Team to report unusual activity on our mainframe. We have reason to believe malicious actors have attempted to access sensitive banking information, and we would like you to assist us in conducting an investigation.
Very well. Please do not perform any actions on the machine until we are on-site.
Given the nature of the incident, we quickly dispatch a first responder to assess the severity and sophistication of the attack. Are we talking about classic malware, a rootkit or a targeted attack? What kind of evidence do we have? Which other machines are infected?
The small detail that troubles us, though, is the nature of the machine reportedly impacted. How can there be malware on a mainframe? These systems do not even have public vulnerabilities listed on popular websites¹.
Actually, we are surprised that the attacker even bothered to target this legacy machine in the first place.
In any case, in preparation for going on-site we arrange our regular toolkit:
Laptop with both Kali Linux and Windows for analysis purposes. Some like to use the SIFT² virtual machine, which comes with pre-installed forensic tools.
A few empty external hard drives. There are never enough of these, so we take as many as we can.
A bootable USB key containing a Debian distribution.
A USB key containing classic forensic tools, and also clean versions of Linux and Windows binaries (cmd.exe, bash, etc.).
Multiple screwdrivers in case we need to deal with physical machines.
Physical write blocker to perform forensically sound copies (more on this later).
Miscellaneous equipment: RJ45 USB adapter, USB hub, USB-C to USB adapter, male to female USB cable and SATA to USB adapter…
Action plan
We arrive on LeoStrat’s main site at 7 am and request the same three items we always ask for in an investigation:
A fresh update on the situation
All documents describing the network and system architecture
Contact information for every key IT role inside the company (network admins, mainframe admins, Linux admins, Windows admins, security officer, CTO, etc.)
People tend to believe that a forensic investigator is some kind of wizard who can instantly ward off evil with his magic wand. This could not be further from the truth.
It is a challenge to dive into an unknown ecosystem and deal with its intricate complexities. That is why it is crucial to both get as many documents as possible and also to quickly identify key people who can assist us in the investigation by mapping critical machines, extracting logs, creating accounts, contacting personnel, etc.
While LeoStrat is building its crisis team and setting up shifts, we get a description of the incident from a mainframe admin (also called a sysadmin or sysprog):
We noticed an unusual spike in the CP workload around 4 am. Our sysprog checked the JES SPOOL and found a JOB consuming almost all I/O. The JOB was submitted by an unknown account called G09861.³
Before asking what the heck a JES SPOOL is, we start with a somewhat naïve question:
So, we understand that some banking data was leaked? Precisely what kind of data are we talking about?
Oh, on the Z machine we have client accounts, pension funds, balance files, personal information, tax returns… you name it.
And that’s when it hits us! The mainframe is not their good ol’ legacy machine; it’s where almost all of their core business is processed! This is promising.
Now that they have our attention, let us break down what just happened on their mainframe.
Let’s start with the machine itself. A mainframe is a big iron machine that powers up to 20 billion transactions per day without breaking a sweat⁴: wire transfers, money withdrawals, flight bookings, etc. IBM's Z series is used by 75% of Fortune 500 companies and is without question the foundation of our modern business economy.
Think of it this way: when you hail a ride on Uber, for instance, you trigger a mainframe transaction.
These machines can run several operating systems on top. The main one is z/OS, a product developed by IBM. Both the software and hardware are actively maintained with security updates, new releases, etc. – hardly a legacy system.
The licensing model of a mainframe is somewhat different from that of other machines. Companies pay millions of dollars every year to IBM based on their Central Processor (CP) usage.
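The sysprog's two signals above (a CP spike in the 4 am hour and a job from an unknown account monopolising I/O) turned into triage logic over a constructed, simplified spool listing. This is an added example, not code from the book or from www.hacklikeapornstar.com; the record layout, the userid allow-list and the thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed job records, loosely modelled on what a sysprog would read off
# a JES spool listing: job name, submitting userid, submit time (HH:MM),
# CP seconds consumed, EXCP count (I/O operations). Values are invented.
SAMPLE_SPOOL = """\
NIGHTBAT OPER01 01:10 12.4 48211
BALANCE1 BATCH7 02:30 30.1 91004
RPTGEN   OPER01 03:05 4.2 12003
DUMPALL  G09861 04:02 410.7 1998000
ARCHIVE  BATCH7 04:15 22.0 60550
"""

# Assumed allow-list of userids authorised to submit batch work (constructed).
KNOWN_USERS = {"OPER01", "BATCH7"}


@dataclass
class Job:
    name: str
    user: str
    hour: int
    cpu: float
    excp: int


def parse_spool(text: str) -> list[Job]:
    """Parse the whitespace-separated constructed listing into Job records."""
    jobs = []
    for line in text.splitlines():
        name, user, hhmm, cpu, excp = line.split()
        jobs.append(Job(name, user, int(hhmm[:2]), float(cpu), int(excp)))
    return jobs


def io_hogs(jobs: list[Job], share: float = 0.5) -> list[Job]:
    """Jobs responsible for at least `share` of all I/O in the listing."""
    total = sum(j.excp for j in jobs)
    return [j for j in jobs if total and j.excp / total >= share]


def unknown_submitters(jobs: list[Job], known: set[str]) -> list[Job]:
    """Jobs submitted by a userid that is not on the allow-list."""
    return [j for j in jobs if j.user not in known]


def cp_spike_hours(jobs: list[Job], factor: float = 5.0) -> list[int]:
    """Hours whose summed CP usage exceeds `factor` times the median hour."""
    by_hour: dict[int, float] = {}
    for j in jobs:
        by_hour[j.hour] = by_hour.get(j.hour, 0.0) + j.cpu
    baseline = median(by_hour.values())
    return sorted(h for h, cpu in by_hour.items() if cpu > factor * baseline)
```

On the sample data the three checks converge on the same job: DUMPALL, submitted by G09861, accounts for roughly 90% of all I/O and drives the CP spike in the 4 am hour.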