Cyber War Stories presented at CarolinaCon11 2015

by Andrew Shumate

Summary: Have you ever been involved in an incident response and thought, while going through the network, that you were living in an episode of Hoarders? Have you ever approached the systems personnel and asked if these tools were theirs, only to be met with blank stares and the occasional twitch? During an incident response engagement, this cyber warrior and many members of the incident response team spent several hours asking about multiple dual-use tools known to be used by the threat actor. These tools were located throughout the network, and there was no way for the incident responders to know which tools were there for legitimate purposes and which might have been placed there by the intruder, or whether the intruder was simply being opportunistic in using them.
To counter this problem, a ‘Tool Control Program’ could be put in place at the enterprise level. This program is simply the centralization, standardization and documentation of the tools and utilities in use. Through this process, any dual-use tool found on the network can quickly be identified either as a legitimate tool used for network operations or as an indicator that an intruder has copied it over for nefarious purposes.
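The following is an added illustration of the triage that such a tool register makes possible; it is not code from the talk or from any product it mentions. It assumes a hypothetical register schema (tool name, hash of the standardized build, hosts where the owning team keeps it, owning team) and uses constructed byte strings in place of real executables, so every hash is computed inline rather than copied from anywhere. Given a sweep's findings, it sorts each discovered binary into "approved" or into one of three lead categories a responder would follow up on: a documented build on an undocumented host, an undocumented build of a documented tool, or a name the register has never heard of.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# --- Constructed sample "binaries" (stand-ins for real file contents) ---
APPROVED_PSEXEC_BYTES = b"constructed: bytes of the sysops-approved PsExec build"
OTHER_PSEXEC_BYTES = b"constructed: bytes of a PsExec build nobody approved"
APPROVED_NMAP_BYTES = b"constructed: bytes of the netops-approved Nmap build"
STRAY_BYTES = b"constructed: bytes of a binary no team has documented"


def sha256_hex(data: bytes) -> str:
    """Hash file content; the register records hashes, not just names."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ApprovedTool:
    """One entry in the centralized tool register (hypothetical schema)."""
    name: str                      # executable name, compared case-insensitively
    sha256: str                    # hash of the standardized build
    allowed_hosts: FrozenSet[str]  # hosts where the owning team keeps it
    owner: str                     # team that documented and owns the tool


# The register: the centralized, standardized, documented list of tools.
REGISTER: List[ApprovedTool] = [
    ApprovedTool("psexec.exe", sha256_hex(APPROVED_PSEXEC_BYTES),
                 frozenset({"admin-jump01"}), "sysops"),
    ApprovedTool("nmap.exe", sha256_hex(APPROVED_NMAP_BYTES),
                 frozenset({"netops-scan01"}), "netops"),
]


def basename(path: str) -> str:
    """Last path component, tolerating Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(host: str, path: str, content: bytes) -> str:
    """Classify one discovered executable against the register.

    APPROVED        : documented build on a host its owner listed
    UNEXPECTED_HOST : documented build, but on a host nobody listed
    UNEXPECTED_HASH : documented tool name, but a build nobody approved
    UNKNOWN         : name not in the register at all
    Everything except APPROVED is a lead for the responder to chase.
    """
    name = basename(path)
    digest = sha256_hex(content)
    entries = [t for t in REGISTER if t.name == name]
    if not entries:
        return "UNKNOWN"
    if any(t.sha256 == digest and host in t.allowed_hosts for t in entries):
        return "APPROVED"
    if any(t.sha256 == digest for t in entries):
        return "UNEXPECTED_HOST"
    return "UNEXPECTED_HASH"


def triage(findings: List[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """Group findings (host, path, content) by classification for the IR team."""
    report: Dict[str, List[str]] = {}
    for host, path, content in findings:
        report.setdefault(classify(host, path, content), []).append(f"{host}:{path}")
    return report


# Constructed findings, as a sweep of the network might produce them.
FINDINGS: List[Tuple[str, str, bytes]] = [
    ("admin-jump01", r"C:\Tools\PsExec.exe", APPROVED_PSEXEC_BYTES),
    ("fileserver07", r"C:\Windows\Temp\psexec.exe", APPROVED_PSEXEC_BYTES),
    ("admin-jump01", r"C:\Tools\old\PsExec.exe", OTHER_PSEXEC_BYTES),
    ("netops-scan01", "/opt/nmap/nmap.exe", APPROVED_NMAP_BYTES),
    ("hr-ws12", r"C:\Users\Public\scan.exe", STRAY_BYTES),
]

if __name__ == "__main__":
    for status, items in sorted(triage(FINDINGS).items()):
        print(status)
        for item in items:
            print("   ", item)
```

The value of the register is that the question "is this yours?" is answered by a lookup instead of a hallway conversation: the hash check catches a rebuilt or trojanised copy of an approved tool, and the host list catches the approved build turning up somewhere its owners never put it, which is exactly the opportunistic reuse the summary describes.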