Cb Integrations: Cb Response Timeliner


(Editor’s Note: This post originally appeared on StillzTech.com and is being republished with permission from the author.)

 
Incident Response is a challenging career. As responders, we must do our best to keep up to date with the latest attack trends, malware and forensic techniques. Throughout my career as a responder, I’ve had the privilege to use many third-party solutions to aid in responding. One of these solutions, which I’ve spent the last 3+ years working with, developing new tools for and pushing the limits of, is Cb Response. This is possible largely because of their awesome developer network and their extensive, well-documented APIs. As a responder, time is everything, from the moment you get a phone call at 2am about a customer being compromised to the first indicator of compromise identified.

Being able to respond quickly, at scale, without melting endpoints, while ensuring data integrity and security, is a must with any IR toolset. It is for these reasons that I write scripts that leverage the CBR APIs to aid in my response efforts and automate as much as possible. I have a saying: “spend less time fighting technology and more time fighting bad guys!”

 
In this blog, I’ll be open sourcing a tool called CBR Timeliner. In future posts, I’ll be open sourcing additional tools for CBR, so stay tuned! These are very simple tools, and while the code is far from perfect, I feel the concepts are what matter most.

CBR Timeliner

Carbon Black has a nice feature called Investigations. Their implementation of investigations is very simple: you tag events identified in real-time process data, and the core fields of the event are collected and stored in an investigation, tracked by an incremental ID starting at 1. Per their documentation page, CBR has 6 core event types you can tag and save into your investigation. I’ve listed the 6 types below:
  • Modload
  • Netconn
  • Regmod
  • Childproc
  • Crossproc
  • Filemod
Additional information on these event types can be found here:
The main purpose of CBR Timeliner is to organize the tagged events for a specific investigation ID into a formal timeline (basically a super timeline for tagged CB events) or to export the events by type. With this tool, responders leveraging CBR can generate timelines for a given investigation ID. The image below outlines the 7 output files produced by this script:

 
As an added benefit, I also included the ability to export timelines at a per-host level. The main concepts behind these timelines are as follows:
  1. Identify gaps in your timeline where you may have missed a key event, lateral movement, malware, exfil, etc.
  2. Identify gaps in your timeline where an attacker has gone dark (maybe the attacker took a day off during a non-USA holiday?)
  3. Understand the flow of an attacker from host to host, how they moved laterally, processes they executed, staging directories, times in which the attacker was active, initial point of ingress, common TTP overlap with past incidents/attackers, etc.
  4. Hold individual analysts accountable for an investigation performed on a given host. For larger IR cases, you typically need to divide up investigations per endpoint to other consultants and keep track of the level of analysis performed on which host, by which analyst. This also helps teach newer consultants how to perform IR at scale with CBR in addition to understanding the artifacts we collect per operating system and why they are relevant, not just throwing tools at systems hoping to get results.
  5. Combine artifacts from CBR (real-time process metadata) with live forensic evidence to complete the story. While real-time process information is amazing when you have a live attacker in your environment, you should always reach down to key endpoints and collect/analyze evidence such as registry hives (NTUSER/USRCLASS.DAT), MFT, appcompat, amcache, event logs, prefetch, bitmap cache, etc. Without some of these key artifacts, you may not get the entire story.
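The outputs described above (a master timeline plus one file per event type, and the per-host split) together with the gap-finding idea from points 1 and 2, worked through as an added Python example. This is illustrative code written for this page, not the author's CBR Timeliner. It operates on a list of tagged-event records that the caller has already fetched from Cb Response; the record field names (investigation_id, event_type, hostname, timestamp, process_name, description), the sample events, the 24-hour gap threshold and the output file names are all assumptions made for the example.

```python
"""Added example: build CBR Timeliner-style outputs (master timeline, one
timeline per tagged event type, one per host) from tagged-event records.
Not the author's tool; record layout and file names are assumptions."""
import csv
import io
import os
import sys
from datetime import datetime, timezone

# The six taggable event types named in the post, in the post's order.
EVENT_TYPES = ("modload", "netconn", "regmod", "childproc", "crossproc", "filemod")
COLUMNS = ("timestamp", "hostname", "event_type", "process_name", "description")

# Constructed sample data. The field names are an assumption about the shape
# of a tagged-event record; map the real API fields onto them before calling.
SAMPLE_EVENTS = [
    {"investigation_id": 1, "event_type": "netconn", "hostname": "WS-02",
     "timestamp": "2018-03-04T02:15:10Z", "process_name": "powershell.exe",
     "description": "203.0.113.5:443 outbound (constructed)"},
    {"investigation_id": 1, "event_type": "childproc", "hostname": "WS-02",
     "timestamp": "2018-03-04T02:14:58Z", "process_name": "cmd.exe",
     "description": "spawned powershell.exe"},
    {"investigation_id": 1, "event_type": "filemod", "hostname": "WS-02",
     "timestamp": "2018-03-04T02:16:30Z", "process_name": "powershell.exe",
     "description": "created C:\\Users\\Public\\stage\\a.zip"},
    {"investigation_id": 1, "event_type": "crossproc", "hostname": "WS-02",
     "timestamp": "2018-03-04T02:17:05Z", "process_name": "powershell.exe",
     "description": "opened handle to explorer.exe"},
    {"investigation_id": 1, "event_type": "childproc", "hostname": "SRV-01",
     "timestamp": "2018-03-05T18:40:01Z", "process_name": "wmiprvse.exe",
     "description": "spawned cmd.exe"},
    {"investigation_id": 1, "event_type": "regmod", "hostname": "SRV-01",
     "timestamp": "2018-03-05T18:41:20Z", "process_name": "cmd.exe",
     "description": "wrote HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"investigation_id": 2, "event_type": "modload", "hostname": "WS-09",
     "timestamp": "2018-03-04T09:00:00Z", "process_name": "notepad.exe",
     "description": "belongs to another investigation; must be filtered out"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def master_timeline(events, investigation_id):
    """Select one investigation's events, validate their types, sort by time."""
    selected = []
    for event in events:
        if event["investigation_id"] != investigation_id:
            continue
        if event["event_type"] not in EVENT_TYPES:
            raise ValueError("unknown CBR event type: %r" % event["event_type"])
        selected.append(event)
    return sorted(selected, key=lambda e: (parse_ts(e["timestamp"]), e["hostname"]))


def split_by(timeline, field, keys=None):
    """Group a sorted timeline by one field; fixed keys keep empty groups so
    all 6 per-type files are produced even when a type was never tagged."""
    groups = {k: [] for k in (keys or ())}
    for event in timeline:
        groups.setdefault(event[field], []).append(event)
    return groups


def find_gaps(timeline, min_hours=24.0):
    """Report quiet periods between consecutive events: either the attacker
    went dark or the analyst missed something (points 1 and 2 above)."""
    gaps = []
    for prev, nxt in zip(timeline, timeline[1:]):
        delta = parse_ts(nxt["timestamp"]) - parse_ts(prev["timestamp"])
        hours = delta.total_seconds() / 3600
        if hours >= min_hours:
            gaps.append((prev["timestamp"], nxt["timestamp"], round(hours, 2)))
    return gaps


def to_csv(rows):
    """Render rows as CSV text with a fixed header; extra fields are dropped."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def render_outputs(events, investigation_id):
    """Return {filename: csv_text}: 1 master + 6 per-type files, plus one per host."""
    timeline = master_timeline(events, investigation_id)
    outputs = {"master_timeline.csv": to_csv(timeline)}
    for etype, rows in split_by(timeline, "event_type", EVENT_TYPES).items():
        outputs["%s_timeline.csv" % etype] = to_csv(rows)
    for host, rows in split_by(timeline, "hostname").items():
        outputs["host_%s_timeline.csv" % host] = to_csv(rows)
    return outputs


def write_outputs(events, investigation_id, outdir):
    """Write every rendered file under outdir and return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for name, text in render_outputs(events, investigation_id).items():
        path = os.path.join(outdir, name)
        with open(path, "w", newline="") as fh:
            fh.write(text)
        written.append(path)
    return written


if __name__ == "__main__":
    inv = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    for path in write_outputs(SAMPLE_EVENTS, inv, "timeline_out_inv%d" % inv):
        print("wrote", path)
    for start, end, hours in find_gaps(master_timeline(SAMPLE_EVENTS, inv)):
        print("gap of %.2f h between %s and %s" % (hours, start, end))
```

Run it with the investigation ID as its only argument; it writes the master file, the six per-type files and one file per host into a directory named after the investigation, then prints any quiet period of 24 hours or more. Keeping empty per-type files is deliberate: an empty netconn or regmod timeline is itself a finding, since it tells the reviewing analyst which event classes were never tagged on that host.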
Here’s a quick output example of a master timeline:
 
Another example of a single event type timeline (childproc):
 
 
Acknowledgements
Special thanks to Mike Scutt (@OMGAPT), Jason Garman and the CB team for all the help (3 years and counting).

Tools: APT Simulator: https://github.com/NextronSystems/APTSimulator

The post Cb Integrations: Cb Response Timeliner appeared first on Carbon Black.
