Sunday, 28 May 2017

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting - My training experience

I got the chance to attend the SANS 508 training last week. A big thanks to my employer for letting me attend. It is an expensive course and I definitely would not have been able to pay for it on my own.

I thoroughly enjoyed the training. I had some familiarity with the tools that were discussed and also with some of the forensic and incident response techniques, learned from reading books and blogs and from incidents I have responded to at work. However, I was totally blown away by what I learned in the 6 days of the training.

For me, the things that stood out and made me write about it are:

  1. The trainers Nick Klein and Josh Lemon were amazing. They brought so much experience and were able to talk about how the different tools and the artifacts that we look at helped them in real cases. Real-world examples make a big difference (at least for me) as they help me remember the tool or the artifact.
  2. There is a lot of stress on the process or methodology and not on the tool. The training discusses the different tools available to extract and examine a particular artifact, but keeps coming back to a select set of core tools that were used to their full effect throughout the course.
  3. The challenge on the last day was really tough. For me it highlighted areas that I was strong in and areas that I need to practise more. I was good at timeline analysis and analysing the memory forensics tool output. But when it came to extracting contents, dumping files and volume shadow copies, etc., I fell short. All these were things I had read about but had never used until the course.
  4. The other students on the course came from different backgrounds and they all had different ways of approaching the incident. It was good to see and hear how others approach incidents and the different tools and techniques that they apply.

At the end of each day of the training my head hurt from all the things covered during the day. At the end of the course, after completing the challenge (which is the first I have ever attempted), I am confident that I have the skills to apply a good process that will definitely help the organisation I work for currently and any other organisation I work for in the future.

Thursday, 11 May 2017

Audit Weak Passwords

To enable SSO, many organisations expose their ADFS proxy servers to the internet. These ADFS proxies can be used to brute force domain accounts. Depending on your lockout policies, this will lock out users. But what if someone tries only a few attempts per day to ensure that the accounts are not locked out?

Users will choose passwords that conform with your password policy but which are easy to remember. In a recent password audit using the DSInternals PowerShell module, I found that some of the most common passwords that meet the password policy can be easily guessed.

The standard password policy, which requires three of the following four character classes plus a minimum length, is pretty common:
  • uppercase
  • lowercase
  • number
  • special character
  • minimum 8 characters

Passwords such as Winter17, Summer17, Monday01, Monday02 conform to the above policy. These are also very easy to guess. The ones I found most common are Monday##. This could be because most users start their employment on a Monday and it's easy to increment the last number whenever you next need to change the password. The other common passwords are a variation of the initial password that the service desk may set. Unless the service desk uses a random password and you have a mechanism to stop such easy passwords, expect users to use them.
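The following is an added example, not code from the original post or from the DSInternals project. It encodes the policy described above (minimum 8 characters, three of four character classes), generates the predictable Season+YY and Weekday+## patterns the post mentions, confirms that every one of them passes the policy, and sorts a constructed sample list of passwords into non-compliant, compliant-but-predictable, and compliant buckets. The sample passwords, the year and the function names are all assumptions made for the example. The candidate list it produces is the kind of custom wordlist you would hand to an audit tool such as DSInternals' Test-PasswordQuality, which accepts a weak-password list, so that policy-compliant but guessable passwords are flagged rather than passed.

```python
import re
from typing import Dict, Iterable, List

# Policy as described in the post: minimum 8 characters and at least three of
# the four character classes below.
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def meets_policy(password: str, min_length: int = 8, classes_required: int = 3) -> bool:
    """True if the password satisfies the length and character-class rules."""
    if len(password) < min_length:
        return False
    present = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    return present >= classes_required


SEASONS = ["Spring", "Summer", "Autumn", "Winter"]
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def predictable_candidates(year: int) -> List[str]:
    """Policy-compliant but predictable patterns from the post:
    Season + two-digit year (Winter17) and Weekday + two-digit counter (Monday01).
    Only candidates the policy would accept are returned, which is the point:
    the policy does nothing to stop them."""
    yy = f"{year % 100:02d}"
    candidates = [f"{season}{yy}" for season in SEASONS]
    candidates += [f"{day}{n:02d}" for day in WEEKDAYS for n in range(1, 100)]
    return [c for c in candidates if meets_policy(c)]


def audit(passwords: Iterable[str], year: int) -> Dict[str, List[str]]:
    """Sort cleartext passwords (from a lab list or an authorised audit's
    results) into non-compliant, predictable and compliant buckets."""
    predictable = set(predictable_candidates(year))
    report: Dict[str, List[str]] = {"non_compliant": [], "predictable": [], "compliant": []}
    for pw in passwords:
        if not meets_policy(pw):
            report["non_compliant"].append(pw)
        elif pw in predictable:
            report["predictable"].append(pw)
        else:
            report["compliant"].append(pw)
    return report


# Constructed sample values for the example, not data from any real audit.
SAMPLE_PASSWORDS = [
    "Winter17",                      # passes policy, predictable season pattern
    "Monday02",                      # passes policy, predictable weekday pattern
    "monday01",                      # fails policy: only lowercase + digit
    "Tr0ub4dor&3",                   # passes policy, all four classes
    "Correct horse battery staple",  # passes policy: upper, lower, space as special
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_PASSWORDS, year=2017).items():
        print(f"{bucket}: {items}")
    print(f"{len(predictable_candidates(2017))} predictable candidates all satisfy the policy")
```

Running the script shows the two season/weekday passwords landing in the predictable bucket despite passing every rule of the policy; that bucket is the one to report back to users, since the non-compliant bucket is already blocked by the directory itself.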

Your awareness sessions may talk about passphrases or similar options to create longer passwords which are easy to remember and difficult to guess. That may help a handful of users who read the newsletter and like the idea. For the others, auditing the accounts regularly and letting users know that they are using poor passwords is the only option.

Some things that you should do before you go down the path of password cracking:
  • Make sure you have permission to do this activity.
  • Figure out what you intend to do once you discover weak passwords. Do you have a standard email template to use?
  • Raise awareness first: make sure you have already sent out information on how to create strong passwords, or turn on MFA if that is an option. It's easier to point users to this information later.
  • If you can use tools like DSInternals to crack passwords on the network, then others can as well (if they have the right permissions). Can you detect when someone uses tools like these? See what events are generated on your DC when you run these tools and then make sure you have alerts whenever those events occur.

There was a specific need for the initial password audit, but seeing how common weak passwords are, I think it's prudent to do this activity regularly.