"Offensive forensics is an attack technique hackers use to capture non-static data that can be useful in performing further attacks," says Joe Sremack, Principal, Berkeley Research Group, LLC, a computer forensics and e-discovery firm.
In an offensive forensics procedure, the hacker captures non-static, in-memory data in order to acquire the passwords, encryption keys, or active network session data living there, which can aid them in gaining unrestrained access to precious data.
To illustrate, a simple example of an offensive forensics attack is one that captures the Windows clipboard, a place where less-than-savvy users often copy and paste their secure passwords. Hackers typically mount this type of attack through vulnerabilities in Flash.
"There are exploits that read through Flash plug-ins in browsers in combination with weak or misconfigured settings to read the full browser content, including in-memory passwords," says Sremack.
Awareness is the first step in defeating offensive forensic tricks and techniques; action is the second step.
Purpose and Methods
Hackers use offensive forensics to gain credentials such as user names and passwords that allow them to access sensitive data while concealing their identity, delaying attack discovery, and covering their tracks.
"They also want to prolong the time that they have access to a system and the time that any stolen data remains undetected, which increases its value," says Scott Hazdra, Principal Security Consultant, Neohapsis, a security and risk management firm.
Hackers look for this kind of dynamic / non-static data in some semi-permanent form in-memory such as in RAM memory or a swap file.
"A Windows temp file, a Windows or Mac clipboard, unencrypted login data from a Telnet or FTP application, and web browser caches are all non-static data targets," says Sremack.
Once the hacker gains user IDs and passwords, which may be stored temporarily in clear text, they can get to the next level of access, reaching resources such as internal intranet sites, document management systems, and SharePoint sites, Sremack explains.
"This is basically a method for hackers to get what they otherwise would retrieve using a keylogger, but without the keylogger," says Sremack.
This is important to hackers because anti-virus and anti-malware tools can detect and remove keyloggers. Instead, they run tools that look through the clipboard, the registry, or wherever the computer would store this data in clear text.
These tools, which enable hackers to do these things in real-time are free and readily available on the Internet. While there are tools available to do this on Linux, the people who typically make the kinds of mistakes (storing passwords in clear text on the clipboard) that make offensive forensics possible are end-users working on workstations, which most often run operating systems such as Windows and Mac.
Some of the specific tools hackers use include script tools available for the Metasploit framework.
"There is also a wide assortment of other tools for these purposes, both free and premium, like FTK Imager, RedLine, Volatility, CAINE, and HELIX3," says Hazdra.
Enterprise Response
"Offensive forensics is difficult to counter because the files in the compromised machine may be secure, but intruders have access to the machine and can grab memory--even though traditional standards would declare that system secure," says Sremack.
Approaches to foiling offensive forensics include running security utilities that mask and protect in-memory data. Examples of these kinds of applications include KeePass and KeeScrambler. KeePass is an encrypted clipboard utility that automatically clears the clipboard history. KeeScrambler encrypts browsing history.
"Every time a user types a letter into the browser, it encrypts it to prevent hackers from reading data resident in memory," explains Sremack. There is a free version of KeeScrambler available; the paid version also defeats keyloggers.
Best practices dictate that an enterprise also log systems activities on a separate machine on the network, making it harder for hackers to reach in and erase their tracks. In addition, the enterprise should use file system features that mark files as "append" only (no deleting or overwriting existing data) so that not even the systems administrator of that machine can erase what is written unless the machine enters an offline maintenance mode, explains TK Keanini, CTO, Lancope.
In the larger picture, the enterprise must have a certain amount of readiness in order to field effective incident responses to offensive forensics attacks. There are three levels at which an enterprise should be ready to aid incident response, says Keanini, with each level adding a dimension that compliments the others.
"Even if the attackers can evade one of these levels, they are going to show up on the others," says Keanini.
The first level is end-point telemetry. Each endpoint should have some system level process accounting for all actions on the device.
"While you can never be 100-percent accurate with this, zero-percent is not acceptable," says Keanini.
The second level is gateway and access point telemetry. At the ingress and egress of the network(s), some technology should be recording inbound and outbound connections. This will provide for internetworking evidence for detection and network forensics.
The third level is infrastructure telemetry.
"All networking infrastructure should exhibit unsampled Netflow/IPFIX," says Keanini. IT / security collects this data set using a tool that tracks all network traffic at the meta data level.
"This data set acts as the network's general ledger and offers the most complete picture of activity on your network," says Keanini.
When an enterprise arms itself with all three levels of telemetry, there is nowhere that an attack or attacker can hide.
"More importantly," says Keanini, "while they will get in with some form of exploit, they still need to go undetected while performing other phases of the attack."
During this operational phase, the enterprise can detect the attackers with these telemetry levels and deploy countermeasures before they complete their objectives.
Enterprises need to be aware that offensive forensics, like other attack techniques, will continue to evolve. Criminal hackers will use any tool available to get the job done, even if the tool is by itself benign and they are using it other than as its creator originally intended.
CSOs and CISOs need to continually educate their IT and security teams to keep them current on new threats and techniques. Most security teams will eventually need new tools to detect offensive forensics attacks, says Hazdra.
High-value assets need new modes of protection in order for security teams to detect and prevent hacker use of forensic tools against enterprise data, says Hazdra.
"The unauthorized use of these types of tools likely occurs in a blind spot for most organizations as they may monitor things like network traffic, file integrity, intrusion detection and unauthorized attempts at access, for example, but may not have tools in place to detect someone performing a memory dump on a system or whether the person using a forensic tool is on their security team or is an attacker," Hazdra explains.