💬 Slack

These are primarily my course notes from Slacking on insider threat by Magnet Forensics. Thank you, guys, for sharing! I will put a quote paragraph with a 💡at the beginning whenever I have some ideas or thoughts along the way.

Instant messaging with channels and file sharing. Also, provides logs and eDiscovery.

Cloud-based, collection is not enough (non reviewable format), your plan matters, tons of functionality.

• Workspaces
• Channels
• DMs

With certain settings users of workspace can override retention settings. It’s recommended to turn this feature off, so that all logs are preserved.

Best practices:

• eDiscovery mechanism before the incident
• Have a plan for Review
• Know you Slack plan and understand different export plans
• Check data retention settings

Basic shifts in security is towards cload-based services, how much people are sharing and also that insider threats are becoming more dangerous because of this.

Slack Plan Explorts

1. Standart (Public channels content only, including deleted data)
2. Corporate (DM + groups + private channels + links to files)
3. eDiscovery and DLP (all of the above)

Worspace owner can apply for corporate export if needed. Export on monthly basis -> S3 bucket

Retention

• Message
  • Let members override settings
  • Delete messages/edits/deletes
  • Keep messages - don’t track edits or deletes
  • Keep all
• File
  • Keep for N days
  • Keep all

Autdit API

eDiscovery API -> Audit API.

Only available for Enterprise plan. RESTful API -> JSON. Can be incorporated into SIEM. Actions monitored:

• Logins
• Exports (channels, files)
• Changing retention policies
• Users joining, leaving channels etc
• Channels created/deleted/privielges changed
• Guest behaviour

❗️ Does not track message content. For this use eDiscovery solution. For inappropriately used info (credit cards, SSN etc) -> DLP.

❗️ max 9999 event per request.

Threat Modelling

You can process it with some third party of custom scripts.

1. Insider threats
   1. channel created (public_channel_created or private_channel_created)
   2. user added to channel (user_channel_join)
   3. file downloaded (file_downloaded)
   4. User account reactivated (user_reactivated)
2. External threats
   1. guest added (guest_created)
   2. guest added to channel (guest_channel_join)
   3. file uploaded (file_uploaded)
   4. user’s role changed to admin (role_changed_to_admin)

user_login and user_logout, user_channel_join and `user_channel_leave

Accounts:

• Account created user_created or guest_created
• Account deleted user_deactivated or guest_deactivated
• Reactivation user_reactivated or guest_reactivated

Links:

• Audit API logger https://github.com/eoghanmckee/slack-auditapi-logger
• Docs https://api.slack.com/admins/audit-logs
• Slack JSON viewer https://github.com/hfaran/slack-export-viewer

❗ API tracks user actions, not message content!!! 9999 request max. Only for Enterprise users. No review of message or file content. Can’t prevent problems.Cannot categorize suspect acrivity. Limited support for events related to private messaging. Used as a part of investigatin Slack, not the whole.

If the target of inquire is exporting data (messages, files) -> eDeiscovery API

If there are concerns that the target has leaked some info -> DLP

Identifying Key Actors

• Log in/out times (user_login, user_logout)
• Join/leave channel (user_channel_join and user_channel_leave)
• Account management
  • Created (user_created guest_created)
  • Deleted (user_deactivated, guest_deactivated)
  • Reactivation (user_reactivated, guest_reactivated)

Slack Investigative Framework

1. Retrieve the audit data
2. Identify key actors
3. Identify communication methods
   1. public channels
   2. private channels
   3. relevant files
   4. individual and group chats
4. Aquire content
5. Audit events related to identified communication methods
6. Diff between legitimate and illegitimate behavior
   1. creation of new or unusual private channels
   2. adding new or unneeded people to restricted channels
   3. downloading of files
   4. unusual logons

Live Acquisitions vs Export

You need user creds to pull data, and creds to each acc in question. With exporting - multi-user context.

💡 Exporting everything is too much. Go from the smallest amount of data and if nothing is found there, widen the circle.

❗️Exports are available only for 10 days after they are intitally downloaded and they don’t include attachments. For downloading attachments you need corresponsing tokens that were generated when the export took place. However, if those have been revoked (after 10 days), oops, no way to download the files.

References