BIG DATA TRIAGE & DIGITAL FORENSICS

Transcription

1 BIG DATA TRIAGE & DIGITAL FORENSICS Lead by Professor John Walker FRSA FBCS CITP ITPC CRISC MFSoc INTERGRAL SECURITY XSSURANCE LTD

2 WHAT IS DATA TRIAGE & DIGITAL FORENSICS? Triage is a process used to assess the criticality of a problem; predominantly used in the medical profession to help prioritise the importance of a condition The process used in the digital world is not that dissimilar to the process used by medical practitioners We use a structured process to discover, assess, determine and prioritise any exposures found. These exposures could lead to hacks or threats. Using specialist forensic techniques we look to discover digital footprints We assess and evaluate the criticality of the exposure We determine the priority of each exposure; Critical, Severe or Moderate The evaluation and severity of the prioritised exposures are then reported on

3 WHAT IS FOOTPRINTING? Footprinting is the method used to identify the nucleic acid sequence that binds with proteins In the digital world, footprinting is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment. Footprinting can reveal system vulnerabilities and improve the ease with which they can be exploited Digital footprint analysis is where most hackers will start to help build up the intel needed to plan an attack

4 WHAT IS FOOTPRINTING CONT? Footprinting begins by determining the location and objective of an intrusion. Once this is known, specific information about the organisation is gathered using non-intrusive methods. For example, the organisation's own Web page may provide a personnel directory or employee bios, which may prove useful if the hacker needs to use social engineering to reach the objective. Conducting a whois query on the Web provides the domain names and associated networks related to a specific organisation. Other information obtained may include learning the Internet technologies being used; the operating system and hardware being used; IP addresses; addresses and phone numbers; and policies and procedures.

5 WHY IS IT AN ISSUE? Know it or not, we all leave footprints or digital shadows of our activities on the internet an imprint of where we ve been and what we ve been doing. The more we use the net, the more footprints we leave behind. Leave enough and you can soon create a picture of your activities, information about your points of access/entry (IP & addresses for example) or even information about your own identity Much information about an individual or organisation can be found on the web as a result of your footprints; if you know where and how to look for it this is one of the first steps a hacker takes to build a picture to complete the jigsaw puzzle. This allows the hacker to locate easy points of access to attack and infiltrate the network and can even take over the identity of individual employees

6 WHAT ARE THE BENEFITS? Most organisations don t know what digital footprints exist or can be found, and therefore don t know the severity of the exposures that could lead to attacks By having the knowledge and access to this information allows you to take the appropriate course of action to ensure you are less exposed and more secure our reports and recommendations will guide you through the necessary processes

7 THE DATA TRIAGE SERVICE The ISX data triage service is a unique offering of passive in-depth analytics, utilising advanced search engine techniques. The service is used to uncover hidden exposures and vulnerabilities that lead to threats. We use specialist techniques and tools that are completely non-intrusive. The service is performed remotely and has no time impact on your staff or IT team. Specialist applications and systems are used to locate, interrogate, acquire and conduct analysis. The objective of footprinting both single and multiple targets is to identify actual or inferred security anomalies, which may expose the environments or domain to exploitation. The service is constructed of 5 phases; Investigative Phase, Acquisition Phase, Analysis Phase, Discovery Phase and Reporting Stage

8 THE DATA TRIAGE PHASES Investigative Phase: This Phase will initiate the process of mining the elements of public records and other associated big data in order to identify any objects or information of interest to the assignment. Acquisition Phase: Following on from Phase 1, the process will then seek to acquire any information or objects of interest. Analysis Phase: In this phase the acquired artifacts will be subject to deep analysis. Discovery Phase: Following on from Phase 3, the process will then seek to discover any deep items of information or metadata, which may be relevant to the focus of the activity. Reporting Stage: This Stage will document the findings of the 4 previous Phases and outline both the direct and indirect threats. Once we have arrived at the conclusions stage we make recommendations, offering mitigations for negating the exposure to the located areas of vulnerabilities.

9 OUR EXPERT TRIAGE INVESTIGATOR As well as being ISX s Director of CSIRT & Cyber Forensics, John Walker is a Visiting Professor at the School of Computing and Informatics, Nottingham Trent University (NTU), owner and CTO of SBLTD, a specialist Contracting/Consultancy in the arena of IT Security & Forensics and Analytics. He is also actively involved with supporting the countering of ecrime, efraud, and on-line Child Abuse, an ENISA CEI Listed Expert, an Editorial Member of the Cyber Security Research Institute (CRSI), the Chair of the ISACA London SAG. In July 2012 John was appointed Member of the ISACA International Guidance & Practices Committee (GPC) and is a Fellow of the British Computer Society (BCS). John is also a practicing Expert Witness in the area of IT, and the originator and author of a CPD/MSc Module, covering Digital Forensics and Investigations.

10 POST TRIAGE SERVICES To follow on from the Triage service, ISX has developed and created a cost effective suite of services and tools. The suite delivers a range of services including cyber security training, vulnerability assessments, specialist security software, various policy and process based documentation and optional continuous support through our board of advisors. Modular Cyber Training Course Knowledge transfer & practical training Cyber Toolkit A collection of services and tools to deliver an immediate, secure & resilient network Vulnerability Testing Analyse other areas of exposure, test the effectiveness of security tools and report and recommend E-Disclosure Workshop An all encompassing course specifically created to aid with the new European parliamentary e-disclosure policy Liability & Loss Mitigation Insurance advise on what to cover, how best to secure and reduce premiums

11

12

13 ISX SERVICE OVERVIEW Our services have been developed over a number of years by highly skilled individuals (members of our team regularly consult the UK government and International Intelligence Agencies and are frequently requested and commissioned to write or comment on behalf of some very well known security based publications) we provide you with a specialist toolkit that helps to combat many issues in one single hit; in essence either replacing the need to constantly use new tools or replace existing out-of-date systems that are no longer effective. We will help to implement the most robust solutions possible, whilst constantly checking and verifying their usefulness. We will update the internal security team with each new known threat and again offer guidance and support all the way. Our service is about baselining the environment, plugging the exposures (through the use of people skills and tools) and giving on-going support via a knowledge share service, helping you to implement the necessary changes and tweaks in order to remain secure.

14 WHY IS ISX ANY DIFFERENT TO OTHER PROVIDERS? ISX take a different approach to network security - instead of simply checking the security tools you have in place and assessing their effectiveness (*attack and penetration test), we take the view of a hacker and look at a far more granular level. We look to identify and disclose all points of vulnerability in order to give an accurate assessment of the gaps. We show you how to close those gaps, making the environment immediately more secure and less exposed to future attacks. As part of this approach ISX offer an all-encompassing cyber security service, a complete lifecycle of services ranging from security foot-printing and triage to forensic investigations and training (how to handle attacks and what processes to follow when they do occur).

15 WHY CONSIDER INTEGRAL Integral brings a wealth of experience in the cyber security and risk management domain. As part of our information security work with private and public organisations in all industries, we have been delivering comprehensive risk assessments for many years. All our consultants are qualified and experienced practitioners. We have an advisory board of heavyweight security experts with over 60 years experience of executive education and containment of cyber threats. The board has developed a suite of cyber education workshops and tools underpinned by an analytics platform. Organisations benefit from an independent assessment of their blended framework, sustainability advice, peace of mind surrounding emerging threats and the evidence to strengthen negotiations for insurance premium reduction.

16 WHY CONSIDER INTEGRAL An effective and different approach The benefits to our approach: A visionary approach - an inside knowledge on how the hacker thinks Key industry knowledge - published and highly regarded white papers and articles Understanding - the ability to inform and educate clients Proven track record - to access and manage risks & attacks Agility - to react quickly to new threats and help protect clients Comfort - ensuring clients have the level of protection they need