Cyber Analysis Tools:

Transcription

1 Cyber Analysis Tools: The State of the Union August 26, 2014 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time 1

2 Generously sponsored by: #ISSAWebConf 2

3 Welcome Conference Moderator Matt Mosley Product Management, Threat Track Security August 26, 2014 Start Time: 9am US Pacific /12 noon US Eastern/5pm London Time

4 Agenda Speaker Introduction Russ McRee Director, Threat Intelligence & Engineering, Microsoft Online Services Security & Compliance Dipto Chakravarty EVP of Engineering and Products Jason Sabin Vice President of Research and Development, DigiCert Open Panel with Audience Q&A Closing Remarks 4

5 A Toolsmith Take: Knowledge Before Application Russ McRee Director, Threat Intelligence and Engineering, Microsoft Online Security &

6 6

7 7

8 8

9 9

10 10

11 11

12 Thank you! Russ McRee Russ 12

13 Cyber Forensic Tools Dipto Chakravarty EVP of Engineering and Products 18

14 Forensics 101 STEP 1:Preparation Identifies the purpose and resources STEP 2: Acquisition Pinpoints the sources of evidence STEP 3: Analysis Extracts, collects and analyze evidence STEP 4: Reporting Documents and presents the evidence Cyber Forensics is the practice of analyzing digital information in form of evidence that is legally admissible. For example, Sony s PlayStation network experienced a DDoS on August 25, 2014, and will undergo digital and cyber forensics to ensure the safety of its 53 million users personal information. 15

15 Types of Cyber Forensics 16

16 Cyber Forensics: s s are like footprints in the snow. Deleting an doesn t mean it erases the records. The work is similar to conventional detective work. MiTec Viewer Reads Outlook Express, Windows Live Mail with search and filtering capabilities PST-OST Viewer Allows you to view Outlook files without MS Exchange 17

17 Cyber Forensics: Data Data mirroring is key in cyber forensics. Exact copy is created without alteration. Live View Creates a VM of a physical disk. Allows us to view the data blocks with a user persona and full UX. DumpIt Creates executable on USB for rapid IR needs. 18

18 Cyber Forensics: Disk Disk imaging in cyber forensics involves recovery of hidden and erased files. Exact copy is created without alteration. Recuva Free tool. Recovers deleted files from disks as well as SD cards, flash drives and cameras EDD For rapid IR, it is used as an encrypted disk detector. It checks for encrypted volumes, and tells which transient evidences need to be saved. 19

19 Cyber Forensics: Registry R Forensics is about extracting contextual metadata more than the data or the user. MuiCache Views the list in the MuiCache. (It is the Registry key that stores list of every application installed on the Windows o.s) USBDview Lists all USBs connected to the computer (now or earlier!) For each USB, it cites dev type, S No, vendor id, date, etc. 20

20 Cyber Forensics: Network N Forensics is about monitoring traffic, i.e, data in motion with the intent to collect evidence/samples. Wireshark Popular tool, with both hackers and law enforcements. Inspects frames captures packets displays user-data in its own GUI for analysis Network Miner Windows-specific tool to detect open ports of network hosts. Popular tool for network forensics analysis. 21

21 Cyber Forensics: Browser B Forensics is all about scanning the session trail left behind in the browser cache. Note that almost every browser uses a cache to expedite internet surfing. MyLastSearch Scans the cache and browser history files looking for searches you ve made with popular search engines and social networking sites. ChromeCacheView Reads the cache folder to display cached files, URLs, access time, file type, etc. Similar tools exist for other browsers. 22

22 Cyber Forensics: Apps A Forensics comprises of reading the app-specific log files without knowing the application password. SkypeLogView Displays details of incoming/outgoing calls, chat messages, and file transfers made by the Skype account. Y! Messenger Decoder Views the chat sessions, sms, private messages, including emoticons without knowing the password. Similar tools exist for other browsers. 23

23 General Tools for Forensics Investigation 1. SANS SIFT 2. Linux dd 3. Xplico 4. The Sleuth Kit 5. Hex Editor Neo 6. Oxygen Forensic Suite 24

24 SANS Sift Investigative Forensic Toolkit 25

25 Linux dd Investigative Uses Available on almost all Linux o.s distributions Used for multifarious forensic tasks, including Forensically wiping a drive dd if=/dev/zero of=/dev/drv1 bs=1024 where if = input file, of = output file, bs = byte size Creating raw image of a drive dd if=/dev/drv1 of=/home/diptoc/newimage.dd bs=512 conv=noerror,sync where bs = byte size, conv = conversion option Very powerful tool Handle with care. Old is gold! I ve been using dd since

26 Xplico Investigative Uses Open source tool for network forensic analysis Extracts application data from the net traffic, e.g. Live capture of stream from SMTP traffic Replay from PCAP files read from Wireshark 27

27 Summarizing Cyber Forensics Assess user activity w.r.t usage patterns Analyze data remnants in transient states Audit logs to unravel stealth data that s encrypted Assert usage of content and contextual artifacts Answer the hard stuff: the known knowns Facts the known unknowns Questions the unknown knowns Intuitions the unknown unknowns Exploration 28

28 Thank You! Dipto Chakravarty On LIn, Tw: dipto On G+, Y!: diptoc 29

29 Types of Forensics Forensics PST-OST Viewer MiTec Mail Viewer Data Forensics DumpIt Live View Disk Forensics Recuva Encrypted Disk Detector Registry Forensics Proc Monitor Regshot USBDeview MuiCache View Network Forensics Wireshark Network Miner Internet Forensics MyLastSearch Password Fox ChromeCache View MozillaCookies View Application Forensics SkypeLogView Y! Messenger Decoder 30

30 Thank you! Dipto 31

31 SSL Analysis & Tools Jason Sabin Vice President of Research & Development, DigiCert 33

32 SSL: What can we do better? 51% of enterprises do not know all of the keys and certs on their network*. About 2 in 3 enterprises still use ciphers vulnerable to BEAST. Still seeing 1024-bit key sizes or lower. Only 6% of SSL certificates on the web use SHA-2. Heartbleed in hardware and statically compiled applications. Certificate Transparency * Based on research by Ponemon Institute

33 Improper implementation Some high profile stories: Heartbleed Goto Fail BEAST, CRIME, BREACH, etc. Weak cipher suites Weak algorithms Weak private keys

34 Is your network secure? What do most potential exploits have in common? They rely on improper SSL implementation.

35 SSL best practices Always-On SSL Secure Cookies HSTS (Http Strict Transport Security) Disable Weak Cipher Suites Secure Renegotiation Disable TLS Compression Perfect Forward Secrecy

36 <SSL Labs screenshot>

37

38

39 Whynopadlock screenshot

40 Thank You! Jason Sabin Vice President of Research & Development SSL Analysis Tools

41 Open Panel with Audience Q&A Russ McRee Director, Threat Intelligence and Engineering, Microsoft Online Security & Compliance Dipto Chakravarty EVP of Engineering and Products, Threat Track Security Jason Sabin Vice President of Research & Development, DigiCert #ISSAWebConf 44

42 Join us on Thursday, Sept. 11, :00 PM - 2:00 PM EDT ISSA Annual State of the Association Discussion ISSA 2014 Annual Members Meeting Webinar Space is limited. Reserve your Webinar seat now at: 45

43 Closing Remarks Thank you Citrix for donating the Webcast service #ISSAWebConf 46

44 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link information: Cyber-Analysis-Tools-The-State-of-the-Union #ISSAWebConf 47