COMPUTER INTRUSION INVESTIGATIONS

Similar documents
U. S. Attorney Office Northern District of Texas March 2013

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

How To Protect Your School From A Breach Of Security

Advanced Persistent Threats

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

The Protection Mission a constant endeavor

September 20, 2013 Senior IT Examiner Gene Lilienthal

1B1 SECURITY RESPONSIBILITY

APT Advanced Persistent Threat Time to rethink?

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Working with the FBI

Security and Privacy

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Incident Response Plan for PCI-DSS Compliance

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Digital Evidence and Threat Intelligence

Cyber Security and Critical Information Infrastructure

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Protecting Your Organisation from Targeted Cyber Intrusion

Who s Doing the Hacking?

Common Cyber Threats. Common cyber threats include:

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

WRITTEN TESTIMONY OF

05 June 2015 A MW TLP: GREEN

UNCLASSIFIED. General Enquiries. Incidents Incidents

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

User Documentation Web Traffic Security. University of Stavanger

How to Secure Your Environment

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Network/Cyber Security

RSA Security Anatomy of an Attack Lessons learned

Seven Strategies to Defend ICSs

Data Management Policies. Sage ERP Online

RSA Security Analytics

Incident Reporting Guidelines for Constituents (Public)

CSIS/DOJ Active Cyber Defense Experts Roundtable March 10, 2015

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Questions You Should be Asking NOW to Protect Your Business!

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Thank You To Our Sponsors

Effective Methods to Detect Current Security Threats

CSI/FBI 2000 COMPUTER CRIME AND SECURITY SURVEY

Information Security Policy

Defending Against Data Beaches: Internal Controls for Cybersecurity

Detailed Description about course module wise:

Critical Controls for Cyber Security.

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Surviving the Ever Changing Threat Landscape

INCIDENT RESPONSE CHECKLIST

Incident Response. Six Best Practices for Managing Cyber Breaches.

The FBI and the Internet

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

PwC Cybercrime US Center of Excellence

Presented by: Mike Morris and Jim Rumph

Incident Response 101: You ve been hacked, now what?

The Department of Homeland Security The Department of Justice

Supplier Vigilance: A Critical Layer of Defense

Standard: Information Security Incident Management

Information Security Services

Advanced & Persistent Threat Analysis - I

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

FACT SHEET: Ransomware and HIPAA

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Top Ten Cyber Threats

Effective Methods to Detect Current Security Threats

Current Threat Scenario and Recent Attack Trends

What is Management Responsible For?

Department of Homeland Security

Franchise Data Compromise Trends and Cardholder. December, 2010

All Information is derived from Mandiant consulting in a non-classified environment.

Teradata and Protegrity High-Value Protection for High-Value Data

Practical Steps To Securing Process Control Networks

SANS Top 20 Critical Controls for Effective Cyber Defense

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Firewall and Router Policy

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Data Security Incident Response Plan. [Insert Organization Name]

INFORMATION SECURITY INCIDENT RESPONSE GUIDE

FERPA: Data & Transport Security Best Practices

Additional Security Considerations and Controls for Virtual Private Networks

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

What keep the CIO up at Night Managing Security Nightmares

Responsible Access and Use of Information Technology Resources and Services Policy

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Comprehensive Advanced Threat Defense

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

Section 12 MUST BE COMPLETED BY: 4/22

Network Security Policy

Jumpstarting Your Security Awareness Program

NETWORK SECURITY GUIDELINES

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

CompTIA Security+ (Exam SY0-410)

Transcription:

FBI San Francisco Division Counter Intelligence Computer Intrusion COMPUTER INTRUSION INVESTIGATIONS John B Chesson Special Agent FBI

Investigative Challenges Victim preparedness and incident response capabilities Volatility of uncollected digital evidence Volume of digital evidence analysis Speed of legal process for compelled disclosures Reliable attribution capabilities

Attribution Challenges Web Proxy Services Onion Routers Botnets Compromised hosts computers Foreign ISPs Encryption attacker ` victim

Cyber Attack Vectors Perimeter Vulnerability Exploitation Firewall/IDS by-pass attacks DMZ server attacks Perimeter By-pass Email or Web Surfing Wireless AP VPN stolen credentials User mobile device exploit Smart phones Laptops Readable media Trojans (i.e. CD, DVD, Thumb Drive)

Cyber Threat Actors Script kiddies Hacktivist Groups Organized Crime Advanced Persistent Threat (APT)

Advanced Persistent Threats (APT) State sponsored actors targeting Businesses with global market advantage US Gov t classified projects Suspected State goals Gain competitive edge for global business Steal research and intellectual property Use your trusted relationships to propagate compromises in and outside your company

APT indicators What is normal for your environment? Beaconing out to Dynamic DNS domains Data exfiltration spikes during odd times Commonly open ports with uncommon protocols (like FTP on port 80) User login geo-location & temporal conflicts Is a user logged in from two locations? Reconnaissance activities from systems inside your domain Is someone casing the joint?

APT Methodology Reconnaissance open source info on target Social Engineering - email Exploit System - malware Establish Control - beacon Escalate Privilege dump the hash Maintain Access back doors Explore for Sensitive Data use network shares Exfiltrate the Goods

Internet ISP Patient 0 Local IT Admin CFO Financials Remote Office Net HQ Corp Net Production Net

DON T BE PATIENT 0: Tips to reduce your vulnerability Personal computer use habits: Don t use Administrative User Account When Internet surfing or checking emails Disable scripts when using a web browser Always virus scan email attachments Don t update software away from home Social Media site habits: Be selective with what you share Frequently review privacy settings International Travel habits: Don t take your phone or laptop

Good Victims have: Incident Response Plan Preparation Detection Containment Eradication Recovery

Key Preparation Points Out of band communications plan No VOIP & No Email Warning Banners Allows LE Monitoring Management support Trained team members Documentation and Evidence collection Liaison contact with local FBI InfraGard

Warning Banner Sample This system is restricted solely to COMPANY NAME authorized users for legitimate purposes only. The actual or attempted access, use, or modification of this system is strictly prohibited by COMPANY NAME. Unauthorized users are subject to company disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored, searched, and recorded for administrative and security reasons. Anyone accessing this system consents to such monitoring and search, and disclosure to law enforcement officials. All users must comply with COMPANY NAME corporate instructions regarding the protection of COMPANY NAME and customer assets.

How to notify the FBI Suspected Computer intrusions Local FBI notification (SF FBI 415-553-7400) Call main number and ask for Computer Intrusion Squad if not immediately available: Provide duty agent basic information and request immediate call back from Cyber Squad Non-intrusion can be reported to www.ic3.gov

Situational Awareness Join InfraGard: www.infragard.net members only: https://infragard.org/ National Terrorism Advisory System: www.dhs.gov/alerts MS-ISAC: www.msisac.org/index.cfm IT-ISAC: https://www.it-isac.org ES-ISAC: www.esisac.com/ FS-ISAC: www.fsisac.com/ US CERT: www.us-cert.gov/nav/t01/

Questions? John B. Chesson Special Agent Federal Bureau of Investigation San Francisco Division, San Jose Resident Agency Counter Intelligence Computer Intrusion Squad (CY-4) (408) 558-1065 john.chesson@ic.fbi.gov San Francisco Bay InfraGard Chapter www.sfbay-infragard.org

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information