Digital Forensics: Tracking Cyber-Criminals and Hackers


Digital Forensics: Tracking Cyber-Criminals and Hackers. Welcome to the Battlefield. Presented by Damian Donaldson, CISSP, CISM

"Know thyself, know thy enemy. A thousand battles, a thousand victories." - Sun Tzu: The Art of War

We're at war? Corporate networks face attacks every day (malware, network intrusion attempts, unauthorized access to resources, social engineering, etc.). Outsiders try to get in so they can spy, commit fraud or disrupt operations. Insiders may also spy, commit fraud, abuse privilege, misuse resources or sabotage operations. Corporate technology teams have the task of protecting the organization's information assets from all of these threats. Yes, we are at war.

The Corporate Perspective: why track cyber-criminals and hackers? If the source/origin of an attack is known, measures can be put in place to stop it. You need to know what the attackers have done so that the risk can be managed and the problems fixed. And you need to hold persons accountable for their actions (criminal prosecution, civil litigation, internal disciplinary action).

How do you track cyber-criminals and hackers? Gather information about the attacks and the attackers. Analyse the information and compile evidence. Follow the evidence. Digital forensics fuels much of this investigative work.

Digital Forensics. Digital forensics is the scientific process of data acquisition, analysis and reporting that supports the investigation of computer-technology-related incidents. Data can come from different sources and devices, hence there are different branches of digital forensics: computer forensics, network forensics, mobile device forensics, database forensics, etc.

Digital Forensic Process: acquire data. How this is done depends on the kind of devices/systems being targeted and the kind of data being gathered. However, it is key that the acquisition process does not alter the data being gathered, or the evidence will be compromised (write-blockers and a cryptographic hash of the acquired image, recorded at acquisition time, are the usual safeguards). Once data is gathered, the chain of custody must be preserved.

Digital Forensics Process: analyze data. Examine the gathered data to identify evidence which sheds light on the incident being investigated. Look for clues to help answer the what, when, where, why and who questions.

Digital Forensics Process: report findings. The report articulates what the investigation has found. This is key to building a good case (for legal matters) as well as to learning from the incident and strengthening the organization's defences.
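The acquisition and chain-of-custody steps above, as an added worked example (this code is not from the presentation). The "suspect drive" is a constructed byte string standing in for what a write-blocked imaging tool would read; the item ID, people and byte offsets are invented for the illustration. The point it makes is the one the slides make in words: hash the image the moment it is taken, record the hash with every custody hand-over, and any later alteration of the image is detectable.

```python
"""Hash-verified acquisition and chain of custody.

Added example, not from the presentation. The "suspect drive" is a
constructed byte string standing in for what a write-blocked imaging
tool would read; every name below is invented for the illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for the raw bytes of the suspect drive.
SOURCE_DEVICE = b"NTFS    " + b"\x00" * 64 + b"evil.exe payload" + b"\x00" * 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Evidence:
    """One acquired image plus the custody events attached to it."""
    item_id: str
    image: bytes
    acquisition_hash: str                       # hash taken at acquisition time
    custody_log: List[dict] = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str,
                 when: Optional[datetime] = None) -> None:
        """Record a hand-over. The hash at hand-over time is stored with the
        entry so any later discrepancy can be pinned to a custody step."""
        when = when or datetime.now(timezone.utc)
        self.custody_log.append({
            "time": when.isoformat(),
            "from": from_person,
            "to": to_person,
            "hash": sha256_hex(self.image),
        })

    def verify(self) -> bool:
        """True only if the image still matches the acquisition hash."""
        return sha256_hex(self.image) == self.acquisition_hash


def acquire(item_id: str, source: bytes) -> Evidence:
    """Take a bit-for-bit copy and hash it before anything else touches it."""
    image = bytes(source)                     # copy; the source is read, never written
    if sha256_hex(image) != sha256_hex(source):
        raise RuntimeError("copy does not match source; acquisition is not sound")
    return Evidence(item_id, image, sha256_hex(image))


def tamper(ev: Evidence) -> Evidence:
    """Simulate someone editing the image after acquisition (attacker or
    careless analyst). Offsets refer to the constructed SOURCE_DEVICE."""
    mutated = bytearray(ev.image)
    mutated[72:80] = b"good.exe"              # overwrite the 'evil.exe' string
    return Evidence(ev.item_id, bytes(mutated), ev.acquisition_hash, list(ev.custody_log))


if __name__ == "__main__":
    ev = acquire("HDD-001", SOURCE_DEVICE)
    ev.transfer("first responder", "evidence locker")
    print(ev.item_id, ev.acquisition_hash)
    print("intact:", ev.verify())             # True
    print("after edit:", tamper(ev).verify()) # False
```

In practice the image is a file produced by an imaging tool, the hash is written into the acquisition report, and analysis is done on a working copy; the original image and its hash are what get handed to law enforcement.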

Sources of Forensic Data in the corporate environment: event logs. Usually the first and most important source of data for a forensic investigation in the corporate environment is the event log. Event logs capture details about events which have taken place. They are generated automatically by various systems, applications and devices (operating systems, e.g. Windows; financial applications; security systems; network devices). There are different types of event logs which capture different kinds of information about the events which have taken place (e.g. error logs, audit logs, debug logs, authentication and access logs). Event logs are a very rich source of forensic data and can help tremendously in understanding what has happened and who did it.

Sources of Forensic Data in the corporate environment: data on storage devices (hard disks, computer memory, etc.). Compromised systems may have evidence of the compromise stored on that system's own storage (hard disks, SAN, NAS, memory, etc.). There may be suspicious files or folders (e.g. new executable programs), missing files or folders, data modified from the expected norms (e.g. changed configuration files), etc.

Sources of Forensic Data in the corporate environment: network traffic and network traffic monitoring data. Monitoring network traffic opens up the possibility of identifying and tracking network attacks and attackers in real time. Most corporate networks are TCP/IP networks. Network traffic flows like little letters in envelopes which must have source and destination addresses stamped on them. Monitoring network traffic can tell you where attacks are coming from and, potentially, who is attacking your network.

Actually catching the bad guy. Scenario: somebody has attacked your corporate Internet website. They have taken control of your server (you got pwned) and have uploaded various programs to it with the intent of using it as a springboard to gain access to the rest of your network. Your security systems have detected the attack and alerted you. You shut down all Internet and internal network access to the compromised server to stop the attack and contain the attacker's activities. You forensically image the server's storage device so that you have a forensically sound replica on which to do the analysis for the purpose of evidence collection. You find evidence of the malicious programs that were uploaded and document it. You review the server's event logs. Your server log files have captured the IP address from which the hacker connected to your server. You are able to block that IP address at your firewall and stop further attacks from that address. You are also able to identify who that IP address is registered to by doing a WHOIS lookup against the Internet address registries (note that this tells you who the address block is registered to, typically an ISP or hosting provider, not the person at the keyboard).
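The log review in the scenario above, and the earlier slide on event logs as the first source of forensic data, as one added worked example (this code is not from the presentation). The access log lines are constructed in the Apache/Nginx "combined" format; the IP addresses, paths, user agents and the assumed upload endpoint and upload directory are invented for the illustration. It picks out the client that uploaded a file and then started executing a script from the upload directory, which is exactly the sequence the scenario describes, and prints the firewall rule that blocks that address.

```python
"""Finding the attacker's source IP in web server access logs.

Added example, not from the presentation. The log lines are constructed
in Apache/Nginx "combined" format; the IP addresses, paths and user agents
are invented for the illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: ordinary browsing from two internal clients, then one
# external client POSTs to the upload handler and immediately starts calling
# a PHP file under the upload directory that did not exist before.
ACCESS_LOG = """\
10.0.0.5 - - [19/Apr/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2015:09:12:03 +0000] "GET /about.html HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.77 - - [19/Apr/2015:09:30:44 +0000] "GET /upload.php HTTP/1.1" 200 900 "-" "python-requests/2.5"
198.51.100.77 - - [19/Apr/2015:09:30:45 +0000] "POST /upload.php HTTP/1.1" 200 41 "-" "python-requests/2.5"
198.51.100.77 - - [19/Apr/2015:09:30:47 +0000] "GET /uploads/c99.php?cmd=id HTTP/1.1" 200 310 "-" "python-requests/2.5"
198.51.100.77 - - [19/Apr/2015:09:31:02 +0000] "GET /uploads/c99.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1870 "-" "python-requests/2.5"
10.0.0.9 - - [19/Apr/2015:09:35:10 +0000] "GET /contact.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

UPLOAD_HANDLER = "/upload.php"      # assumed: the site's upload endpoint
UPLOAD_DIR = "/uploads/"           # assumed: where uploaded files land


def parse(log_text: str) -> List[dict]:
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["raw"] = raw
            records.append(rec)
    return records


def find_upload_source(log_text: str) -> Dict[str, List[str]]:
    """Map each source IP that uploaded a file and then executed a script from
    the upload directory to the log lines that prove it (in order)."""
    evidence: Dict[str, List[str]] = defaultdict(list)
    uploaded = set()                                   # IPs with a successful POST
    for rec in parse(log_text):                        # access logs are in time order
        ok = rec["status"].startswith("2")
        path = rec["path"].split("?", 1)[0]            # drop the query string
        if rec["method"] == "POST" and path == UPLOAD_HANDLER and ok:
            uploaded.add(rec["ip"])
            evidence[rec["ip"]].append(rec["raw"])
        elif rec["ip"] in uploaded and path.startswith(UPLOAD_DIR) and path.endswith(".php"):
            evidence[rec["ip"]].append(rec["raw"])
    return dict(evidence)


def block_rule(ip: str) -> str:
    """The firewall rule the scenario ends with (iptables syntax)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, lines in find_upload_source(ACCESS_LOG).items():
        print(f"attacker IP {ip}: {len(lines)} supporting log lines")
        for line in lines:
            print("  ", line)
        print(block_rule(ip))
```

The WHOIS step is deliberately left out because it needs network access; run it with the whois client against the regional registry. Keep in mind what the anti-forensics slides say later: the address you recover may be a proxy, a Tor exit or somebody else's compromised machine, so it identifies a hop, not necessarily the attacker.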

Actually Catching the Bad Guys. You contact law enforcement, make a report, and turn over the report of your findings as well as your forensically acquired data (maintaining chain of custody). Law enforcement does its own investigation. Law enforcement contacts the registered owner of the IP address (in this case, an Internet Service Provider) and works with the ISP to identify which of its customers was issued that IP address at the time of the attack. The real identity and address of the customer who had that address is identified. Law enforcement obtains the necessary legal authorization to monitor the suspect's Internet activity and works with the ISP to do this.

Actually Catching the Bad Guys. The suspect is observed engaging in suspicious activity similar to the attack which triggered this investigation. Law enforcement raids the suspect's address, arrests him, and confiscates all computer equipment on the premises. Law enforcement conducts its own digital forensic examination of all the seized equipment and finds evidence of connections to the victim's server at the time of the attack (web browser history), hacking tools, and copies of the same malicious programs which were uploaded to the victim's web server in the attack. They have found the smoking gun! The suspect is charged, tried and found guilty, thanks largely to the forensic evidence collected by the victim and law enforcement.

The End Yaaaay!

Enter Anti-Forensics: because nothing in life is ever really that easy. "All warfare is based on deception." - Sun Tzu: The Art of War

Know thy enemy. You cannot fight what you cannot see. If you don't know you've been attacked, you can't investigate. Elite hackers are stealthy. They have techniques for evading security systems such as intrusion detection systems. They leave little evidence of their presence, and they remove whatever evidence does exist after they have done their work. They plant evidence to distract investigators. They have you looking over there when they were really over

Anti-forensics Tradecraft
Use encryption to avoid scrutiny from network intrusion detection systems.
Use obfuscation techniques and encryption to keep anti-malware programs from detecting your malicious code.
Use encryption to hide attack tools and other incriminating evidence on the attacker's own computer systems, so that there is little or no usable evidence available to prosecute them.
Many security systems are signature based: they can only detect what they already know about. Bad guys use polymorphism (shape shifting) to make their malicious programs look different every time they deploy them, so the signature does not match and the security system does not detect them.
Modify event log data. Erase all records of the bad guy's activities on the system. Can you trust the event log data stored on a compromised system?
Hide information (attack tools and programs, stolen data) in plain sight using techniques such as steganography (putting data inside image files) or NTFS alternate data streams, which regular detection methods do not see.
Replace regular system programs and functions with evil versions designed to hide the truth about the state of the system after the bad guy has compromised it, a.k.a. the rootkit.
Anonymize network (Internet) connectivity. Make it so that the IP address the bad guy appears to be connecting from cannot ultimately lead to the revelation of his real identity and location (proxy servers, the Tor network, wardriving for open Wi-Fi hotspots, botnets and compromised end-user computers).
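The polymorphism point above, as an added worked example (this code is not from the presentation and is not real malware). The "payload" is a harmless constructed string standing in for the attacker's code, and the wrapper is a one-byte XOR, the simplest possible polymorphic encoder; real packers are far more elaborate, but the failure mode for a byte-signature engine is the same. The example shows a signature lifted from one variant failing on the next variant of the identical payload, and why a detector that looks past the encoding layer (here, by knowing the encoder and hashing what it unwraps) still catches it.

```python
"""Why a fixed byte signature misses a polymorphic payload.

Added example, not from the presentation. The "payload" is a harmless
constructed string standing in for malicious code, and the wrapper is a
one-byte XOR, the simplest polymorphic encoder; real malware uses far
more elaborate packers, but the failure mode is the same.
"""
import hashlib
import os
from typing import Tuple

# Constructed stand-in for the attacker's real code.
PAYLOAD = b"connect back to 198.51.100.77:4444 and spawn /bin/sh"


def encode(payload: bytes, key: int) -> bytes:
    """Prefix the key byte, then XOR every payload byte with it. Every key
    produces a different sequence of bytes for the same payload."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def decode(blob: bytes) -> bytes:
    """What the attacker's stub does at run time: read the key and unwrap."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def make_variant(payload: bytes) -> bytes:
    """Attacker side: pick a fresh random key for each deployment. Key 0 is
    excluded because it would leave the payload in the clear."""
    key = os.urandom(1)[0] or 1
    return encode(payload, key)


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Naive signature engine: exact byte-substring match."""
    return signature in sample


def decoded_match(sample: bytes, payload_sha256: str) -> bool:
    """Detector that strips the (known) encoding layer before comparing."""
    return hashlib.sha256(decode(sample)).hexdigest() == payload_sha256


def demo() -> Tuple[bool, bool, bool]:
    """(signature hits variant 1, signature hits variant 2, decoded check hits variant 2)."""
    variant1 = encode(PAYLOAD, 0x41)
    signature = variant1[1:17]               # 16 bytes lifted from the first sample seen
    variant2 = encode(PAYLOAD, 0x5A)         # same payload, different key
    payload_hash = hashlib.sha256(PAYLOAD).hexdigest()
    return (
        signature_match(variant1, signature),   # True
        signature_match(variant2, signature),   # False
        decoded_match(variant2, payload_hash),  # True
    )


if __name__ == "__main__":
    print(demo())
    fresh = make_variant(PAYLOAD)            # a new random-key variant
    print(decode(fresh) == PAYLOAD)          # the stub still recovers the payload
```

The decoder-aware check only works because the encoder is known; a real attacker changes the encoder too, which is why products move to emulation and behaviour and why the next slide insists on not relying on one detection method.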

So now what? Accept the fact that it is war, and that there is an arms race. Know the enemy's tactics and plan your defence with those tactics in mind. Implement defence in depth: do not rely on just one method of defence or detection, and do not rely on just one source of data for investigation. Architect your environment to allow for the reliable and convenient practice of sound digital forensic processes.

Examples?
Protect log data. Implement centralized remote logging to a secure log management platform so that if a system is compromised, its log data is safely stored on another system which has not been compromised. Trust in the logs is thus preserved.
Use change detection systems to monitor files and resources on critical systems for unauthorized changes. Some of these systems can gather forensic data from the systems they protect and store it remotely on secure systems, which aids sound forensic investigation.
Monitor networks in real time. Know your network. Understand what normal behaviour looks like so you can identify attacks based on anomalies.
Pull it all together. Look into implementing Security Information and Event Management (SIEM) systems and processes to correlate the various sources of security and event data in your environment, so that you can more readily detect security incidents and investigate them.

The End For real this time. Thank you.