Cyber Analysis Tools:




Transcription:

Cyber Analysis Tools: The State of the Union. August 26, 2014. Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time

Generously sponsored by: #ISSAWebConf

Welcome. Conference Moderator: Matt Mosley, Product Management, Threat Track Security. August 26, 2014. Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time

Agenda
Speaker Introduction
Russ McRee, Director, Threat Intelligence & Engineering, Microsoft Online Services Security & Compliance
Dipto Chakravarty, EVP of Engineering and Products
Jason Sabin, Vice President of Research and Development, DigiCert
Open Panel with Audience Q&A
Closing Remarks

A Toolsmith Take: Knowledge Before Application. Russ McRee, Director, Threat Intelligence and Engineering, Microsoft Online Security & Compliance, @holisticinfosec


Thank you! Russ McRee, @holisticinfosec, russ@holisticinfosec.org

Cyber Forensic Tools. Dipto Chakravarty, EVP of Engineering and Products, dchakravarty@gmp4.hbs.edu

Forensics 101
STEP 1: Preparation. Identifies the purpose and resources.
STEP 2: Acquisition. Pinpoints the sources of evidence.
STEP 3: Analysis. Extracts, collects and analyzes evidence.
STEP 4: Reporting. Documents and presents the evidence.
Cyber Forensics is the practice of analyzing digital information in the form of evidence that is legally admissible. For example, Sony's PlayStation Network experienced a DDoS on August 25, 2014, and will undergo digital and cyber forensics to ensure the safety of its 53 million users' personal information.

Types of Cyber Forensics

Cyber Forensics: Emails
Emails are like footprints in the snow. Deleting an email doesn't mean the records are erased. The work is similar to conventional detective work.
MiTec Viewer: reads Outlook Express and Windows Live Mail, with search and filtering capabilities.
PST-OST Viewer: allows you to view Outlook files without MS Exchange.

Cyber Forensics: Data
Data mirroring is key in cyber forensics. An exact copy is created without alteration.
Live View: creates a VM of a physical disk. Allows us to view the data blocks with a user persona and the full UX.
DumpIt: creates an executable on USB for rapid IR needs.

Cyber Forensics: Disk
Disk imaging in cyber forensics involves recovery of hidden and erased files. An exact copy is created without alteration.
Recuva: free tool. Recovers deleted files from disks as well as SD cards, flash drives and cameras.
EDD: for rapid IR, it is used as an encrypted disk detector. It checks for encrypted volumes and tells which transient evidence needs to be saved.

Cyber Forensics: Registry
Registry forensics is about extracting contextual metadata more than the data or the user.
MuiCache View: views the list in the MuiCache (the Registry key that stores a list of every application installed on the Windows OS).
USBDeview: lists all USBs connected to the computer (now or earlier!). For each USB, it cites device type, serial number, vendor ID, date, etc.

Cyber Forensics: Network
Network forensics is about monitoring traffic, i.e. data in motion, with the intent to collect evidence/samples.
Wireshark: popular tool, with both hackers and law enforcement. Inspects frames, captures packets and displays user data in its own GUI for analysis.
Network Miner: Windows-specific tool to detect open ports of network hosts. Popular tool for network forensics analysis.

Cyber Forensics: Browser
Browser forensics is all about scanning the session trail left behind in the browser cache. Note that almost every browser uses a cache to expedite internet surfing.
MyLastSearch: scans the cache and browser history files looking for searches you've made with popular search engines and social networking sites.
ChromeCacheView: reads the cache folder to display cached files, URLs, access time, file type, etc. Similar tools exist for other browsers.

Cyber Forensics: Apps
Application forensics comprises reading the app-specific log files without knowing the application password.
SkypeLogView: displays details of incoming/outgoing calls, chat messages, and file transfers made by the Skype account.
Y! Messenger Decoder: views the chat sessions, SMS and private messages, including emoticons, without knowing the password. Similar tools exist for other browsers.

General Tools for Forensics Investigation
1. SANS SIFT
2. Linux dd
3. Xplico
4. The Sleuth Kit
5. Hex Editor Neo
6. Oxygen Forensic Suite
http://www.nist.gov/itl/ssd/cs/forensics-tool-testing.cfm

SANS SIFT Investigative Forensic Toolkit

Linux dd: Investigative Uses
Available on almost all Linux OS distributions. Used for multifarious forensic tasks, including:
Forensically wiping a drive:
    dd if=/dev/zero of=/dev/drv1 bs=1024
where if = input file, of = output file, bs = block size in bytes
Creating a raw image of a drive:
    dd if=/dev/drv1 of=/home/diptoc/newimage.dd bs=512 conv=noerror,sync
where bs = block size in bytes, conv = conversion option
Very powerful tool. Handle with care. Old is gold! I've been using dd since 1984
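The two dd commands on this slide, as an added example that is not part of the webinar: a script that acquires an image with the slide's conv=noerror,sync options, verifies it by hash before it is relied on, and runs the zero-wipe on a constructed 64 KiB file that stands in for /dev/drv1 (so no root or spare drive is needed; it assumes dd, wc, tr, cut and sha256sum or shasum are present).

```shell
#!/bin/sh
# Added example, not from the webinar: acquire a raw image with the slide's dd
# options and verify it by hash before relying on it. Assumes dd, wc, tr, cut and
# sha256sum (or shasum); a constructed 64 KiB file stands in for /dev/drv1 so
# the script runs without root or a spare drive.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/drv1.bin"        # constructed sample "drive"
IMG="$WORK/newimage.dd"
DDLOG="$WORK/dd.log"        # keep dd's block counts for the case notes

hash_file() {
    # SHA-256 of a file; portable across coreutils and BSD userlands
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

make_sample_source() {
    # 128 x 512-byte blocks of random data: a whole number of blocks, as a real
    # device is, so conv=sync adds no padding and the two hashes can match
    dd if=/dev/urandom of="$SRC" bs=512 count=128 2>>"$DDLOG"
}

acquire_image() {
    # Slide's raw-imaging command: noerror continues past unreadable blocks,
    # sync pads each short read to bs so every later offset stays aligned
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$DDLOG"
}

verify_image() {
    # Succeeds only when source and image hash identically; records both hashes
    src_hash=$(hash_file "$1"); img_hash=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" >"$WORK/hashes.txt"
    [ "$src_hash" = "$img_hash" ]
}

wipe_target() {
    # Slide's wipe: overwrite with zeros, then confirm no non-zero byte remains.
    # A real device needs no count (dd stops at its end); a file would grow.
    size=$(wc -c <"$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=1024 count=$((size / 1024)) 2>>"$DDLOG"
    [ "$(tr -d '\000' <"$1" | wc -c | tr -d ' ')" -eq 0 ]
}

make_sample_source
acquire_image "$SRC" "$IMG"
verify_image "$SRC" "$IMG" && echo "image verified, hashes in $WORK/hashes.txt"
```

Because conv=sync pads short reads to a full block, an image of a source whose size is not a multiple of bs will be larger than the source and its hash will not match; on a block device that never happens, but it does with files and is worth checking before signing an acquisition form.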

Xplico: Investigative Uses
Open source tool for network forensic analysis. Extracts application data from the network traffic, e.g.:
Live capture of email stream from SMTP traffic
Replay from PCAP files read from Wireshark

Summarizing Cyber Forensics
Assess user activity w.r.t. usage patterns
Analyze data remnants in transient states
Audit logs to unravel stealth data that's encrypted
Assert usage of content and contextual artifacts
Answer the hard stuff:
the known knowns: Facts
the known unknowns: Questions
the unknown knowns: Intuitions
the unknown unknowns: Exploration

Thank You! Dipto Chakravarty. On LinkedIn, Twitter: dipto. On G+, Y!: diptoc. dchakravarty@gmp4.hbs.edu

Types of Forensics
Email Forensics: PST-OST Viewer, MiTec Mail Viewer
Data Forensics: DumpIt, Live View
Disk Forensics: Recuva, Encrypted Disk Detector
Registry Forensics: Proc Monitor, Regshot, USBDeview, MuiCache View
Network Forensics: Wireshark, Network Miner
Internet Forensics: MyLastSearch, Password Fox, ChromeCache View, MozillaCookies View
Application Forensics: SkypeLogView, Y! Messenger Decoder
http://resources.infosecinstitute.com/computer-forensic-tools-laymen/

Thank you! Dipto Chakravarty, dchakravarty@gmp4.hbs.edu, @dipto

SSL Analysis & Tools. Jason Sabin, Vice President of Research & Development, DigiCert

SSL: What can we do better?
51% of enterprises do not know all of the keys and certs on their network*.
About 2 in 3 enterprises still use ciphers vulnerable to BEAST.
Still seeing 1024-bit key sizes or lower.
Only 6% of SSL certificates on the web use SHA-2.
Heartbleed in hardware and statically compiled applications.
Certificate Transparency
* Based on research by Ponemon Institute

Improper implementation
Some high profile stories: Heartbleed; Goto Fail; BEAST, CRIME, BREACH, etc.
Weak cipher suites
Weak algorithms
Weak private keys

Is your network secure? What do most potential exploits have in common? They rely on improper SSL implementation.

SSL best practices
Always-On SSL
Secure Cookies
HSTS (HTTP Strict Transport Security)
Disable Weak Cipher Suites
Secure Renegotiation
Disable TLS Compression
Perfect Forward Secrecy

<SSL Labs screenshot>

Whynopadlock screenshot

Thank You! Jason Sabin, Vice President of Research & Development, jason.sabin@digicert.com, 801-701-9647
SSL Analysis Tools:
https://www.ssllabs.com
https://www.digicert.com/cert-inspector.htm
http://www.whynopadlock.com/

Open Panel with Audience Q&A. Russ McRee, Director, Threat Intelligence and Engineering, Microsoft Online Security & Compliance. Dipto Chakravarty, EVP of Engineering and Products, Threat Track Security. Jason Sabin, Vice President of Research & Development, DigiCert. #ISSAWebConf

Join us on Thursday, Sept. 11, 2014, 12:00 PM - 2:00 PM EDT: ISSA Annual State of the Association Discussion / ISSA 2014 Annual Members Meeting Webinar. Space is limited. Reserve your Webinar seat now at: https://www2.gotomeeting.com/register/622368642

Closing Remarks. Thank you Citrix for donating the Webcast service. #ISSAWebConf

CPE Credit. Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link information: http://www.surveygizmo.com/s3/1778276/issa-web-conference-aug-2014-Cyber-Analysis-Tools-The-State-of-the-Union #ISSAWebConf