EnCase Cybersecurity: a tool for proactive control of corporate IT security 2

  • 1. EnCase Cybersecurity and proactive corporate IT security
    Damir Delija, INSIG2
  • 2. Agenda
    » Security, threats, incidents, tools
    » The Foundation — EnCase Enterprise
    » EnCase Cybersecurity
    » Benefits and Features of EnCase Cybersecurity
  • 3. Worms Remain Top Threat to Enterprise
    » SANS NewsBites Vol. 11 Num. 87: According to Microsoft's Security Intelligence Report, Conficker was the top threat to enterprise computers during the first half of 2009. Worm infections overall doubled between the second half of 2008 and the first half of this year; worms rose from the fifth most prevalent cyber threat to the second most prevalent. Worms are not as big a security concern to home users; the most prevalent cyber security threat in the home environment during the first half of 2009 was miscellaneous Trojans, including rogue security software. The volume of phishing was four times higher in May and June of this year than in the preceding 10 months due to concentrated attacks on social networking sites.
    » cio/security/showArticle.jhtml?articleID=221400323
    » wArticle.jhtml?articleID=221500012&subSection=Attacks/breaches
    » 330e-4457-a52c-5b085dc0a4cd&displaylang=en
  • 4. What are our threats?
    » Others (unknown)
    » Regulatory compliance
    » IP theft (e.g. external consultants)
    » Classified
    » Disgruntled employees
    » Data leakage
    » Human error
    » Client
    » Competitors
    » Fraud
    » Virus outbreaks
    » Inappropriate content
    » Unauthorised software
    » Deliberate attack (hackers)
  • 5. How do we deal with these threats today?
    » Reactively
      • We manually investigate incidents, which is time consuming
      • We employ 3rd party consultancies to collect data for compliance
      • We quarantine computers from the network (disrupting operations)
      • We need multiple tools to investigate and solve problems
      • We have to wait for our AV vendor to supply signatures for new outbreaks
    » Proactively
      • We cannot search the network for IP or other sensitive data
      • We cannot search for unauthorised software or malicious code
      • We cannot forensically remove data or malicious processes
      • We don't have time to investigate disgruntled employees
      • We can't identify potential risks comprehensively
  • 6. What is an incident?
    » What is an incident to you?
      - Virus outbreak?
      - Stolen laptop?
      - Inappropriate usage?
      - Legal requirement for electronic data?
      - Unauthorised software?
      - Inappropriate content?
      - Classified data appearing in the wrong environments?
      - Data leakage?
      - IP theft?
      - Disgruntled employee?
    » How do you respond?
      - Manual processes?
      - Take computers off the network?
      - Suspend employees?
      - External investigative consultancy?
      - Outsource data collection?
      - Press release / PR?
      - Hope and pray?
      - Ignore?
  • 7. Some Analytics (1)
    » Who is behind data breaches?
      - 73% resulted from external sources
      - 18% were caused by insiders
      - 39% implicated business partners
      - 30% involved multiple parties
    » How do breaches occur?
      - 62% were attributed to a significant error
      - 59% resulted from hacking and intrusions
      - 31% incorporated malicious code
      - 22% exploited a vulnerability
      - 15% were due to physical threats
    Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10th June 2008
  • 8. Some Analytics (2)
    » What commonalities exist?
      - 66% involved data the victim did not know was on the system
      - 75% of breaches were not discovered by the victim
      - 83% of attacks were not highly difficult
      - 85% of breaches were the result of opportunistic attacks
      - 87% were considered avoidable through reasonable controls
    Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10th June 2008
  • 9. Some Analytics (3)
    » Nine out of 10 data breach incidents involved one of the following:
      • A system unknown to the organization (or business group affected)
      • A system storing data that the organization did not know existed on that system
      • A system that had unknown network connections or accessibility
      • A system that had unknown accounts or privileges
    Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10th June 2008
  • 10. Sample of 2009 Data Breaches
    » CheckFree Corp, January 6: 160,000 - 5,000,000 credit card records exposed to a web site hosted in the Ukraine
    » Heartland Payment Systems, January 20: 100M transactions/month for several months routed by malicious software
    » Federal Aviation Administration, February 9: 48,000 records of employee information compromised
    » US Army, March 12: PII of 1,600 soldiers potentially breached
    » University of California, Berkeley, May 7: PII of 160,000 students and alumni (including SSNs and medical records) compromised in hack
    » Aviva, June 3: Account information of 550 customers compromised by malware
  • 11. EnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations
    "We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software's solution addresses virtually every aspect of information security and eDiscovery."
    Litigation Counsel, Dell
  • 12. EnCase Enterprise and EnCase Cybersecurity
    » EnCase Enterprise
      › Reactive investigations
        ~ HR matters
        ~ Fraud
        ~ Network breaches
      › Manual processes
      › "We need to be able to investigate internal matters"
    » EnCase Cybersecurity
      › Proactive security auditing and system recovery
      › Automated processes tailored to the challenge
      › "We need to protect our IP"
      › "We need technology that can keep up with emerging threats"
      › "We need to take a more proactive stance in regards to information security"
  • 13. (image slide, no text)
  • 14. EnCase Enterprise – basic elements
    » SAFE
      › central communication/authorisation
    » Examiner station(s)
      › workstation for forensic actions (automated or by hand)
    » Servlet(s)
      › remote agent
    » Snapshots and connections
    » Scripts and tools integration
  • 15. EnCase Enterprise vs. EnCase Cybersecurity – High Level Overview
    (only the EnCase Cybersecurity column survived extraction)

    Capability                                              EnCase Cybersecurity
    ------------------------------------------------------  --------------------
    Multiple Machine Analysis                               Automated
    Machine Tracking                                        Automated
    Preservation of Files                                   Automated
    Search Status & Interrupted Search Recovery             Automated
    Static Message File Processing                          Automated
    Network Shares & SharePoint Search                      Automated
    Live Messaging Servers Collection                       Automated
    Master Database for Tracking and Reporting              Automated
    Processing: Secondary Culling and De-duplication        No
    Processing: Attorney Review Platform Load File Creation No
    Pre-Collection File Sampling                            Included
  • 16. The Problems to Solve
    » Difficulty of identifying and recovering from polymorphic threats
      › i.e. Conficker
    » Undiscovered threats to the network
      › Heartland breach cost Heartland $12.9 million…so far (100 million records)
      › TJX settled for $9.75 million (50 million records)
      › Organizations can experience millions of events/day
        ~ Most just harmless probes, however…
    » Inability to efficiently analyze and address risk presented by sensitive data
      › Customer records
        ~ SSNs etc.
      › Intellectual property
        ~ Source code
        ~ Schematics etc.
  • 17. The Pain — Heartland Payment Systems
    » In February of this year, it was made public that Heartland experienced a breach that exposed a record-setting 100 million credit card accounts.
    » Heartland was certified PCI compliant at the time
    » The malware responsible had been present on their network since November of last year, the investigation has learned.
    » So far, has cost Heartland $12.5 million
    » MasterCard imposing additional fine of
  • 18. The Pain — Polymorphic Malware
    » Malware that changes each time it replicates
      › Evades any attempt at signature-based detection
        ~ Changes encryption key
        ~ Repacking
        ~ Random elements built into code, such as using a random registry key each time it drops
    » Conficker — polymorphic worm
    » Swizzor — polymorphic adware
    » Stration — up to 300 variations a day
  • 19. Common IT Security Challenges
    » Proactively identifying and addressing undiscovered threats
      › Determining the threat level and purpose of unknown files or running processes
      › Identifying and recovering from polymorphic malware (e.g., Conficker)
        ~ Signature-based detection tools are insufficient when faced with code that morphs to evade detection
      › Quickly triaging and containing an identified threat
    » Locating and rapidly responding to data leakage (PII, IP, etc.)
      › Compliance with data protection and breach notification laws
  • 20. EnCase® Cybersecurity
    » Identify undiscovered threats: patent-pending technology gives IT Security the advantage against new threats:
      › Polymorphic malware
      › Packed files
      › Other advanced hacking techniques
    » Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information
    » Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry
    » Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud, HR matters and data breaches
    » For information security personnel and response teams whose task is to protect sensitive information and proactively identify and respond to network threats 24/7
    » Identify, analyze, triage, respond to and recover from internal and external threats to the network, ensure endpoints remain in a trusted state and protect/secure sensitive information
  • 21. EnCase Cybersecurity Employs a Comprehensive Approach to Risk Management
    (diagram; labels recovered from the slide)
    » Endpoint Security: covert malware identification & recovery
    » Data Discovery & Protection: risk assessment; targeted search & remediation
    » Digital Investigations: breach investigations; fraud investigations; malware investigations; etc.
  • 22. EnCase® Cybersecurity Values
    » Identify and recover from polymorphic and metamorphic malware
    » Proactively identify and recover from undiscovered threats
      › Determine threat level of endpoints
      › Analyze process code
      › Remediate registry entries, files, processes
    » Proactively audit for sensitive data and recover from data spillage
    » Triage incidents across worldwide networks
    » Combat insider threats
    » Maintain endpoints in a trusted state
    » Ensure IAVA compliance
  • 23. Benefits & Features

    BENEFIT                                                        FEATURE
    -------------------------------------------------------------  ---------------------------------------------------
    Proactively identify and recover from covert threats           Network threat level analysis, memory analysis
    Find similar files over the network                            Patent-pending bit transition analysis method
    Proactively identify and recover from data leakage             Targeted search and remediation
    Ensure endpoints remain in a trusted state                     Hash database comparison, system profiling
    Accurately triage an incident anywhere in the world            Network-enabled, security protocols
    from a central location
    Combat insider threat by proactively identifying and           Log file analysis, Snapshot, core EE functionality
    investigating suspicious activity
    View all data on a hard drive, even what the OS cannot see     Operates at the kernel level, sees what the OS cannot
    Determine the extent of data breaches                          Log file analysis, memory analysis, core functionality
  • 24. EnCase Cybersecurity Components
    » Data Audit & Policy Enforcement
    » System Profiling & Analysis
    » Attribution Set Manager
    » EnCase Code Analyzer
    » EnCase Bit9 Analyzer
    » Configuration Assessment
    » Source Processor
  • 25. Data Audit
    » Organizations have a need to perform full network audits for sensitive information for the following purposes…
      › Risk assessment and mitigation
      › IP/PII theft prevention
      › Data spillage
      › Compliance with laws mandating the security of PII
      › Regulatory requirements
    » Payment Card Industry Data Security Standard
    » Records retention enforcement
  • 26. Data Audit Key Benefits
    » Reduce the threat and risk of data loss from the endpoints by identifying sensitive information and removing it from unauthorized locations across the enterprise…
    » Reduce the cost of eDiscovery and electronic storage with the ability to enforce records retention policies
    » Understand where sensitive data is located across the enterprise in order to more effectively design compliance initiatives
  • 27. Case Study: Global 100 Entertainment Software Company, EnCase Cybersecurity
    » Situation
      › Global 100 computer entertainment company suspected IP leakage across the network
      › Need to search global network spanning 91 countries
      › Goal was to identify source, all instances of leaked IP, identify the trail to external sites, preserve evidence, and remediate
      › Process required significant stealth so as to not alert employees
    » Solution
      › EnCase Data Audit & Policy Enforcement implemented in 24 hours at a central site
      › EnCase identified the suspect had access to numerous other workstations & servers across the network
      › Audit performed overnight on all endpoints, including a 4 terabyte server, to find files
      › v1.0 version of video game identified in several locations and matched version leaked to public sites
    » Results
      › Targeted audit of over 50 devices in one day including laptops, desktops, servers, email accounts, USBs and internet histories
      › Zero disruption to the business
      › Entire investigation took 2 weeks from start to finish with significant cost savings vs. outsource options
      › EnCase Data Audit deployed as part of a standard IP & HR audit process company-wide
    "The non-disruptive element of EnCase minimized the financial, commercial and operational impact of the leaked IP and accelerated the successful resolution of this incident."
    CEO & President - European Operations, Global Entertainment Software Co.
  • 28. System Profiling & Analysis
    » Drivers
      › Challenge of controlling what software is on company computers
    » Use
      › Compare network endpoints to a trusted build of hashes
    » Value/Use
      › Ensure employees are not running unapproved/harmful software
        ~ File sharing software
        ~ Unapproved communication clients
        ~ Vulnerable software
      › Help triage for malware by exposing unknown files
      › Do not need to visit each node to return it to a trusted state
  • 29. Keeping Up
    » Technical challenges:
      › High profile attacks - good vectors need concealment
      › Malware becoming more sophisticated, landscape changes
      › We're not looking for a single file; many artifacts are dropped
      › Designed to evade detection
      › Designed to persist despite defensive techniques
      › We're trying to find the needle in the haystack
      › No magic pill to take or silver bullet to shoot
  • 30. Use Cases for Attribution Set Manager
    » Polymorphic and metamorphic malware identification
      › Rely on commonalities to morph/adapt
    » Other types of undiscovered malware
    » "Packed" file detection
    » Data auditing
      › Intellectual property
      › Embedded files
    » Attribution
  • 31. Polymorphic and Metamorphic Malware Defined
    » Polymorphic (adj.) - Literally meaning having more than one form. Able to have several shapes or forms. Polymorphic code (e.g., malware) can exist in a number of "physical" forms, each outwardly different yet retaining all of the original/intended functionality. The changes are notably spontaneous and follow no discernible pattern while still functioning exactly as they did in the original or previous form(s).
    » Metamorphic (adj.) – Having been changed from one form to another by the application of an external force – as in metamorphic rocks: a rock that has been changed from its original form by subjection to heat and/or pressure. In contrast to polymorphic code, metamorphic code needs to have some external impetus in order to change its form. This could be a conscious (manual) change to the code, a date or time triggered event, movement from one operating system to another, etc. These changes
  • 32. Current Methods for Finding Polymorphic Malware
    » Hashing
      › MD5/SHA formats
      › Context Triggered Piecewise Hashing (i.e., rolling hash)
        ~ "Fuzzy hashing"
        ~ Easy to fool
    » Signature-based detection
      › Relies on hashes or other code fragments
      › Computationally expensive, takes time
    » Deep packet inspection
      › Indexing DOESN'T scale to enterprise
    Code mutation used to change malware attributes makes identification difficult
  • 33. How is the Use of Entropy Superior?
    » Speed
      › No pre-processing or "pre-hashing" required
      › Can compute thousands of entropy values in minutes
    » Accuracy
      › Based on comparing smaller units against each other
        ~ Byte transitions versus "logical sections"
        ~ Foreign languages
        ~ Not just limited to text
    » Network-enabled
      › Other methods require source and target repository to be stored locally
  • 34. Using Entropy
    » What is it?
      › Entropy is "randomness"
      › Entropy expressed as a value of 1-8 (i.e., 4.59087346598796)
      › Like file types have the same entropy value
        ~ Compressed/packed files have high (i.e., +7.0) entropy
        ~ Binary files are very structured, similar entropy
  • 35. EnCase Cybersecurity Combats Polymorphic Malware
    (screenshot) Listed below are six iterations of the same malware: signature-based detection (top six) doesn't help, but EnCase Cybersecurity shows the most similar binaries (bottom section) for a computer or network
  • 36. Using Entropy for Intellectual Property
    » All are derivatives of the Declaration of Independence
      › Hashes all different, entropy values real close
      › Use entropy threshold to mine likeness; not percentage

    Source                                                          Match   Tolerance  Files
    --------------------------------------------------------------  ------  ---------  -------------------------------
    Declaration_of_Independence.doc                                 Single  0          Declaration_of_Independence.doc
    Declaration_of_Independence_new_pasted.doc                      Single  0.00431    Declaration_of_Independence.doc
    Declaration_of_Independence_new_pasted_three_quarters_file.doc  Single  0.222825   Declaration_of_Independence.doc
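The entropy comparison on slides 32 to 36 (hashes differ on every edited copy, entropy stays within a small tolerance, packed data sits near 8) can be reproduced with plain Shannon entropy. The following is an added example written for this page, not EnCase code and not the vendor's patented bit-transition method, which is not public; it assumes entropy is measured in bits per byte over single byte values, uses the public-domain opening sentence of the Declaration of Independence repeated to document size, and stands in a deterministic SHA-256 byte stream for a packed file. Generalising slightly beyond the slide, it also scores a packed blob so the "+7.0" rule of thumb can be seen alongside the text documents.

```python
"""Entropy-based similarity triage (added example; not EnCase code).

Assumptions: Shannon entropy over byte values, in bits per byte (0 to 8);
a threshold on the entropy delta selects "like" files, as on the slide.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, approaching 8.0 for random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def find_similar(source: bytes, candidates: dict, tolerance: float) -> list:
    """Names of candidates whose entropy lies within `tolerance` of the source,
    with the delta, sorted by closeness (the slide's Source/Match/Tolerance view)."""
    src_e = shannon_entropy(source)
    hits = []
    for name, data in candidates.items():
        delta = abs(shannon_entropy(data) - src_e)
        if delta <= tolerance:
            hits.append((name, round(delta, 5)))
    return sorted(hits, key=lambda t: t[1])


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for a packed/encrypted blob (constructed, not a real sample)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Opening sentence of the Declaration of Independence (public domain), repeated
# so the sample has document-like size; the "pasted" copy has text appended.
PARAGRAPH = (b"When in the course of human events it becomes necessary for one "
             b"people to dissolve the political bands which have connected them "
             b"with another, a decent respect to the opinions of mankind requires "
             b"that they should declare the causes which impel them to the separation. ")
ORIGINAL = PARAGRAPH * 20
PASTED = ORIGINAL + b"Pasted into a new document on another workstation (constructed edit). "
PACKED = pseudo_random_bytes(len(ORIGINAL))

# Constructed corpus: names echo the slide, contents are the samples above.
CORPUS = {
    "Declaration_of_Independence.doc": ORIGINAL,
    "Declaration_of_Independence_new_pasted.doc": PASTED,
    "random_packed.bin": PACKED,
}


def triage_report(tolerance: float = 0.25) -> dict:
    """Hashes differ for the edited copy, yet it still matches by entropy;
    the packed blob is far above any text document and is not matched."""
    return {
        "hashes_differ": md5_hex(ORIGINAL) != md5_hex(PASTED),
        "entropy_original": round(shannon_entropy(ORIGINAL), 4),
        "entropy_pasted": round(shannon_entropy(PASTED), 4),
        "entropy_packed": round(shannon_entropy(PACKED), 4),
        "matches": [name for name, _ in find_similar(ORIGINAL, CORPUS, tolerance)],
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

The tolerance is the whole control here: at 0 only the byte-identical file matches, a small tolerance admits the edited copy, and a text document will never come within range of a packed or encrypted blob, which is why the slide recommends a threshold rather than a percentage.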
  • 37. EnCase Code Analyzer
    » Powered by HBGary Responder Professional integration
      › Threat Analyzer
        ~ Canned & user-defined threat criteria - i.e. processes that can change registry entries
        ~ Returns 0 (no threat) to 100 (severe threat) based on the total of all identified matches to threat criteria among processes
        ~ Very fast execution
        ~ High level "gut check"
      › Memory Analyzer
        ~ Code and behavioral analysis of running RAM or a single process
        ~ Provides intelligence on how any given process "does its thing"
        ~ Can determine if a piece of malware is polymorphic, if it can transfer files, etc.
  • 38. EnCase Bit9 Analyzer
    » Powered via integration with Bit9 Global Software Registry
      › 6 billion records
        ~ Known good and bad files, processes and applications
      › Grows at a rate of 20 million files every day
      › Screen out known to find unknown
      › Scan for known malware
      › Scan for out-of-date or unapproved executables
    » Adds value to every component of EnCase Cybersecurity
  • 39. Configuration Assessment
    » DoD-specific EnScript
      › Used to audit against the DISA STIG XML database
        ~ DoD-mandated configuration settings
  • 40. EnCase Source Processor
    » Collection of time-saving utilities that comes with every order, launched from an easy-to-use interface for common tasks
      › Used only to analyze & report; no file collection
      - EXIF Viewer*
      - Personal Information Inquiry
      - Extension Report Module*
      - Protected File Finder*
      - Snapshot Module
      - Link File Parser*
      - Scan Registry*
      - Linux Initialize Case*
      - Recycle Bin Info Finder*
      - Linux Syslog Parser*
      - Windows Event Log Parser
      - Linux Event Log Parser
      - Mac Initialize Case Module*
      - Windows Initialize Case*
      - WTMP-UTMP Log File Parser
    *Available in second release of EnCase Cybersecurity
  • 41. The whole is much more powerful than the individual parts
    » Scan suspect machines using the Threat Analyzer module of EnCase Code Analyzer
    » Utilize System Profiling & Analysis and EnCase Bit9 Analyzer to exclude all known good files & processes (and identify any known bad) from a machine with a severe threat
    » Capture an identified unknown process with EnCase Code Analyzer, using the Memory Analyzer module to perform code and behavioral analysis of the unknown process
    » After determining an unknown process has the ability to morph, utilize Attribution Set Manager to identify like binaries on the network
    » Once all iterations of the polymorphic malware are identified, utilize Data Audit & Policy Enforcement and core functionality to remediate associated files, processes and
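The first two steps of the workflow on slide 41, together with the trusted-build comparison on slide 28 and the "screen out known to find unknown" idea on slide 38, can be shown as one hash-screening and scoring routine. This is an added example for this page, not EnCase, HBGary or Bit9 code: endpoints are constructed path-to-bytes maps, the trusted build and known-bad list are SHA-256 sets built inline, and the 0-100 threat score is a constructed weighted sum of four hypothetical criteria (`writes_run_key`, `unsigned`, `listens`, `injects`) standing in for the vendor's undisclosed criteria set.

```python
"""Trusted-build profiling and triage of unknown processes (added example;
not EnCase, Bit9 or HBGary code).  Criteria and weights are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents (not real binaries).
GOOD_NOTEPAD = b"MZ...notepad (constructed)"
GOOD_SVCHOST = b"MZ...svchost (constructed)"
BAD_DROPPER = b"MZ...dropper (constructed)"
UNKNOWN_TOOL = b"MZ...unsigned tool (constructed)"

# The "trusted build" is the hash set of an approved image; "known bad" is a
# stand-in for a malware hash feed.  Both are hashes, so no file is shipped.
TRUSTED_BUILD = {sha256_hex(GOOD_NOTEPAD), sha256_hex(GOOD_SVCHOST)}
KNOWN_BAD = {sha256_hex(BAD_DROPPER)}

# Constructed endpoint snapshots: path -> file bytes, as an agent might collect.
ENDPOINTS = {
    "ws-017": {
        r"C:\Windows\notepad.exe": GOOD_NOTEPAD,
        r"C:\Windows\System32\svchost.exe": GOOD_SVCHOST,
        r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe": BAD_DROPPER,
    },
    "ws-042": {
        r"C:\Windows\notepad.exe": GOOD_NOTEPAD,
        r"C:\ProgramData\tool.exe": UNKNOWN_TOOL,
    },
}

# Constructed per-process observations, the kind a memory/behaviour scan reports.
PROCESS_FACTS = {
    "ws-017": [
        {"image": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe",
         "writes_run_key": True, "unsigned": True, "listens": True, "injects": True},
        {"image": r"C:\Windows\System32\svchost.exe",
         "writes_run_key": False, "unsigned": False, "listens": True, "injects": False},
    ],
    "ws-042": [
        {"image": r"C:\ProgramData\tool.exe",
         "writes_run_key": True, "unsigned": True, "listens": False, "injects": False},
    ],
}

# Constructed criteria weights; the total is clamped to the slide's 0..100 range.
CRITERIA = {"writes_run_key": 30, "unsigned": 20, "listens": 15, "injects": 45}


def profile_endpoint(files: dict) -> dict:
    """Screen out known-good, flag known-bad, leave the rest as unknown for triage."""
    report = {"known_good": [], "known_bad": [], "unknown": []}
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in KNOWN_BAD:
            report["known_bad"].append(path)
        elif digest in TRUSTED_BUILD:
            report["known_good"].append(path)
        else:
            report["unknown"].append(path)
    return report


def threat_score(facts: dict) -> int:
    """0 = no criteria matched, 100 = severe; matched weights are summed and clamped."""
    return min(100, sum(weight for key, weight in CRITERIA.items() if facts.get(key)))


def triage(endpoint: str) -> dict:
    """Profile one endpoint, score its processes, and list those that are not part
    of the trusted build, highest score first."""
    profile = profile_endpoint(ENDPOINTS[endpoint])
    scores = {p["image"]: threat_score(p) for p in PROCESS_FACTS.get(endpoint, [])}
    needs_review = sorted(
        (image for image in scores if image not in profile["known_good"]),
        key=lambda image: -scores[image],
    )
    return {"profile": profile, "scores": scores, "needs_review": needs_review}


if __name__ == "__main__":
    for host in ENDPOINTS:
        print(host, triage(host))
```

Checking the known-bad set before the trusted build means a hash present in both lists is reported as bad, which is the safer default; and because the score is computed only for processes outside the trusted build, a legitimate service that happens to listen on a port (svchost above) never reaches the review queue.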
  • 42. Key Differentiators
    » Single solution, many applications
    » Threat and memory analytics
    » Leverages world's largest hash database
    » Patented "Entropy Analysis" method
    » Certifications (Federal space)
      › DIACAP
      › FIPS 140-2
      › Common Criteria EAL-2
    » Optimized distributed search
    » Forensic backbone ensures activity remains transparent
    » Does not rely on active monitoring or AV signatures
    » Remediation
  • 43. Questions?