              Computer Forensic and Automated IR

                               Damir Delija
                               Dr.Sc.E.E
Presentation plan

-   Introduction to computer forensics and incident response
      •   what it is
      •   legal and organisational issues
-   EnCase approach
      •   architecture, tools, methods
      •   approach to forensics and incident response
      •   how it is done
Computer Forensic – a Definition

-   A practical definition:
-   “Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence (Judd Robbins).”
Legal Definition of Forensics

-   Daubert/Frye: The most important decisions governing the use of scientific evidence in court are those of Daubert (Federal) / Frye (California).
-   There are four primary factors according to Daubert/Frye that should be considered before ruling on the admissibility of scientific evidence:
      •   Whether the theory or technique has been reliably tested;
      •   Whether the theory or technique has been subjected to peer review and publication;
      •   What is the known or potential rate of error of the method used;
      •   Whether the theory or method has been generally accepted by the scientific community.
Role of the EnCase suite

-   EnCase Suite - Guidance Software, www.guidancesoftware.com
-   Central point in system security; the other usual security-related tools are subordinates (feeds and actuators)
-   Acts as a standalone or as an enterprise-wide tool
-   It is supposed to react to incidents or to control the system, both in the same sound digital forensic way
-   The examiner workstation is a workplace for the incident responder, examiner, auditor and controller, all working in the same consistent, legally acceptable manner
-   Predefined roles, ranges, users and events
-   Uses other parts of the incident response infrastructure such as the ticketing system, help desk, IPS, IDS, etc.
What are our threats?

Threats around the client (slide diagram):
-   Others (Unknown)
-   Regulatory compliance
-   IP theft (e.g. external consultant)
-   Classified data
-   Data leakage
-   Disgruntled employees
-   Human error
-   Competitors
-   Fraud
-   Virus outbreaks
-   Inappropriate content
-   Unauthorised software
-   Deliberate attack (hackers)
Integrating Forensic into IR

What is an incident to you?
-   Virus outbreak?
-   Stolen laptop?
-   Inappropriate usage?
-   Legal requirement for electronic data?
-   Unauthorised software?
-   Inappropriate content?
-   Classified data appearing in the wrong environments?
-   Data leakage?
-   IP theft?
-   Disgruntled employee?

How do you respond?
-   Manual processes?
-   Take computers off the network?
-   Suspend employees?
-   External investigative consultancy?
-   Outsource data collection?
-   Press release / PR?
-   Hope and pray?
-   Ignore?
Latest analytics (1)

Who is behind data breaches?
-   73% resulted from external sources
-   18% were caused by insiders
-   39% implicated business partners
-   30% involved multiple parties

How do breaches occur?
-   62% were attributed to a significant error
-   59% resulted from hacking and intrusions
-   31% incorporated malicious code
-   22% exploited a vulnerability
-   15% were due to physical threats

Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business Risk Team, 10th June 2008

Latest analytics (2)

What commonalities exist?
-   66% involved data the victim did not know was on the system
-   75% of breaches were not discovered by the victim
-   83% of attacks were not highly difficult
-   85% of breaches were the result of opportunistic attacks
-   87% were considered avoidable through reasonable controls

Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business Risk Team, 10th June 2008

Latest analytics (3)

Nine out of 10 data breach incidents involved one of the following:
      •   A system unknown to the organization (or business group affected)
      •   A system storing data that the organization did not know existed on that system
      •   A system that had unknown network connections or accessibility
      •   A system that had unknown accounts or privileges

Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business Risk Team, 10th June 2008
How do we deal with these threats today?

Reactively
-   We manually investigate incidents, which is time consuming
-   We employ 3rd party consultancies to collect data for compliance
-   We quarantine computers from the network (disrupting operations)
-   We need multiple tools to investigate and solve problems
-   We have to wait for our AV vendor to supply signatures for new outbreaks

Proactively
-   We cannot search the network for IP or other sensitive data
-   We cannot search for unauthorised software or malicious code
-   We cannot forensically remove data or malicious processes
-   We don’t have time to investigate disgruntled employees
-   We can’t identify potential risks comprehensively
Implement Incident Response infrastructure

-   Implement EnCase Enterprise as the core
      •   define additional functionalities and plugins for EnCase
      •   training, testing, support, etc.
-   Integrate it with other tools
      •   IDS, IPS, network management, physical security, system administration, etc.
      •   Help Desk system, trouble ticketing system
-   Develop a lifecycle for an efficient Incident Response System
      •   policies, controls, reports, tests, etc.
      •   keep the IR system proactive, healthy and efficient
Anti-Forensics

Anti-forensics is any and all actions taken by an unauthorized intruder to conceal evidence
      •   securely deleting critical log files is considered an anti-forensic technique
-   use of anti-forensics was discovered in 39% of cases
-   this will be a trend to watch over the next years

Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business Risk Team
Incident Response Recommendations

-   Align process with policy
-   Achieve “essential” then worry about “excellent”
-   Secure business partner connections
-   Create a data retention plan
-   Control data with transaction zones
-   Monitor event logs
-   Create an incident response plan
-   Increase awareness
-   Engage in mock incident testing
IT security dependencies

-   IT security depends on core competencies:
      •   People - a skill and knowledge problem
      •   Process - there are standards and best practices
      •   Technologies - control of usage and functions
-   This can be achieved by
      •   developing an enterprise investigative infrastructure
      •   using forensic technologies as a core part of IR
EnCase Enterprise (EE) Platform

Key capabilities
-   Covertly investigate across the network on live machines
-   Bit-level analysis able to uncover deleted and hidden data
-   Also able to analyse volatile data in RAM
-   Sweep the enterprise for hacker code like key loggers and root kits
-   Court validated as forensically sound
-   Role-based access control and encrypted data flow

Business benefits
-   Respond to HR/IT requests much faster
-   Conduct many more investigations with the same resources
-   Rules employees in or out of investigations covertly
-   Collects court-validated evidence of wrongdoing
EnCase Incident Response

Key capabilities
-   Can integrate directly with IDS and SIM solutions
-   Automatically collects volatile data at the point of attack or infection
-   Threat can be killed immediately on the target machine
-   Scan and kill threat across the entire network very quickly

Business benefits
-   Acts on intelligence provided by the SIM
-   Guarantees collection of intelligence 24x7x365
-   Removes the threat from the entire estate without disrupting operations
-   Helps enhance defences by offering real actionable intelligence
-   Drives the true value out of IDS and SIM solutions
-   An effective way to counter “Day Zero” attacks!
Case Review IR

A professional malicious attacker tries to penetrate your network and you have netForensics deployed.
-   The SIM (netForensics) and other perimeter defence products throw up high-priority alerts
-   Alert passed on to EnCase Enterprise
-   Automatic snapshot of the target machine retrieved (all processes running in RAM of the target)
-   Your SIRT team analyses the snapshot results to determine malicious processes
-   Process can be killed remotely and forensically wiped on the target node
-   Malicious/rogue process hashed and an enterprise sweep carried out to determine the extent of the breach. Can be remotely wiped on all “infected” nodes to clean the network
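The last two steps of the case review, hashing the rogue process and sweeping every node for the same image, as an added illustration that is not EnCase code or part of the original deck. The snapshots, host names, process images and hashes below are constructed sample data; the point it shows is that a sweep keyed on the image hash finds a renamed copy on another host and does not flag a legitimate binary that merely shares the rogue process's file name.

```python
"""Hash-based enterprise sweep after a malicious process has been identified.

Constructed example: each host snapshot is a list of running processes with
the bytes of their executable image. The analyst marks one process on the
alerting host as rogue, its image is hashed, and every other snapshot is
swept for the same hash regardless of file name or path.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    pid: int
    name: str
    path: str
    image: bytes  # executable image bytes captured together with the snapshot


def image_hash(record: ProcessRecord) -> str:
    """SHA-256 of the process image: identity by content, not by name."""
    return hashlib.sha256(record.image).hexdigest()


# Constructed placeholder images (not real binaries).
LEGIT_SVCHOST = b"MZ legitimate svchost image (constructed)"
LEGIT_EXPLORER = b"MZ legitimate explorer image (constructed)"
ROGUE_IMAGE = b"MZ rogue keylogger image (constructed)"

# Constructed snapshots, one per host, as the snapshot step would return them.
SNAPSHOTS = {
    "ws-alert": [
        ProcessRecord("ws-alert", 612, "svchost.exe", r"C:\Windows\System32\svchost.exe", LEGIT_SVCHOST),
        ProcessRecord("ws-alert", 4180, "svchost.exe", r"C:\Users\Public\svchost.exe", ROGUE_IMAGE),
        ProcessRecord("ws-alert", 2210, "explorer.exe", r"C:\Windows\explorer.exe", LEGIT_EXPLORER),
    ],
    "ws-02": [
        ProcessRecord("ws-02", 640, "svchost.exe", r"C:\Windows\System32\svchost.exe", LEGIT_SVCHOST),
        # Same rogue image, renamed: a name-based search would miss it.
        ProcessRecord("ws-02", 3320, "updater.exe", r"C:\ProgramData\updater.exe", ROGUE_IMAGE),
    ],
    "ws-03": [
        ProcessRecord("ws-03", 628, "svchost.exe", r"C:\Windows\System32\svchost.exe", LEGIT_SVCHOST),
        ProcessRecord("ws-03", 2004, "explorer.exe", r"C:\Windows\explorer.exe", LEGIT_EXPLORER),
    ],
}


def rogue_hashes(snapshot, suspect_pids):
    """Hash the processes the SIRT analyst marked as malicious on the alerting host."""
    return {image_hash(p) for p in snapshot if p.pid in suspect_pids}


def sweep(snapshots, hashes):
    """Return {host: [matching processes]} for every host running a rogue image."""
    hits = {}
    for host, procs in snapshots.items():
        matches = [p for p in procs if image_hash(p) in hashes]
        if matches:
            hits[host] = matches
    return hits


def sweep_by_name(snapshots, names):
    """Name-based sweep, for comparison: misses renamed copies and flags legitimate files."""
    hits = {}
    for host, procs in snapshots.items():
        matches = [p for p in procs if p.name in names]
        if matches:
            hits[host] = matches
    return hits


if __name__ == "__main__":
    wanted = rogue_hashes(SNAPSHOTS["ws-alert"], {4180})
    for host, procs in sweep(SNAPSHOTS, wanted).items():
        for p in procs:
            print(f"{host}: pid {p.pid} {p.path} sha256={image_hash(p)[:16]}...")
```

The returned host list is the extent of the breach; the same hash set is what the wipe step on the infected nodes would be keyed on.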
Kill Malicious Process – options

-   Choice of deleting the process file, or deleting and wiping it from the hard drive
Global Market Leaders across industries rely on Guidance Software
Questions

damir.delija@insig2.hr
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...EADTU
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group:Reusable Code ExamplesSPLICE Working Group:Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesPeter Brusilovsky
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptxMichaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptxRugvedSathawane
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxCeline George
 

Recently uploaded (20)

How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Personalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes GuàrdiaPersonalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes Guàrdia
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
Including Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdfIncluding Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdf
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Model Attribute _rec_name in the Odoo 17
Model Attribute _rec_name in the Odoo 17Model Attribute _rec_name in the Odoo 17
Model Attribute _rec_name in the Odoo 17
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group:Reusable Code ExamplesSPLICE Working Group:Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptxMichaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 

Computer forensics and automated response to network incidents

5. Role of the EnCase suite
- EnCase Suite - Guidance Software, www.guidancesoftware.com
- Central point in system security; the other usual security-related tools are subordinates (feeds and actuators)
- Acts as a standalone or as an enterprise-wide tool
- It is supposed to react to incidents or to control the system, both in the same sound digital forensic way
- The examiner workstation is the workplace for the incident responder, examiner, auditor and controller, all working in the same consistent, legally acceptable manner
- Predefined roles, ranges, users and events
- Uses other parts of the incident response infrastructure: ticketing system, help desk, IPS, IDS, etc.

6. What are our threats?
- Others (unknown)
- Regulatory compliance
- IP theft (e.g. external consultant)
- Classified data
- Disgruntled employees
- Data leakage
- Human error
- Client
- Competitors
- Fraud
- Virus outbreaks
- Inappropriate content
- Unauthorised software
- Deliberate attack (hackers)

7. Integrating Forensic into IR
What is an incident to you?
- Virus outbreak?
- Stolen laptop?
- Inappropriate usage?
- Legal requirement for electronic data?
- Unauthorised software?
- Inappropriate content?
- Classified data appearing in the wrong environments?
- Data leakage?
- IP theft?
- Disgruntled employee?
How do you respond?
- Manual processes?
- Take computers off the network?
- Suspend employees?
- External investigative consultancy?
- Outsource data collection?
- Press release / PR?
- Hope and pray?
- Ignore?

8. Latest analytics (1)
Who is behind data breaches?
- 73% resulted from external sources
- 18% were caused by insiders
- 39% implicated business partners
- 30% involved multiple parties
How do breaches occur?
- 62% were attributed to a significant error
- 59% resulted from hacking and intrusions
- 31% incorporated malicious code
- 22% exploited a vulnerability
- 15% were due to physical threats
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008

9. Latest analytics (2)
What commonalities exist?
- 66% involved data the victim did not know was on the system
- 75% of breaches were not discovered by the victim
- 83% of attacks were not highly difficult
- 85% of breaches were the result of opportunistic attacks
- 87% were considered avoidable through reasonable controls
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008

10. Latest analytics (3)
Nine out of ten data breach incidents involved one of the following:
- A system unknown to the organization (or to the business group affected)
- A system storing data that the organization did not know existed on that system
- A system that had unknown network connections or accessibility
- A system that had unknown accounts or privileges
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008

11. How do we deal with these threats today?
Reactively
- We manually investigate incidents, which is time consuming
- We employ 3rd-party consultancies to collect data for compliance
- We quarantine computers from the network (disrupting operations)
- We need multiple tools to investigate and solve problems
- We have to wait for our AV vendor to supply signatures for new outbreaks
Proactively
- We cannot search the network for IP or other sensitive data
- We cannot search for unauthorised software or malicious code
- We cannot forensically remove data or malicious processes
- We don't have time to investigate disgruntled employees
- We can't identify potential risks comprehensively

12. Implement Incident Response infrastructure
- Implement EnCase Enterprise as the core
  • define additional functionalities and plugins for EnCase
  • training, testing, support, etc.
- Integrate it with other tools
  • IDS, IPS, network management, physical security, system administration, etc.
  • help desk system, trouble-ticketing system
- Develop a lifecycle for an efficient Incident Response System
  • policies, controls, reports, tests, etc.
  • keep the IR system proactive, healthy and efficient

13. Anti-Forensics
- Anti-forensics is any and all actions taken by an unauthorized intruder to conceal evidence; securely deleting critical log files, for example, is considered an anti-forensic technique.
- Use of anti-forensics was discovered in 39% of cases
- This will be a trend to watch over the next years
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team

14. Incident Response Recommendations
- Align process with policy
- Achieve "essential", then worry about "excellent"
- Secure business partner connections
- Create a data retention plan
- Control data with transaction zones
- Monitor event logs
- Create an incident response plan
- Increase awareness
- Engage in mock incident testing

15. IT security dependencies
- IT security depends on core competencies:
  • People - a skill and knowledge problem
  • Process - there are standards and best practices
  • Technologies - control of usage and functions
- This can be achieved by
  • developing an enterprise investigative infrastructure
  • using forensic technologies as a core part of IR

16. EnCase Enterprise (EE) Platform
Key capabilities
- Covertly investigate across the network on live machines
- Bit-level analysis able to uncover deleted and hidden data
- Also able to analyse volatile data in RAM
- Sweep the enterprise for hacker code like key loggers and root kits
- Court validated as forensically sound
- Role-based access control and encrypted data flow
Business benefits
- Respond to HR/IT requests much faster
- Conduct many more investigations with the same resources
- Rules employees in or out of investigations covertly
- Collects court-validated evidence of wrongdoing

17. EnCase Incident Response
Key capabilities
- Can integrate directly with IDS and SIM solutions
- Automatically collects volatile data at the point of attack or infection
- The threat can be killed immediately on the target machine
- Scan for and kill the threat across the entire network very quickly
Business benefits
- Acts on intelligence provided by the SIM
- Guarantees collection of intelligence 24x7x365
- Removes the threat from the entire estate without disrupting operations
- Helps enhance defences by offering real, actionable intelligence
- Drives the true value out of IDS and SIM solutions
- An effective way to counter "day zero" attacks!

18. Case Review IR
A professional malicious attacker tries to penetrate your network and you have netForensics deployed.
- The SIM (netForensics) and other perimeter defence products throw up high-priority alerts
- The alert is passed on to EnCase Enterprise
- An automatic snapshot of the target machine is retrieved (all processes running in the RAM of the target)
- Your SIRT team analyses the snapshot results to determine the malicious processes
- The process can be killed remotely and forensically wiped on the target node
- The malicious/rogue process is hashed and an enterprise sweep is carried out to determine the extent of the breach; it can be remotely wiped on all "infected" nodes to clean the network

19. Kill Malicious Process - options
Choice of deleting the process file, or deleting it and wiping it from the hard drive
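The alert-driven workflow of slides 17 to 19 (SIM alert, process snapshot of the alerted host, analyst triage, hashing of the rogue image, enterprise-wide sweep by hash, then kill and wipe) is sketched below as an added, vendor-neutral Python example written for this page. It is not EnCase code and does not use Guidance Software's API: the SIM alert, the three host snapshots, the host and process names and the executable bytes are all constructed, and the table of expected directories for Windows system binaries is an assumption made by the triage heuristic. The sweep deliberately matches on the SHA-256 of the image rather than on the process name, which is what lets it find a renamed copy on a second host.

```python
import hashlib
import ntpath
import os
import tempfile
from dataclasses import dataclass

# Assumption of the triage heuristic: where these Windows system binaries normally live.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Process:
    pid: int
    name: str
    path: str
    image: bytes  # bytes of the executable backing the process, as pulled from the host


@dataclass
class Snapshot:
    host: str
    processes: list


# Constructed SIM alert: one high-priority event pointing at a pid on one host.
ALERT = {"src_host": "ws-17", "pid": 4412, "severity": "high"}


def make_snapshots():
    """Constructed process snapshots for three hosts (hypothetical names and bytes).
    The same rogue image also runs under a different name on ws-22."""
    rogue = b"MZ\x90\x00" + b"\x00" * 8 + b"loader-stage2"
    benign = b"MZ\x90\x00" + b"\x00" * 8 + b"explorer"
    return [
        Snapshot("ws-17", [
            Process(812, "explorer.exe", r"C:\Windows\explorer.exe", benign),
            Process(4412, "svchost.exe", r"C:\Users\Public\svchost.exe", rogue),
        ]),
        Snapshot("ws-22", [
            Process(900, "explorer.exe", r"C:\Windows\explorer.exe", benign),
            Process(3020, "updater.exe", r"C:\ProgramData\updater.exe", rogue),
        ]),
        Snapshot("srv-db1", [
            Process(300, "sqlservr.exe", r"C:\Program Files\MSSQL\sqlservr.exe", benign),
        ]),
    ]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def suspicious_reasons(proc: Process) -> list:
    """Analyst triage: a well-known system binary name running from an unexpected directory."""
    reasons = []
    expected = EXPECTED_DIRS.get(proc.name.lower())
    if expected and ntpath.dirname(proc.path).lower() != expected:
        reasons.append(f"{proc.name} runs from {proc.path}, expected {expected}")
    return reasons


def triage_alert(alert: dict, snapshots: list):
    """Locate the alerted process in the alerted host's snapshot and hash its image (the IOC)."""
    snap = next(s for s in snapshots if s.host == alert["src_host"])
    proc = next(p for p in snap.processes if p.pid == alert["pid"])
    return proc, sha256(proc.image), suspicious_reasons(proc)


def enterprise_sweep(ioc_hash: str, snapshots: list) -> list:
    """Compare every running image on every host against the IOC hash; name changes do not hide it."""
    return [
        (snap.host, p.pid, p.name, p.path)
        for snap in snapshots
        for p in snap.processes
        if sha256(p.image) == ioc_hash
    ]


def wipe_and_remove(path: str, passes: int = 1) -> bool:
    """Slide 19's 'delete and wipe' option: overwrite the file in place, then unlink it.
    Caveat: on SSDs and on copy-on-write or journaled file systems the old blocks can survive
    an in-place overwrite, so this does not guarantee the image is unrecoverable."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo_wipe(data: bytes) -> bool:
    """Write constructed bytes to a temp file standing in for the target node, then wipe it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return wipe_and_remove(path)


if __name__ == "__main__":
    snaps = make_snapshots()
    proc, ioc, reasons = triage_alert(ALERT, snaps)
    print(f"alerted process: {proc.name} pid {proc.pid}, sha256 {ioc[:16]}...")
    for r in reasons:
        print("  suspicious:", r)
    for host, pid, name, path in enterprise_sweep(ioc, snaps):
        print(f"  hit on {host}: pid {pid} {name} ({path})")  # kill pid, then wipe path
    print("wipe demo removed file:", demo_wipe(proc.image))
```

In a real deployment the snapshot and the kill/wipe actions are the agent's job on the endpoint; the part worth keeping from this sketch is the ordering: collect volatile state first, hash before you kill, and only then sweep and remediate, so the evidence exists before the process does not.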
20. Global market leaders across industries rely on Guidance Software

21. Questions
damir.delija@insig2.hr