A New Era in Incident Response and Data Auditing (cont.) The Case for Cyberforensics
Speaker
Certified: CFE / EnCE / GCIA / GSNA / GREM
- Computer Forensic Examiner (Hex Junkie)
- Intrusion Analyst (Packet Junkie)
- Reverse Engineer (Code Junkie)
- Systems and Network Auditor (Audit Junkie)
- Superior Court Forensic Expert (Expert Witness Junkie)
Experience:
- Electronic/Information/Cyber Warfare & SIGINT
- Commercial Intrusion and Forensic Expert to US NAVY HQ [CACI]
- 6 years in the cyber trenches on dirty networks (all industries, international)
© 2010 Guidance Software, Inc. All Rights Reserved.

Field Experience in IR
- Intellectual Property Theft
- Information Warfare / Cyber Forensics for USSTRATCOM / US NAVY
- eDiscovery for Federal and State Departments
- Sabotage of Critical Infrastructure (Oil/Water/Gas)
- Network Sabotage to secure contracts
- Malware Analysis & 0-Day Incident Containment
- Phishing and PII theft
- Employee misuse of assets/access for personal gain
Evolution of Threats Timeline
Primary Attack Vectors
- Digital insider attacks / previously compromised systems
- Client-side applications (applications running on desktop / end-user systems, including email readers, web browsers, media players, instant messengers, productivity tools such as MS Office, etc.)
- Operating systems
- Web applications
- Wireless networks

2009 Trends in Attacks Against .GOV
- SQL Injection and Cross-site Scripting
- Island Hopping (Unisys/DHS)
- Remote User Compromise: VPN attacks, client-side attacks
- PKI Compromise: private key theft
- Zero-Day Attacks / Drive-by Downloads
- Automated Attack Tools
- Digital Insider Attacks

Keeping Up
Technical challenges:
- High-profile attacks: good vectors need concealment
- C2 of malware is sophisticated, and the landscape changes
- We're not looking for a single file; many artifacts are dropped
- Designed to evade detection
- Designed to persist despite defensive techniques
- We're trying to find the needle in the haystack
- No magic pill to take or silver bullet to shoot
- Analysis is considered heavy lifting
- Malware exists at a tactical level, yet is analyzed at a strategic level
But: "k0d3R2 r LA2y" (coders are lazy): they reuse code...

Evolving Threats
- Perimeter defense won't stop it
- New technologies bring new exploits
- Threats can be outside-in and inside-out
- A determined hacker will find a way (high end)
- Hacking has become "productized" (low end)
- Nasty stuff is memory resident only
- Better QA in some malware than in COTS software
- Designed to be resilient and persistent!

Points to Ponder
Incident Response: actions taken AFTER an event has been detected
- This is D/BDA (Digital / Battle Damage Assessment)
- Concentrates on restoral and damage control
Intelligence Preparation of the Cyber Battlefield
- Surveillance & Recon Planning: what you bring...
- Terrain & Weather: what technology brings...
- Digital Order of Battle: what the enemy brings...
- Enemy capability to impact or influence your operations
- Cyber Denial & Deception? Cyber Psyops?
"We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software's solution addresses virtually every aspect of information security and eDiscovery." (Litigation Counsel, Dell)
EnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations
How it Works: EnCase Software Components
- Utilizes the exact same 800K endpoint service as EnCase Enterprise and EnCase eDiscovery
- 128-bit AES encryption used for secure communication between components

Introducing EnCase Cybersecurity
You've been hacked; now what?
- Your data is leaving the building...
- Where was the malware? Where is it now? What does it look like?
How do you stay in a trusted state? How do you ensure sensitive data is kept in check?
- Compare against the "gold build"
- Regular scheduled assessments
- Anomalies become events
- Remediate

EnCase Cybersecurity provides...
- Network-enabled incident response: cyberforensic triage and analysis, attack attribution analysis, and remediation
- System deviation assessments: expose system integrity issues caused by anomalous or unknown threats
- Data policy enforcement: identify and wipe PII/IP/Classified data from unauthorized endpoints
Why Risk Compromising Your Data?

Network-enabled Incident Response: How it Works
You've been compromised!
1. EnCase Cybersecurity collects data from potentially affected machines for analysis...
2. ...which is then compared to the appropriate pre-defined system profiles...
3. ...and further culled down by comparison to the included whitelist database.
4. The resulting set is analyzed against potentially relevant running processes,
5. leaving a small set of high-priority binaries for deep analysis.
6. The resulting confirmed malware is used as a basis for exact and near-match scans in order to locate and remove the threat network-wide. This is where entropy takes charge...
EnCase Enterprise vs. EnCase Cybersecurity – High Level Overview
(Comparison table; only the legend survives. Legend: Manual Process, Automated Process, Not Included, Included. Notes: * No PST/NST output; ** Includes PST/NST output; *** Limited SharePoint search capabilities.)

EnCase Cybersecurity: How it Works...

EE Command Center Architecture

Sample Deployment Topology
(Diagram: Company Headquarters, Main Office A, Main Office B and a Branch Office linked over a WAN. Components shown: Target Nodes at every site, several SAFEs and Examiners, and an Aggregation Database.)
How EnCase® Enterprise and EnCase Cybersecurity Integrate With the Network
Current Product Capabilities
Proactive: data security & compliance auditing
- PII, PCI, etc. data leakage and risks
- Reveal & detect internal threats
- Identify & validate external threats (including polymorphic malware)
Reactive: "cyber forensic endpoint" incident response
- Responding to & remediating advanced malware & zero-day attacks
- Reducing/minimizing information security workflow complexity
- Integration with SIEM tools, IDS/IPS systems, etc.
Leverages investment in existing EnCase infrastructure
- Built as an application on top of EnCase Enterprise
- Built using the ECC application framework

EnCase Cybersecurity provides... System Deviation Assessments
- Expose system integrity issues caused by anomalous or unknown threats
- Create profiles of known-good machines: static (on disk) and dynamic (in runtime)
- Integrate with the Bit9 database for application whitelisting
- Enables proactive scheduled scans for system deviations
Trusted Computing Environments

Introducing EnCase® Cybersecurity System Deviation Assessment
How do you make the unknown known?
1. Deviation assessments capture running processes (up to 10,000 nodes per hour!)
2. Compare against the trusted baseline and whitelist. Match on the hash of the image (and its path), not on the process name: malware routinely reuses names such as svchost.exe.
3. Analyze the resulting set of unknown processes
4. Identify unapproved processes or malware
5. Update the baseline(s)

System Deviation Assessment: How It Works
Regularly scheduled, rapid scans for anomalies across a range of endpoints:
1. Running processes are gathered at lightning speed (up to 10,000 nodes per hour)...
2. ...and are then compared to the appropriate customer-defined profiles...
3. ...and further culled down by comparison to the included whitelisting database,
4. leaving a small set of processes for further analysis.
5. Good processes can be added to the trusted profile(s); unapproved processes can be remediated.

How it Works: Stay in a Trusted State
- Profile: baseline a "trusted" configuration for each endpoint, using optional Bit9 databases to pinpoint suspicious content
- Audit: automatically search out sensitive IP and PII on any system on your network, exposing risk and enabling clean-up
- Restore: return drifting or compromised configurations to a trusted state by deleting malware, inappropriate data, and unauthorized software
- Enforce and collect: apply policies and remotely retrieve sensitive data, capturing its metadata for evidence

System Deviation Assessment: How do You Expose the Unknown?
- Assess: scan endpoints against baselines to expose unknowns
- Detect: unknowns become events
- Respond: analyze unknowns, identify malware or unapproved processes
- Secure: restore systems to baseline through remediation, then update the baseline(s)
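The culling step that both the "Network-enabled Incident Response" and the "System Deviation Assessment" slides describe (collect running processes, drop what matches the trusted profile, drop what the whitelist knows, keep the rest for analysis, fold cleared items back into the profile), as an added Python example. This is not EnCase or Guidance Software code. Host names, image paths and the placeholder "binaries" are constructed sample data, and the digests are computed from placeholder bytes rather than being real malware indicators.

```python
# Added example (not Guidance Software's code): the compare-against-baseline-and-
# whitelist step of a system deviation assessment, run over a constructed
# process snapshot. Host names, paths and "binaries" are sample data; the hashes
# are computed from placeholder bytes, not real malware indicators.
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Placeholder binaries: in a real sweep the digest is taken from the file on disk
# (or the mapped image in memory), never from the process name.
KNOWN = {name: sha256_hex(b"bytes of " + name.encode()) for name in (
    "svchost.exe", "explorer.exe", "lsass.exe", "winword.exe", "agent.exe")}

# Trusted baseline profile: what the "gold build" runs, keyed on path -> digest.
BASELINE = {
    r"C:\Windows\System32\svchost.exe": KNOWN["svchost.exe"],
    r"C:\Windows\explorer.exe": KNOWN["explorer.exe"],
    r"C:\Windows\System32\lsass.exe": KNOWN["lsass.exe"],
}

# Whitelist of approved software outside the gold build (digest only, as a
# Bit9-style database keys on hash, not on where the file happens to live).
WHITELIST = {KNOWN["winword.exe"], KNOWN["agent.exe"]}

# Constructed snapshot: (host, image path, digest) for every running process.
SNAPSHOT = [
    ("HOST-01", r"C:\Windows\System32\svchost.exe", KNOWN["svchost.exe"]),
    ("HOST-01", r"C:\Program Files\Office\winword.exe", KNOWN["winword.exe"]),
    ("HOST-02", r"C:\Windows\System32\svchost.exe", KNOWN["svchost.exe"]),
    # Familiar name, wrong place, unknown bytes: the name earns it no trust.
    ("HOST-02", r"C:\Users\Public\svchost.exe", sha256_hex(b"not the real svchost")),
    # Baseline path, but the bytes on disk no longer match the gold build.
    ("HOST-03", r"C:\Windows\System32\lsass.exe", sha256_hex(b"tampered lsass")),
    ("HOST-03", r"C:\Windows\explorer.exe", KNOWN["explorer.exe"]),
]


def classify(path: str, digest: str, baseline: dict, whitelist: set) -> str:
    """Verdict for one process: trusted by profile, trusted by whitelist, or unknown."""
    if baseline.get(path) == digest:
        return "baseline"
    if digest in whitelist:
        return "whitelisted"
    if path in baseline:
        # A trusted location whose content changed is the highest-priority unknown.
        return "baseline-path-mismatch"
    return "unknown"


def assess(snapshot, baseline, whitelist):
    """Cull the snapshot down to the unknown set, grouped so that one binary
    running on many hosts is one item for the analyst (with the host list)."""
    unknowns = defaultdict(set)
    for host, path, digest in snapshot:
        verdict = classify(path, digest, baseline, whitelist)
        if verdict not in ("baseline", "whitelisted"):
            unknowns[(verdict, path, digest)].add(host)
    return dict(unknowns)


def promote(baseline: dict, path: str, digest: str) -> dict:
    """Step 5 of the slide: once analysis clears a process, fold it into the
    profile so the next scheduled scan does not raise it again. Returns a new
    baseline rather than mutating the shared one."""
    updated = dict(baseline)
    updated[path] = digest
    return updated


if __name__ == "__main__":
    for (verdict, path, digest), hosts in sorted(assess(SNAPSHOT, BASELINE, WHITELIST).items()):
        print(f"{verdict:24} {path:40} {digest[:12]}  hosts={sorted(hosts)}")
```

Of the six running processes, only two survive the cull: the svchost.exe copy in C:\Users\Public (unknown bytes, untrusted location) and the lsass.exe on HOST-03 whose bytes no longer match the gold build. Grouping by digest rather than by host is what keeps the analyst's queue short when the same binary is found on hundreds of nodes.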
How it Works... Maximize Operational Resources
1. System Profile and Analysis with Bit9: an alert comes in and the first response is to see if any code is out of profile on the system(s). (RUN THIS DAILY)
2. RAM Analysis: if code is found to be out of profile, Snapshot and other analysis is done to determine whether the suspicious code is a threat.
3. Triage: after basic analysis confirms the activity of the suspicious code, core functionality is used to further investigate the incident. (What? When? Who? How?)
4. Code Analysis: further analysis of the malicious code to determine the full extent of the threat to the enterprise. Calculate the entropy value to find polymorphic iterations and remediate the threat.
MALWARE Detection and Mitigation
Integration with Bit9 (whitelist/blacklist):
- Disregard known-good files and processes from the incident investigation
- Uncover undiscovered/unknown files and processes
Integration with HBGary (memory analysis):
- Code and behavioral analysis of running RAM or a single process
- Provides intelligence on how any given process "does its thing"
- Can determine whether a piece of malware is polymorphic, whether it can transfer files, etc.
- Identify capabilities of unknown processes
Malware's Intended Consequence
- You are always vulnerable to the unknown...
- It is impossible to achieve impenetrability
- If I can get you knocked off the grid, is that a mission kill?
- We like "point & click" and "idiot-proofed" automated solutions that are easy to operate and, subsequently, easy to circumvent. (Plug & Pray)
- Appliance-based sensors that you just set and forget... (Plug and Prey)
- Puts you in perpetual catch-up mode
- It is called a "0-day" for a reason: they know you can't patch against the unknown...

Current Methods for Finding Malware
- Hashing: MD5/SHA formats; Context Triggered Piecewise Hashing (i.e., rolling hash), a.k.a. "fuzzy hashing". Easy to fool.
- Signature-based detection: relies on hashes or other code fragments. Computationally expensive, takes time.
- Deep Packet Inspection / stream analysis: checking it coming in and going out.
Traditional Detection Methods
Antivirus software has been around since the dawn of the computer virus. Traditional methods are signature based:
- Antivirus software scans files using these signature(s).
- Considered simple "static analysis".
- In traditional methods the signature is mostly "syntactic", i.e., a fixed artifact.
How to find a signature?
- The binary is scanned structurally and reverse engineered.
- The code is analyzed to find unique characteristics to be used as a signature.
Polymorphic Code
- When creating a new instance, the malware uses code encryption to encrypt its body (payload).
- Different keys are used in different instances, so the body is a different sequence of bytes.
- Simple signatures that are just sequences of bytes in the body are fooled.
- Polymorphic decryption: several algorithms, uses code obfuscation. The signature changes constantly.

Detection of Polymorphic Code
- Commercial antivirus software is challenged to detect polymorphic malware (viruses and trojans) in real time.
- A signature is created to detect the MUTEX code segments (vendors may take days...).
- Virtualization is used to control code execution and find a detectable sequence in the body.
- APT malware employs anti-reversing techniques to defeat code analysis (detection of sandbox & virtualization = morph).
- Polymorphic worms: cyber speed is expressed in milliseconds.

Current Methods for Finding Malware (including polymorphic)
- Hashing: MD5/SHA formats; Context Triggered Piecewise Hashing (i.e., rolling hash), a.k.a. "fuzzy hashing". Easy to fool.
- Signature-based detection: relies on hashes or other code fragments. Computationally expensive, takes time.
- Deep Packet Inspection.
- Indexing DOESN'T scale to the enterprise.
- Code mutation used to change malware attributes makes identification difficult.
Behavioral Detection
- Behavior-based detection is mostly dynamic-analysis based; static analysis may be combined (streams).
- Sandboxed code execution.
- Some malware exhibits identifiable run-time behavior, for example: spyware that hijacks the browser; bot programs that access a C2 server; adware that shows popups and ads.
Principle:
- Define "templates" of bad behavior.
- Use run-time monitoring to find a match.
- Run-time monitoring is mostly of system calls, API calls or another observable behavior.
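The "templates of bad behavior" principle above, as an added Python example that is not part of the slides or of any vendor product: a template is an ordered list of observable API calls with a pattern on the argument, and a process matches when its monitored trace contains those calls in that order, whatever else is interleaved. The trace, process ids, API names, paths and the C2 address are constructed sample data.

```python
# Added example (not from the slides): behaviour-based detection over a
# constructed API/system-call trace. A "template" is an ordered list of
# observable behaviours; a process matches when its trace contains them in that
# order, with unrelated calls in between. Process ids, API names, paths and the
# C2 address are constructed sample data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    api: str   # monitored call, e.g. "WriteFile", "RegSetValue", "connect"
    arg: str   # the argument worth matching on, normalised to a string


# Templates of bad behaviour: (api, regex applied to the argument), in order.
TEMPLATES = {
    "persistence+beacon": [
        ("WriteFile", r"\\AppData\\.*\.exe$"),            # drops an executable in a user-writable path
        ("RegSetValue", r"\\CurrentVersion\\Run\\"),      # installs a Run key
        ("connect", r":(80|443|8080)$"),                  # beacons out on a web port
    ],
    "browser-hijack": [
        ("RegSetValue", r"Internet Explorer\\Main\\Start Page"),
    ],
}


def matches_template(events, steps) -> bool:
    """Order-preserving subsequence match: each step must appear after the
    previous one, but other calls may be interleaved."""
    i = 0
    for ev in events:
        api, pattern = steps[i]
        if ev.api == api and re.search(pattern, ev.arg):
            i += 1
            if i == len(steps):
                return True
    return False


def detect(trace):
    """Group the trace by pid and return {pid: [matched template names]}."""
    by_pid = {}
    for ev in trace:
        by_pid.setdefault(ev.pid, []).append(ev)
    hits = {}
    for pid, events in by_pid.items():
        names = [name for name, steps in TEMPLATES.items() if matches_template(events, steps)]
        if names:
            hits[pid] = names
    return hits


# Constructed trace: pid 1001 is an installer writing under Program Files,
# pid 2002 drops an exe into AppData, sets a Run key and beacons to a C2 host,
# pid 3003 only makes an outbound connection (not enough on its own).
TRACE = [
    Event(1001, "WriteFile", r"C:\Program Files\Vendor\tool.exe"),
    Event(1001, "RegSetValue", r"HKLM\Software\Vendor\Version"),
    Event(2002, "WriteFile", r"C:\Users\bob\AppData\Roaming\updater.exe"),
    Event(2002, "CreateFile", r"C:\Users\bob\Documents\q3.xlsx"),
    Event(2002, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(2002, "connect", "203.0.113.7:443"),
    Event(3003, "connect", "203.0.113.7:443"),
]

if __name__ == "__main__":
    print(detect(TRACE))   # {2002: ['persistence+beacon']}
```

Requiring the steps in sequence is what separates the dropper from the installer and from the process that merely opens a connection: a single call is rarely bad on its own, the chain is. In production the events would come from a sandbox or an endpoint sensor, and the argument patterns would be tuned per environment.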
Traditional Hash Algorithms
Take an unlimited number of bytes and construct a fixed-size digest.
(Figure: file contents → hash algorithm → hash value, e.g. 2F3CF732F3CFFDECB152A147B2F3CF56.)

Hash Properties
- Two files with the same hash will almost certainly have the same contents and size: great for detecting exact file matches.
- If a single byte changes, the hash value changes completely (actually about 50% of the bits, on average).
- The hash value has no "meaning": one cannot infer information about the file from the value of the hash. Good for security.
- Examples: CRC32, MD5, SHA1, SHA256. Caveat: CRC32 is a checksum, not a cryptographic hash (it is linear, so a matching CRC is trivial to construct), and MD5 and SHA1 both have practical collision attacks; use SHA256 wherever an adversary may try to craft a file that matches.

What is entropy?
(Figure: an ordered system has low entropy; an unordered system has high entropy.)

What about for files?
(Figure: an ordered file, e.g. 010101010101... repeated, has low entropy; an unordered file, e.g. 019283784736284725..., has high entropy.)

Entropy value range (bits per byte), from 0.0 to 8.0:
Blank (0.0) < Text < EXE < Picture < Compressed < Encrypted < Random (8.0)
Commanding MALWARE remotely
Using Entropy to find Polymorphism
Network-enabled Incident Response: Using Entropy to Detect Advanced Threats
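The three preceding ideas worked through together in Python, as an added example that is not part of the slides or of Guidance Software's tooling: the avalanche property from "Hash Properties", the per-instance encryption from "Polymorphic Code", and the bits-per-byte scale from "Entropy value range". A constructed payload is wrapped by a toy packer that encrypts the body under a fresh key for every instance behind a constant decryptor stub. Every instance then has a different SHA-256, so exact matching fails, but each instance's entropy lands in the same high band, and the reused stub (the "coders are lazy" point) is still there to signature. The stub, payload, keys and band thresholds are assumptions for illustration (the slide only orders the bands); the SHA-256 counter keystream is a stand-in for "code encryption", not a cipher to deploy.

```python
# Added example (not from the slides or from Guidance Software): why an exact hash
# cannot track polymorphic code while entropy can. A constructed payload is
# wrapped by a toy "packer" that encrypts the body under a fresh key per
# instance behind a constant decryptor stub. The stub, payload, keys and the band
# thresholds are assumptions for illustration; the keystream below is a SHA-256
# counter construction used as a stand-in, not a cipher to deploy.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 when
    all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_band(bits: float) -> str:
    """Map a value onto the slide's scale. Thresholds are an assumption; the
    slide only orders blank < text < exe < picture < compressed/encrypted < random."""
    if bits < 1.0:
        return "blank"
    if bits < 5.5:
        return "text"
    if bits < 7.0:
        return "executable/picture"
    return "compressed/encrypted/random"


def bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over key || counter, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(payload: bytes, key: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))


STUB = b"DECRYPT-STUB-v1:"   # constructed stand-in for the decryptor every instance carries
PAYLOAD = b"GET /gate.php?id=%s HTTP/1.1\r\nHost: c2.example.invalid\r\n" * 40


def make_instance(i: int) -> bytes:
    """One polymorphic instance: constant stub, per-instance key, encrypted body."""
    key = hashlib.sha256(b"instance-%d" % i).digest()[:16]   # deterministic "random" key
    return STUB + key + xor_with_keystream(PAYLOAD, key)


def avalanche(data: bytes) -> float:
    """Hash Properties slide: flip one bit of the last byte and compare the
    two SHA-256 digests bit by bit."""
    altered = data[:-1] + bytes([data[-1] ^ 0x01])
    return bit_difference(hashlib.sha256(data).digest(), hashlib.sha256(altered).digest())


def summarize(n: int = 5) -> dict:
    """Exact hashing vs. entropy vs. stub signature across n instances."""
    instances = [make_instance(i) for i in range(n)]
    return {
        "distinct_sha256": len({hashlib.sha256(x).hexdigest() for x in instances}),
        "payload_band": entropy_band(shannon_entropy(PAYLOAD)),
        "instance_bands": sorted({entropy_band(shannon_entropy(x)) for x in instances}),
        "stub_signature_hits": sum(x.startswith(STUB) for x in instances),
    }


if __name__ == "__main__":
    print(summarize())
    print(f"one-bit change flips {avalanche(PAYLOAD):.0%} of the digest bits")
```

Five instances give five different digests, the plaintext payload scores in the text band (roughly 4.8 bits per byte for this sample) while every packed instance scores above 7.0, and the stub matches all five. That is the whole argument of the "Using Entropy to find Polymorphism" slide: a near-match scan keys on the entropy profile and on the reused code, not on the digest. A practical caveat: legitimately compressed or encrypted files (archives, signed installers, TLS traffic captures) sit in the same band, so a high entropy value is a triage signal, not a verdict.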
Data is the Lifeblood of Government
Government data is the epicenter of risk: Intellectual Property, Classified Information, Personnel Data, Schematics, Human Resources, Budgetary, Defense Contracts.

Cyber Criminals are after Your Data
- $600 Billion IP theft a year globally
- Across all industries, data loss is a growing challenge
- It's not always on purpose
- There is no shortage either...
Real Life Example #1 (cont.)
- This network had just undergone a survey...
- Some of the spill data was over 5 years old...
- The network had undergone a "technology refresh" 3 years previously.
- How do you transfer files from one server to the next? Drag & drop, backup tapes, copy to removable drives. So, classified data was migrated...
- However, in the interest of full disclosure: #1, no TS on UNCLAS; #2, only 2 really scary leaks; #3, the unit took swift action to contain & report.

Real Life Example #2
- Performing a large enterprise sweep during an intrusion: find malicious code on machines.
- Look at the naming convention of the machine: it indicates the machine is (was) on the classified network.
- Was the machine improperly connected to the domain? Was the machine wiped and never renamed?
- Good news... IT personnel reapportioned the asset and removed the HDD. Renaming was done via a sticker on top of the computer...

Containing Leakage
Exfiltration techniques:
- Store to a USB thumb drive
- Email it to the "other" account
- XOR or bit-shift the data (cheap obfuscation that defeats plain keyword searches), or encrypt it
- Collect and compress (ZIP/RAR)
- Covert tunnel it using proprietary packers
On a network share, how do you know who accessed a compromised file? Link file analysis; matching-files search.
If you clean a shared repository, have you adequately contained? Can a user save a file to their own desktop?
Creating your expressions
Data types to write keyword/grep expressions for:
- Formatted message traffic
- Typical Office-type documents
- Video of classified operations
- Email communications
- Photos and imagery
- Reference material
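A small audit of the kind the "Audit" and "Creating your expressions" slides call for, as an added Python example that is not the slides' own EnCase expressions: three expressions (SSN, payment card, classification marking) run over a constructed sample, with the card candidates confirmed by the Luhn check so a random run of digits is not reported, and the SSN pattern rejecting the never-issued area numbers 000, 666 and 900-999. The sample text, the expression set and the validation thresholds are constructed for illustration.

```python
# Added example (not the slides' own EnCase expressions): a keyword/regex audit
# of the kind the slide lists, run over constructed text. Card-number
# candidates are confirmed with the Luhn check so a random run of digits is not
# reported; the SSN pattern rejects the never-issued area numbers 000, 666 and
# 900-999. The sample text and the expression set are constructed for illustration.
import re

EXPRESSIONS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),      # candidate only; Luhn decides
    "classification": re.compile(r"\b(?:TOP SECRET|SECRET|CONFIDENTIAL)(?://[A-Z]+)?\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str):
    """Return (kind, matched text) for every expression hit that survives validation."""
    hits = []
    for kind, pattern in EXPRESSIONS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            hits.append((kind, value))
    return hits


# Constructed sample: one real-looking card (the 4111... test number), one
# tracking number that is all digits but fails Luhn, one SSN, one reserved
# area number, and a classification marking.
SAMPLE = (
    "Subject: Q3 contract numbers\n"
    "Card on file: 4111 1111 1111 1111 (expires 12/27)\n"
    "Tracking number 1234 5678 9012 3456 is not a card.\n"
    "Employee SSN 123-45-6789; test record 666-12-3456 should not fire.\n"
    "Marking: SECRET//NOFORN\n"
)

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:15} {value}")
```

The sample yields exactly three hits: the SSN, the 4111 card and the SECRET marking; the tracking number and the 666 record are dropped by validation rather than by the regex. The validation step is what keeps a sweep over thousands of endpoints from burying the two real leaks under every invoice and serial number that happens to be sixteen digits long; expressions for message traffic, imagery and reference material need the same kind of post-match check (format headers, file signatures, document properties) to stay useful at scale.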

Manual de aplicação de marca - TechBiz Forense DigitalTechBiz Forense Digital
 

More from TechBiz Forense Digital (19)

Casos de sucesso
Casos de sucessoCasos de sucesso
Casos de sucesso
 
Cases forense[2]
Cases forense[2]Cases forense[2]
Cases forense[2]
 
Cnasi sp apresentação marcelo souza
Cnasi sp   apresentação marcelo souzaCnasi sp   apresentação marcelo souza
Cnasi sp apresentação marcelo souza
 
10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter
 
Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1
 
Apresentação SegInfo
Apresentação SegInfoApresentação SegInfo
Apresentação SegInfo
 
Online fraud report_0611[1]
Online fraud report_0611[1]Online fraud report_0611[1]
Online fraud report_0611[1]
 
Road Show - Arcsight ETRM
Road Show - Arcsight ETRMRoad Show - Arcsight ETRM
Road Show - Arcsight ETRM
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
Verisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesVerisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence Services
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
01 11- alexandre atheniense
01 11- alexandre atheniense01 11- alexandre atheniense
01 11- alexandre atheniense
 
16 03 - institucional
16 03 - institucional16 03 - institucional
16 03 - institucional
 
Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)
 
Avanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentesAvanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentes
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Manual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense DigitalManual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense Digital
 
Institucional TechBiz Forense Digital
Institucional TechBiz Forense DigitalInstitucional TechBiz Forense Digital
Institucional TechBiz Forense Digital
 

Incident Response and Data Auditing Evolution

  • 15. Evolving Threats
    - Perimeter defense won’t stop it
    - New technologies bring new exploits
    - Threats can be outside-in and inside-out
    - A determined hacker will find a way (high end); hacking has become “productized” (low end)
    - The nasty stuff is memory resident only
    - Some malware has better QA than COTS software
    - Designed to be resilient and persistent!
  • 16. Points to Ponder
    - Incident response: actions taken AFTER an event has been detected. This is D/BDA (Digital/Battle Damage Assessment); it concentrates on restoral and damage control.
    - Intelligence Preparation of the Cyber Battlefield: surveillance & recon planning (what you bring); terrain & weather (what technology brings); Digital Order of Battle (what the enemy brings, i.e. the enemy’s capability to impact or influence your operations)
    - Cyber denial & deception? Cyber psyops?
  • 17. “We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software’s solution addresses virtually every aspect of information security and eDiscovery.” (Litigation Counsel, Dell) EnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations
  • 21. Why Risk Compromising Your Data? EnCase Cybersecurity provides…
    - Network-enabled incident response: cyberforensic triage and analysis, attack attribution analysis, and remediation
    - System deviation assessments: expose system integrity issues caused by anomalous or unknown threats
    - Data policy enforcement: identify and wipe PII/IP/classified data from unauthorized endpoints
  • 22. Network-enabled Incident Response: How it Works
    - You’ve been compromised! EnCase Cybersecurity collects data from potentially affected machines for analysis…
    - …which is then compared to the appropriate pre-defined system profiles…
    - …and further culled down by comparison to the included whitelist database.
    - The resulting set is analyzed against potentially relevant running processes, leaving a small set of high-priority binaries for deep analysis.
    - The resulting confirmed malware is used as a basis for exact and near-match scans in order to locate and remove the threat network-wide. This is where entropy takes charge…
  • 23. EnCase Enterprise vs. EnCase Cybersecurity – High Level Overview (feature comparison table; only the legend survived extraction). Legend: manual process, automated process, not included, included. Footnotes: * no PST/NST output; ** includes PST/NST output; *** limited SharePoint search capabilities.
  • 25. EE Command Center Architecture
  • 26. Sample Deployment Topology (diagram). Sites: Company Headquarters, Main Office A, Main Office B and a Branch Office, connected over the WAN. Components shown: Target Nodes, Examiners, SAFE servers and an Aggregation Database.
  • 27. How EnCase® Enterprise and EnCase Cybersecurity Integrate With the Network
  • 28. Current Product Capabilities
    - Proactive data security & compliance auditing: PII, PCI, etc. data leakage and risks; reveal & detect internal threats; identify & validate external threats (including polymorphic malware)
    - Reactive “cyber forensic endpoint” incident response: responding to & remediating advanced malware & zero-day attacks; reducing/minimizing information security workflow complexity; integration with SIEM tools, IDS/IPS systems, etc.
    - Leverages investment in existing EnCase infrastructure: built as an application on top of EnCase Enterprise, using the ECC application framework
  • 29. Trusted Computing Environments. EnCase Cybersecurity provides system deviation assessments, exposing system integrity issues caused by anomalous or unknown threats:
    - Create profiles of known-good machines, static (on disk) and dynamic (in runtime)
    - Integrate with the Bit9 database for application whitelisting
    - Enables proactive scheduled scans for system deviations
  • 30. Introducing EnCase® Cybersecurity System Deviation Assessment. How do you make the unknown known?
    - Deviation assessments capture running processes (up to 10,000 nodes per hour!)
    - Compare against trusted baseline and whitelist
    - Analyze the resulting set of unknown processes
    - Identify unapproved processes or malware
    - Update baseline(s)
  • 31. System Deviation Assessment: How It Works
    - Regularly scheduled, rapid scans for anomalies across a range of endpoints
    - Running processes are gathered at lightning speed (up to 10,000 nodes per hour)…
    - …and are then compared to the appropriate customer-defined profiles…
    - …and further culled down by comparison to the included whitelisting database, leaving a small set of processes for further analysis
    - Good processes can be added to the trusted profile(s); unapproved processes can be remediated
  • 32. How it Works: Stay in a Trusted State
    - Profile: baseline a “trusted” configuration for each endpoint, using optional Bit9 databases to pinpoint suspicious content
    - Audit: automatically search out sensitive IP and PII from any system on your network, exposing risk and enabling clean-up
    - Restore: return drifting or compromised configurations to a trusted state by deleting malware, inappropriate data, and unauthorized software
    - Enforce and collect: apply policies and remotely retrieve sensitive data, capturing its metadata for evidence
  • 33. System Deviation Assessment: How do You Expose the Unknown?
    - Assess: scan endpoints against baselines to expose unknowns
    - Detect: unknowns become events
    - Respond: analyze unknowns, identify malware or unapproved processes
    - Secure: restore systems to baseline through remediation, update baseline(s)
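The assess/detect/respond/secure loop of slides 30 to 33, as an added example in Python; this is not EnCase code. A constructed inventory of running processes is culled first against a trusted profile and then against a whitelist that stands in for the Bit9 lookup; what survives becomes an event. Hosts, paths, hashes and the profile are constructed placeholders.

```python
"""System deviation assessment: running processes vs. trusted profile vs. whitelist.

Added example, not code from the EnCase product. The inventory, the profile
and the whitelist are constructed sample data; the hashes are SHA-256 of
short placeholder strings so the script runs offline.
"""
import hashlib
from dataclasses import dataclass, field


def h(label: str) -> str:
    """Stand-in for the SHA-256 of a binary on disk (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class Process:
    host: str
    name: str
    path: str
    sha256: str


# Trusted "workstation" profile: hash -> the path that binary lives at.
WORKSTATION_PROFILE = {
    h("explorer.exe v1"): r"C:\Windows\explorer.exe",
    h("svchost.exe v1"): r"C:\Windows\System32\svchost.exe",
    h("outlook.exe v1"): r"C:\Program Files\Microsoft Office\outlook.exe",
}

# Known-good hashes from an external whitelist (stands in for a Bit9 lookup).
WHITELIST = {h("chrome.exe v1"), h("acrobat.exe v1")}

# Constructed inventory, as a scan of running processes would return it.
INVENTORY = [
    Process("ws01", "explorer.exe", r"C:\Windows\explorer.exe", h("explorer.exe v1")),
    Process("ws01", "svchost.exe", r"C:\Windows\System32\svchost.exe", h("svchost.exe v1")),
    Process("ws01", "chrome.exe", r"C:\Program Files\Google\chrome.exe", h("chrome.exe v1")),
    # Profiled name, unknown hash, user-writable path: a masquerading dropper.
    Process("ws02", "svchost.exe", r"C:\Users\bob\AppData\Local\svchost.exe", h("dropper build 7")),
    # Neither profiled nor whitelisted: plain unknown.
    Process("ws02", "update.exe", r"C:\Users\bob\AppData\Roaming\update.exe", h("dropper build 8")),
    Process("ws03", "outlook.exe", r"C:\Program Files\Microsoft Office\outlook.exe", h("outlook.exe v1")),
]


@dataclass
class Assessment:
    in_profile: list = field(default_factory=list)
    whitelisted: list = field(default_factory=list)
    masquerade: list = field(default_factory=list)
    unknown: list = field(default_factory=list)


def assess(inventory, profile, whitelist) -> Assessment:
    """Assess/Detect: cull by profile, then by whitelist; the rest become events."""
    result = Assessment()
    profiled_names = {path.rsplit("\\", 1)[-1].lower() for path in profile.values()}
    for p in inventory:
        if p.sha256 in profile:
            result.in_profile.append(p)
        elif p.sha256 in whitelist:
            result.whitelisted.append(p)
        elif p.name.lower() in profiled_names:
            # Known name, unknown hash: rank above a plain unknown, because
            # hiding behind system binary names is how droppers blend in.
            result.masquerade.append(p)
        else:
            result.unknown.append(p)
    return result


def secure(assessment: Assessment, profile: dict, approved: set):
    """Respond/Secure: hashes the analyst approved join the baseline; every
    other unknown is a remediation target. Returns (new_profile, targets)."""
    updated = dict(profile)
    targets = []
    for p in assessment.masquerade + assessment.unknown:
        if p.sha256 in approved:
            updated[p.sha256] = p.path
        else:
            targets.append(p)
    return updated, targets


if __name__ == "__main__":
    a = assess(INVENTORY, WORKSTATION_PROFILE, WHITELIST)
    for label, items in (("MASQUERADE", a.masquerade), ("UNKNOWN", a.unknown)):
        for p in items:
            print(f"{label:10} {p.host} {p.path} {p.sha256[:12]}")
    new_profile, targets = secure(a, WORKSTATION_PROFILE, approved=set())
    print(f"{len(targets)} process(es) queued for remediation")
```

The comparison is by hash, never by name: a process that carries a profiled name but an unknown hash is reported separately and ahead of the plain unknowns, since that combination is what a dropper dressed up as svchost.exe looks like. Approving a hash into the profile is the "update baseline(s)" step and is deliberately a separate call, so nothing is whitelisted as a side effect of a scan.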
  • 34. How it Works… Maximize Operational Resources
    - System profile and analysis with Bit9: an alert comes in and the first response is to see if any code is out of profile on the system(s). (RUN THIS DAILY)
    - RAM analysis: if code is found to be out of profile, Snapshot and other analysis is done to determine whether the suspicious code is a threat
    - Triage: after basic analysis confirms the activity of the suspicious code, core functionality is used to further investigate the incident (What? When? Who? How?)
    - Code analysis: further analysis of the malicious code to determine the full extent of the threat to the enterprise; calculate the entropy value to find polymorphic iterations and remediate the threat
  • 36. Integration with Bit9 (Whitelist/blacklist)
  • 37. Disregard known good files and processes from incident investigation
  • 39. Integration with HBGary (Memory Analysis)
  • 40. Code and behavioral analysis of running RAM or a single process
  • 41. Provides intelligence on how any given process “does its thing”
  • 42. Can determine if a piece of Malware is polymorphic, if it can transfer files, etc.
  • 44. Malware’s Intended Consequence
    - You are always vulnerable to the unknown… it is impossible to achieve impenetrability
    - If I can get you knocked off the grid, is that a mission kill?
    - We like “point & click” and “idiot-proofed” automated solutions that are easy to operate and, subsequently, easy to circumvent (plug & pray)
    - Appliance-based sensors that you just set and forget… (plug and prey)
    - Puts you in perpetual catch-up mode
    - It is called a “0-day” for a reason: they know you can’t patch against the unknown…
  • 45. Current Methods for Finding Malware
    - Hashing: MD5/SHA formats; context triggered piecewise hashing (i.e., rolling hash), a.k.a. “fuzzy hashing”; easy to fool
    - Signature-based detection: relies on hashes or other code fragments; computationally expensive, takes time
    - Deep packet inspection / stream analysis: checking it coming in and going out
  • 47. Antivirus software scans files using these signature(s).
  • 50. Binary is scanned structurally and reverse engineered
  • 52. Polymorphic Code
    - When creating a new instance, the malware uses code encryption to encrypt its body (payload)
    - Different keys are used in different instances, so the body is a different sequence of bytes
    - Simple signatures that are just sequences of bytes in the body are fooled
    - Polymorphic decryption: several algorithms, uses code obfuscation; the signature changes constantly
  • 53. Detection of Polymorphic Code
    - Commercial antivirus software is challenged to detect polymorphic malware (viruses and trojans) in real time
    - A signature is created to detect MUTEX code segments (vendors may take days…)
    - Virtualization is used to command & control code execution to find a detectable sequence in the body
    - APT malware employs anti-reversing techniques to defeat code analysis (detection of sandbox & virtualization = morph)
    - Polymorphic worms: cyber speed is expressed in milliseconds
  • 54. Current Methods for Finding Malware (including polymorphic)
    - Hashing: MD5/SHA formats; context triggered piecewise hashing (i.e., rolling hash), a.k.a. “fuzzy hashing”; easy to fool
    - Signature-based detection: relies on hashes or other code fragments; computationally expensive, takes time
    - Deep packet inspection
    - Indexing DOESN’T scale to the enterprise
    - Code mutation used to change malware attributes makes identification difficult
  • 55. Behavioral Detection
    - Behavior-based detection is mostly dynamic-analysis based; static analysis may be combined (streams); sandboxed code execution
    - Some malware exhibit identifiable run-time behavior, for example: spyware that hijacks the browser; bot programs that access a C2 server; adware that shows popups and ads
    - Principle: define “templates” of bad behavior and use run-time monitoring to find a match; run-time monitoring is mostly of system calls, APIs, or another observable behavior
  • 56. Traditional Hash Algorithms: take an unlimited number of bytes and construct a fixed-size digest (diagram: file contents → hash algorithm → hash value, e.g. 2F3CF732F3CFFDECB152A147B2F3CF56)
  • 57. Hash Properties
    - Two files with the same hash will almost certainly have the same contents and size: great for detecting exact file matches
    - If a single byte changes, the hash value changes completely (about 50% of the bits, on average)
    - The hash value has no “meaning”: one cannot infer information about the file from the value of the hash, which is good for security
    - Examples: CRC32, MD5, SHA1, SHA256 (CRC32 is a checksum rather than a cryptographic hash and is trivially collidable; MD5 and SHA1 also have practical collision attacks, so SHA256 is the one to rely on for identifying evidence)
  • 58. What is entropy? (diagram) An ordered system has low entropy; an unordered system has high entropy.
  • 59. What about for files? (diagram) An ordered file, e.g. a repeating 0101… pattern, has low entropy; an unordered file, a byte stream with no repeating pattern, has high entropy.
  • 60. Entropy value range (bits per byte), from low to high: blank (0.0) < text < EXE < picture < compressed < encrypted < random (8.0)
  • 62. Using Entropy to find Polymorphism
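Slides 52 and 53 explain why per-instance encryption defeats byte signatures, and slides 56 to 62 why entropy still catches it. The following is an added example in Python, not the EnCase entropy implementation: a toy polymorphic engine re-encrypts the same constructed payload under a fresh random seed per instance, and the script shows that every instance has a different hash, carries no usable byte signature, and yet lands in the same narrow entropy band. The payload, the decryptor stub and the band cut-offs in classify() are assumptions.

```python
"""Entropy vs. byte signatures on polymorphic instances.

Added example, not the EnCase entropy implementation. The payload and the
decryptor stub are constructed placeholder bytes; the "polymorphic engine"
is a toy that re-encrypts the same payload under a fresh random seed per
instance (SHA-256 in counter mode as the keystream), which is enough to show
why a byte signature or a file hash fails and entropy does not.
"""
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(bits_per_byte: float) -> str:
    """Coarse bands on the slide's 0.0-8.0 scale; the cut-offs are assumptions."""
    if bits_per_byte < 1.0:
        return "blank/repetitive"
    if bits_per_byte < 5.0:
        return "text"
    if bits_per_byte < 7.0:
        return "executable/picture"
    return "compressed/encrypted/random"


# Constructed plaintext payload (text-like entropy), repeated to a useful size.
PAYLOAD = b"connect c2.example.invalid 443; sleep 3600; beacon; exfil docs\n" * 32
# Constructed stand-in for the fixed decryptor stub every instance carries.
STUB = b"\x55\x8b\xec\x60\xe8\x00\x00\x00\x00\x5b\x81\xeb"


def keystream(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a non-repeating keystream from a short seed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def make_instance(seed: bytes) -> bytes:
    """Toy polymorphic engine: stub || seed || payload XOR keystream(seed)."""
    ks = keystream(seed, len(PAYLOAD))
    body = bytes(p ^ k for p, k in zip(PAYLOAD, ks))
    return STUB + seed + body


def signature_hits(sample: bytes, signature: bytes) -> bool:
    """Plain byte-sequence signature, as a simple AV scan would apply it."""
    return signature in sample


def hash_avalanche(data: bytes) -> int:
    """Flip one bit of the input; count how many of SHA-256's 256 output bits change."""
    flipped = bytearray(data)
    flipped[-1] ^= 0x01
    a = hashlib.sha256(data).digest()
    b = hashlib.sha256(bytes(flipped)).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def entropy_near_match(samples, tolerance: float = 0.25) -> bool:
    """'Near match' on entropy: every sample within tolerance of the first one."""
    ref = shannon_entropy(samples[0])
    return all(abs(shannon_entropy(s) - ref) <= tolerance for s in samples)


def compare_instances(n: int = 3):
    """Build n instances; return them with their (sha256, entropy) rows."""
    instances = [make_instance(os.urandom(16)) for _ in range(n)]
    rows = [(hashlib.sha256(x).hexdigest(), shannon_entropy(x)) for x in instances]
    return instances, rows


if __name__ == "__main__":
    e_plain = shannon_entropy(PAYLOAD)
    print(f"plain payload: entropy {e_plain:.2f} ({classify(e_plain)})")
    instances, rows = compare_instances()
    for digest, e in rows:
        print(f"instance sha256={digest[:16]}... entropy={e:.2f} ({classify(e)})")
    print("payload signature found in any instance:",
          any(signature_hits(x, PAYLOAD[:24]) for x in instances))
    print("instances near-match on entropy:", entropy_near_match(instances))
    print("SHA-256 bits changed by a one-bit edit:", hash_avalanche(instances[0]))
```

Two cautions a practitioner will want alongside this. Entropy is a bucket, not a fingerprint: a legitimately packed installer or a compressed archive lands in the same band as the encrypted body, so an entropy near match is a selector for deeper analysis (the RAM and code analysis steps of slide 34), not a verdict on its own. And the band scale on slide 60 is only meaningful when computed over a whole file or a sizeable section; a few dozen bytes of random key or a tiny stub will not move the number.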
  • 64. Data is the Lifeblood of Government (diagram): government data is the epicenter of risk, including intellectual property, classified information, personnel data, schematics, human resources, budgetary data and defense contracts.
  • 66. $600 Billion IP Theft a Year Globally
  • 68. It’s not always on purpose
  • 69. There is no shortage either…
  • 70. Real Life Example #1 (cont.)
    - This network had just undergone a survey… some of the spill data was over 5 years old
    - The network had undergone a “technology refresh” 3 years previously. How do you transfer files from one server to the next? Drag & drop, backup tapes, copy to removable drives. So, classified data was migrated…
    - However, in the interest of full disclosure: #1, no TS on UNCLAS; #2, only 2 real scary leaks; #3, the unit took swift action to contain & report
  • 71. Real Life Example #2
    - Performing a large enterprise sweep during an intrusion: find malicious code on machines
    - Look at the naming convention of the machine: it indicates the machine is (or was) on a classified network. Was the machine improperly connected to the domain? Was the machine wiped and never renamed?
    - Good news… IT personnel had reapportioned the asset and removed the HDD; the renaming had been done via a sticker on top of the computer…
  • 72. Containing Leakage
    - Exfiltration techniques: store to a USB thumb drive; email it to the “other” account; XOR the data (bit shifting); encrypt it; collect and compress (ZIP/RAR); covert-tunnel it using proprietary packers
    - On a network share, how do you know who accessed a compromised file? Link file analysis; matching files search
    - If you clean a shared repository, have you adequately contained? Can a user save a file to their own desktop?
  • 76. Video of classified operations
  • 83. File flagged as deleted. Data wiped with zeros
  • 84. Data-B-Gone As a side note, no entry was created in the INFO2 file and the Recycler was untouched.
  • 85. Data Risk and Spillage Assessment: How do You Ensure Sensitive Data is Kept in Check?
    - Define: create search criteria for relevant sensitive data
    - Identify: automatically search systems for sensitive data
    - Assess: map data found to data policies
    - Enforce: collect and/or wipe sensitive data from unauthorized locations
  • 86. Data Risk and Spillage Assessment: Data Remediation & Policy Enforcement. In addition to malware and suspicious activity, EnCase Cybersecurity can expose and remediate errant sensitive data:
    - Ongoing risk assessments for PII/IP and classified spillage
    - Configurable for your specific data formats (e.g., contract numbers)
    - Light passive driver as opposed to a heavy and active agent
    - Forensic-grade disk-level visibility and validation
    - Risk mitigation and policy enforcement through remediation
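The define/identify/assess/enforce loop of slides 85 and 86, as an added example in Python; this is not EnCase's search engine. Search criteria are regexes, each with an optional validator so that a pattern match alone is not a finding (the Luhn check throws out 16-digit strings that merely look like card numbers), one criterion is a customer-specific contract-number format, and findings are mapped to a per-share policy to produce the collect-and-wipe list. The files, share paths, contract-number format and policy are all constructed assumptions.

```python
"""Sensitive-data audit: define criteria, identify hits, map to policy, enforce.

Added example, not EnCase's own search engine. The files, their locations
and the contract-number format are constructed; the policy (which shares
may hold which data classes) is an assumption for illustration.
"""
import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn check: drops most random 16-digit strings that merely look like PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Define: search criteria. Each pattern carries an optional validator so a
# regex match alone does not produce a finding.
CRITERIA = {
    "US_SSN": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    "PAN": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
            lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    # Assumed customer-specific format: contract numbers like N00024-10-C-1234.
    "CONTRACT_NO": (re.compile(r"\bN\d{5}-\d{2}-[A-Z]-\d{4}\b"), None),
}

# Assess: which data classes each location is authorized to hold (assumed policy).
POLICY = {
    "\\\\fs01\\finance\\": {"PAN", "US_SSN"},
    "\\\\fs01\\contracts\\": {"CONTRACT_NO"},
    "\\\\fs01\\public\\": set(),
}

# Constructed sample files (path -> content).
FILES = {
    "\\\\fs01\\finance\\payroll.txt": "Employee 123-45-6789 card 4111 1111 1111 1111",
    "\\\\fs01\\contracts\\award.txt": "Award N00024-10-C-1234 issued",
    # 16 digits that fail Luhn: looks like a PAN, is not reported as one.
    "\\\\fs01\\public\\readme.txt": "Ticket 1234 5678 9012 3456 ref N00024-10-C-1234",
    "\\\\fs01\\public\\notes.txt": "Call 987-65-4321 about card 4012 8888 8888 1881",
}


@dataclass
class Finding:
    path: str
    data_class: str
    count: int
    sample: str          # masked, so the report itself is not a spill
    authorized: bool


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def identify(files: dict, criteria=CRITERIA) -> list:
    """Identify: run every criterion over every file; validators filter the hits."""
    findings = []
    for path, text in files.items():
        for name, (pattern, validator) in criteria.items():
            hits = [m for m in pattern.findall(text) if validator is None or validator(m)]
            if hits:
                findings.append(Finding(path, name, len(hits), mask(hits[0]), False))
    return findings


def assess(findings: list, policy=POLICY) -> list:
    """Assess: a finding is authorized only if its share may hold that data class."""
    for f in findings:
        share = next((p for p in policy if f.path.startswith(p)), None)
        f.authorized = share is not None and f.data_class in policy[share]
    return findings


def enforce(findings: list):
    """Enforce: the (path, class) pairs that violate policy, i.e. the collect-and-wipe list."""
    return [(f.path, f.data_class) for f in findings if not f.authorized]


if __name__ == "__main__":
    report = assess(identify(FILES))
    for f in report:
        flag = "OK       " if f.authorized else "VIOLATION"
        print(f"{flag} {f.path} {f.data_class} x{f.count} sample={f.sample}")
    print("remediation targets:", enforce(report))
```

Note that 987-65-4321 in notes.txt is not reported: the SSN pattern excludes area numbers 000, 666 and 900-999, which have never been issued. Validators of that kind are what keep an enterprise-wide sweep from burying the two real leaks under thousands of ticket numbers, and the masked sample is deliberate, since an audit report full of full card numbers is itself a spill.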
  • 87. Automated Incident Response. EnCase Cybersecurity provides an open, web-services API to enable third-party applications to trigger investigative/forensic functions, so that automated incident response can be performed. It is optimized when triggered by a SIM/SIEM, wherein threshold, prioritization and coverage are all weighted within the requesting sensor.
  • 89. Feature Roadmap
    - Job scheduling: job recurrence; examiner affinity
    - Security-centric user interface: web UI
    - Process automation: API-based integration with SIEM, IDS, IPS tools; initial integration with ArcSight; services-based offering with other IDS vendors
    - Enhanced reporting
  • 91. The EnCase Cybersecurity AIRS module will functionally provide:
    - An API to allow data flow between AIRS and 3rd-party security applications
    - The ability to automate routine job queuing and execution based on both internal (manual) and external (semi-automatic) triggered events
    - The ability to schedule job execution at a user-selectable frequency and recurrence
    - Extension of pre-configured job modules that are to run based upon the class of event trigger received into the queue, or as defined by the operator upon manual entry
  • 92. 3rd-Party Application Programming Interface (API)
    - Full API: will accept inbound event queuing; will provide outbound job results
    - Open API ensures an open framework: the user writes their own connectors, or uses Professional Services to write a connector
    - ArcSight out of the box (partnered)
  • 93. Triggered Job Creation and Execution. Template jobs that will ingest target data:
    - Conduct Snapshot
    - Preserve data: image drive, image memory
    - Perform system profile collection & subsequent analysis
    - Perform configuration assessment (DISA STIG/FDCC)
    - Perform PII/IP audit
    - Perform entropy remediation
  • 94. Triggered Job Creation and Execution
    - Automatically queue and run the job: automatic, semi-automatic, or manual override
    - Weighted by alert threshold, asset prioritization and event severity
    - Distributed Command Center infrastructure: Remote Examiner Service; jobs assigned by region, AD forest, segment, etc.
  • 95. Job Scheduling
    - Minimize the bandwidth impact of intensive operations (e.g., full disk imaging)
    - Assign jobs based upon network infrastructure: keep jobs within segments
    - Creation of recurring jobs: set up periodicity and intervals
  • 96. Job Status: which jobs are running, which jobs have completed, which jobs remain in the queue
  • 97. Job Results: viewable via the web interface within Cybersecurity; the open API pushes results to the requesting sensor; optionally write results to a database
  • 98. User Interface and Report Generator: results delivered to “non-experts” via the web interface; consolidate and simplify results; provide report generation of items of interest; export significant items for archive
  • 99. Saturation Safeguards / “Run Now” Operator Override
    - Set the job queue to auto-run: run continuously as licensing permits
    - Preconfigured batch limit: spool like jobs and run them concurrently
    - The operator will be able to select and override, immediately triggering jobs
  • 100. Job Refresh / Export XML to 3rd Party
    - Refresh job status; alert the 3rd-party solution that jobs have completed
    - Export XML to a database or the 3rd-party solution; ready to review
  • 101. Real World Use Cases: major defense contractor, US military, federal and state departments, critical infrastructure (oil/water/gas), UK Office of Govt Commerce, NATO, financial industry, bio research
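The event-triggered job flow of slides 87 to 100 (inbound event, template jobs by event class, weighting by severity and asset priority against an alert threshold, a batch limit as saturation safeguard, a "Run Now" override, status and XML export), as an added example in Python; this is not the AIRS module's code. The event classes, job templates, scoring rule, threshold, batch size and XML layout are assumptions, and the SIEM events are constructed.

```python
"""Event-triggered job queue with threshold, priority, batch limit and XML export.

Added example, not the AIRS module's code. Event classes, job templates,
the scoring rule and the XML layout are assumptions; the SIEM events are
constructed.
"""
import heapq
import itertools
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Pre-configured job templates keyed by event class (assumed mapping).
JOB_TEMPLATES = {
    "malware_alert": ["snapshot", "system_profile", "entropy_scan"],
    "data_leak": ["pii_audit"],
    "config_drift": ["config_assessment"],
}
ASSET_PRIORITY = {"domain_controller": 3, "server": 2, "workstation": 1}
ALERT_THRESHOLD = 6   # score below this is held for the operator (assumption)
BATCH_LIMIT = 2       # saturation safeguard: jobs run per cycle (assumption)


@dataclass(frozen=True)
class Event:
    event_id: str
    event_class: str
    severity: int        # 1..5 as the SIEM rates it
    asset: str
    asset_role: str


@dataclass
class Job:
    job_id: int
    event_id: str
    template: str
    asset: str
    score: int
    status: str = "queued"   # queued | held -> running -> completed
    result: dict = field(default_factory=dict)


class JobQueue:
    def __init__(self):
        self._ids = itertools.count(1)
        self._heap = []          # (-score, job_id): highest score runs first
        self.jobs = {}

    def score(self, ev: Event) -> int:
        """Weighting: severity x asset priority (the sensor-side prioritization)."""
        return ev.severity * ASSET_PRIORITY.get(ev.asset_role, 1)

    def ingest(self, ev: Event) -> list:
        """Inbound event -> one job per template for its class. Events under the
        alert threshold are held rather than auto-run."""
        s = self.score(ev)
        created = []
        for template in JOB_TEMPLATES.get(ev.event_class, []):
            job = Job(next(self._ids), ev.event_id, template, ev.asset, s)
            if s >= ALERT_THRESHOLD:
                heapq.heappush(self._heap, (-s, job.job_id))
            else:
                job.status = "held"
            self.jobs[job.job_id] = job
            created.append(job)
        return created

    def override(self, job_id: int) -> Job:
        """'Run Now': the operator releases a held job ahead of everything queued."""
        job = self.jobs[job_id]
        if job.status == "held":
            job.status = "queued"
            heapq.heappush(self._heap, (-10**6, job.job_id))
        return job

    def run_batch(self, runner) -> list:
        """Pop up to BATCH_LIMIT jobs by priority, run them, mark them completed."""
        ran = []
        for _ in range(min(BATCH_LIMIT, len(self._heap))):
            _, job_id = heapq.heappop(self._heap)
            job = self.jobs[job_id]
            job.status = "running"
            job.result = runner(job)
            job.status = "completed"
            ran.append(job)
        return ran

    def status(self) -> dict:
        counts = {"queued": 0, "held": 0, "running": 0, "completed": 0}
        for job in self.jobs.values():
            counts[job.status] += 1
        return counts

    def export_xml(self) -> str:
        """Results for the requesting sensor / 3rd-party tool (assumed layout)."""
        root = ET.Element("jobs")
        for job in self.jobs.values():
            j = ET.SubElement(root, "job", id=str(job.job_id), event=job.event_id,
                              template=job.template, asset=job.asset, status=job.status)
            for k, v in job.result.items():
                ET.SubElement(j, k).text = str(v)
        return ET.tostring(root, encoding="unicode")


def fake_runner(job: Job) -> dict:
    """Stand-in for examiner work; a real run collects data from the endpoint."""
    return {"out_of_profile": 1 if job.template == "system_profile" else 0}


EVENTS = [  # constructed SIEM events
    Event("evt-1", "malware_alert", 4, "dc01", "domain_controller"),
    Event("evt-2", "data_leak", 2, "ws17", "workstation"),
    Event("evt-3", "config_drift", 3, "app02", "server"),
]

if __name__ == "__main__":
    q = JobQueue()
    for ev in EVENTS:
        q.ingest(ev)
    print("after ingest:", q.status())
    q.run_batch(fake_runner)
    print("after one batch:", q.status())
    print(q.export_xml())
```

The held state is the point of the threshold: a low-severity event on a workstation still gets its job record, so nothing the SIEM sent is lost, but it consumes no examiner capacity until an operator releases it. The batch limit, not the heap, is what stops a noisy sensor from saturating the examiners; a real deployment would also pin jobs to the segment the target sits in, as slide 95 describes, before letting a full disk image cross the WAN.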
  • 106. McAfee
  • 110. McAfee
  • 119. Snort
  • 123. RSA