SlideShare a Scribd company logo

4. Forensic Investigation Techniques By Neil Hare Brown.pptx

Download as PPTX, PDF
A
AMIRHAMZA18953

DIGITAL FORENSIC

Science
1 of 15
Forensic Investigation Techniques
STORM Cyber.Care Assess | Plan | Respond Full Service offering for Reinsurers, Insurers, Brokers and Clients. Assess Lightweight cyber risk assessments to enable clients to learn and improve their cyber security and to enable insurers and reinsurers to manage book risk. Respond Delivering a fully coordinated and Integrated Cyber Incident Response Team (I-CIRT). Plan Helping insured clients to create, learn (through training) and exercise/test their plans in dealing with different types of cyber incidents in the context of their business. © Storm Guidance 2019 Forensic Investigation Techniques
Investigation: Revealing the Picture Method of Attack • Body of Evidence Was it Stopped How? Criminal Theft Other Criminal Non-Criminal Error Why? Detected? Compromised? When? Controls Failed Affected Systems Location • Organisation • 3rd Party • Staff Home • Mobile • Attacker Location Data Went Where? Was Targeted • Staff Involved • 3rd Parties Involved Was Responsible • Attacker type • Location/Identity Who? Was Compromised • Incident Type Was/is Potential Impact • Severity • Priority What?
Technical response objectives  Triage of breach  Analysis of the incident “Indicators of Compromise” (IoC)  Halt the spread or worsening of the compromise and limiting the impact  Digital forensics and testing to investigate the cause and effects of incident/breach  Recover when needed: – Clear existing environment or establish new environment in preparation for recovery – Restore all systems and business data to operational readiness  Implement more effective controls and make whole any compensating controls  Post-incident reporting and analysis 3
Incident Stats 4  129 incidents in last 12 months: range of types and size of victim org.  Mailbox hijacking – BEC – Significant Rise in targeted fraud  Ransomware/Extortion  Advanced malware incidents increasing  Data Theft: PII and other digital assets  Diverse causes and types of incident – some not actual breaches  Range of Impacts: sometimes significant loss – increasing BI  Increasing regulator scrutiny: GDPR – 72 hour window 4
The BEC Analysis Challenge 5  Business Email Compromise an extremely simple attack  Starts with Phishing; usually from trusted parties, aim: steal login credentials  Attackers use credentials to hijack users online mailbox(es)  Mailbox rules are often used to hide activity and assist the criminals  Main aim of the hijack is to detect and manipulate payment instructions  In the process, (often) significant PII is accessible and downloaded  Downstream risk of attacker extortion with threat to release news of breach  GDPR/MU DPA requires notification of all data subjects who may be at ‘high risk’ as a result of the data breach  As part of our investigation we need to inform the client about:  Sensitive data which may put data subjects at ‘high risk’ e.g. fraud & ID theft  Identify all data subjects to inform the notification activity 5
6  Mailbox data is highly unstructured and not easily searchable for PII  Often there are many Gigabytes of data from many years of activity  It is not just messages & attachments…  Calendar entries (with attachments), Tasks & Contacts  Files (OneDrive & SharePoint)  Automated searching is used extensively with our forensic toolset and without losing the overall evidential integrity often risked with e-Discovery tools  Often, sensitive data is contained within scanned documents (images) which cannot be reliably searched.  Scanned documents include passports, driving licenses, ID records, agreements, bank statements etc. 6 The BEC Analysis Challenge
The BEC Analysis Challenge The BEC Analysis Steps 1. Extract mailbox(es) into standard file format for forensics tool 2. Load the mailbox(es) into the forensics tool and perform indexing function 3. Run initial analysis report and share results 4. Initiate build of spreadsheet tool 5. Arrange search terms (more of which may be added dependent on findings during analysis) 6. Run search terms and enhance with Boolean expressions where necessary to exclude FNs and reduce FPs 7. Manually verify results on searches returning key sensitive information including image files of note 8. De-duplicate 9. Report 10. Carve out items of interest for legal consideration 7
The BEC Analysis Challenge 8  Considerable manual effort is therefore needed to:  Contextualise email discussion threads to determine risk  Read and classify image files  Dismiss false positives generated by automated searches  Carve out message attachments for review by legal specialists  Record data found against data subjects to assess risk in the aggregate  create a register of the affected data subjects so as to aid legal advice around risk, and enable suitable notification responses if required. 8
The BEC Analysis Challenge 9
The BEC Analysis Challenge 10 De-duplication Findings totals
STORM BEC Analysis Process 1. Request Client complete Mailbox Analysis Questionnaire for each mailbox 2. Assist Client in advice on export 3. Receive the Mailbox in PST format 4. Verify the PST (PST viewer - check that it opens, check date range to confirm all mailbox or incomplete/limited extraction 5. Load into e-Discovery platform & run indexing process 6. Run Insight report: Share with client and discuss estimated time to complete 7. Run searches (Pre-defined Search Lists) 11
STORM BEC Analysis Process 8. Need to select search terms (within selected lists) to maximise accuracy and minimise false positives - called ‘alignment’. 9. Randomly select results and check alignment. 10. Make modifications to improve the alignment 11. Grade and group search term results into Batches for analysis (200-300 search results per batch). 12. Results of batch analysis is transcribed into the DDS spreadsheet. 13. De-duplicate the DDS spreadsheet 14. Design and execute the Notification exercise driven from the DDS 12
What to Expect in 2020  Further rise in reported incidents  Specific rise in mailbox hijacking – BEC – Unless Microsoft make Multi-Factor Authentication (MFA) mandatory  Further advanced Ransomware attacks with data exfiltration  Extortion from historic Data Thefts – threat intel important  Rise in sophisticated malware (called RAT) assisted frauds  Continued focus on social engineering scams  Renewed drive to reduce fraud opportunities – Banks to include account name in transaction integrity checks – Better email analysis and mailbox threat/phishing detection 13
© Storm Guidance 2019 Neil Hare-Brown Thank you

Recommended

Internal Audit
Internal AuditInternal Audit
Internal AuditNigel Robinson
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA SensePost
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdfSurendhar57
 
2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docxstandfordabbot
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance EyesOpen Association
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA PresentationMarc Crudgington, MBA
 
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear AttacksIRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear AttacksIRJET Journal
 

Recommended

Internal Audit
Internal AuditInternal Audit
Internal AuditNigel Robinson
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA SensePost
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdfSurendhar57
 
2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docxstandfordabbot
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance EyesOpen Association
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA PresentationMarc Crudgington, MBA
 
IRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear AttacksIRJET- Minimize Phishing Attacks: Securing Spear Attacks
IRJET- Minimize Phishing Attacks: Securing Spear AttacksIRJET Journal
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docxhyacinthshackley2629
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analyticsJim Kaplan CIA CFE
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7Veronica Pereira
 
Practical IT auditing
Practical IT auditingPractical IT auditing
Practical IT auditingFrederick Altum Pokoo-Aikins
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docxcroysierkathey
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxketurahhazelhurst
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxwalterl4
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ EnterprisesNigel Hanson
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12Jim Kaplan CIA CFE
 
VulnerabilityRewardsProgram
VulnerabilityRewardsProgramVulnerabilityRewardsProgram
VulnerabilityRewardsProgramTaha Kachwala
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Efficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence accelerationEfficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence accelerationSérgio Sacani
 
Adaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloAdaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloChristian Robert
 

More Related Content

Similar to 4. Forensic Investigation Techniques By Neil Hare Brown.pptx

1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docxhyacinthshackley2629
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analyticsJim Kaplan CIA CFE
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docxcroysierkathey
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxketurahhazelhurst
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxwalterl4
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ EnterprisesNigel Hanson
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
VulnerabilityRewardsProgram
VulnerabilityRewardsProgramVulnerabilityRewardsProgram
VulnerabilityRewardsProgramTaha Kachwala
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 

Similar to 4. Forensic Investigation Techniques By Neil Hare Brown.pptx (20)

1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7
 
Practical IT auditing
Practical IT auditingPractical IT auditing
Practical IT auditing
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docx
 
Chapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docxChapter 3 Evaluating RiskTermsRiskHow l.docx
Chapter 3 Evaluating RiskTermsRiskHow l.docx
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
VulnerabilityRewardsProgram
VulnerabilityRewardsProgramVulnerabilityRewardsProgram
VulnerabilityRewardsProgram
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 

Recently uploaded

Efficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence accelerationEfficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence accelerationSérgio Sacani
 
Adaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloAdaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloChristian Robert
 
ANATOMY OF DICOT AND MONOCOT LEAVES.pptx
ANATOMY OF DICOT AND MONOCOT LEAVES.pptxANATOMY OF DICOT AND MONOCOT LEAVES.pptx
ANATOMY OF DICOT AND MONOCOT LEAVES.pptxRASHMI M G
 
Taphonomy and Quality of the Fossil Record
Taphonomy and Quality of the Fossil RecordTaphonomy and Quality of the Fossil Record
Taphonomy and Quality of the Fossil RecordSangram Sahoo
 
RACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptxRACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptxArunLakshmiMeenakshi
 
GBSN - Microbiology (Unit 5) Concept of isolation
GBSN - Microbiology (Unit 5) Concept of isolationGBSN - Microbiology (Unit 5) Concept of isolation
GBSN - Microbiology (Unit 5) Concept of isolationAreesha Ahmad
 
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...Ansari Aashif Raza Mohd Imtiyaz
 
Heads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdfHeads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdfbyp19971001
 
Technical english Technical english.pptx
Technical english Technical english.pptxTechnical english Technical english.pptx
Technical english Technical english.pptxyoussefboujtat3
 
GBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) EnzymologyGBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) EnzymologyAreesha Ahmad
 
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdfFORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdfSuchita Rawat
 
GBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) MetabolismGBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) MetabolismAreesha Ahmad
 
MSC IV_Forensic medicine - Mechanical injuries.pdf
MSC IV_Forensic medicine - Mechanical injuries.pdfMSC IV_Forensic medicine - Mechanical injuries.pdf
MSC IV_Forensic medicine - Mechanical injuries.pdfSuchita Rawat
 
Polyethylene and its polymerization.pptx
Polyethylene and its polymerization.pptxPolyethylene and its polymerization.pptx
Polyethylene and its polymerization.pptxMuhammadRazzaq31
 
VILLAGE ATTACHMENT For rural agriculture PPT.pptx
VILLAGE ATTACHMENT For rural agriculture PPT.pptxVILLAGE ATTACHMENT For rural agriculture PPT.pptx
VILLAGE ATTACHMENT For rural agriculture PPT.pptxAQIBRASOOL4
 
Terpineol and it's characterization pptx
Terpineol and it's characterization pptxTerpineol and it's characterization pptx
Terpineol and it's characterization pptxMuhammadRazzaq31
 
X-rays from a Central “Exhaust Vent” of the Galactic Center Chimney
X-rays from a Central “Exhaust Vent” of the Galactic Center ChimneyX-rays from a Central “Exhaust Vent” of the Galactic Center Chimney
X-rays from a Central “Exhaust Vent” of the Galactic Center ChimneySérgio Sacani
 
Film Coated Tablet and Film Coating raw materials.pdf
Film Coated Tablet and Film Coating raw materials.pdfFilm Coated Tablet and Film Coating raw materials.pdf
Film Coated Tablet and Film Coating raw materials.pdfPharmatech-rx
 
Introduction and significance of Symbiotic algae
Introduction and significance of Symbiotic algaeIntroduction and significance of Symbiotic algae
Introduction and significance of Symbiotic algaekushbuR
 

Recently uploaded (20)

Efficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence accelerationEfficient spin-up of Earth System Models usingsequence acceleration
Efficient spin-up of Earth System Models usingsequence acceleration
 
Adaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloAdaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte Carlo
 
ANATOMY OF DICOT AND MONOCOT LEAVES.pptx
ANATOMY OF DICOT AND MONOCOT LEAVES.pptxANATOMY OF DICOT AND MONOCOT LEAVES.pptx
ANATOMY OF DICOT AND MONOCOT LEAVES.pptx
 
Taphonomy and Quality of the Fossil Record
Taphonomy and Quality of the Fossil RecordTaphonomy and Quality of the Fossil Record
Taphonomy and Quality of the Fossil Record
 
RACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptxRACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptx
 
GBSN - Microbiology (Unit 5) Concept of isolation
GBSN - Microbiology (Unit 5) Concept of isolationGBSN - Microbiology (Unit 5) Concept of isolation
GBSN - Microbiology (Unit 5) Concept of isolation
 
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...
Molecular and Cellular Mechanism of Action of Hormones such as Growth Hormone...
 
Heads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdfHeads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdf
 
Technical english Technical english.pptx
Technical english Technical english.pptxTechnical english Technical english.pptx
Technical english Technical english.pptx
 
GBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) EnzymologyGBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) Enzymology
 
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdfFORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
 
GBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) MetabolismGBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) Metabolism
 
MSC IV_Forensic medicine - Mechanical injuries.pdf
MSC IV_Forensic medicine - Mechanical injuries.pdfMSC IV_Forensic medicine - Mechanical injuries.pdf
MSC IV_Forensic medicine - Mechanical injuries.pdf
 
Polyethylene and its polymerization.pptx
Polyethylene and its polymerization.pptxPolyethylene and its polymerization.pptx
Polyethylene and its polymerization.pptx
 
VILLAGE ATTACHMENT For rural agriculture PPT.pptx
VILLAGE ATTACHMENT For rural agriculture PPT.pptxVILLAGE ATTACHMENT For rural agriculture PPT.pptx
VILLAGE ATTACHMENT For rural agriculture PPT.pptx
 
Terpineol and it's characterization pptx
Terpineol and it's characterization pptxTerpineol and it's characterization pptx
Terpineol and it's characterization pptx
 
X-rays from a Central “Exhaust Vent” of the Galactic Center Chimney
X-rays from a Central “Exhaust Vent” of the Galactic Center ChimneyX-rays from a Central “Exhaust Vent” of the Galactic Center Chimney
X-rays from a Central “Exhaust Vent” of the Galactic Center Chimney
 
Film Coated Tablet and Film Coating raw materials.pdf
Film Coated Tablet and Film Coating raw materials.pdfFilm Coated Tablet and Film Coating raw materials.pdf
Film Coated Tablet and Film Coating raw materials.pdf
 
ABHISHEK ANTIBIOTICS PPT MICROBIOLOGY // USES OF ANTIOBIOTICS TYPES OF ANTIB...
ABHISHEK ANTIBIOTICS PPT MICROBIOLOGY // USES OF ANTIOBIOTICS TYPES OF ANTIB...ABHISHEK ANTIBIOTICS PPT MICROBIOLOGY // USES OF ANTIOBIOTICS TYPES OF ANTIB...
ABHISHEK ANTIBIOTICS PPT MICROBIOLOGY // USES OF ANTIOBIOTICS TYPES OF ANTIB...
 
Introduction and significance of Symbiotic algae
Introduction and significance of Symbiotic algaeIntroduction and significance of Symbiotic algae
Introduction and significance of Symbiotic algae
 

4. Forensic Investigation Techniques By Neil Hare Brown.pptx

  • 2. STORM Cyber.Care Assess | Plan | Respond Full Service offering for Reinsurers, Insurers, Brokers and Clients. Assess Lightweight cyber risk assessments to enable clients to learn and improve their cyber security and to enable insurers and reinsurers to manage book risk. Respond Delivering a fully coordinated and Integrated Cyber Incident Response Team (I-CIRT). Plan Helping insured clients to create, learn (through training) and exercise/test their plans in dealing with different types of cyber incidents in the context of their business. © Storm Guidance 2019 Forensic Investigation Techniques
  • 3. Investigation: Revealing the Picture Method of Attack • Body of Evidence Was it Stopped How? Criminal Theft Other Criminal Non-Criminal Error Why? Detected? Compromised? When? Controls Failed Affected Systems Location • Organisation • 3rd Party • Staff Home • Mobile • Attacker Location Data Went Where? Was Targeted • Staff Involved • 3rd Parties Involved Was Responsible • Attacker type • Location/Identity Who? Was Compromised • Incident Type Was/is Potential Impact • Severity • Priority What?
  • 4. Technical response objectives  Triage of breach  Analysis of the incident “Indicators of Compromise” (IoC)  Halt the spread or worsening of the compromise and limiting the impact  Digital forensics and testing to investigate the cause and effects of incident/breach  Recover when needed: – Clear existing environment or establish new environment in preparation for recovery – Restore all systems and business data to operational readiness  Implement more effective controls and make whole any compensating controls  Post-incident reporting and analysis 3
  • 5. Incident Stats 4  129 incidents in last 12 months: range of types and size of victim org.  Mailbox hijacking – BEC – Significant Rise in targeted fraud  Ransomware/Extortion  Advanced malware incidents increasing  Data Theft: PII and other digital assets  Diverse causes and types of incident – some not actual breaches  Range of Impacts: sometimes significant loss – increasing BI  Increasing regulator scrutiny: GDPR – 72 hour window 4
  • 6. The BEC Analysis Challenge 5  Business Email Compromise an extremely simple attack  Starts with Phishing; usually from trusted parties, aim: steal login credentials  Attackers use credentials to hijack users online mailbox(es)  Mailbox rules are often used to hide activity and assist the criminals  Main aim of the hijack is to detect and manipulate payment instructions  In the process, (often) significant PII is accessible and downloaded  Downstream risk of attacker extortion with threat to release news of breach  GDPR/MU DPA requires notification of all data subjects who may be at ‘high risk’ as a result of the data breach  As part of our investigation we need to inform the client about:  Sensitive data which may put data subjects at ‘high risk’ e.g. fraud & ID theft  Identify all data subjects to inform the notification activity 5
  • 7. 6  Mailbox data is highly unstructured and not easily searchable for PII  Often there are many Gigabytes of data from many years of activity  It is not just messages & attachments…  Calendar entries (with attachments), Tasks & Contacts  Files (OneDrive & SharePoint)  Automated searching is used extensively with our forensic toolset and without losing the overall evidential integrity often risked with e-Discovery tools  Often, sensitive data is contained within scanned documents (images) which cannot be reliably searched.  Scanned documents include passports, driving licenses, ID records, agreements, bank statements etc. 6 The BEC Analysis Challenge
  • 8. The BEC Analysis Challenge The BEC Analysis Steps 1. Extract mailbox(es) into standard file format for forensics tool 2. Load the mailbox(es) into the forensics tool and perform indexing function 3. Run initial analysis report and share results 4. Initiate build of spreadsheet tool 5. Arrange search terms (more of which may be added dependent on findings during analysis) 6. Run search terms and enhance with Boolean expressions where necessary to exclude FNs and reduce FPs 7. Manually verify results on searches returning key sensitive information including image files of note 8. De-duplicate 9. Report 10. Carve out items of interest for legal consideration 7
  • 9. The BEC Analysis Challenge 8  Considerable manual effort is therefore needed to:  Contextualise email discussion threads to determine risk  Read and classify image files  Dismiss false positives generated by automated searches  Carve out message attachments for review by legal specialists  Record data found against data subjects to assess risk in the aggregate  create a register of the affected data subjects so as to aid legal advice around risk, and enable suitable notification responses if required. 8
  • 10. The BEC Analysis Challenge 9
  • 11. The BEC Analysis Challenge 10 De-duplication Findings totals
  • 12. STORM BEC Analysis Process 1. Request Client complete Mailbox Analysis Questionnaire for each mailbox 2. Assist Client in advice on export 3. Receive the Mailbox in PST format 4. Verify the PST (PST viewer - check that it opens, check date range to confirm all mailbox or incomplete/limited extraction 5. Load into e-Discovery platform & run indexing process 6. Run Insight report: Share with client and discuss estimated time to complete 7. Run searches (Pre-defined Search Lists) 11
  • 13. STORM BEC Analysis Process 8. Need to select search terms (within selected lists) to maximise accuracy and minimise false positives - called ‘alignment’. 9. Randomly select results and check alignment. 10. Make modifications to improve the alignment 11. Grade and group search term results into Batches for analysis (200-300 search results per batch). 12. Results of batch analysis is transcribed into the DDS spreadsheet. 13. De-duplicate the DDS spreadsheet 14. Design and execute the Notification exercise driven from the DDS 12
  • 14. What to Expect in 2020  Further rise in reported incidents  Specific rise in mailbox hijacking – BEC – Unless Microsoft make Multi-Factor Authentication (MFA) mandatory  Further advanced Ransomware attacks with data exfiltration  Extortion from historic Data Thefts – threat intel important  Rise in sophisticated malware (called RAT) assisted frauds  Continued focus on social engineering scams  Renewed drive to reduce fraud opportunities – Banks to include account name in transaction integrity checks – Better email analysis and mailbox threat/phishing detection 13
  • 15. © Storm Guidance 2019 Neil Hare-Brown Thank you