
The Practice of Cyber Crime Investigations

A beginner's introduction to Case Theory approach for Cyber Crime Investigations.



  1. The Practice of Cyber Crime Investigations
     Albert Hui, GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, GSEC, CISA, CISM, CRISC
     Security Ronin
     November 19th 2016 @ HKUST Cybersecurity Lab Security Day
  2. Who am I?
     Copyright © 2016 Albert Hui
     - Co-designed the first Cyber Forensics curriculum for Hong Kong Police, trained cops
     - CSIRT Manager at an Investment Bank
     - ACFE (Association of Certified Fraud Examiners) Asia Pacific Fraud Conference keynote speaker
     - HTCIA (High Tech Crime Investigation Association) Asia Pacific Forensics Conference speaker
     - Technology Risk Manager at Multinational Banks
     - Risk Consultant for Government and Critical Infrastructures
     - Black Hat speaker
     Albert Hui, GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, GSEC, CISA, CISM, CRISC
     Security Ronin: Incident Response & Investigations; Technology Risk Management
  3. Main Types of Cyber Crimes
     - Theft
     - Sabotage
     - Extortion
  4. The "Whys" of Cyber Crime
     Hui's Cyber Threat Intent Taxonomy: motives laid out on a spectrum from Secular to Sacred
     - ego
     - money
     - ideology (e.g. hacktivists)
     - revenge (e.g. former employees)
     - curiosity
     - industrial espionage
     - war & terrorism (e.g. state-sponsored hackers)
     - political (e.g. foreign government policies)
  5. Objectives of Private Investigations
     - Find bad actors, for legal action and/or settlement
     - Gather concrete evidence of suspected wrongdoing, for legal action and/or settlement
     - Recover lost assets
     - Independent assessment of the incident for insurance claims
     - Determine control weaknesses for risk mitigation
     (...and many others)
  6. Common Practice Areas
     Cyber Crime Investigation
     - Cyber Forensics
       - Evidence Collection
       - Forensic Analysis
     - Incident Response
       - Intrusion Analysis
       - Malware Reverse Engineering
     - E-Discovery
     - Forensic Accounting
     - Intelligence
       - Cyber Intelligence (CYBINT)
       - Open Source Intelligence (OSINT)
       - Human Intelligence (HUMINT)
  7. Investigation Methodology
  8. Methodology
     "You know my method. It is founded upon the observation of trifles." (Sherlock Holmes)
  9. Locard's Exchange Principle
     "Every contact leaves a trace." (Edmond Locard)
  10. Red Flags Lead to Smoking Gun
  11. Case Theory Approach (an iterative loop)
     - Gather & Analyze all relevant facts
     - Construct Hypotheses based on knowledge of Hacking Operations, Crime Modus Operandi, Fraud Scheme Mechanics, etc.
     - Test Hypotheses via Forensic Examination, Data Analysis, Document Review, etc.
     - Revise & Refine, then return to gathering facts
  12. Example Model 1: Occupational Fraud Schemes
     http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2016/fraud-tree.pdf
     Billing Scheme red flags to test for:
     - Vendor profiles
       - Incomplete profile
       - Non-business address
     - Payments
       - Duplicate payments
       - To unauthorized vendors
       - Without matching POs or invoices
       - Small amount below approval limit
       - Unusual short turn-around time
       - Excessive purchase of particular items
       - Excessive purchase from particular vendors
     - Received goods or services
       - Inventory missing purchased goods
       - Unusual non-goods purchases
       - Unusual shipment destinations
     (...and many many more)
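The billing-scheme red flags listed above are the kind of hypothesis tests the Case Theory approach runs against a payment ledger. The script below is an added example, not from the slides or from Albert Hui: it runs a handful of those tests (incomplete vendor profile, non-business address, duplicate payment, unauthorized vendor, missing PO, amount just below an approval limit, unusually short turnaround, spend concentrated on one vendor) over a constructed vendor file and ledger. The approval limit, the thresholds, the address heuristic and every record are assumptions chosen for illustration.

```python
"""Billing-scheme red-flag tests over a constructed vendor file and payment ledger.

Added example, not from the slides. All records, limits and thresholds are
hypothetical values chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00   # hypothetical single-approver limit
NEAR_LIMIT_BAND = 0.05     # flag amounts within 5% below the limit
TURNAROUND_DAYS = 2        # paid sooner than this after invoicing is unusual
CONCENTRATION_SHARE = 0.5  # one vendor taking more than half of spend is unusual

# Constructed vendor master file: vendor_id -> profile
VENDORS = {
    "V100": {"name": "Acme Office Supply", "address": "12 Harbour Rd, Wan Chai",
             "phone": "2123 4567", "approved": True},
    "V200": {"name": "Blue Sky Consulting", "address": "Flat 3B, 88 Residential Ct",
             "phone": "", "approved": True},
    "V300": {"name": "Quick Parts Ltd", "address": "PO Box 991",
             "phone": "9876 5432", "approved": False},
}

# Constructed payment ledger:
# (payment_id, vendor_id, amount, invoice_no, po_no, invoice_date, paid_date)
PAYMENTS = [
    ("P1", "V100", 1200.00, "INV-1", "PO-77", date(2016, 10, 3), date(2016, 10, 20)),
    ("P2", "V200", 4950.00, "INV-9", None,    date(2016, 10, 5), date(2016, 10, 5)),
    ("P3", "V200", 4950.00, "INV-9", None,    date(2016, 10, 12), date(2016, 10, 12)),
    ("P4", "V300", 300.00,  "INV-2", "PO-80", date(2016, 11, 1), date(2016, 11, 15)),
    ("P5", "V100", 4990.00, "INV-5", "PO-81", date(2016, 11, 2), date(2016, 11, 18)),
]

NON_BUSINESS_MARKERS = ("po box", "flat", "residential")  # crude address heuristic


def vendor_profile_flags(vendors):
    """Vendor-profile red flags: incomplete profile, non-business address."""
    flags = []
    for vid, v in vendors.items():
        if not v["phone"] or not v["address"]:
            flags.append(("incomplete_profile", vid))
        if any(marker in v["address"].lower() for marker in NON_BUSINESS_MARKERS):
            flags.append(("non_business_address", vid))
    return flags


def payment_flags(payments, vendors):
    """Payment red flags, one (flag, payment_id) tuple per hit."""
    flags = []
    # Same vendor, amount and invoice number paid more than once
    seen = Counter((vid, amount, inv) for _, vid, amount, inv, *_ in payments)
    for pid, vid, amount, inv, po, inv_date, paid_date in payments:
        if seen[(vid, amount, inv)] > 1:
            flags.append(("duplicate_payment", pid))
        if not vendors.get(vid, {}).get("approved", False):
            flags.append(("unauthorized_vendor", pid))
        if po is None:
            flags.append(("no_matching_po", pid))
        if APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND) <= amount < APPROVAL_LIMIT:
            flags.append(("just_below_approval_limit", pid))
        if (paid_date - inv_date).days < TURNAROUND_DAYS:
            flags.append(("short_turnaround", pid))
    return flags


def vendor_concentration(payments, share=CONCENTRATION_SHARE):
    """Vendors receiving more than `share` of total spend (excessive purchases)."""
    totals = defaultdict(float)
    for _, vid, amount, *_ in payments:
        totals[vid] += amount
    grand = sum(totals.values())
    return [vid for vid, t in totals.items() if grand and t / grand > share]


def run_all(vendors=VENDORS, payments=PAYMENTS):
    """Collect every red flag into one report keyed by test family."""
    return {
        "vendor_profiles": vendor_profile_flags(vendors),
        "payments": payment_flags(payments, vendors),
        "concentration": vendor_concentration(payments),
    }


if __name__ == "__main__":
    for family, hits in run_all().items():
        print(family, hits)
```

Each test is deliberately simple so that a hit is easy to explain to the person who has to follow it up; in practice a hit is a lead to examine (the "red flag"), not proof of a scheme, and the thresholds would be tuned to the organisation's own approval matrix and payment terms.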
  13. Example Model 2: Cyber Kill Chain
     Recon -> Weaponize -> Deliver -> Exploit -> Install -> C2 -> Action
  14. Data Theft via Web Intrusion Scenario
     Kill chain stages: Recon -> Weaponize -> Deliver -> Exploit -> Install -> C2 -> Action
     Intrusion Artifacts to Check for:
     - Check IDS / SIEM for scans
     - Check IDS / SIEM for intrusion attempts
     - Check web server log for malicious requests
     - Check file access timeline for post-breach exploitation and malware installation
     - Reverse engineer malware
     - Check DNS resolution for data exfiltration attempts
     - Check web proxy log for data exfiltration
     (...and many many more)
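Two of the artifact checks above, the web server log review for malicious requests and the DNS review for exfiltration attempts, can be scripted as a first pass before an analyst reads the logs by hand. The code below is an added example, not from the slides or from Albert Hui. It runs a few request-level indicators (path traversal, a simple SQL-injection shape, known scanner user agents) over constructed Apache-style access log lines, and flags clients that sent several long, high-entropy subdomain queries to one zone, the pattern DNS tunnelling leaves behind, over constructed DNS query log lines. The log format, the indicator patterns, the entropy and length thresholds, the IP addresses and the domain names are all assumptions made for illustration.

```python
"""Web-intrusion artifact checks over constructed web server and DNS log lines.

Added example, not from the slides. The log lines, IP addresses, domain names
and thresholds are all constructed for illustration.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache-style access log (combined format)
ACCESS_LOG = """\
10.0.0.5 - - [19/Nov/2016:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Nov/2016:10:02:15 +0800] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 812 "-" "sqlmap/1.0"
203.0.113.9 - - [19/Nov/2016:10:02:40 +0800] "GET /images/..%2F..%2Fetc/passwd HTTP/1.1" 404 230 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Nov/2016:10:03:01 +0800] "POST /upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Constructed DNS query log: client qtype qname (example-exfil.test is a made-up zone)
DNS_LOG = """\
10.0.0.7 A www.example.com
10.0.0.7 A cdn.example.net
10.0.0.7 TXT 4a6f686e20446f65.5345435245543132.q3.example-exfil.test
10.0.0.7 TXT 7a1b3c4d5e6f7081.92a3b4c5d6e7f801.q4.example-exfil.test
10.0.0.7 TXT 0123456789abcdef.fedcba9876543210.q5.example-exfil.test
10.0.0.5 A mail.example.com
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request-level indicators: label -> (field to inspect, pattern). The path is
# percent-decoded before matching so encoded traversal sequences are not missed.
REQUEST_PATTERNS = {
    "path_traversal": ("path", re.compile(r"\.\./")),
    "sql_injection": ("path", re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=", re.I)),
    "scanner_user_agent": ("ua", re.compile(r"sqlmap|nikto|nmap", re.I)),
}


def scan_access_log(text):
    """Return (client_ip, indicator) pairs for requests matching a known-bad pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: deserves its own review, skipped here
        fields = {"path": unquote(m["path"]), "ua": m["ua"]}
        for label, (field, pat) in REQUEST_PATTERNS.items():
            if pat.search(fields[field]):
                hits.append((m["ip"], label))
    return hits


def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_dns_log(text, min_label_len=16, min_entropy=3.0, min_unique=3):
    """Flag (client, zone) pairs that sent several long, high-entropy subdomain queries."""
    per_zone = defaultdict(set)
    for line in text.splitlines():
        client, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        zone, sub_labels = ".".join(labels[-2:]), labels[:-2]
        longest = max((len(lab) for lab in sub_labels), default=0)
        sub = ".".join(sub_labels)
        if longest >= min_label_len and shannon_entropy(sub) >= min_entropy:
            per_zone[(client, zone)].add(sub)
    return sorted(k for k, subs in per_zone.items() if len(subs) >= min_unique)


def run_checks():
    """Both artifact checks in one report, keyed by log source."""
    return {"web": scan_access_log(ACCESS_LOG), "dns": scan_dns_log(DNS_LOG)}


if __name__ == "__main__":
    for source, hits in run_checks().items():
        print(source, hits)
```

Both checks produce leads rather than conclusions: a request hit tells the analyst which client and which log lines to pull into the file-access timeline, and a DNS hit tells them which client and zone to correlate against the web proxy log and any malware found on that host. The thresholds in scan_dns_log are starting points and will need tuning against the organisation's own baseline of legitimate long-label queries (CDNs and anti-spam lookups are common false positives).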
  15. Summary
     - Case Theory Approach
     - Forensics is but one method out of many (use the right method and right tool for the job!)
     - In-depth domain knowledge required
  16. Thank You!
     albert@securityronin.com
     Security Ronin
