National Faculty Development Program
Role Of Forensic Triage
In
Cyber Security Trends 2021
Amrit Chhetri,
DFIR Expert|AI & Cyber Security Researcher
Cyber Security Architect & CEI(RCS, Siliguri, West Bengal)
Certified Forensic Psychologist,
Associate Technical Editor(4N6)
Tech Speaker and Forensic Researcher( My Cyber Hubs & Merapps)
Member Of: DSCI( Individual) & Nasscom Community
About AMRIT CHHETRI
 Me:
 I’m Amrit Chhetri from Darjeeling, West Bengal, India. Currently based in Siliguri, with residence at 3A, 3rd Floor, Medicare Building, Lower Bhanu Nagar, Siliguri-734004, WB, India. I’m a CEI (Certified EC-Council Instructor) with the following global certifications:
 CSCU, CEH, CHFI, CTIA, CSA, ECSA from EC-Council
 Certified Smart City Expert from King’s University, UK, and 100 plus other certifications
 Since February 2020, I’m working as Associate Technical Editor, Digital Forensics Mentor and Research Lead for Digital Forensics Journal (D4N6)
 Also, I’m a DFIR Analyst and Cyber Security and AI Researcher
 Edge AI Certifications and Research Papers:
 Udacity-Intel Edge AI IOT Developer Scholarship
 I’ve presented 4 plus research papers in the fields of Forensics with AI, Big Data, IOT Security and Cyber Security Architecture
 Experiences and Projects:
 18 plus years of experience, with 7 years in Cyber Security, Incident Response, VAPT and Digital Forensics
 I was a J2EE Developer and BI System Architect/Designer of DSS for APL and Disney World
 I have played the role of BI Evangelist and Pre-Sales Head for a BI System* from OST
 I have worked as Business Intelligence Consultant for national and multi-national companies including HSBC, APL, Disney, Fidelity, LG (India), Fidelity, BOR (currently ICICI), Reliance Power. * Top 5 Indian BI System (by NASSCOM)
Mr. AMRIT CHHETRI is a Cyber Security Analyst, Forensics Researcher and Digital Forensics Mentor. He has presented workshops to organizations such as CII, AMITY University, Infosec Foundation and Chandigarh University, and he also serves as Sr. Technical Editor of 4N6, India's leading Forensics Journal. He teaches EC-Council’s certifications, Enterprise and End-User Cyber Security and Machine Learning/Quantum Machine Learning courses at RCS, Siliguri, and he is a member of the AMITY Research Group. He has served as “Jury Member” for various online and offline events in Cyber Security, Machine Learning and Digital Forensics – the Cyber Security and Digital Forensics eConference from IASR, “Technological Innovation” from Salesian College, Siliguri, a Digital Forensics CTF Competition (proposed) and State/National Level Cyber Security Challenges/Hackathons. Amrit Chhetri is also a well-established Forensics, QML and Cyber Security Technology Reviewer; some of his reviews include DSCI Annual Information Security Summit 2020 (AISS), Machine Learning in Cyber Security research papers of ICRITO, 4N6 and 5 more.
Amrit Chhetri is an active member of different Cyber Security, Digital Forensics and Machine Learning forums, organizations and groups – including KeyCybr (Nasik), NASSCOM Community (India) and OpenMined (UK). He is known for his expertise in Cyber Security and Digital Forensics CTFs and NextGen SOC technology stacks.
Amrit Chhetri loves spending quality time with intelligent GenX youngsters, male and female, over coffee and Country/Jazz songs, mainly discussing innovations, trends, business scopes and the future of “Machine Learning” in Healthcare, Fashion, Cyber Security, Digital Marketing…! He loves even numbers and is lucky to have one in his POI (Proof Of Identity), which is XXXX-XXXX-0176
Mr. Amrit Chhetri
Certificate Collage of AMRIT CHHETRI, SILIGURI, WEST BENGAL (Cyber Security, AIML, SOC & DFIR)
Collage panels: Cyber Security Certifications; AICTE-STTP Certifications; Community Engagements (AIML, Cyber Security & DFIR); Instructor/Faculty Development Certifications (C-DAC, EC-Council); Free Certifications (DFIR & CyberSec Companies); Speaker Certificates (CII, 4N6, AMITY, THM, CU); Committee Member; SOC Certifications [Splunk]; AI/ML/DL Certifications; Mentor Certificates; Cyber Security Researcher, Forensics Tech Editorial & Articles; Digital Forensics PR Engagement (Interviews)
7 Highly Effective Best Practices Of Cyber Security:
Enterprise or Business Users:
 Adopt SOC Maturity Model
 Installation of SIEM for Event Correlation & Analysis
 Install XDR/EDR as Endpoint Solution
 Securing Accounts with 2-Factor Authentication
 Apps Security with Biometric Security
 Security Controls for Supply Chain Attacks
 Masked Number in Identity Badge or Cards
Home Users/Public Services:
 Strong Password Policy - Mobile/IOT, WiFi, Bluetooth Network, Phone
 2-L/2-Layers of Malware Security
 Using Social Networking Privacy
 Engagement with Cyber Security Awareness Activities
 Cyber Threat Hunting (CTH)/CTI to find connected People
 Purchase of Device & Cyber Insurance
DevOps: Clone Resources:
(git clone https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
Cyber Attacks generate evidence in:
 System Logs – Events and Logs
 Networking Devices – Routers, Switches
 Application Logs, Endpoint Device Logs ……..
 Automated Endpoint Security & Forensic Triage collect, correlate and examine that evidence for:
 Digital Forensics
 Cyber Security | Cyber Resilience
 Internal Research - DFIR, VAPT & InfoSec Products
Presenting:
 Roles of Forensics Triage in Cyber
 Enhancing Cyber Threats/Attacks Mitigation with Forensic Triage
Agendas:
 Cyber Security Trends 2021 Summary
 Cyber Resilience-Digital Forensics Triage
 Cyber Resilience-ML In Cyber Security
 Cyber Resilience-TM, CTI & SOC
 Cyber Security Trends 2021 Exploration
 Next Gen Security Areas
 Aligning with Cyber Security Trends 2021
Cyber Security Trends 2021 Summary: Home
Home Security Trends 2021:
 Security Automation
 IOT & Cloud Security
 Apps Security & Passwordless Authentication
 Automated Endpoint Security & SASE
 SCADA & Hardware Security
 Data Privacy Ethics
 Cyber Crime As-A Service (C2A2S) Security
 Autonomous Systems & 5G Security
 Malware & APT Security
 Device and Cyber Insurance
 Cyber Security Awareness
 Digital Forensics Readiness & Intelligent IR
Advantage Of Adopting Cyber Security Trends
1. Improves Cyber Mental Health (Healthiness of Users)
2. Protects during Data Loss (Software or Hardware Theft)
3. Improves Cyber Economics
4. Saves Personal Brand Reputation
5. Protection from Financial and Data Loss
Cyber Security Trends 2021 Summary: Enterprise
Enterprise Security Trends 2021:
 Security Automation
 IOT & IIOT Security
 Automated Endpoint Security & SASE
 Cloud & OT SOC
 Apps Security & Passwordless Authentication
 SCADA & Hardware Security
 Data Privacy & Differential Privacy Measures
 Cyber Crime As-A Service (C2A2S) Security
 Autonomous Systems & 5G Security
 Next Generation SOC & NOC
 Malware & APT Security
 Purple Team & Security CTFs
 ZTM and ZTNA
 Digital Forensics Readiness & Intelligent IR
 Device & Cyber Insurance
Advantage Of Adopting Cyber Security Trends
1. Enhances Cyber Resilience (Application + Data + Business Processes)
2. Improves Cyber Economics
3. Saving Brand Reputation
4. Protection from Financial and Data Loss
5. Improves Cyber Mental Health (Healthiness)
1. Security Automation:
 Reasons:
   Increasing Attack Surface Areas and Vectors
   Increasing Cost of Security Investment
   Complying with Multiple & Complex Standards
 Security Tools
   NextGen SOC & EDR/XDR
   SIEM: IBM QRadar, SOAR: Exabeam
   UEBA and Security Analytics: Splunk
   Forensics Triage Automation – Cyber Triage
 Bring Up Cyber Resilience to:
   Zero Day Attacks, APT (Advanced Persistent Threats) - APT12, APT15
   Ransomware Attacks - WannaCry, Petya | Data Leak, SQL/LDAP Injection, CSRF, XSS
 Advantages/Benefits
   Automated Cyber Threats Detection & Mitigations
   Automated Forensics Triage and Threat Alerts
 More details (Reference): Security Trend Analysis 2021
2. IOT & IIOT Security:
 Reasons:
   Extra Large Quantity of IOT and IIOT Devices
   Organization Specific Protocols & Standards
 Security Tools
   XDR
   Security Analytics
   Next Gen SOC
 Retains Cyber Resilience from
   Ransomware and Sniffing
   Zero Day Attacks
   APT (Advanced Persistent Threats) - APT12, IOT DDOS, Sniffing…
   Session Hijacking…
 Advantages/Benefits
   Automated Cyber Threats Detection & Mitigations
   Automated Forensics Triage and Threat Alerts
 More details (Reference): Security Trends Analysis 2021
3. Automated Endpoint Security (XDR):
 Reasons:
   Hybrid Endpoint Devices
   Comply with BYOD Standard
 Retains Cyber Resilience from
   Ransomware and Sniffing
   Zero Day Attacks
   APT (Advanced Persistent Threats) - APT12, APT42
   Malware
 Advantages/Benefits
   Centralized Security Monitors
   Automated Forensics Triage and Threat Alerts
 More details (Reference): Security Trend Analysis 2021
4. Cloud & OT SOC:
 Reasons:
   Need of Cyber Resilience of Mid-Size Companies
   Connected Sensors and Devices
 Security Tools
   SIEM with SOAR & Endpoint Security: LogRhythm SIEM
   UEBA
   Security Analytics
 Retains Cyber Resilience from
   Ransomware and Sniffing
   Zero Day Attacks
   APT (Advanced Persistent Threats)
   Malware
 Advantages/Benefits
   Centralized Security Monitoring
   Automated Forensics Triage and Threat Alerts
 More details (Reference): Cyber Security Trends Analysis 2021
5. Apps Security & Passwordless Authentication:
 Reasons:
   Fast Growing Application-Level Attacks
   Availability of API Frameworks - OWASP API Security Framework
   Vulnerability in Password-Based Security
 Security Tools & Frameworks
   Apps Security: DevSecOps, OWASP SKF
   Authenticators: Google Authenticator, Biometrics
   Hardware Tokens:
 Retains Cyber Resilience from
   Password Guessing and Injection
   BOF, SOF and Fuzzing
   Post-Header Attacks and Parameter Tampering
 Advantages/Benefits
   Secure By Design Security Models
   Privacy By Design
   ZTM (Zero Trust Model) in Apps
6. SCADA & Hardware Security:
 Reasons:
   Vulnerability in Computer H/W & Peripherals
   Hardware Supply Chain Attacks
   Hardware Theft & Locks (Ransomware)
 Security Tools & Frameworks
   Cyber Kill Chain Model (APT)
   ZTM for Hardware Security
   MAD (MITRE-Attack Defense) Techniques
   Tools: NextGen SOC & EDR/XDR - https://attack.mitre.org/ https://www.lockheedmartin.com
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack
 Advantages/Benefits
   Plan Hardware Security Project
   Reduces Down-Time
 More details (Reference): <Cyber Security Trends>, <URL>
7. Data Privacy & Differential Privacy:
 Reasons:
   Need of PII Information Security
   Growing Instances of PII Exchanges
   Hybrid and Complex Information Flow
 Security Tools & Frameworks
   Indian Data Privacy Protection Act (2021)
   Australia Data Privacy Acts
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack…
 Advantages/Benefits
   Plan Hardware Security Project
   Reduces Down-Time
 More details (Reference): <Cyber Security Trends>, <URL>
8. Cyber Crime As-A Service Security:
9. Autonomous Systems & 5G Security:
 Reasons:
   Growing Number of Industry 4.0/5.0 Devices
   Adoption of Drones in Businesses and Private Uses
   Unauthorized Access could lead to Physical Damages
 Security Tools & Frameworks
   Indian Data Privacy Protection Act (2021)
   Australia Data Privacy Acts
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack…
 Advantages/Benefits
   Plan Hardware Security Project
   Reduces Down-Time
10. Next Generation SOC & NOC:
 Reasons:
   Advanced and Complex Attack Vectors
   Fast Growing Incident Logs
   Need of Integration of TM (Threat Modeling), CTIA and
 Security Tools & Frameworks
   Automated Threat Intelligence
   Threat Modeling
   Threat Mitigation
   ZTA and OT Security
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack…
 Advantages/Benefits
   Plan Hardware Security Project
   Reduces Down-Time
 More details (Reference): Security Trends Analysis 2021
11. Malware & APT Security:
 Reasons:
   Large Number of Malware Attacks
   Fast Growing Incident Logs
   Need of Integration of TM (Threat Modeling), CTIA and
 Security Tools & Frameworks
   Advanced Threat Protection
   Intelligent SOC
   APT Penetration Testing
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack…
 Advantages/Benefits
   Initiate APT Security Project
   Reduces Down-Time
 More details (Reference): Security Trends Analysis
12. Purple Team & Security CTFs:
 Reasons:
   Need of Testing Security Controls designed by PenTesters
   Enhance Security Posture by Drills/Practice
 CTFs
   CTFd
   Belkasoft and Magnet Forensic CTFs
 Retains Cyber Resilience from
   Hardware Theft and Physical Damage
   Supply Chain Attack…
 Advantages/Benefits
   Plan Hardware Security Project
   Reduces Down-Time
 More details (Reference): Cyber Security Trends Analysis 2021
13. ZTM And ZTNA:
14. Digital Forensics Readiness & Intelligent IR:
15. Device & Cyber Insurance:
Cyber Resilience Tech-Camp
Real Cyber Incident – Malware Attack
• Real Cyber Incident – Malware Attack
• Security Operation Center
• Threat Modeling
• Threat Intelligence
• Threat Hunting
• Forensics Triage
• OT Security
SOC Team suspects Cridex Malware in a Memory Image collected for Forensics Triage
How to Mitigate – Incident Response, Analysis:
 (Binary detected as Malicious by VirusTotal)
 Screenshot and live demo
Quick Upskilling - Cyber Resilience for Automated Mitigation:
 SOC – Architectures, Tools and ZTA/ZTNA
 Forensics Triage – OS Forensics, Cyber Triage
Cyber Resilience Tech-Camp
Security Operation Center
Cyber Resilience: SOC:
What is a SOC?
- "Security Operation Center is an integrated unit of People, Processes and Technology that handles detection, mitigation and monitoring systems to bring Cyber Resilience in an organization" - Amrit Chhetri
- “A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology” - Wikipedia
How does a SOC work?
- Design and Implementation
- Logs and events – Collection, Normalization and Actions
Image Courtesy: Cloud4c
Additional Resources:
1. OT SOC: https://www.tenable.com/solutions/it-ot
2. CVSS: https://www.first.org/cvss/specification-document
Cyber Resilience: SOC:
SOC Components and Architecture:
- Threat Intelligence Platform
- SIEM Platforms – SEM and SIM with Log Aggregators
- Network Monitoring Platforms
- Security Analytics
IT & OT SOC Concepts:
- OT Security is a newer concept that applies the standard SOC to Operational Technology Systems
Image Courtesy: Google Image
Designing a SOC:
- Planning of SOC - DevOps, SecOps, RPA, Zero Day Architecture
- Requirement Analysis of SOC - IT and SOC, Designing of SOC
- Operating SOC, Applying Best Practices of SOC
Additional Resources:
1. Designing of SOC-1: https://www.ciscopress.com/articles/article.asp?p=2460771
2. Designing of SOC-2: https://www.splunk.com/en_us/form/how-to-design-your-soc-to-work-smarter-not-harder.html
Cyber Resilience: SOC:
SOC Tools:
- SIEM is the Technology corner of the SOC’s Process, Technology and People triangle; SIEM collects logs and events from various sources and performs analysis
- Cyber Threat Intelligence Tools:
CTI tools are used to collect and publish Cyber Threat Pulses, and they can be used to secure systems from Advanced Malware Attacks - APT, Zero Day Attacks. Best 5 CTI Tools
- Cyber Threat Modeling Tools:
CTM tools are used to map Cyber Threats, and they can be used in Forensics Triage, to enhance CTI and to understand threats much better - APT, Zero Day Attacks. Best 5 CTM Tools
- IRT Tools:
IRT tools are used by the Incident Response Team to mitigate impacts during Cyber Attacks. Best 5 IRT Tools
- Digital Forensics:
Digital Forensics in SOC operations is used by Forensics Experts working with the IRT to analyze and examine artifacts/evidence further during Incident Response. Best 5 Forensics Tools
Additional Resources:
1. SOAR Tools: https://www.trustradius.com/security-orchestration-automation-and-response-soar
Cyber Resilience: SOC:
Best Practices of Security Operation Center:
Best Practices of SOC – Implementation:
- Adopt 100% Visibility into Data, Infrastructure and Business Processes
- Focus on Cyber Resilience - Business Alignment with Cyber Security
- Apply DevOps - DevSecOps and SecDevOps
- Create Capability against Advanced Threats - Ransomware, APT
- Integrate CTI and CTM into SIEM and SOAR of SOC
- Adopt the best-fit type of SOC – MSP or
- Keep consideration for Industry 5.0 Systems
- Build Upskilling and Internal Research Center for IOT SOC
Additional Resources:
1. Best Practices of SOC-1: https://www.devo.com/blog/best-practices-for-security-operations-center-success/
2. Best Practices of SOC-2 (SANS): https://www.sans.org/media/analyst-program/common-practices-security-operations-centers-results-2019-soc-survey-39060.pdf
Cyber Resilience Tech-Camp
Threat Modeling
Cyber Threat Modeling:
Cyber Threat Modeling is a structured process that identifies potential security threats and vulnerabilities, quantifies the impact of those threats and prioritizes techniques to mitigate attacks and to protect IT systems. "Threat Modeling works to identify, communicate and understand threats and mitigations with the context..." – OWASP. To map the scope of Edge AI in Security Testing and Control Design, Threat Modeling allows all possible Cyber Threats to be covered in the Pre-Engagement Phase.
Adopting Cyber Threat Modeling:
 Perform Cyber Risk Assessment
 Evaluate Threat Modeling Frameworks and Tools such as Microsoft Threat Modeling Tool
 Start with Basic Modeling
MITRE ATT&CK - Threat Modeling for Threat Intelligence and Cyber Security:
MITRE ATT&CK is a global repository of adversary Tactics and Techniques based on real-world observations. It is used as the tactics-and-techniques foundation of Cyber Threat Modeling in private, public and government sectors, by Cyber Threat Analysts and Researchers, to acquire Cyber Resilience.
Common Use Cases (Categories):
- Detections and Analytics
- Threat Intelligence
- Adversary Emulation and Red Teaming
- Assessment and Security Engineering
Cyber Threat Modeling Tools: ATT&CK Navigator
Description: A tool to help navigate, annotate, and visualize ATT&CK for Cyber Security exercises.
Website: https://mitre-attack.github.io/attack-navigator/enterprise/
Cyber Resilience Tech-Camp
Threat Intelligence
Cyber Resilience: CTI:
Cyber Threat Intelligence:
Cyber Threat Intelligence (CTI) is information about threats and threat actors that helps in mitigating Cyber Incidents and malicious events in the IT ecosystem. It is performed under the ICO (Intent, Capability and Opportunity) triad to know IOCs (Indicators Of Compromise). Some common techniques of Cyber Threat Intelligence are:
- OSINT
- HUMINT
- Social Engineering
Cyber Threat Intelligence Tools:
 AlienVault USM, IBM X-Force Exchange
 ThreatConnect, ELK (Kibana Dashboard)
 Splunk Enterprise
Objective of CTI:
Cyber Security Analysts can adopt CTI in IT Security exercises powered or supported by Machine Learning for:
1. Improved Cyber Incident Detection
2. Enhanced and Automated Incident Prevention
3. Automation of Security Operations and Remediation Activities
4. Improved Risk Management
5. Understanding the Attack Equations:
Attacks = Motives + Methods + Vulnerability
Risk = Probability * Potential (Risk is directly proportional to Probability)
CTI Use Cases/Functions:
1. Alarm, Events and Alerts
2. Incident Response and Malware Analysis
3. Investigation and Mitigation
4. Fusion Analysis and Cyber Threats Collaborations
Cyber Resilience Tech-Camp
Threat Hunting
Cyber Resilience: Threat Hunting:
• Threat Hunting Model:
  • Business Use Cases
  • Technology
  • Project Plan
  • Well Designed details
• Document details from LogRhythm:
  • LogRhythm’s MITRE ATT&CK Module: https://logrhythm.com/threat-hunting-with-logrhythm-demo/
  • Your Practical Guide to Threat Hunting – LogRhythm
Cyber Resilience Tech-Camp
Forensics Triage
Cyber Resilience: Digital Forensics Triage (I):
• Digital Forensics:
The discipline of general Forensics that deals with investigating electronic-device-related crimes and incidents. It also covers investigation of Cyber Crimes on smart and intelligent platforms such as IOT/IIOT, ChatBots, Robotic Process Automation (RPA), Edge Computing, Machine Learning and Edge AI.
• Sub-Fields of Digital Forensics:
  • OS Forensics, Network Forensics, IOT Forensics, AI Forensics, Wireless Forensics, Database Forensics,
  • Mobile Forensics, E-mail Forensics, Memory Forensics, Drone Forensics, SCADA Forensics etc.
  • AI Forensics, Drone Forensics, IOT/OT Forensics - latest requirements
• Forensics Triage:
“Forensic Triage, also known as Digital Forensic Triage, is the process by which Forensics and Incident Response teams/tools collect, assemble, analyze, and prioritize digital evidence from a crime or during investigation” - Digital Forensics Researcher
• Forensics Triage Automation:
The process of automating Forensics Triage using
  • Forensics Triage Automation Tools, Robotic Process Automation (RPA) Scripts
  • Security Orchestration, Automation and Response
Cyber Resilience: Digital Forensics Triage (II):
• Levels of Forensics Triage:
  • Live Forensics Triage, Postmortem Forensics Triage
• Levels of Forensics Triage (detailed):
  • Live Forensics Triage
  • Survey/Triage Forensic Inspection
  • Preliminary Forensic Examination
  • In-Depth Forensic Examination
  • Incident Response Remediation
• Forensics Triage Steps:
  • Live Data Collection: Collection of security-related information from systems (Business, Security Controls...)
  • Collected Data Analysis: Analysis of evidence using tools and scripts
  • Incident Response Report: In Automated Forensics Triage it is generated and saved automatically
  • Remediation Actions: Actions to remediate/remove incidents
• Forensics Methodology – Recap:
  • Procedures and Methods of investigating Cyber Incidents or Cyber Crimes
  • Phases:
    • Seizure - Marking to get artifacts and evidence; Acquisition - Imaging Evidence, 65B Form
    • Analysis - Examination of acquired evidence; Reporting - Forensics Report, Expert Witness, Eye Witness
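The four Forensics Triage Steps above (live collection, analysis, automated report, remediation) as one runnable pipeline. This is an added example, not code from the slides, from Cyber Triage or from any other product; every process, path, IP address, file and IOC hash in it is constructed for illustration, with the IOC hash standing in for the kind of verdict VirusTotal supplies in the Cridex incident described earlier.

```python
"""Automated forensic triage pipeline: collect -> analyze -> report -> remediate.

Added example; the sample artefacts and IOC values below are constructed,
not taken from any real incident or from the slides.
"""
import hashlib
import json
from dataclasses import dataclass

# Step 1 - Live data collection. In a real run these records come from the
# endpoint agent or triage tool; here they are constructed so the pipeline
# runs offline. File bytes are embedded so the hashes are real hashes.
FILES = {  # path -> constructed file contents
    r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00 benign placeholder",
    r"C:\Users\bob\AppData\Roaming\updater.exe": b"MZ\x90\x00 suspect placeholder",
}
PROCESSES = [
    {"pid": 412, "ppid": 600, "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1888, "ppid": 2704, "path": r"C:\Users\bob\AppData\Roaming\updater.exe"},
]
CONNECTIONS = [
    {"pid": 412, "raddr": "10.0.0.5", "rport": 445},
    {"pid": 1888, "raddr": "198.51.100.23", "rport": 8080},  # documentation range
]
# Constructed IOC set standing in for what CTI or a VirusTotal verdict supplies.
IOC_HASHES = {hashlib.sha256(b"MZ\x90\x00 suspect placeholder").hexdigest()}
ALLOWED_REMOTE_PREFIXES = ("10.",)  # internal ranges the business expects
USER_WRITABLE_MARKERS = (r"\AppData\Roaming", r"\Temp", r"\Downloads")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Finding:
    pid: int
    path: str
    reasons: list
    score: int


def analyze(processes, connections, files, ioc_hashes):
    """Step 2 - Correlate process, file-hash and network artefacts per PID
    and return findings prioritised by score (highest first)."""
    conns_by_pid = {}
    for c in connections:
        conns_by_pid.setdefault(c["pid"], []).append(c)
    findings = []
    for p in processes:
        reasons, score = [], 0
        digest = sha256_hex(files.get(p["path"], b""))
        if digest in ioc_hashes:
            reasons.append("sha256 %s... matches IOC list" % digest[:12])
            score += 70
        if any(m in p["path"] for m in USER_WRITABLE_MARKERS):
            reasons.append("executable runs from a user-writable directory")
            score += 20
        for c in conns_by_pid.get(p["pid"], []):
            if not c["raddr"].startswith(ALLOWED_REMOTE_PREFIXES):
                reasons.append("outbound %s:%d outside allow-list" % (c["raddr"], c["rport"]))
                score += 25
        if reasons:
            findings.append(Finding(p["pid"], p["path"], reasons, min(score, 100)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def severity(score: int) -> str:
    if score >= 90:
        return "critical"
    if score >= 60:
        return "high"
    return "medium" if score >= 30 else "low"


def build_report(findings):
    """Step 3 - Incident response report, produced automatically as JSON-able data."""
    return {
        "summary": {
            "findings": len(findings),
            "top_severity": severity(findings[0].score) if findings else "none",
        },
        "findings": [
            {"pid": f.pid, "path": f.path, "score": f.score,
             "severity": severity(f.score), "reasons": f.reasons}
            for f in findings
        ],
    }


def recommend(findings):
    """Step 4 - Remediation actions, emitted as recommendations for the IR handler."""
    actions = []
    for f in findings:
        if f.score >= 60:
            actions.append("isolate host; terminate pid %d; quarantine %s; preserve memory image"
                           % (f.pid, f.path))
        elif f.score >= 30:
            actions.append("monitor pid %d; submit hash of %s to the CTI platform" % (f.pid, f.path))
    return actions


if __name__ == "__main__":
    found = analyze(PROCESSES, CONNECTIONS, FILES, IOC_HASHES)
    print(json.dumps(build_report(found), indent=2))
    for action in recommend(found):
        print("ACTION:", action)
```

Only the process whose hash, location and network behaviour all correlate reaches "critical"; the benign system process produces no finding at all, which is the prioritisation the triage definition calls for.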
Cyber Resilience: Digital Forensics Triage (III):
• Forensics Triage - In Enterprise:
  • Digital Forensics - Core component of the IRT (Incident Response Team) of the SOC
  • Forensics Triage -
    • Main practice in regular Incident Remediation exercises
    • Needed in Digital Forensics Readiness or Forensics Preparedness
  • Further Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/importance-of-forensic-readiness
• Forensics Triage - In Public:
  • Enhancing Efficiency and Accuracy of Investigations
  • Easy Timeline Analysis
  • Increasing Efficiency and Reducing Cost, Real-Time Evidence Collection
  • Easy and Effective Analysis, Maximizing Evidence Collection
• Forensics Triage - Stakeholders:
  • CIO/CTO - Forensics Practice Head in Cyber Resilience Management
  • SOC Manager - Manages IRT Team; Incident Response Handlers - Handle Incidents
  • Forensic Investigators & Forensic Examiners
• Best Practices of Forensics Readiness:
  • Adoption of Modern:
    • Security Strategies and Architectures - Zero Trust Security
    • Security Automation - SOAR with Automated Forensics - Forensic Readiness Checklist
  • Internal Capacity Building Initiatives
  • Initiative for SCADA and OT Forensics and Incident Response
Cyber Resilience Tech-Camp
OT Forensics
OT Forensics And Forensics Triage
• OT Definition:
  • "Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events." – Wikipedia
  • More precisely, OT is a hardware and software system designed to monitor and/or control industrial equipment (IIOT, SCADA, IACS) for smooth operations
• Use Cases Of Operational Technology:
  • Monitoring and Control
  • Airplane, Drones and IIOT Maintenance
  • Energy Supply Networks
  • Remote Job Execution
  • Oil Drilling
• Forensics Triage Of OT:
  • OT Forensics includes OT technology, devices and GUI/Remote Terminal Unit devices such as
    • Supervisory Control and Data Acquisition (SCADA)
    • DCS
    • Computer Numerical Controls (CNC)
    • Building Automation Systems (BAS)
    • IACS (Industrial Automation and Control Systems)
  • Phases Of OT Forensics Triage (slightly different from traditional Forensics Triage):
    • Forensics Triage, Collection,
    • Analysis, Actions
Cyber Resilience: OT Security
Cyber Resilience: TM, CTI & SOC (Recap):
 Security Operation Center
 Threat Modeling
 Threat Intelligence
 Threat Hunting
 Forensics Triage
 OT Security (Intelligent SOC Architecture)
Cyber Security Trends 2021 Exploration:
Forensics Triage and Security Tools and Labs
Aligning with Cyber Security Trends 2021:
Next Generation Up-Skilling:
 Knowing Cyber Hygiene Responsibility-Users
 ISEA/MEITY Cyber Hygiene Pledge
 Read & Apply Cyber Security Advisories
 Know Data Privacy Ethics
 Cyber Technology Upskilling
 Next Generation Cyber Security Awareness for Users
 Participation in Cyber Security and DFIR CTFs
 Cyber Mental Health Wellness & Cyber Psychology
 CQ and TQ of Assessment & Skills Tuning
 Cyber Security QUIZ
 Playing Cyber Security and DFIR CTFs
 UpSkills In Latest Techs-AI,IOT & OT
 Cyber Security Engagements - Rules and Encouragements
 CI( Critical Infrastructure) Vulnerability Disclosures and Boosting Digital Economy
 Cyber Security Events and Conferences
Next Generation Security Controls:
 Intelligent Cyber Security Controls
Next Gen Security Areas and Research Scopes:
 Next Generation Security Areas:
   BCI Systems Security
   Robotic System Security
   Cryptography Trust Management
   Blockchain SWARM Security
 Security Challenges:
 Lack of Cryptography Algorithm to withstand Quantum Computing
 Ocean of Hidden Information in Dark-Web
 Lack of OT Security Standards, Frameworks and Tools
 Lack of Adequate Security for AIML Systems
AI for Security: Research Labs:
Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - On Linux):
1. Install Ubuntu 20.04 LTS
2. Install Pre-requisites
3. Install OpenVINO Tools for Linux
4. Installation Steps
GitHub Project URL:
5. Model Conversion
Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - On Windows):
1. Install Windows 10 (64-Bit)
2. Install Pre-requisites
3. Get and install Intel OpenVINO Tools 2020
4. Model Conversion (Short Video with Audio)
Labs Testing Demos:
1. Number Plate Detection – Physical Security
Malware Analysis using Edge AI: Steps and Research Scope
1. Prepare Datasets
2. Make Edge AI Environment Ready – OpenVINO, NVIDIA SDK
3. Run Model Optimizer and Model Converter
4. Deploy on Edge Device in Lab Env. – FPGA, Intel Neural Compute Stick
5. Install on selected Computer – to analyze and protect from Malware
AI for Security - Offensive Vs. Defensive:
Offensive Side of AI / Attacks by AI: * AI Voice Attack * Information Gathering * Social Engineering …
Defensive Side of AI: * PenTesting * Malware Analysis * Automation * Threat Monitoring (DarkTrace)
Edge AI Model Learning Techniques:
1. Supervised 2. Unsupervised 3. Semi-Supervised 4. Reinforcement 5. Deep Reinforcement Learning
Machine Learning Frameworks for Cyber Security:
1. On-Premise :
1. TensorFlow 2. Keras 3. PyTorch 4. CoreML
2. Machine learning as a service (MLaaS) :
Amazon AWS Machine Learning
Google Machine Learning
Azure Machine Learning
Kaggle Machine Learning
Components of Edge AI for Cyber Security:
1. Models
2. Edge AI Platforms
1. TensorFlow, TensorFlow Lite
2. OpenVINO Toolkit
3. Intel VTune Amplifier
3. Datasets/Pipes/Video Streams –Data Lake
Penetration Testing using AIML:
AI for AI: Securing AI Systems:
1. Standard Practice -Information Gathering
2. Vulnerability Assessment- Nessus
3. System Exploitation-Maintaining Access
* Static Analysis of IR(OpenVINO .xml and bin)
* Dynamic Code Analysis of AI Model-Eclipse
Debugger, Code Review Platforms
4. Encrypted AI Models
5. DevOps for Cyber Security Practices
Designing AI-Powered Security Controls:
1. Know the Security Goals well
2. Include Solutions in Trends
   1. SOC/NOC 2. Sandboxing 3. NGFW (with AI)
3. Adopt Standard Practices:
   1. Secure By Design 2. Multi-Layer Secure Design
4. Initiate Internal Research – Edge AI for Cyber Security
AI-Penetration Testing Tools:
1. MIT AI2: Cyber Attack Prediction, useful in Cyber Threat Modeling, CTI
2. Deep Exploit: Information Gathering, Exploration, Post-Exploitation, etc.
(Website: https://github.com/13o-bbr-bbq/machine_learning_security/wiki#deep-exploit)
3. DeepCode: Semantic Code Analysis
(https://www.deepcode.ai/)
Purchase Vs. Build - Penetration Testing Tools:
* Purchase: Expensive but ready-to-use
* In-House Development: Lengthier but effective for Modern Cyber Attacks
Key Considerations:
1. All Systems Considerations - Data, UI, Network
2. Security by Design or Security Automation Practice
3. Appropriate Security Frameworks for AIML Solutions
   * DSCI CAF for Security Assessment
   * NIST 800-160 (System Security Engineering) for Machine Learning Models
   * Security Guidelines/Frameworks - from SEBI, TRAI, CERT-IN
   * Cyber Threat Modeling and Cyber Threat Intelligence
4. Standards of Penetration Testing Report
5. Pre-PenTesting Security Assessment (or Audit)
6. Security Assessment Tools:
   1. Nessus 2. OpenAudit 3. NS Auditor and more
7. Evaluation of:
   1. Cloud Vs. On-Premises Solutions – Edge AI
   2. Machine Learning As-A Service with Edge AI
Impacts Of QML(Q Machine Learning):
Security Analytics and Genx System Synchronization :
1. AI-Based Solution/Product:
* Cloud-Based Machine Learning
* Microservice-compatible Security System Design
* Open-ended Architecture for AI
2. Standard Frameworks- NIST System Security
Impact Of Quantum Machine Learning:
* Enhanced Classical AI-Based Cyber Security Assessment, Testing and Security Controls
* Adding Quantum Computation in Cyber Security Analytics
* Enhancement on TensorFlow Extended (TFX) Large-Scale Solution
* Projected TensorFlow Embedded with QML in Sandboxing
QML In AI-Based Security:
* API & GUI Testing, Sandboxing, CTIA
* Malware Detection
QML API/Platforms:
* TensorFlow Quantum
* PennyLane
Model, Edge & Algorithm Evaluation:
* Q CNN – Anomaly Detection
* Blockchain SWARM Intelligence – for own Security
* Edge Computing and Edge in Security Design
Use Case of Edge AI in Cyber Security:
Upskilling for Edge AI In Cyber Security:
* Engage with AIML Community – GitHub, Facebook, etc.
* Acquire Global Security Certifications
* Register for Online Courses from Universities – Cyber Security …
* Engage with Vendor-Specific Initiatives – Webinars, Courses, Challenges
* Refer to Great Books in Cyber Security
* Prepare towards the extremes
* NIST 800-160
* Embedded AI for Cyber Security
* Organize Challenges on the “Edge AI for Cyber Resilience” Theme
Malware Analysis using Edge AI - Resources
1. Books: Mastering Machine Learning for Penetration Testing, Chiheb Chebbi * Gray Hat Python
2. Vendor Courses: * Intel Data Center to Edge AI – from Intel Academy
* AI Foundation from Nasscom – https://skillup.online/courses/course-v1:NASSCOM+FOUNDAI100+2019/about
3. Research Papers:
Deep Reinforcement Learning: https://arxiv.org/pdf/1602.01783.pdf
AI-Based Anti-Virus: BlackBerry Cylance:
* Next Gen Anti-Virus with built-in EDR powered by Edge AI
* Core Functions performed at the Edge
* Website: https://www.cylance.com/en-us/index.html
AI-Based Anti-Virus: VirusTotal
* Online Anti-Virus solution with Built-In AI
* Detects by File, Hash and URL
AI-Based Enterprise DNA Security: Darktrace
* Self-Learning Cyber AI that protects the Enterprise DNA through Autonomous Response
* AXA IT’s Network Security by Darktrace
Intelligent UEBA (User and Entity Behavior Analytics): Exabeam Analytics
* Intelligent Security System with Video Analytics
Physical Security: Artificial Intelligence Based Human Efface Detection (ABHED):
* Criminal Registration & Identification System
* Developed for LEA and Police Offices in India
Top Trends Security Labs: 4 Minutes each
 1. Security Automation : Forensics Triage With Cyber Triage
 2. IOT & Cloud Security :
 3. Automated Endpoint Security & SASE
 4. Apps Security & Passwordless Authentication
 5. Ransomware Security
 6. Data Privacy in Darknet
 7. Logs and Vulnerability Assessment: Using Splunk and Nessus
7 Labs , 4 Minutes Each = 28 Minutes
Cyber Security Trends 2021 - Labs:
1. Security Automation: 3 Minutes
Threat Detection: Automated TTP Gathering:
 Scenario: Security Researchers notified a Zero-Day Attack from infected domain(s)
 SOC Analysts have to collect the TTP details automatically to brief all Stakeholders
 Security Solution: ThreatConnect, creating a Threat Pulse for the domain(s)
 Security Script Security: Version Management of Security Tools:
 Scenario: SOC Team has been asked to follow Secure Management for the CodeBase
 SOC Security Analysts decided to use DevSecOps – Version Control Systems
 Security Solution: DevSecOps, managing the Code Base using GitHub
(Amrit Chhetri’s Repository for FDP: https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
2. IOT & Cloud Security :
Penetration Testing of Directory Listing: OWASP DirBuster:
 Scenario: Files and folders related to Business Plans are often leaked or published in the media from Cloud Systems (PaaS)
 Blue Team decided to secure all Servers against Directory Listing
 Security Solution: Directory Listing Penetration Testing, using OWASP DirBuster
http://192.168.171.1/DVWA
 Directory Listing Security Controls:
 Secure the Domain from Footprinting and Fingerprinting
 Protect using a Web Application Firewall (WAF)
 Deploy HIPS/HIDS – Host-Based Intrusion Prevention/Detection Systems
 Snort :
 Suricata :
 Recommend or enhance SOC towards Next Generation Intelligent SOC
 Threat Detection
3. Automated Endpoint Security & SASE:
Securing Endpoint Devices from Ransomware and APT: XDR/EDR Evaluation
 Scenario: The Endpoint Systems (Servers) running Windows Server 2016 are often attacked by Ransomware
 CISO decided to secure them using an Integrated Endpoint Security Solution
 Automated Detection and Prevention (NGAV, UBA)
 Incident Response Automation (Automated Investigation and Mitigation)
 Security Solution: Deploying Extended Detection & Response (XDR), evaluated through Security Software Evaluation Methods. Names considered:
 Taegis XDR: https://www.secureworks.com/products/taegis/xdr
 Cynet XDR: https://signup.cynet.com/signup/index.html#signup
4. Apps Security & Passwordless Authentication:
2-Factor Authentication: Gmail Security with Google Authenticator
 Scenario: Forensic Triage of the Browser indicates Access to Gmail in your absence
 Manual Forensic Triage of Firefox History and Analysis using OS Forensics Triage
 Security: 2-Factor Authentication | Gmail Settings → Enable 2-Factor Authentication
 2-Factor Code: Install Google Authenticator → Scan QR Code → Get OTP on Authenticator
2-Factor Authentication: Netacad with Google Authenticator
(URL: https://www.netacad.com/)
 Scenario: Forensic Triage of the Browser indicates Access to the Netacad Portal at odd hours
 Manual Forensic Triage of Firefox History and Analysis using OS Forensics Triage
 Security: 2-Factor Authentication | Account Settings → Enable 2-Factor Authentication
5. Ransomware Security:
Automated Ransomware Security: Next Generation SOC:
 Scenario: CIO of a Security Firm managing Power Grids asked the Security Architect and SOC Team to prepare “Ransomware and APT Security Controls” implementation details with a top requirements summary – ZTA, Threat Hunting, CTIA and XDR
 Security Solution: Advanced Threat Protection (ATP) and Ransomware/APT Incident Response
 Ransomware Incident Response (Mid-Size Organization):
 Automated Threat Detection and Mitigation
 IR Team and Ransomware Decryptor
 Decryptor from Kaspersky: https://noransom.kaspersky.com/
 Online Decryptor: https://www.emsisoft.com/ransomware-decryption-tools/
 Ransomware Assessment :
 https://www.fireeye.com/mandiant/ransomware-defense-assessment.html
 https://github.com/cisagov/cset/releases/tag/v10.3.0.0
 Ransomware Security:
 System Patch Management, Intelligent Backup Mechanisms
 Recommend or enhance SOC towards Next Generation Intelligent SOC
 LogRhythm SIEM with CloudAI (Mist Net) – detected IOT/OT Malware and stopped Lateral Movement
 Next Generation Business or End User Security Awareness
9. Malware & APT Security:
Malware Security: Malware Protection with Windows Defender & GlassWire Firewall
 Scenario: The Integrity of a File was modified by Malware
 Manual Forensic Triage of Memory Forensics and Analysis using OS Forensics Triage
 Analyzing Memory Image (of Windows 10) using Volatility:
 Image Info: volatility -f Memory-Image.mem imageinfo
 Running Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pslist
 Parent and Child Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pstree
 Connections: volatility -f Memory-Image.mem --profile=Win2016x64_14393 netscan
 Command Lines: volatility -f Memory-Image.mem --profile=Win2016x64_14393 cmdline
 Dumping Process: volatility -f Memory-Image.mem --profile=Win2016x64_14393 procdump -p 1640 --dump-dir .
 Generating Hash and Checking (VirusTotal):
 Security : Next Generation Anti-Virus and Firewall
 Mini SOC with Open Source Tools – Home or Mid-Size Organization
 Intelligent SOC with Automated Threat Hunting, CTI and Threat Modeling for Enterprises
RDP Cache Forensics:
Scenario (Online):
 Examination of the RDP Cache File (BIN), C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache, generated by RDP Connections
 Acquisition → Analysis → Detection → Malware Check
Analysis of RDP Cache
 Extracting Caches from the BIN File: python bmc-tools.py -s Cache0001.bin -d ./BitMapsChache
 Analyze the Text visible in the extracted Tiles to identify Access to the Microsoft Store and further Malpractices…
 Attacker Access Pattern Analysis:
 Last Access Time: Behavioral Pattern Analysis – Which Apps and Intentions
 Examples: Logins and Logouts, Browsers used …
Forensic Triage – Memory Data:
Collecting Evidence:
 Checking the working of Forensics Triage Tools – OS Forensics, Cyber Triage
 Collect Incident Details from Memory through Forensics Triage
Forensics Triage with Volatility:
 Get Volatility from https://www.volatilityfoundation.org/
 Evidence for Analysis:
 Live Image: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
 Memory Image Analysis- Using Volatility
 Image Info: volatility -f cridex.vmem imageinfo
 Running Process: volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
 Parent and Child Process: volatility -f cridex.vmem --profile=WinXPSP2x86 pstree
 Hiding Process Analysis: volatility -f cridex.vmem --profile=WinXPSP2x86 psxview
 Connections: volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
 Command Lines: volatility -f cridex.vmem --profile=WinXPSP2x86 cmdline
 Dumping Process: volatility -f cridex.vmem --profile=WinXPSP2x86 procdump -p 1640 --dump-dir .
 Generating Hash of the extracted Malicious File: Create a Hash of the exported Malware/suspected file and verify its malicious nature using VirusTotal
VirusTotal Scan
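The Volatility walk-through above (and the Windows 10 variant under Malware Security) collected into one script, as an added example that is not part of the original slides or of the Volatility project. It assumes Volatility 2's `volatility` command is on PATH for the live `triage()` run; the pslist text used for the offline self-check is constructed to match the shape of the cridex listing, and `Proc`, `parse_pslist`, `orphans`, `render_tree` and `triage` are names of my own.

```python
"""Triage helper around Volatility 2: pslist -> tree/orphans -> procdump -> SHA-256 (added example)."""
import hashlib
import re
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed sample of Volatility 2 `pslist` output, shaped like the cridex.vmem listing on
# the slide (reader_sl.exe PID 1640 under explorer.exe PID 1484); offsets and counts are made up.
SAMPLE_PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x82134ab8 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
"""


@dataclass(frozen=True)
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    start: str  # start (and exit, if any) column text; empty for System


# offset, name, pid, ppid, then thds/hnds/sess/wow64, then the free-form time columns
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_pslist(text: str) -> List[Proc]:
    """Parse Volatility 2 pslist text into Proc records; banner, header and rule lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            offset, name, pid, ppid, times = m.groups()
            procs.append(Proc(offset, name, int(pid), int(ppid), times.strip()))
    return procs


def build_tree(procs: List[Proc]) -> Dict[int, List[Proc]]:
    """Map each PPID to its children, the relation pstree renders."""
    tree: Dict[int, List[Proc]] = {}
    for p in procs:
        tree.setdefault(p.ppid, []).append(p)
    return tree


def orphans(procs: List[Proc]) -> List[Proc]:
    """Processes whose parent is absent from pslist (System, PPID 0, is the root and never counts).
    Often the parent just exited (explorer.exe's parent userinit.exe does), so treat an orphan
    as a lead to confirm with psxview/psscan, not as a verdict."""
    known = {p.pid for p in procs}
    return [p for p in procs if p.ppid != 0 and p.ppid not in known]


def render_tree(tree: Dict[int, List[Proc]], ppid: int = 0, depth: int = 0) -> List[str]:
    """Indented text lines for the descendants of `ppid`, pstree-style."""
    lines: List[str] = []
    for p in tree.get(ppid, []):
        lines.append(". " * depth + f"{p.name} ({p.pid})")
        lines.extend(render_tree(tree, p.pid, depth + 1))
    return lines


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a dumped executable's bytes: look the hash up on VirusTotal rather than uploading the file."""
    return hashlib.sha256(data).hexdigest()


def run_volatility(image: str, profile: str, plugin: str, *args: str) -> str:
    """Run one Volatility 2 plugin (the `volatility` CLI must be on PATH) and return its stdout."""
    if shutil.which("volatility") is None:
        raise RuntimeError("volatility (Volatility 2) not found on PATH")
    cmd = ["volatility", "-f", image, f"--profile={profile}", plugin, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def triage(image: str, profile: str, dump_pids: List[int], dump_dir: str = ".") -> Dict[int, str]:
    """The slide's sequence on a real image; returns {pid: sha256} for each dumped process."""
    procs = parse_pslist(run_volatility(image, profile, "pslist"))
    print("\n".join(render_tree(build_tree(procs))))
    for p in orphans(procs):
        print(f"orphan: {p.name} (PID {p.pid}, parent {p.ppid} not in pslist)")
    hashes: Dict[int, str] = {}
    for pid in dump_pids:  # Volatility 2 writes each dump as executable.<pid>.exe
        run_volatility(image, profile, "procdump", "-p", str(pid), "--dump-dir", dump_dir)
        hashes[pid] = sha256_hex((Path(dump_dir) / f"executable.{pid}.exe").read_bytes())
        print(f"PID {pid}: {hashes[pid]}")
    return hashes
```

For the cridex sample this is `triage("cridex.vmem", "WinXPSP2x86", [1640])`; the returned hash is what you paste into the VirusTotal search box.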
Windows Application Cache Analysis:
Browser Cache Analysis (Chrome):
 Location: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache
 Purpose: Created for Performance improvement; a source of file-access details
Cache Analysis Tools:
 NirSoft VideoCacheView:
https://www.nirsoft.net/utils/video_cache_view.html#DownloadLinks
Analyzing RDP Caches:
 Get https://github.com/ANSSI-FR/bmc-tools/ and extract
 Acquire or get Cache0001.bin and run
 python bmc-tools.py -s Cache0001.bin -d ./BitMapsChache
What You Bag In:
 Labs on Forensics Triage
 Malware Analysis – Memory Forensics & Reverse Engineering
 List of Cyber Security Tools
Forensics Case Management Tools:
 Autopsy Forensics Tool: https://www.autopsy.com/download/
 OS Forensics : https://downloads.passmark.com/osforensics/downloads/osf.exe
Forensics Imagers(Memory Imagers) :
 Belkasoft RAM Capture: https://belkasoft.com/ram-capturer
 Magnet RAM Capture : https://www.magnetforensics.com/resources/magnet-ram-capture/
 Mandiant RedLine : https://www.fireeye.com/services/freeware/redline.html
 FTK Imager : https://accessdata.com/product-download/ftk-imager-version-4-5
 Dumpit : https://github.com/chrisjd20/compiled_windows_memory_acquisition
System Cache Analysis Tools:
 Belkasoft R : https://belkasoft.com/get?product=bra
 Bitscout : https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-
Memory Forensics Tools:
Malware In-Memory Analysis (Reverse Engineering, Disassembling and Debugging):
 Ghidra : https://ghidra-sre.org/
 IDA Pro : https://hex-rays.com/IDA-pro/
 SysAnalyzer : https://hex-rays.com/ida-free/
 Binary Ninja :
 Mimikatz : https://github.com/gentilkiwi/mimikatz/releases
Memory Analysis Tools
 Volatility : https://www.volatilityfoundation.org/
 Redline : https://www.fireeye.com/services/freeware/redline.html
Mobile Forensics Tools
 Oxygen Forensics : https://www.mobiledit.com/forensic-express
 Autopsy Forensics Tools : https://www.mobiledit.com/forensic-express/request-a-demo
Forensics Linux Distributions:
 REMnux
 SIFT Forensics Workstation: https://www.sans.org/tools/sift-workstation/
THANK YOU ALL
I’m thankful to the Computer Science Department of Sharda University for
inviting me to present this session.
My special thanks to Prof. Avinash for arranging this opportunity!

Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Role of Forensic Triage In Cyber Security Trends 2021

  • 1. National Faculty Development Program: Role Of Forensic Triage In Cyber Security Trends 2021. Amrit Chhetri, DFIR Expert | AI & Cyber Security Researcher, Cyber Security Architect & CEI (RCS, Siliguri, West Bengal), Certified Forensic Psychologist, Associate Technical Editor (4N6), Tech Speaker and Forensic Researcher (My Cyber Hubs & Merapps), Member Of: DSCI (Individual) & Nasscom Community
  • 2. About AMRIT CHHETRI
    - Me:
      - I’m Amrit Chhetri from Darjeeling, West Bengal, India. Currently based in Siliguri, with residence at 3A, 3rd Floor, Medicare Building, Lower Bhanu Nagar, Siliguri-734004, WB, India. I’m a CEI (Certified EC-Council Instructor) with the following Global Certifications:
      - CSCU, CEH, CHFI, CTIA, CSA, ECSA from EC-Council
      - Certified Smart City Expert from King’s University, UK, and 100 plus other Certifications
      - Since February 2020, I’m working as Associate Technical Editor, Digital Forensics Mentor and Research Lead for Digital Forensics Journal (D4N6)
      - Also, I’m a DFIR Analyst and Cyber Security and AI Researcher
    - Edge AI Certifications and Research Papers:
      - Udacity-Intel Edge AI IOT Developer Scholarship
      - I’ve presented 4 plus Research Papers in the fields of Forensics with AI, BigData, IOT Security and Cyber Security Architecture
    - Experiences and Projects:
      - 18 plus Years of Experience and 7 Years in Cyber Security, Incident Response, VAPT and Digital Forensics
      - I was a J2EE Developer and BI System Architect/Designer of DSS for APL and Disney World
      - I have played the role of BI Evangelist and Pre-Sales Head for BI System* from OST
      - I have worked as Business Intelligence Consultant for national and multi-national companies including HSBC, APL, Disney, Fidedality, LG (India), Fidelity, BOR (currently ICICI), Reliance Power. * Top 5 Indian BI System (by NASSCOM)
  • 3. Mr. AMRIT CHHETRI is a Cyber Security Analyst, Forensics Researcher and Digital Forensics Mentor. He has presented Workshops to organizations such as CII, AMITY University, Infosec Foundation and Chandigarh University, and he is also serving as Sr. Technical Editor of 4N6, India’s Leading Forensics Journal. He teaches EC-Council’s Certifications, Enterprise and End-User Cyber Security, and Machine Learning/Quantum Machine Learning Courses at RCS, Siliguri, and he is a member of the AMITY Research Group. He has served as “Jury Member” for various Online and Offline Events in Cyber Security, Machine Learning and Digital Forensics: the Cyber Security and Digital Forensics eConference from IASR, “Technological Innovation” from Salesian College, Siliguri, a Digital Forensics CTF Competition (proposed), and State/National Level Cyber Security Challenges/Hackathons. Amrit Chhetri is also a well-established Forensics, QML and Cyber Security Technology Reviewer; his Reviews include the DSCI Annual Information Security Summit 2020 (AISS), Machine Learning in Cyber Security Research Papers of ICRITO, 4N6 and 5 more. Amrit Chhetri is an Active Member of different Cyber Security, Digital Forensics and Machine Learning Forums, Organizations and Groups, including KeyCybr (Nasik), NASSCOM Community (India) and OpenMined (UK). He is known for his expertise in Cyber Security and Digital Forensics CTFs and NextGen SOC Technology Stacks. Amrit Chhetri loves spending Quality Time with Intelligent GenX Young Males and Females over Coffee and Country/Jazz Songs, mainly discussing innovations, Trends, Business Scopes and the Future of “Machine Learning” in Healthcare, Fashion, Cyber Security, Digital Marketing and more. He loves even numbers and is lucky to have the same in his POI (Proof Of Identity), which is XXXX-XXXX-0176. Mr. Amrit Chhetri
  • 4. Certificate Collage of AMRIT CHHETRI, SILIGURI, WEST BENGAL (Cyber Security, AIML, SOC & DFIR)
    - Cyber Security Certifications (Of Amrit Chhetri)
    - AICTE-STTP Certifications
    - Community Engagements (AIML, Cyber Security & DFIR)
    - Instructor/Faculty Development Certifications (C-DAC, EC-Council)
    - Free Certifications (DFIR & CyberSec Companies)
    - Speaker Certificates (CII, 4N6, AMITY, THM, CU)
    - Committee Member
    - SOC Certifications [Splunk]
    - AI/ML/DL Certifications
    - Mentor Certificates
    - Cyber Security Researcher, Forensics Tech Editorial & Articles
    - Digital Forensics PR Engagement (Interviews)
  • 5. 7 Highly Effective Best Practices Of Cyber Security:
    - Enterprise or Business Users:
      - Adopt SOC Maturity Model
      - Installation of SIEM for Event Correlation & Analysis
      - Install XDR/EDR as Endpoint Solution
      - Securing Accounts with 2-Factor Authentication
      - Apps Security with Biometric Security
      - Security Controls for Supply Chain Attacks
      - Masked Number in Identity Badge or Cards
    - Home Users/Public Services:
      - Strong Password Policy: Mobile/IOT, WiFi, Bluetooth Network, Phone
      - 2-L/2-Layers of Malware Security
      - Using Social Networking Privacy
      - Engagement with Cyber Security Awareness Activities
      - Cyber Threat Hunting (CTH)/CTI to find connected People
      - Purchase of Device & Cyber Insurance
    - DevOps: Clone Resources: (git clone https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
  • 6. Cyber Attacks generate Evidence in:
    - Systems Logs: Events and Logs
    - Networking Devices: Router, Switches
    - Application Logs, Endpoint Device logs ……..
    - Automated Endpoint Security & Forensic Triage collects, correlates and examines that evidence for:
      - Digital Forensics
      - Cyber Security | Cyber Resilience
      - Internal Research: DFIR, VAPT & InfoSec Products
    - Presenting:
      - Roles of Forensics Triage in Cyber
      - Enhancing Cyber Threats/Attacks Mitigation with Forensic Triage
  • 7. Agenda:
    - Cyber Security Trends 2021 Summary
    - Cyber Resilience: Digital Forensics Triage
    - Cyber Resilience: ML In Cyber Security
    - Cyber Resilience: TM, CTI & SOC
    - Cyber Security Trends 2021 Exploration
    - Next Gen Security Areas
    - Aligning with Cyber Security Trends 2021
  • 8. Cyber Security Trends 2021 Summary: Home
    - Home Security Trends 2021:
      - Security Automation
      - IOT & Cloud Security
      - Apps Security & Passwordless Authentication
      - Automated Endpoint Security & SASE
      - SCADA & Hardware Security
      - Data Privacy Ethics
      - Cyber Crime As-A-Service (C2A2S) Security
      - Autonomous Systems & 5G Security
      - Malware & APT Security
      - Device and Cyber Insurance
      - Cyber Security Awareness
      - Digital Forensics Readiness & Intelligent IR
    - Advantages Of Adopting Cyber Security Trends:
      1. Improves Cyber Mental Health (Healthiness of Users)
      2. Protects during Data Loss (Software or Hardware Theft)
      3. Improves Cyber Economics
      4. Saves Personal Brand Reputation
      5. Protection from Financial and Data Loss
  • 9. Cyber Security Trends 2021 Summary: Enterprise
    - Enterprise Security Trends 2021:
      - Security Automation
      - IOT & IIOT Security
      - Automated Endpoint Security & SASE
      - Cloud & OT SOC
      - Apps Security & Passwordless Authentication
      - SCADA & Hardware Security
      - Data Privacy & Differential Privacy Measures
      - Cyber Crime As-A-Service (C2A2S) Security
      - Autonomous Systems & 5G Security
      - Next Generation SOC & NOC
      - Malware & APT Security
      - Purple Team & Security CTFs
      - ZTM and ZTNA
      - Digital Forensics Readiness & Intelligent IR
      - Device & Cyber Insurance
    - Advantages Of Adopting Cyber Security Trends:
      1. Enhances Cyber Resilience (Application + Data + Business Processes)
      2. Improves Cyber Economics
      3. Saves Brand Reputation
      4. Protection from Financial and Data Loss
      5. Improves Cyber Mental Health
  • 10. 1. Security Automation:
    - Reasons:
      - Increasing Attack Surface Areas and Vectors
      - Increasing Cost of Security Investment
      - Complying with Multiple & Complex Standards
    - Security Tools:
      - NextGen SOC & EDR/XDR
      - SIEM: IBM QRadar; SOAR: Exabeam
      - UEBA and Security Analytics: Splunk
      - Forensics Triage Automation: Cyber Triage
    - Brings Up Cyber Resilience to:
      - Zero Day Attacks, APT (Advanced Persistent Threats): APT12, APT15
      - Ransomware Attacks: WannaCry, Petya | Data Leak, SQL/LDAP Injection, CSRF, XSS
    - Advantages/Benefits:
      - Automated Cyber Threats Detection & Mitigation
      - Automated Forensics Triage and Threat Alerts
    - More details (Reference): Security Trend Analysis 2021
  • 11. 2. IOT & IIOT Security:
    - Reasons:
      - Extra Large Quantity of IOT and IIOT Devices
      - Organization-Specific Protocols & Standards
    - Security Tools:
      - XDR
      - Security Analytics
      - Next Gen SOC
    - Retains Cyber Resilience from:
      - Ransomware and Sniffing
      - Zero Day Attacks
      - APT (Advanced Persistent Threats): APT12, IOT DDOS, Sniffing…
      - Session Hijacking..
    - Advantages/Benefits:
      - Automated Cyber Threats Detection & Mitigation
      - Automated Forensics Triage and Threat Alerts
    - More details (Reference): Security Trends Analysis 2021
  • 12. 3. Automated Endpoint Security (XDR):
    - Reasons:
      - Hybrid Endpoint Devices
      - Comply with BYOD Standard
    - Retains Cyber Resilience from:
      - Ransomware and Sniffing
      - Zero Day Attacks
      - APT (Advanced Persistent Threats): APT12, APT42
      - Malware
    - Advantages/Benefits:
      - Centralized Security Monitors
      - Automated Forensics Triage and Threat Alerts
    - More details (Reference): Security Trend Analysis 2021
  • 13. 4. Cloud & OT SOC:
    - Reasons:
      - Need of Cyber Resilience for Mid-Size Companies
      - Connected Sensors and Devices
    - Security Tools:
      - SIEM with SOAR & Endpoint Security: LogRhythm SIEM
      - UEBA
      - Security Analytics
    - Retains Cyber Resilience from:
      - Ransomware and Sniffing
      - Zero Day Attacks
      - APT (Advanced Persistent Threats)
      - Malware
    - Advantages/Benefits:
      - Centralized Security Monitoring
      - Automated Forensics Triage and Threat Alerts
    - More details (Reference): Cyber Security Trends Analysis 2021
  • 14. 5. Apps Security & Passwordless Authentication:
    - Reasons:
      - Fast Growing Application-Level Attacks
      - Availability of API Frameworks: OWASP API Security Framework
      - Vulnerability in Password-Based Security
    - Security Tools & Frameworks:
      - Apps Security: DevSecOps, OWASP SKF
      - Authenticators: Google Authenticator, Biometrics
      - Hardware Tokens
    - Retains Cyber Resilience from:
      - Password Guessing and Injection
      - BOF, SOF and Fuzzing
      - Post-Header Attacks and Parameter Tampering
    - Advantages/Benefits:
      - Secure By Design Security Models
      - Privacy By Design
      - ZTM (Zero Trust Model) in Apps
  • 15. 6. SCADA & Hardware Security:
    - Reasons:
      - Vulnerability in Computer H/W & Peripherals
      - Hardware Supply Chain Attacks
      - Hardware Theft & Locks (Ransomware)
    - Security Tools & Frameworks:
      - Cyber Kill Chain Model (APT)
      - ZTM for Hardware Security
      - MAD (MITRE-Attack Defense) Techniques
      - Tools: NextGen SOC & EDR/XDR
      - https://attack.mitre.org/
      - https://www.lockheedmartin.com
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
    - More details (Reference): <Cyber Security Trends>, <URL>
  • 16. 7. Data Privacy & Differential Privacy:
    - Reasons:
      - Need of PII Information Security
      - Growing Instances of PII Exchanges
      - Hybrid and Complex Information Flow
    - Security Tools & Frameworks:
      - Indian Data Privacy Protection Act (2021)
      - Australia Data Privacy Acts
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
    - More details (Reference): <Cyber Security Trends>, <URL>
  • 17. 8. Cyber Crime As-A-Service Security:
    - Reasons:
      - Need of PII Information Security
      - Growing Instances of PII Exchanges
      - Hybrid and Complex Information Flow
    - Security Tools & Frameworks:
      - Indian Data Privacy Protection Act (2021)
      - Australia Data Privacy Acts
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
  • 18. 9. Autonomous Systems & 5G Security:
    - Reasons:
      - Growing Number of Industry 4.0/5.0 Devices
      - Adoption of Drones in Business and Private Use
      - Unauthorized Access could lead to Physical Damage
    - Security Tools & Frameworks:
      - Indian Data Privacy Protection Act (2021)
      - Australia Data Privacy Acts
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
  • 19. 10. Next Generation SOC & NOC:
    - Reasons:
      - Advanced and Complex Attack Vectors
      - Fast Growing Incident Logs
      - Need of Integration of TM (Threat Modeling), CTIA and
    - Security Tools & Frameworks:
      - Automated Threat Intelligence
      - Threat Modeling
      - Threat Mitigation
      - ZTA and OT Security
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
    - More details (Reference): Security Trends Analysis 2021
  • 20. 11. Malware & APT Security:
    - Reasons:
      - Large Number of Malware Attacks
      - Fast Growing Incident Logs
      - Need of Integration of TM (Threat Modeling), CTIA and
    - Security Tools & Frameworks:
      - Advanced Threat Protection
      - Intelligent SOC
      - APT Penetration Testing
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Initiate APT Security Project
      - Reduces Down-Time
    - More details (Reference): Security Trends Analysis
  • 21. 12. Purple Team & Security CTFs:
    - Reasons:
      - Need of Testing Security Controls designed by PenTesters
      - Enhance Security Posture by Drills/Practice
    - CTFs:
      - CTFd
      - Belkasoft and Magnet Forensics CTFs
    - Retains Cyber Resilience from:
      - Hardware Theft and Physical Damage
      - Supply Chain Attack…..
    - Advantages/Benefits:
      - Plan Hardware Security Project
      - Reduces Down-Time
    - More details (Reference): Cyber Security Trends Analysis 2021
  • 22. Remaining Trends:
    - 13. ZTM And ZTNA:
    - 14. Digital Forensics Readiness & Intelligent IR:
    - 15. Device & Cyber Insurance:
  • 23. Cyber Resilience Tech-Camp: Real Cyber Incident – Malware Attack
    - Real Cyber Incident – Malware Attack
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 24. SOC Team suspects Cridex Malware in a Memory Image collected for Forensics Triage
    - How to Mitigate: Incident Response, Analysis:
      - (Binary detected as Malicious by VirusTotal) …..screenshot and live!
    - Quick Upskilling: Cyber Resilience for Automated Mitigation:
      - SOC: Architectures, Tools and ZTA/ZTNA
      - Forensics Triage: OS Forensics, Cyber Triage
  • 25. Cyber Resilience Tech-Camp: Security Operation Center
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 26. Cyber Resilience: SOC: What is SOC?
    - "Security Operation Center is an integrated Unit of People, Processes and Technology that handles detection, mitigation and monitoring systems to bring Cyber Resilience to an organization" – Amrit Chhetri
    - “A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology” – Wikipedia
    - How SOC Works?
      - Design and Implementation
      - Logs and events: Collection, Normalization and Actions
    - Image Courtesy: Cloud4c
    - Additional Resources:
      1. OT SOC: https://www.tenable.com/solutions/it-ot
      2. CVSS: https://www.first.org/cvss/specification-document
  • 27. Cyber Resilience: SOC: SOC Components and Architecture:
    - Threat Intelligence Platform
    - SIEM Platforms: SEM and SIM with log Aggregators
    - Network Monitoring Platforms
    - Security Analytics
    - IT & OT SOC Concepts:
      - OT Security is the newer concept of applying standard SOC practice to Operational Technology Systems
    - Image Courtesy: Google Image
    - Designing SOC:
      - Planning of SOC: DevOps, SecOps, RPA, Zero Day Architecture
      - Requirement Analysis of SOC: IT and SOC, Designing of SOC
      - Operating SOC, Applying Best Practices of SOC
    - Additional Resources:
      1. Designing of SOC-1: https://www.ciscopress.com/articles/article.asp?p=2460771
      2. Designing of SOC-2: https://www.splunk.com/en_us/form/how-to-design-your-soc-to-work-smarter-not-harder.html
  • 28. Cyber Resilience: SOC: SOC Tools:
    - SIEM is the Technology vertex of SOC’s Process, Technology and People Triangle; SIEM collects logs and events from various sources and performs analysis
    - Cyber Threat Intelligence Tools: CTI Tools are used to collect and publish Cyber Threat Pulses, and they can be used to secure systems from Advanced Malware Attacks (APT, Zero Day Attacks). Best 5 CTI Tools
    - Cyber Threat Modeling Tools: CTM Tools are used to map Cyber Threats, and they can be used in Forensics Triage, to enhance CTI and to understand Threats much better (APT, Zero Day Attacks). Best 5 CTM Tools
    - IRT Tools: IRT Tools support Incident Response to mitigate impacts during Cyber Attacks. Best 5 IRT Tools
    - Digital Forensics: Digital Forensics in SOC Operations is used by Forensics Experts working with the IRT Team to analyze and examine artifacts/evidence further during Incident Response. Best 5 Forensics Tools
    - Additional Resources:
      1. SOAR Tools: https://www.trustradius.com/security-orchestration-automation-and-response-soar
  • 29. Cyber Resilience: SOC: Best Practices of Security Operation Center:
    - Best Practices of SOC – Implementation:
      - Adopt 100% Visibility into Data, Infrastructure and Business Processes
      - Focus on Cyber Resilience
      - Business Alignment with Cyber Security
      - Apply DevOps: DevSecOps and SecDevOps
      - Create Capability against Advanced Threats: Ransomware, APT
      - Integrate CTI and CTM into SIEM and SOAR of SOC
      - Adopt the best SOC type of SOC: MSP or
      - Keep consideration for Industry 5.0 Systems
      - Build Upskilling and Internal Research Center for IOT SOC
    - Additional Resources:
      1. Best Practices of SOC-1: https://www.devo.com/blog/best-practices-for-security-operations-center-success/
      2. Best Practices of SOC-2 (SANS): https://www.sans.org/media/analyst-program/common-practices-security-operations-centers-results-2019-soc-survey-39060.pdf
  • 30. Cyber Resilience Tech-Camp: Threat Modeling
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 31. Cyber Threat Modeling:
    - Cyber Threat Modeling: A Cyber Threat Model is a structured process that identifies potential Security THREATS & Vulnerabilities, quantifies the impacts of those Threats, and prioritizes Techniques to mitigate attacks and to protect IT systems. "Threat Modeling works to identify, communicate and understand threats and mitigations with the context..” – OWASP. To map the Scope of Edge AI in Security Testing and Control Designing, Threat Modeling allows covering all possible Cyber Threats in the Pre-Engagement Phase.
    - Adopting Cyber Threat Modeling:
      - Perform Cyber Risk Assessment
      - Evaluate Threat Modeling Frameworks and Tools such as Microsoft Threat Modeling Tool
      - Start with Basic Modeling
    - MITRE ATT&CK – Threat Modeling for Threat Intelligence and Cyber Security: MITRE ATT&CK is a global repository of adversary Tactics and Techniques based on real-world observations. It is used as the Foundation TT of Cyber Threat Modeling in private, public and government sectors, by Cyber Threat Analysts and Researchers, to acquire Cyber Resilience.
    - Common Use Cases (Categories):
      - Detections and Analytics
      - Threat Intelligence
      - Adversary Emulation and Red Teaming
      - Assessment and Security Engineering
    - Cyber Threat Modeling Tools: ATT&CK Navigator
      - Description: A tool to help navigate, annotate, and visualize ATT&CK for Cyber Security exercises.
      - Website: https://mitre-attack.github.io/attack-navigator/enterprise/
  • 32. Cyber Resilience Tech-Camp: Threat Intelligence
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 33. Cyber Resilience: CTI: Cyber Threat Intelligence:
    - Cyber Threat Intelligence (CTI) is Information about Threats and Threat Actors that helps in mitigating Cyber Incidents and Malicious events in an IT Ecosystem. It is performed under the ICO (Intent, Capability and Opportunity) Triad to know IOCs (Indicators Of Compromise). Some common Techniques of Cyber Threat Intelligence are: OSINT, HUMINT, SOCIAL ENGINEERING
    - Cyber Threat Intelligence Tools:
      - AlienVault USM, IBM X-Force Exchange
      - ThreatConnect, ELK (Kibana Dashboard)
      - Splunk Enterprise
    - Objective of CTI: Cyber Security Analysts can adopt CTI in IT Security exercises powered/supported by Machine Learning for
      1. Improved Cyber Incident Detection
      2. Enhanced and Automated Incident Prevention
      3. Automation of Security Operations and Remediation Activities
      4. Improved Risk Management
      5. Understanding Attacks
    - Equations:
      - Attacks = Motives + Methods + Vulnerability
      - Risk = Probability * Potential (Risk is directly proportional to Probability)
    - CTI Use Cases/Functions:
      1. Alarms, Events and Alerts
      2. Incident Response and Malware Analysis
      3. Investigation and Mitigation
      4. Fusion Analysis and Cyber Threats Collaborations
  • 34. Cyber Resilience Tech-Camp: Threat Hunting
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 35. Cyber Resilience: Threat Hunting:
    - Threat Hunting Model:
      - Business Use Cases
      - Technology
      - Project Plan
      - Well Designed details
    - Document details from LogRhythm:
      - LogRhythm’s MITRE ATT&CK Module: https://logrhythm.com/threat-hunting-with-logrhythm-demo/
      - Your Practical Guide to Threat Hunting – LogRhythm
  • 36. Cyber Resilience Tech-Camp: Forensics Triage
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 37. Cyber Resilience: Digital Forensics Triage (I):
    - Digital Forensics: The discipline of general Forensics that deals with investigating electronic-device-related crimes and incidents. It also covers Investigation of Cyber Crimes on smart and intelligent platforms such as IOT/IIOT, ChatBots, Robotic Process Automation (RPA), Edge Computing, Machine Learning and Edge AI.
    - Sub-Fields of Digital Forensics:
      - OS Forensics, Network Forensics, IOT Forensics, AI Forensics, Wireless Forensics, Database Forensics,
      - Mobile Forensics, E-mail Forensics, Memory Forensics, Drone Forensics, SCADA Forensics etc.
      - AI Forensics, Drone Forensics, IOT/OT Forensics: latest requirements
    - Forensics Triage: “Forensic Triage, also known as Digital Forensic Triage, is the process by which a Forensics and Incident Response Team/Tool collects, assembles, analyzes, and prioritizes digital evidence from a crime or during an investigation" – Digital Forensics Researcher
    - Forensics Triage Automation: The process of automating Forensics Triage using
      - Forensics Triage Automation Tools, Robotic Process Automation (RPA) Scripts
      - Security Orchestration and Automation Response
  • 38. Cyber Resilience: Digital Forensics Triage (II):
    - Levels of Forensics Triage:
      - Live Forensics Triage, Postmortem Forensics Triage
    - Levels of Forensics Triage:
      - Live Forensics Triage
      - Survey/Triage Forensic Inspection
      - Preliminary Forensic Examination
      - In-Depth Forensic Examination
      - Incident Response Remediation
    - Forensics Triage Steps:
      - Live Data Collection: Collection of Security-related information from systems (Business, Security Controls...)
      - Collected Data Analysis: Analysis of evidence using Tools and Scripts
      - Incident Response Report: In Automated Forensics Triage it is generated and saved automatically
      - Remediation Actions: Actions to remediate/remove incidents
    - Forensics Methodology – Recap:
      - Procedures and Methods of investigating Cyber Incidents or Cyber Crimes
      - Phases:
        - Seizure: Marking to get artifacts and evidence; Acquisition: Imaging Evidence, 65B Form
        - Analysis: Examination of acquired evidence; Reporting: Forensics Report, Expert Witness, Eye Witness
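A minimal automated run of the four Forensics Triage Steps above (live data collection, collected data analysis, incident response report, remediation actions), as an added example that is not part of the slides or of any tool they name. The host name, file contents, hashes and addresses are constructed; the IOC feed and the user-writable-path heuristic stand in for what a CTI platform and a triage tool would supply.

```python
"""Automated forensic triage over collected artifacts (added example, constructed data)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Artifact:
    """One record from live data collection."""
    kind: str         # "process", "netconn" or "autorun"
    host: str
    timestamp: str    # ISO 8601 UTC; lexical order equals chronological order
    detail: str       # image path, remote socket, or persistence entry
    sha256: str = ""  # hash of the backing file, when there is one


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents a collector would hash from disk.
SVCHOST = r"C:\Windows\System32\svchost.exe"
DROPPER = r"C:\Users\alice\AppData\Roaming\kb0189.exe"   # hypothetical path
SAMPLE_FILES = {
    SVCHOST: b"constructed bytes standing in for a legitimate service host",
    DROPPER: b"constructed bytes standing in for a malicious dropper",
}

# Step 1: live data collection (constructed output for hypothetical host ws-017).
COLLECTED = [
    Artifact("process", "ws-017", "2021-03-02T09:14:05Z", SVCHOST, sha256_of(SAMPLE_FILES[SVCHOST])),
    Artifact("process", "ws-017", "2021-03-02T09:16:41Z", DROPPER, sha256_of(SAMPLE_FILES[DROPPER])),
    Artifact("netconn", "ws-017", "2021-03-02T09:16:43Z", "203.0.113.45:443"),
    Artifact("autorun", "ws-017", "2021-03-02T09:16:44Z",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kb0189 -> " + DROPPER),
    Artifact("netconn", "ws-017", "2021-03-02T09:20:00Z", "192.0.2.10:445"),
]

# Constructed IOC feed (what a CTI platform would hand to the triage tool).
IOC_HASHES = {sha256_of(SAMPLE_FILES[DROPPER])}
IOC_ADDRS = {"203.0.113.45"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    score: int
    reasons: list[str]
    artifact: Artifact


def analyze(artifacts: list[Artifact], ioc_hashes: set[str], ioc_addrs: set[str]) -> list[Finding]:
    """Step 2: score each artifact against IOCs and simple heuristics, then prioritise."""
    findings = []
    for a in artifacts:
        score, reasons = 0, []
        if a.sha256 and a.sha256 in ioc_hashes:
            score += 100
            reasons.append("sha256 matches known-bad IOC")
        if a.kind == "netconn" and a.detail.rsplit(":", 1)[0] in ioc_addrs:
            score += 80
            reasons.append("connection to IOC address")
        if a.kind in ("process", "autorun") and any(p in a.detail.lower() for p in USER_WRITABLE):
            score += 50 if a.kind == "autorun" else 40
            reasons.append("executable in user-writable location")
        if score:
            findings.append(Finding(score, reasons, a))
    # Highest score first; earliest artifact first among equals.
    findings.sort(key=lambda f: (-f.score, f.artifact.timestamp))
    return findings


def remediation_for(findings: list[Finding]) -> list[str]:
    """Step 4: map finding types to containment actions for the IR handler."""
    actions = []
    kinds = {f.artifact.kind for f in findings}
    if any("IOC" in r for f in findings for r in f.reasons):
        actions.append("Isolate host from the network pending full examination")
    if "process" in kinds:
        actions.append("Quarantine flagged executables and preserve copies for analysis")
    if "netconn" in kinds:
        actions.append("Block IOC addresses at perimeter and proxy")
    if "autorun" in kinds:
        actions.append("Remove persistence entries after imaging the registry hive")
    return actions


def build_report(host: str, artifacts: list[Artifact], ioc_hashes: set[str], ioc_addrs: set[str]) -> dict:
    """Step 3: assemble the incident response report as plain data (JSON-ready)."""
    findings = analyze(artifacts, ioc_hashes, ioc_addrs)
    return {
        "host": host,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "findings": [asdict(f) for f in findings],
        "timeline": [asdict(a) for a in sorted(artifacts, key=lambda a: a.timestamp)],
        "remediation": remediation_for(findings),
    }
```

With an empty IOC feed the path heuristic alone still surfaces the autorun entry and the dropper process, which is the point of keeping heuristics beside indicator matching.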
  • 39. Cyber Resilience: Digital Forensics Triage (III):
    - Forensics Triage In Enterprise:
      - Digital Forensics: Core component of the IRT (Incident Response Team) of a SOC
      - Forensics Triage:
        - Main Practice in regular Incident Remediation exercises
        - Needed in Digital Forensics Readiness or Forensics Preparedness
        - Further Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/importance-of-forensic-readiness
    - Forensics Triage In Public:
      - Enhancing Efficiency and Accuracy of Investigations
      - Easy Timeline Analysis
      - Increasing efficiency and reducing cost, Real-Time Evidence Collection
      - Easy and Effective Analysis, Maximizing Evidence Collection
    - Forensics Triage Stakeholders:
      - CIO/CTO: Forensics Practice Head in Cyber Resilience Management
      - SOC Manager: Manages IRT Team; Incident Response Handlers: Handle Incidents
      - Forensic Investigators & Forensic Examiners
    - Best Practices of Forensics Readiness:
      - Adoption of Modern Security Strategies and Architectures: Zero Trust Security
      - Security Automation: SOAR with Automated Forensics; Forensic Readiness Checklist
      - Internal Capacity Building Initiatives
      - Initiative for SCADA and OT Forensics and Incident Response
  • 40. Cyber Resilience Tech-Camp: OT Forensics
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 41. Cyber Resilience: OT Security: OT Forensics And Forensics Triage
    - OT Definition:
      - "Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events." – Wikipedia
      - More precisely, OT is a Hardware and Software System designed to monitor and/or control Industrial equipment (IIOT, SCADA, IACS) for smooth Operations
    - Use Cases Of Operational Technology:
      - Monitoring and Control
      - Airplane, Drone and IIOT Maintenance
      - Energy Supply Networks
      - Remote Job Execution
      - Oil Drilling
    - Forensics Triage Of OT:
      - OT Forensics includes OT Technology, Devices and GUI/Remote Terminal Unit devices such as
        - Supervisory Control and Data Acquisition (SCADA)
        - DCS
        - Computer Numerical Controls (CNC)
        - Building Automation Systems (BAS)
        - IACS (Industrial Automation and Control Systems)
    - Phases Of OT Forensics Triage (slightly different from traditional Forensics Triage):
      - Forensics Triage, Collection,
      - Analysis, Actions
  • 42. Cyber Resilience: TM, CTI & SOC (Intelligent SOC Architecture):
    - Security Operation Center
    - Threat Modeling
    - Threat Intelligence
    - Threat Hunting
    - Forensics Triage
    - OT Security
  • 43. Cyber Security Trends 2021 Exploration: Forensics Triage and Security Tools and Labs
  • 44. Aligning with Cyber Security Trends 2021:
    - Next Generation Up-Skilling:
      - Knowing Cyber Hygiene Responsibility (Users)
      - ISEA/MEITY Cyber Hygiene Pledge
      - Read & Apply Cyber Security Advisories
      - Know Data Privacy Ethics
      - Cyber Technology Upskilling
      - Next Generation Cyber Security Awareness for Users
      - Participation in Cyber Security and DFIR CTFs
      - Cyber Mental Health Wellness & Cyber Psychology
      - CQ and TQ of Assessment & Skills Tuning
      - Cyber Security QUIZ
      - Playing Cyber Security and DFIR CTFs
      - UpSkills In Latest Techs: AI, IOT & OT
      - Cyber Security Engagements: Rules and Encouragements
      - CI (Critical Infrastructure) Vulnerability Disclosures and Boosting Digital Economy
      - Cyber Security Events and Conferences
    - Next Generation Security Controls:
      - Intelligent Cyber Security Controls
  • 45. Next Gen Security Areas and Research Scopes:
  • 46. Next Gen Security Areas and Research Scopes:
     Next Generation Security Areas:
       BCI Systems Security
       Robotic System Security
       Cryptography Trust Management
       Blockchain SWARM Security
     Security Challenges:
       Lack of Cryptography Algorithms to withstand Quantum Computing
       Ocean of Hidden Information in Dark-Web
       Lack of OT Security Standards, Frameworks and Tools
       Lack of Adequate Security for AIML Systems
  • 47. AI for Security: Research Labs
    Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - On Linux):
      1. Install Ubuntu 20.04 LTS
      2. Install Pre-requisites
      3. Install OpenVINO Tools for Linux
      4. Installation Steps GitHub Project URL:
      5. Model Conversion
    Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - On Windows):
      1. Install Windows 10 (64-Bit)
      2. Install Pre-requisites
      3. Get and install Intel OpenVINO Tools 2020
      4. Model Conversion (Short Video with Audio)
    Labs Testing Demos:
      1. Number Plate Detection – Physical Security
    Malware Analysis using Edge AI: Steps and Research Scope
      1. Prepare Datasets
      2. Make Edge AI Environment Ready – OpenVINO, NVIDIA SDK
      3. Run Model Optimizer and Model Converter
      4. Deploy on Edge Device in Lab Env. – FPGA, Intel Neural Compute Stick
      5. Install on selected Computer – to analyze and protect from Malware
    AI for Security - Offensive Vs. Defensive:
      Offensive Side of AI / Attacks by AI:
        * AI Voice Attack
        * Information Gathering
        * Social Engineering …
      Defensive Side of AI:
        * PenTesting
        * Malware Analysis
        * Automation
        * Threat Monitoring (DarkTrace)
    Edge AI Model Learning Techniques:
      1. Supervised
      2. Unsupervised
      3. Semi-Supervised
      4. Reinforcement
      5. Deep Reinforcement Learning
    Machine Learning Frameworks for Cyber Security:
      1. On-Premise: TensorFlow, Keras, PyTorch, CoreML
      2. Machine Learning as a Service (MLaaS): Amazon AWS Machine Learning, Google Machine Learning, Azure Machine Learning, Kaggle Machine Learning
    Components of Edge AI for Cyber Security:
      1. Models
      2. Edge AI Platforms: TensorFlow, TensorFlow Lite; OpenVINO Toolkit; Intel VTune Amplifier
      3. Datasets/Pipes/Video Streams – Data Lake
  • 48. Penetration Testing using AIML
    AI for AI: Securing AI Systems:
      1. Standard Practice - Information Gathering
      2. Vulnerability Assessment - Nessus
      3. System Exploitation - Maintaining Access
        * Static Analysis of IR (OpenVINO .xml and .bin)
        * Dynamic Code Analysis of AI Model - Eclipse Debugger, Code Review Platforms
      4. Encrypted AI Models
      5. DevOps for Cyber Security Practices
    Designing AI-Powered Security Controls:
      1. Know the Security Goals well
      2. Include Solutions in Trends: SOC/NOC, Sandboxing, NGFW (with AI)
      3. Adopt Standard Practices: Secure By Design, Multi-Layer Secure Design
      4. Initiate Internal Research – Edge AI for Cyber Security
    AI-Penetration Testing Tools:
      1. MIT AI2: Cyber Attack Prediction, useful in Cyber Threat Modeling, CTI
      2. Deep Exploit: Information Gathering, Exploration, Post-Exploitation, etc. (Website: https://github.com/13o-bbr-bbq/machine_learning_security/wiki#deep-exploit)
      3. DeepCode: Semantic Code Analysis (https://www.deepcode.ai/)
    Purchase Vs. Build - Penetration Testing Tools:
      * Purchase: Expensive but ready to use
      * In-House Development: Lengthier but effective for Modern Cyber Attacks
    Edge AI Model Learning Techniques:
      1. Supervised
      2. Unsupervised
      3. Semi-Supervised
      4. Reinforcement
      5. Deep Reinforcement Learning
    Key Considerations:
      1. All Systems Considerations - Data, UI, Network
      2. Security by Design or Security Automation Practice
      3. Appropriate Security Frameworks for AIML Solutions:
        * DSCI CAF for Security Assessment
        * NIST 800-160 (System Security Engineering) for Machine Learning Models
        * Security Guidelines/Frameworks - from SEBI, TRAI, CERT-IN
        * Cyber Threat Modeling and Cyber Threat Intelligence
      4. Standards of Penetration Testing Report
      5. Pre-PenTesting Security Assessment (or Audit)
      6. Security Assessment Tools: Nessus, OpenAudit, NS Auditor and more
      7. Evaluation of: Cloud Vs. On-Premises Solutions – Edge AI; Machine Learning As-A-Service with Edge AI
  • 49. Impacts Of QML (Quantum Machine Learning)
    Security Analytics and Genx System Synchronization:
      1. AI-Based Solution/Product:
        * Cloud-Based Machine Learning
        * Microservice-compatible Security System Design
        * Open-ended Architecture for AI
      2. Standard Frameworks - NIST System Security
    Impact Of Quantum Machine Learning:
      * Enhanced Classical AI-Based Cyber Security Assessment, Testing and Security Controls
      * Adding Quantum Computation to Cyber Security Analytics
      * Enhancement of TensorFlow Extended (TFX) Large-Scale Solutions
      * Projected TensorFlow Embedded with QML in Sandboxing
    QML In AI-Based Security:
      * API & GUI Testing, Sandboxing, CTIA
      * Malware Detection
    QML API/Platforms:
      * TensorFlow Quantum
      * PennyLane
    Model, Edge & Algorithm Evaluation:
      * Q CNN – Anomaly Detection
      * Blockchain SWARM Intelligence – for own Security
      * Edge Computing and Edge in Security Design
  • 50. Use Case of Edge AI in Cyber Security
    Upskilling for Edge AI In Cyber Security:
      * Engage with the AIML Community – GitHub, Facebook, etc.
      * Acquire Global Security Certifications
      * Register for Online Courses from Universities – Cyber Security …
      * Engage with Vendor-Specific Initiatives - Webinars, Courses, Challenges
      * Refer to Great Books in Cyber Security
      * Prepare towards the extremes: NIST 800-160, Embedded AI for Cyber Security
      * Organize Challenges on the “Edge AI for Cyber Resilience” Theme
    Malware Analysis using Edge AI - Resources:
      1. Books: Mastering Machine Learning for Penetration Testing, Chiheb Chebbi; Gray Hat Python
      2. Vendor Courses: Intel Data Center To Edge AI – from Intel Academy; AI Foundation from Nasscom - https://skillup.online/courses/course-v1:NASSCOM+FOUNDAI100+2019/about
      3. Research Papers: Deep Reinforcement Learning: https://arxiv.org/pdf/1602.01783.pdf
    AI-Based Anti-Virus: BlackBerry Cylance
      * Next Gen Anti-Virus with built-in EDR powered by Edge AI
      * Core Functions by Edge at Edge
      * Website: https://www.cylance.com/en-us/index.html
    AI-Based Anti-Virus: VirusTotal
      * Online Anti-Virus solution with Built-In AI
      * Detects by File, Hashes and URL
    AI-Based Enterprise DNA Security: DarkTrace
      * Self-Learning Cyber AI that protects Enterprise DNA through AUTONOMOUS RESPONSE
      * AXA IT’s Network Security by DarkTrace
    Intelligent UEBA (User And Entity Behavior Analytics): Exabeam Analytics
      * Intelligent Security System with Video Analytics
    Physical Security: Artificial Intelligence Based Human Efface Detection (ABHED)
      * The Criminal Registration & Identification System
      * Developed for LEA and Police Offices in India
  • 51. Top Trends Security Labs: 4 Minutes each
     1. Security Automation: Forensics Triage With Cyber Triage
     2. IOT & Cloud Security
     3. Automated Endpoint Security & SASE
     4. Apps Security & Passwordless Authentication
     5. Ransomware Security
     6. Data Privacy in Darknet
     7. Logs and Vulnerability Assessment: Using Splunk and Nessus
    7 Labs, 4 Minutes Each = 28 Minutes
    Cyber Security Trends 2021 - Labs
  • 52. 1. Security Automation: 3 Minutes
    Threat Detection: Automated TTP Gathering:
     Scenario: Security Researchers notified of a Zero Day Attack from infected domain/s
     SOC Analysts have to collect TTP details automatically to brief all Stakeholders
     Security Solution: ThreatConnect, creating a Threat Pulse for the domain or domains
    Security Script Security: Version Management of Security Tools:
     Scenario: SOC Team has been asked to follow Secure Management for the CodeBase
     SOC Security Analysts decided to use DevSecOps – Version Control Systems
     Security Solution: DevSecOps, managing the Code Base using GitHub (Amrit Chhetri’s Repository for FDP: https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
  • 53. 2. IOT & Cloud Security
    Penetration Testing of Directory Listing: OWASP DirBuster:
     Scenario: Files and folders related to Business Plans are often leaked or published in media from Cloud Systems (PAAS)
     Blue Team decided to secure all Servers to protect from Directory Listing
     Security Solution: Directory Listing Penetration Testing, using OWASP DirBuster against http://192.168.171.1/DVWA
     Directory Listing Security Controls:
       Secure Domain from Footprinting and Fingerprinting
       Protect using Web Application Firewall (WAF)
       Deploy HIPS/HIDS - Host Based Intrusion Prevention/Detection Systems
         Snort
         Suricata
       Recommend or enhance SOC towards Next Generation Intelligent SOC
       Threat Detection
  • 54. 3. Automated Endpoint Security & SASE
    Securing Endpoint Devices from Ransomware and APT: XDR/EDR Evaluation
     Scenario: The Endpoint Systems (Servers) running Windows Server 2016 are often attacked by Ransomware
     CISO decided to secure them using an Integrated Endpoint Security Solution:
       Automated Detection and Prevention (NGAV, UBA)
       Incident Response Automation (Automated Investigation and Mitigation)
     Security Solution: Deploying Extended Detection & Response (XDR), evaluated through Security Software Evaluation Methods. Names Considered:
       Taegis XDR: https://www.secureworks.com/products/taegis/xdr
       Cynet XDR: https://signup.cynet.com/signup/index.html#signup
  • 55. 4. Apps Security & Passwordless Authentication
    2-Factor Authentication: Gmail Security with Google Authenticator
     Scenario: Forensics Triage of the Browser indicates access to Gmail in your absence
     Manual Forensic Triage of Firefox History and Analysis using OS Forensics Triage
     Security: 2-Factor Authentication | Gmail Settings: Enable 2-Factor Authentication
     2-Factor Code: Install Google Authenticator, scan the QR Code, get the OTP on Authenticator
    2-Factor Authentication: Netacad with Google Authenticator (URL: https://www.netacad.com/)
     Scenario: Forensics Triage of the Browser indicates access to the Netacad Portal at odd hours
     Manual Forensic Triage of Firefox History and Analysis using OS Forensics Triage
     Security: 2-Factor Authentication | Account Settings: Enable 2-Factor Authentication
  • 56. 5. Ransomware Security
    Automated Ransomware Security: Next Generation SOC:
     Scenario: CIO of a Security Firm managing Power Grids asked the Security Architect and SOC Team to prepare “Ransomware and APT Security Controls” implementation details with a top requirements summary - ZTA, Threat Hunting, CTIA and XDR
     Security Solution: Advanced Threat Protection (ATP) and Ransomware/APT Incident Response
     Ransomware Incident Response (Mid-Size Organization):
       Automated Threat Detection and Mitigation
       IR Team and Ransomware Decryptor
       Decryptor from Kaspersky: https://noransom.kaspersky.com/
       Online Decryptor: https://www.emsisoft.com/ransomware-decryption-tools/
     Ransomware Assessment:
       https://www.fireeye.com/mandiant/ransomware-defense-assessment.html
       https://github.com/cisagov/cset/releases/tag/v10.3.0.0
     Ransomware Security:
       System Patch Management, Intelligent Backup Mechanisms
       Recommend or enhance SOC towards Next Generation Intelligent SOC
       LogRhythm SIEM with CloudAI (MistNet) – detected IOT/OT Malware and stopped Lateral Movement
       Next Generation Business or End User Security Awareness
  • 57. 9. Malware & APT Security
    Malware Security: Malware Protection with Windows Defender & GlassWire Firewall
     Scenario: Integrity of a File was modified by Malware
     Manual Forensic Triage of Memory Forensics and Analysis using OS Forensics Triage
     Analyzing Memory Image (of Windows 10) using Volatility:
       Image Info: volatility -f Memory-Image.mem imageinfo
       Running Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pslist
       Parent and Child Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pstree
       Process Scan (including hidden or terminated processes): volatility -f Memory-Image.mem --profile=Win2016x64_14393 psscan
       Command Lines: volatility -f Memory-Image.mem --profile=Win2016x64_14393 cmdline
       Dumping Process: volatility -f Memory-Image.mem --profile=Win2016x64_14393 procdump -p 1640 --dump-dir .
       Generating Hash and Checking (VirusTotal)
     Security: Next Generation Anti-Virus and Firewall
       Mini SOC with Open Source Tools – Home or Mid-Size Organization
       Intelligent SOC with Automated Threat Hunting, CTI and Threat Modeling for Enterprises
  • 58. RDP Cache Forensics
    Scenario (Online):
     Examination of RDP Cache Files (BIN), C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache, generated by RDP Connections
     Acquisition → Analysis → Detection → Malware Check → Analysis of RDP Cache
     Extracting Caches from BIN File: python bmc-tools.py -s Cache0001.bin -d ./BitMapsCache
     Analyze Text Contents to know access to Microsoft Store and further malpractices…
     Attacker Access Pattern Analysis:
       Last Access Time
       Behavioral Pattern Analysis – Which Apps and Intentions
       Examples: Logins and Logouts, Browsers used …
  • 59. Forensic Triage - Memory
    Memory Data: Collecting Evidence:
     Checking working of Forensics Triage Tools – OS Forensics, Cyber Triage
     Collect Incident Details from Memory through Forensics Triage
    Forensics Triage with Volatility:
     Get Volatility from https://www.volatilityfoundation.org/
     Evidence for Analysis: Live Image from https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
     Memory Image Analysis - Using Volatility:
       Image Info: volatility -f cridex.vmem imageinfo
       Running Processes: volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
       Parent and Child Processes: volatility -f cridex.vmem --profile=WinXPSP2x86 pstree
       Hidden Process Analysis: volatility -f cridex.vmem --profile=WinXPSP2x86 psxview
       Connections: volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
       Command Lines: volatility -f cridex.vmem --profile=WinXPSP2x86 cmdline
       Dumping Process: volatility -f cridex.vmem --profile=WinXPSP2x86 procdump -p 1640 --dump-dir .
     Generating Hash of extracted Malicious File: Create a hash of the exported malware/suspected file and verify its malicious nature using a VirusTotal scan
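As an added example (not part of the presentation or of Volatility), here is the parent-child reasoning an analyst applies by eye to the pslist/pstree output from slides 57 and 59, written as checks over a constructed sample in the column layout of Volatility 2 pslist output: orphaned processes, core processes with an unexpected parent, and duplicated singletons. The expected-parent table is for Windows XP, the profile used on slide 59; the PIDs, names and timestamps are constructed.

```python
import re

# Constructed sample in the column layout of Volatility 2 "pslist" output.
# PIDs, names and timestamps are illustrative, not copied from the cridex image.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ---------------------- ------ ------ ------ -------- ------ ------ ----
0x823c89c8 System                      4      0     53      240 ------      0
0x822f1020 smss.exe                  368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe                 584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe              608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2ab28 services.exe              652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 lsass.exe                 664    608     24      330      0      0 2012-07-22 02:42:32 UTC+0000
0x821dea70 explorer.exe             1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe            1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
0x820ba3c0 lsass.exe                2100   1640      2       30      0      0 2012-07-22 02:45:10 UTC+0000
"""

# One data row: offset, name, PID, PPID (the remaining columns are not needed here).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

# Parent that each core Windows XP system process is expected to have.
EXPECTED_PARENT = {"csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
                   "svchost.exe": "services.exe"}

def parse_pslist(text):
    """Return {pid: {"name": ..., "ppid": ...}}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(3))] = {"name": m.group(2), "ppid": int(m.group(4))}
    return procs

def orphans(procs):
    """PIDs whose parent is absent: it exited (normal for explorer.exe, started by userinit.exe)
    or was unlinked from the list, which psxview/psscan on the same image would reveal."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] != 0 and p["ppid"] not in procs)

def suspicious_parents(procs):
    """(pid, name, actual parent) for core processes started by an unexpected parent, e.g. a
    second lsass.exe spawned by a PDF reader: a classic masquerading/injection indicator."""
    hits = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"].lower())
        parent = procs.get(p["ppid"], {}).get("name", "<absent>").lower()
        if expected and parent != expected:
            hits.append((pid, p["name"], parent))
    return sorted(hits)

def duplicate_singletons(procs, singletons=("lsass.exe", "services.exe", "winlogon.exe")):
    """Names that occur once on a healthy XP system but appear more than once in the image."""
    names = [p["name"].lower() for p in procs.values()]
    return sorted(n for n in singletons if names.count(n) > 1)
```

Feed the saved output of the pslist command to parse_pslist and the flagged PIDs are the ones worth dumping with procdump and hashing for the VirusTotal check.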
  • 60. Windows Application Cache Analysis
    Browser Cache Analysis (Chrome):
     Location: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache
     Purpose: Created for performance improvement; a source of file access details
    Cache Analysis Tools:
     Nirsoft VideoCacheView: https://www.nirsoft.net/utils/video_cache_view.html#DownloadLinks
    Analyzing RDP Caches:
     Get https://github.com/ANSSI-FR/bmc-tools/ and extract
     Acquire or get Cache0001.bin and run
     python bmc-tools.py -s Cache0001.bin -d ./BitMapsCache
  • 61. What You Bag-In:
     Labs on Forensics Triage
     Malware Analysis – Memory Forensics & Reverse Engineering
     List of Cyber Security Tools
    Forensics Case Management Tools:
     Autopsy Forensics Tool: https://www.autopsy.com/download/
     OS Forensics: https://downloads.passmark.com/osforensics/downloads/osf.exe
    Forensics Imagers (Memory Imagers):
     Belkasoft RAM Capturer: https://belkasoft.com/ram-capturer
     Magnet RAM Capture: https://www.magnetforensics.com/resources/magnet-ram-capture/
     Mandiant Redline: https://www.fireeye.com/services/freeware/redline.html
     FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-5
     DumpIt: https://github.com/chrisjd20/compiled_windows_memory_acquisition
    System Cache Analysis Tools:
     Belkasoft R: https://belkasoft.com/get?product=bra
     Bitscout: https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-
  • 62. Memory Forensics Tools
    Malware In Memory Analysis (Reverse Engineering, Disassembling and Debugging):
     Ghidra: https://ghidra-sre.org/
     IDA Pro: https://hex-rays.com/IDA-pro/
     SysAnalyzer: https://hex-rays.com/ida-free/
     Binary Ninja:
     Mimikatz: https://github.com/gentilkiwi/mimikatz/releases
    Memory Analysis Tools:
     Volatility: https://www.volatilityfoundation.org/
     Redline: https://www.fireeye.com/services/freeware/redline.html
    Mobile Forensics Tools:
     Oxygen Forensics: https://www.mobiledit.com/forensic-express
     Autopsy Forensics Tools: https://www.mobiledit.com/forensic-express/request-a-demo
    Forensics Linux Distributions:
     REMnux
     SIFT Forensics Workstation: https://www.sans.org/tools/sift-workstation/
  • 63. THANK YOU ALL
    I’m thankful to the Computer Science Department of Sharda University for inviting me to present this session. My special thanks to Prof. Avinash for arranging this opportunity!