sigurnost integrirana

Computer Forensic and Automated IR

Damir Delija
Dr.Sc.E.E
Presentation plan

-   Introduction to computer forensics and incident response
      •   what it is
      •   legal and organisational issues
-   EnCase approach
      •   Architecture, tools, methods
      •   approach to forensics and incident response
      •   How it is done
Computer Forensic – a Definition

-   A practical definition:

-   “Computer Forensics is simply the application of computer investigation
    and analysis techniques in the interest of determining potential legal
    evidence (Judd Robbins).”
Legal Definition of Forensics

-   Daubert/Frye: The most important decisions governing the use of
    scientific evidence in court are those of Daubert (Federal) /
    Frye (California).

-   There are four primary factors according to Daubert/Frye that should
    be considered before ruling on the admissibility of scientific
    evidence:
      •   Whether the theory or technique has been reliably tested;
      •   Whether the theory or technique has been subjected to peer
          review and publication;
      •   What is the known or potential rate of error of the method
          used;
      •   Whether the theory or method has been generally accepted by
          the scientific community.
Role of the EnCase suite

-   EnCase Suite - Guidance Software
    www.guidancesoftware.com
-   Central point in system security; the other usual security-related
    tools are subordinates (feeds and actuators)
-   Acts as a standalone or as an enterprise-wide tool
-   It is supposed to react to incidents or to control the system, both in
    the same sound digital forensic way
-   The examiner workstation is a workplace for incident responder,
    examiner, auditor, controller - all in the same consistent, legally
    acceptable manner
-   Predefined roles, ranges, users and events
-   Uses other parts of the incident response infrastructure like the
    ticketing system, help desk, IPS, IDS, etc ...
What are our threats?

Threats surrounding the client (centre of the diagram):
-   Others (Unknown)
-   Regulatory compliance
-   IP theft (e.g. external consultant)
-   Classified data leakage
-   Disgruntled employees
-   Human error
-   Competitors
-   Fraud
-   Virus outbreaks
-   Inappropriate content
-   Unauthorised software
-   Deliberate attack (hackers)
Integrating Forensic into IR

What is an incident to you?
-   Virus outbreak?
-   Stolen laptop?
-   Inappropriate usage?
-   Legal requirement for electronic data?
-   Unauthorised software?
-   Inappropriate content?
-   Classified data appearing in the wrong environments?
-   Data leakage?
-   IP theft?
-   Disgruntled employee?

How do you respond?
-   Manual processes?
-   Take computers off the network?
-   Suspend employees?
-   External investigative consultancy?
-   Outsource data collection?
-   Press release / PR?
-   Hope and pray?
-   Ignore?
Latest analytics (1)

Who is behind data breaches?
-   73% resulted from external sources
-   18% were caused by insiders
-   39% implicated business partners
-   30% involved multiple parties

How do breaches occur?
-   62% were attributed to a significant error
-   59% resulted from hacking and intrusions
-   31% incorporated malicious code
-   22% exploited a vulnerability
-   15% were due to physical threats

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10th June 2008
Latest analytics (2)

What commonalities exist?

-   66% involved data the victim did not know was on the system
-   75% of breaches were not discovered by the victim
-   83% of attacks were not highly difficult
-   85% of breaches were the result of opportunistic attacks
-   87% were considered avoidable through reasonable controls

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10th June 2008
Latest analytics (3)

Nine out of 10 data breach incidents involved one of the following:

      •   A system unknown to the organization (or business group
          affected)
      •   A system storing data that the organization did not know
          existed on that system
      •   A system that had unknown network connections or
          accessibility
      •   A system that had unknown accounts or privileges

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10th June 2008
How do we deal with these threats today?

Reactively
•   We manually investigate incidents, which is time consuming
•   We employ 3rd party consultancies to collect data for compliance
•   We quarantine computers from the network (disrupting operations)
•   We need multiple tools to investigate and solve problems
•   We have to wait for our AV vendor to supply signatures for new
    outbreaks

Proactively
•   We cannot search the network for IP or other sensitive data
•   We cannot search for unauthorised software or malicious code
•   We cannot forensically remove data or malicious processes
•   We don’t have time to investigate disgruntled employees
•   We can’t identify potential risks comprehensively
Implement Incident Response infrastructure

-   Implement EnCase Enterprise as a core
      •   define additional functionalities and plugins for EnCase
      •   training, testing, support, etc.
-   Integrate it with other tools
      •   IDS, IPS, network management, physical security, system
          administration, etc...
      •   Help Desk system, trouble ticketing system
-   Develop a lifecycle for an efficient Incident Response System
      •   policies, controls, reports, tests etc...
      •   keep the IR system proactive, healthy and efficient
Anti-Forensics

Anti-forensics is any and all actions taken by an unauthorized intruder
to conceal evidence
      •   securely deleting critical log files is considered an
          anti-forensic technique.
-   discovered use of anti-forensics in 39% of cases
-   this will be a trend to watch over the next years

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team
Incident Response Recommendations

-   Align process with policy
-   Achieve “essential” then worry about “excellent”
-   Secure business partner connections
-   Create a data retention plan
-   Control data with transaction zones
-   Monitor event logs
-   Create an incident response plan
-   Increase awareness
-   Engage in mock incident testing
IT security dependencies

-   IT security depends on core competencies:
      •   People - skill and knowledge problem
      •   Process - there are standards and best practices
      •   Technologies - control of usage and functions

-   This can be achieved by
      •   developing an enterprise investigative infrastructure
      •   use of forensic technologies as a core part of IR
EnCase Enterprise (EE) Platform

Key capabilities
-   Covertly investigate across the network on live machines
-   Bit-level analysis able to uncover deleted and hidden data
-   Also able to analyse volatile data in RAM
-   Sweep the enterprise for hacker code like key loggers & root kits
-   Court validated as forensically sound
-   Role-based access control and encrypted data flow

Business benefits
-   Respond to HR/IT requests much faster
-   Conduct many more investigations with the same resources
-   Rules employees in or out of investigations covertly
-   Collects court-validated evidence of wrongdoing
EnCase Incident Response

Key capabilities
-   Can integrate directly with IDS and SIM solutions
-   Automatically collects volatile data at the point of attack or infection
-   Threat can be killed immediately on the target machine
-   Scan and kill threat across the entire network very quickly

Business benefits
-   Acts on intelligence provided by SIM
-   Guarantees collection of intelligence 24x7x365
-   Removes threat from the entire estate without disrupting operations
-   Helps enhance defences by offering real actionable intelligence
-   Drives the true value out of IDS and SIM solutions
-   An effective way to counter “Day Zero” attacks!
Case Review IR

A professional malicious attacker tries to penetrate your network and
you have netForensics deployed.
-   The SIM (netForensics) & other perimeter defence products throw up
    high-priority alerts
-   Alert passed on to EnCase Enterprise
-   Automatic snapshot of the target machine retrieved (all processes
    running in RAM of the target)
-   Your SIRT team analyses the snapshot results to determine malicious
    processes
-   Process can be killed remotely and forensically wiped on the target
    node
-   Malicious/rogue process hashed and an enterprise sweep carried out to
    determine the extent of the breach. Can be remotely wiped on all
    “infected” nodes to clean the network
Kill Malicious Process – options

Choice of deleting the process file, or deleting and wiping it from the
hard drive
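The snapshot, hash and enterprise-sweep steps of the case review, together with the delete / delete-and-wipe choice from the options slide, as an added Python example; this is not EnCase or Guidance Software code, and every host name, path, PID and process image in it is constructed sample data. It also goes one step beyond the slides by contrasting the hash-based sweep with a naive file-name match.

```python
"""Hash-based enterprise sweep, modelled on the snapshot -> hash -> sweep steps
of the case review. Added example, not EnCase/Guidance Software code; every
host, path and process image below is constructed sample data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    host: str
    pid: int
    name: str
    path: str
    image: bytes  # bytes of the backing executable as captured in the snapshot

    def sha256(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


# Constructed snapshots from three hosts. The same rogue image runs under
# three different file names; a benign "updater.exe" also exists on ws03.
ROGUE = b"MZ constructed rogue payload bytes"
SNAPSHOTS = [
    Process("ws01", 412, "svchost.exe", r"C:\Windows\System32\svchost.exe", b"legit svchost"),
    Process("ws01", 2210, "updater.exe", r"C:\Users\alice\AppData\updater.exe", ROGUE),
    Process("ws02", 418, "explorer.exe", r"C:\Windows\explorer.exe", b"legit explorer"),
    Process("ws02", 1337, "svch0st.exe", r"C:\Temp\svch0st.exe", ROGUE),
    Process("ws03", 900, "updater.exe", r"C:\ProgramData\updater.exe", b"benign vendor updater"),
    Process("ws03", 901, "notepad.exe", r"C:\Windows\notepad.exe", ROGUE),
]


def triage(alert_host, alert_pid, snapshots=SNAPSHOTS):
    """Steps 2-4: the SIM alert names a host and PID; pull that process out of
    the snapshot and hash its image. The hash becomes the sweep indicator."""
    for p in snapshots:
        if p.host == alert_host and p.pid == alert_pid:
            return p, p.sha256()
    raise LookupError(f"no snapshot entry for {alert_host} pid {alert_pid}")


def sweep_by_hash(indicator, snapshots=SNAPSHOTS):
    """Step 6: match every host's snapshot on the image hash, so renamed copies
    are found and same-named benign files are not."""
    return sorted((p.host, p.pid, p.name) for p in snapshots if p.sha256() == indicator)


def sweep_by_name(name, snapshots=SNAPSHOTS):
    """Naive comparison: matching on file name alone misses the renamed copies
    and produces a false positive on the benign updater.exe."""
    return sorted((p.host, p.pid, p.name) for p in snapshots if p.name == name)


def remediation_plan(hits, wipe=True):
    """Steps 5-6 and the options slide: kill the process on each node, then
    either delete the file or delete and wipe it."""
    action = "kill process, delete and wipe file" if wipe else "kill process, delete file"
    return [{"host": h, "pid": pid, "file": name, "action": action} for h, pid, name in hits]


if __name__ == "__main__":
    proc, indicator = triage("ws01", 2210)
    print(f"flagged {proc.path} sha256={indicator[:16]}...")
    for step in remediation_plan(sweep_by_hash(indicator)):
        print(step)
```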
Global Market Leaders across industries rely on Guidance Software
Questions

damir.delija@insig2.hr


Računalna forenzika i automatizirani odgovor na mrežne incidente
(Computer Forensics and Automated Response to Network Incidents)