Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics.

Discovering the Scope
- Scope: understanding what the attacker did
- To determine the scope, one has to carry out a limited investigation
- What helps in scope discovery:
  - Examining initial data
  - Collecting and reviewing preliminary evidence
  - Determining a course of action

Examining Initial Data
- Talk to the people involved
  - Use a "trust but verify" approach
  - IT people may not know what is important to the investigation
- Assemble facts
  - Think of: Who, What, When, Where, Why, How

Gathering and Reviewing Preliminary Evidence
- Identify which sources of preliminary evidence may help
  - Pick sources of evidence that come from several categories and require less effort to analyze
- Advantages of using independent sources:
  - When sources agree, the probability that an incident did (or did not) occur is higher
  - It is difficult for an attacker to delete all sources
  - The likelihood of accidental overwrite is low
- Review the evidence
  - Use a method that can do it quickly
  - Test the method to make sure it is fast and accurate
- Note: absence of evidence is not evidence of absence

Determining a Course of Action
- Activities include:
  - Preserving evidence
  - Containing damage
- Questions that may help:
  - Will the action help answer an investigative question?
  - Am I following the evidence?
  - Am I putting too much effort into a single theory?
  - Do I understand the level of effort?
  - Am I staying objective?
  - Have I uncovered something that requires immediate remediation?
- Note: there is no "ideal path" to solving a case.

Customer Data Loss Scenario
- A company receives complaints from customers saying they are receiving a large amount of spam soon after registering in the company database.
- Initial data: customer complaints
- How to verify?
  - Work with customers to check their emails
  - Create fake customer accounts and register them
- Rather than waiting, continue with the investigation
  - Find out where customer data is stored and how it is managed

Customer Data Loss Scenario
- There is one internal and one external database that store customer data
  - The internal DB is the production server used for normal business
  - The external DB is managed by a third party, a marketing firm, and is used for email and postal mail
- Interview the IT department and learn more about the database and network

Customer Data Loss Scenario
- Interview results
  - The internal DB system:
    - About 500 GB
    - Has advanced query monitoring and reporting capability
    - Customers can register directly via the company website or manually via a phone call to the customer service department
    - No other methods of updating customer records exist
    - DB network traffic is approximately 3 TB per day
    - Backups are kept both on-site and off-site at another facility
  - The marketing firm receives data at the end of the month following any updates

Customer Data Loss Scenario
- Progress so far:
  - The marketing firm is unlikely to be the source of the data leak
  - Theft via phone is unlikely as well
  - So, the focus of the investigation should be on the website
- The next step
  - Performing a network packet capture could be difficult
  - Monitoring DB access would be easier

Customer Data Loss Scenario
- Could this be the work of an insider?
  - Has the website code been modified so that it sends customer addresses to the attacker?
  - Is someone taking copies of backup tapes?
- So far there is no lead to suggest any of the above
- What can be done to test these theories?
  - Enter data directly into the DB, bypassing the web portal
  - Enter some fake records into backup tapes

Customer Data Loss Scenario
- After two weeks of creating fake customer accounts, spam emails were received by those accounts
  - Spam was also received by the accounts entered manually into the DB
  - So, the website is not the source of the data theft
- No spam was received by the accounts placed in backup tapes
  - Backup tapes are not part of the problem
- Thus, the strongest lead for the data theft is direct access to the DB
  - We need to check DB activities
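
The fake-account test on the preceding slides is a canary (honeytoken) technique: one batch of accounts per entry channel, then see which batches start receiving spam. The script below is an added example written for this transcript, not the course's own material; it generalizes the slides' reasoning to any number of channels, and every address, channel name and spam report in it is constructed. The assumption that both the website and direct DB entry write to the same production DB is the one the scenario itself relies on.

```python
"""Canary (fake) customer accounts, one batch per entry channel, used to tell
which channel leaks data. Added example, not from the course slides; every
address, channel name and spam report below is constructed."""
from collections import defaultdict

# Constructed: canary accounts registered through each candidate channel.
# In the scenario the channels are the web portal, direct DB entry and
# backup tapes; the dictionary maps each canary address to its channel.
CANARIES = {
    "canary-web-01@example.invalid": "website",
    "canary-web-02@example.invalid": "website",
    "canary-db-01@example.invalid": "direct_db",
    "canary-db-02@example.invalid": "direct_db",
    "canary-tape-01@example.invalid": "backup_tape",
    "canary-tape-02@example.invalid": "backup_tape",
}

# Constructed: addresses observed receiving spam after two weeks.
SPAM_REPORTS = [
    "canary-web-01@example.invalid",
    "canary-web-02@example.invalid",
    "canary-db-01@example.invalid",
    "canary-db-02@example.invalid",
    "someone-else@example.invalid",   # not a canary: ignored
]


def attribute_leak(canaries, spam_reports):
    """Return {channel: (hit_count, total_count)} for each channel."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for addr, channel in canaries.items():
        totals[channel] += 1
    for addr in set(spam_reports):
        channel = canaries.get(addr)
        if channel is not None:
            hits[channel] += 1
    return {ch: (hits[ch], totals[ch]) for ch in totals}


def classify_channels(canaries, spam_reports):
    """Split channels into 'leaking', 'clean' and 'inconclusive'.

    A channel is 'leaking' when every canary placed through it got spam,
    'clean' when none did, otherwise 'inconclusive' (worth more canaries
    or a longer wait).
    """
    result = {"leaking": [], "clean": [], "inconclusive": []}
    for channel, (hit, total) in attribute_leak(canaries, spam_reports).items():
        if hit == total:
            result["leaking"].append(channel)
        elif hit == 0:
            result["clean"].append(channel)
        else:
            result["inconclusive"].append(channel)
    for key in result:
        result[key].sort()
    return result


def narrowest_leak_point(canaries, spam_reports):
    """Apply the scenario's reasoning: when every channel that feeds the
    production DB leaks, the common point (the DB itself) is the lead,
    not any single entry path."""
    verdict = classify_channels(canaries, spam_reports)
    db_fed = {"website", "direct_db"}  # assumption: both write to the production DB
    if db_fed <= set(verdict["leaking"]):
        return "production_db"
    if verdict["leaking"]:
        return verdict["leaking"][0]
    return None


if __name__ == "__main__":
    print(attribute_leak(CANARIES, SPAM_REPORTS))
    print(classify_channels(CANARIES, SPAM_REPORTS))
    print("strongest lead:", narrowest_leak_point(CANARIES, SPAM_REPORTS))
```

Each canary address must be unique to its channel and never used anywhere else, otherwise a hit cannot be attributed; with the constructed data the website and direct DB batches both leak while the tape batch stays clean, which is exactly the slide's conclusion that the DB, not the web portal or the tapes, is the strongest lead.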

Customer Data Loss Scenario
- How to check DB transactions?
  - Network-level packet capture
  - DB-level query monitoring
- The first option is not easy
  - Too much data
  - Queries might be encrypted
- Query monitoring is set up after creating a few more customer accounts

Customer Data Loss Scenario
- The log file is checked periodically
- After two weeks the new accounts start receiving spam
- The log shows a query retrieving customer emails:
  - Select cust from custprofile where signupdate >= …. ;
  - The date used was roughly two weeks old
- The log shows when the query was executed and from which IP address
  - The IP address belongs to a desktop in the company's graphic arts department
  - The username associated with the query belongs to a DB administrator
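
The periodic log review on this slide can be automated once the query log is in hand. The script below is an added example, not the course's or any database vendor's code: it assumes a one-line-per-query log format, the column name cust_email (the slide names the table custprofile and the signupdate column, but not the email column), a set of admin accounts and the workstations they normally use; all log lines and addresses are constructed. It flags bulk reads of the email column and explains why each one stands out.

```python
"""Review of DB-level query logs for bulk retrieval of customer e-mail
addresses. Added example, not the course's or any vendor's code. The log
format, the column name cust_email, the admin account/workstation sets and
all addresses below are constructed or assumed."""
import re
from datetime import datetime, timezone

# Assumed query-log format: "<ISO timestamp> user=<name> src=<ip> sql=<text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+sql=(?P<sql>.*)$"
)

# Assumptions for this example: the customer table and its e-mail column,
# the workstations from which DB administrators are expected to work,
# and the accounts that hold admin rights.
SENSITIVE_TABLE = "custprofile"
SENSITIVE_COLUMN = "cust_email"
ADMIN_ACCOUNTS = {"dbadmin"}
ADMIN_WORKSTATIONS = {"10.0.5.10", "10.0.5.11"}

# Constructed sample log; 10.0.22.77 stands in for the graphic arts desktop.
SAMPLE_LOG = """\
2016-03-01T09:12:04Z user=webapp src=10.0.1.20 sql=insert into custprofile (cust_email, signupdate) values ('a@example.invalid', '2016-03-01')
2016-03-01T09:15:30Z user=support src=10.0.7.14 sql=select cust_email from custprofile where cust_id = 4412
2016-03-01T23:41:02Z user=dbadmin src=10.0.22.77 sql=select cust_email from custprofile where signupdate >= '2016-02-16'
2016-03-02T08:00:00Z user=dbadmin src=10.0.5.10 sql=select count(*) from custprofile
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["sql"] = rec["sql"].lower()
    return rec


def is_bulk_email_read(sql):
    """True for a SELECT of the e-mail column from the customer table that is
    not a single-record lookup, i.e. a date-range or unfiltered export."""
    if not sql.startswith("select"):
        return False
    if SENSITIVE_TABLE not in sql or SENSITIVE_COLUMN not in sql:
        return False
    # A single-record lookup keyed on a customer id is normal support usage.
    if re.search(r"cust_id\s*=", sql):
        return False
    return True


def review_query_log(text):
    """Return findings: bulk e-mail reads, each with the reasons it is
    suspicious (admin account used from a non-admin host, off-hours)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_bulk_email_read(rec["sql"]):
            continue
        reasons = ["bulk read of customer e-mail addresses"]
        if rec["user"] in ADMIN_ACCOUNTS and rec["src"] not in ADMIN_WORKSTATIONS:
            reasons.append("admin account used from non-admin workstation")
        if not 8 <= rec["ts"].hour < 18:
            reasons.append("outside business hours")
        findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                         "src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_query_log(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

The source IP and the account name are kept together in each finding because, as the next slides show, the pair is what turns a log entry into a lead: an admin account is expected to run such queries, but not from a desktop in a department that never touches customer data.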

Customer Data Loss Scenario
- You check with the graphic arts department and ask if they query customer information
  - Their answer is "no"
  - But, they say, they do frequently contact several outside vendors via email

Customer Data Loss Scenario
- What we have learned so far:
  - Evidence supports the customer complaints
  - Two-week cycle of data theft
  - Only the customer email address is stolen
  - Data is stolen from the production DB
  - The data theft query originated from a desktop computer in the graphic arts department
  - The graphic arts department does not use customer information
  - The query was issued from a DB administrator account

Customer Data Loss Scenario
- What is the next course of action?
- There are two sources of evidence:
  - The production database server
  - The desktop in the graphic arts department
- We need to check both sources and gather more data

Customer Data Loss Scenario
- Action with respect to the graphic arts desktop:
  - Collect live response
  - Create forensic images
  - Interview the user
- Action with respect to the production database server:
  - Collect live response
  - Preserve database logs that record user access
  - Preserve all query logs
  - Preserve all application and system logs

Customer Data Loss Scenario
- What is the plan now?
  - Since we know the query origination time, see who was logged on at that time
  - Check that system's network activity around that time
- Examination of the graphic arts computer shows that malware is installed
  - The malware provides features such as a remote shell, a remote graphical interface, and the ability to launch and terminate processes
  - The malware connects to an IP address allocated to a foreign country
  - The malware has been installed for nearly two years

Customer Data Loss Scenario
- Final steps in the investigation process:
  - Use a host-based inspection tool to examine each computer in the company for indicators of compromise
    - Look for file names, registry keys, and any other unique characteristics of the malware
  - Query firewall logs for indications that other computers may have been infected
    - Look for traffic to the IP address the malware connects to
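
The two final checks on this slide, host artefacts against the malware's indicators and firewall logs against the address it connects to, are the scoping sweep that decides how many machines need collection. The script below is an added example for this transcript, not the course's or any tool's code. The firewall log format, the host inventory format, the indicator values (a TEST-NET-3 address and made-up file and registry names) and every host address are constructed placeholders, not real indicators of compromise.

```python
"""Scoping an intrusion with the two checks from the final slide: match
host artefacts against the malware's indicators, and pivot through firewall
logs on the address the malware connects to. Added example, not from the
course; the log format, the indicators and every address and path below are
constructed placeholders, not real IoCs."""
import re
from collections import defaultdict

# Placeholder indicators "taken from" the examined desktop (constructed).
IOC_C2_IP = "203.0.113.45"                      # RFC 5737 TEST-NET-3 range
IOC_FILE_NAMES = {"svchosts.exe", "updchk.dll"}  # constructed names
IOC_REGISTRY_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run\updchk",  # constructed
}

# Assumed firewall log format: "<ts> <action> <src>:<sport> -> <dst>:<dport>"
FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed firewall log: 10.0.22.77 is the graphic arts desktop.
FW_LOG = """\
2016-03-01T23:40:50Z allow 10.0.22.77:49211 -> 203.0.113.45:443
2016-03-01T23:55:12Z allow 10.0.22.90:50102 -> 203.0.113.45:443
2016-03-02T00:10:03Z allow 10.0.7.14:51000 -> 198.51.100.7:443
2016-03-02T01:02:41Z deny 10.0.22.90:50110 -> 203.0.113.45:8080
2016-03-02T02:30:00Z allow 10.0.22.77:49300 -> 203.0.113.45:443
"""

# Constructed host inventories, as a host-based inspection tool might report.
HOST_ARTEFACTS = {
    "10.0.22.77": {"files": {"c:\\windows\\temp\\svchosts.exe"},
                   "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"}},
    "10.0.22.90": {"files": {"c:\\users\\bob\\appdata\\local\\notes.txt"}, "registry": set()},
    "10.0.22.95": {"files": {"c:\\programdata\\updchk.dll"}, "registry": set()},
    "10.0.7.14": {"files": {"c:\\windows\\system32\\svchost.exe"}, "registry": set()},
}


def hosts_contacting(text, c2_ip):
    """Return {src_ip: {"count", "first", "last", "denied"}} for hosts that
    tried to reach c2_ip; denied attempts still count, because a blocked
    beacon is still a sign the host is infected."""
    seen = {}
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m or m["dst"] != c2_ip:
            continue
        entry = seen.setdefault(m["src"], {"count": 0, "first": m["ts"], "last": m["ts"], "denied": 0})
        entry["count"] += 1
        entry["last"] = m["ts"]
        if m["action"] == "deny":
            entry["denied"] += 1
    return seen


def host_ioc_matches(artefacts):
    """Return {host: [matched indicators]} using case-insensitive matching
    on the file's base name and on the full registry key path."""
    matches = defaultdict(list)
    for host, arts in artefacts.items():
        for path in arts["files"]:
            name = path.lower().rsplit("\\", 1)[-1]
            if name in IOC_FILE_NAMES:
                matches[host].append("file:" + name)
        for key in arts["registry"]:
            if key.lower() in IOC_REGISTRY_KEYS:
                matches[host].append("reg:" + key.lower())
    return dict(matches)


def scope_incident(fw_text, artefacts, c2_ip):
    """Union of both checks: a host on either list needs collection, and a
    host on both is a strong confirmation rather than a false positive."""
    net = hosts_contacting(fw_text, c2_ip)
    hst = host_ioc_matches(artefacts)
    return {h: {"network": h in net, "host": h in hst} for h in sorted(set(net) | set(hst))}


if __name__ == "__main__":
    for host, ev in scope_incident(FW_LOG, HOST_ARTEFACTS, IOC_C2_IP).items():
        print(host, ev)
```

The two checks are deliberately kept as a union rather than an intersection: a host that beaconed but shows no artefacts may carry a variant with different file names, and a host with the artefacts but no firewall hits may simply not have beaconed during the log window, so both belong on the collection list. Note that the near-miss name svchost.exe on 10.0.7.14 is correctly not matched, which is why matching is on exact base names rather than substrings.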