Slide 1: AIM – Agile Incident Management
Prepared By: Robert W. Beggs, CISSP CISA
Presented To: EnergizeIT, 16 June 2007
© DigitalDefence, Inc. 2007 (www.digitaldefence.ca)

Slide 2: Introduction
Robert Beggs, CISSP, CISA
- 15+ years experience in Information Security
- Military, biomedical research, consulting, financial services background
DigitalDefence.ca
- 9-1-1 for Data Security Incidents
- Focus on providing incident management services
- Professional services, managed services, training

Slide 3: Data Security Incidents
Data security incident: the act of non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity and availability of your corporate data.

Slide 4: The Threat
- Attackers are financially motivated: skills are rewarded; "business competitors" are hacking
- "Trickle down effect": powerful, easy-to-use tools are widely available (Metasploit)
- Focus on hiding attacks, beating forensics
- Internal attacks are commonly detected
- External attacks are focused on the end user, not the network
  - Cross-site scripting
  - USB devices

Slide 5: Law Enforcement ...
- 61,000 police officers in Canada
- 245 specialize in cybercrime (0.4%)
- Overall, lack budget and training
- Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)
- In short, an effective response is generally up to the victim
- Are you ready? ...

Slide 6: Traditional Incident Response (IR)
- Event-triggered: you have lost the initiative
- Competing priorities: technical (investigation) versus business (recovery)
- Mistakes are frequently made

Slide 7: (no text on this slide)

Slide 8: Agile Incident Management
Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization.

Slide 9: Proactive Measures
- Develop an incident management strategic plan; integrate it into corporate business strategy
- Risk assessment: security / privacy incidents are a business risk
- Develop policy and SOPs (standard operating procedures)
- Assign roles and responsibilities
- Support technical staff
- Augment with appropriate 3rd parties

Slide 10: Proactive Measures (continued)
- Activity monitoring, including employees
- Proactive forensics
- End-user education
- Create a culture of security

Slide 11: Reactive Measures
Emphasize "agility": Fast, Focused, Flexible
- Fast data collection (live response)
- Fast data analysis
- Focused and appropriate response / countermeasures
- Focused documentation
- Flexible approach: attacks can change rapidly

Slide 12: Live Response
Live response = volatile + (sometimes) non-volatile data collected before the system is powered down and recovered.
Why?
- Rapid response; provides guidance for traditional response
- Loss of volatile information (the "Trojan defence")
- System must be returned to production state
- Too much data to image (750 GB drives are common)
- Data will return to an encrypted / locked state

Slide 13: Information To Collect
- System time
- RAM contents
- Logged-on user(s)
- Open files
- Network information
- Network connections
- Running process information
- Process-to-port mapping
- Process memory
- Network status
- Clipboard contents
- Service / driver information
- Command history
- Mapped drives
- Shares
- ADS (alternate data streams)
- Registry (e.g. autoruns)
- Non-volatile information (e.g. event logs, file lists)
- System time (again, to bracket the collection)

Slide 14: Live Response Tools
- Console-agent architecture
  - Enterprise forensic software (EnCase, LiveWire)
  - Mandiant's First Response
- Helix bootable Linux CD or USB
- Open-source IR scripts
- Roll your own script to invoke native MS Windows commands and CLI tools
  - MS .BAT files are reliable, easy to explain
  - PERL can be more flexible

Slide 15: Make Your Own Response Toolset
- Create a bootable disk (command.com, cmd.exe)
- Use multiple media formats (floppy, CD, DVD, USB)
- Label the disk
- Rename the tools you will use!
- Make sure that all dependencies are included
- Do an MD5 hash of the final tools and toolset
- Identify where output will be stored, and how it will be protected
- Test
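The hashing step above, as an added example (not from the presentation): record an MD5 manifest of every tool and bundled dependency on the response media, then re-verify the media before use so any altered, missing or extra file is caught. The directory layout and file names (ir_netstat.exe, deps/msvcrt.dll) are constructed for the demo.

```python
# Added example: MD5 manifest for a hand-built response toolset (constructed files).
import hashlib
import os
import tempfile

def md5_file(path: str) -> str:
    """MD5 of one file, read in chunks so large tools do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(toolset_dir: str) -> dict:
    """Map each relative path under the toolset (tools and dependencies) to its MD5."""
    manifest = {}
    for root, _dirs, files in os.walk(toolset_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, toolset_dir).replace(os.sep, "/")
            manifest[rel] = md5_file(full)
    return manifest

def verify_manifest(toolset_dir: str, manifest: dict) -> dict:
    """Compare the media against the recorded manifest before the toolset is used."""
    current = build_manifest(toolset_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo() -> dict:
    """Constructed toolset: record the manifest, alter one tool, then re-verify."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "deps"))
        with open(os.path.join(d, "ir_netstat.exe"), "wb") as f:  # renamed copy of a tool
            f.write(b"MZ\x90\x00constructed-binary")
        with open(os.path.join(d, "deps", "msvcrt.dll"), "wb") as f:  # bundled dependency
            f.write(b"MZ\x90\x00constructed-dll")
        manifest = build_manifest(d)
        with open(os.path.join(d, "ir_netstat.exe"), "ab") as f:  # simulate tampering
            f.write(b"tampered")
        return verify_manifest(d, manifest)
```

MD5 matches what the slide asks for; since MD5 collisions are practical today, record a SHA-256 alongside it when building a new toolset.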

Slide 16: Step One: Validate Your Tools
- Tools must not alter the target system, OR all alterations must be known
- What is the "touch" of the file on the target?
  - Regmon and Filemon (Sysinternals)
  - ListDLLs (Sysinternals) identifies changes to DLL usage, or changed / updated DLLs
  - Dependency Walker (www.dependencywalker.com) identifies any changes to dependent modules
  - Wireshark or other sniffer
- What is the "touch" of the delivery system (CD, USB)?

Slide 17: Let's Begin ...

Slide 18: Memory Analysis
- It's the RAM! (Does not include virtual memory swapped to the HD)
- How do we get it?
  - Hardware devices
  - Firewire (uses direct memory access, DMA)
  - Crash dumps
  - Suspended virtual sessions
  - DD ("data dumper")
  - Other applications (KnTTools, Nigilant32, ProDiscover IR)

Slide 19: Nigilant32 (http://www.agilerm.net/download.html)
- Free
- Black box: does not describe how it is doing it
- Does not provide any analysis tool

Slide 20: Analysis of a Memory Image
- Hex editor + string search
  - "Password", "BOT", "@hotmail", "backdoor", "Trojan", "key", "logger", "IRC", various expletives
- Various open source scripts
  - Ptfinder.pl (Andreas Schuster)
  - Lsproc.pl, Lspd.pl, Lspi.pl (Harlan Carvey)
- Proprietary tools
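The "hex editor + string search" approach, as an added example (not from the presentation): a keyword scan over a raw memory image that reports the offset, encoding and surrounding bytes of each hit. Windows keeps much of its user-facing text as UTF-16LE, so an ASCII-only search silently misses those strings; the scan covers both encodings. The image bytes and keyword subset are constructed for the demo.

```python
# Added example: keyword scan of a raw memory image in ASCII and UTF-16LE.
import re

KEYWORDS = ["Password", "BOT", "@hotmail", "backdoor", "Trojan", "IRC"]  # subset of the slide's list

def find_keywords(image: bytes, keywords=KEYWORDS, context=16):
    """Return sorted [(offset, encoding, keyword, snippet)] for each case-insensitive hit."""
    hits = []
    for kw in keywords:
        patterns = (
            ("ascii", re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE)),
            ("utf-16le", re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE)),
        )
        for enc, pat in patterns:
            for m in pat.finditer(image):
                # context is even, so the slice keeps the same 2-byte alignment as the match
                start = max(0, m.start() - context)
                raw = image[start:m.end() + context]
                codec = "utf-16-le" if enc == "utf-16le" else "ascii"
                snippet = raw.decode(codec, errors="replace")
                hits.append((m.start(), enc, kw, snippet))
    return sorted(hits)

def constructed_image() -> bytes:
    """A tiny fake memory image: padding, one ASCII hit (case differs) and two UTF-16LE hits."""
    return (
        b"\x00" * 32
        + b"ftp user=admin password=hunter2\x00"
        + b"\x00" * 16
        + "connect irc.example.invalid backdoor".encode("utf-16-le")
        + b"\x00" * 32
    )

if __name__ == "__main__":
    for offset, enc, kw, snippet in find_keywords(constructed_image()):
        print(f"0x{offset:08x} {enc:9s} {kw:10s} {snippet!r}")
```

On a real image the keyword list is a starting point, not a verdict: every hit still has to be tied back to a process or file by the other tools on the slide.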

Slide 21: DEMO

Slide 22: "Rules of the Tools"
- Understand the tool, and the results
- Test before use
- Have a clear objective; don't throw everything at a suspect system
- Redundancy: every finding should be validated by at least 2 separate tools, preferably from 2 different vendors
  - FPort (Foundstone)
  - OpenPorts (PortExplorer toolkit; www.diamondcs.com.au)
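The redundancy rule applied to process-to-port mapping, as an added example (not from the presentation): parse the output of two independent sources and report which findings both confirm and which only one tool saw. Source A uses the "netstat -ano" listening-socket layout; source B is a simplified "Pid Port Proto Path" table standing in for a second mapper, a layout assumed for the demo rather than any vendor's real format. Both samples are constructed.

```python
# Added example: cross-validate process-to-port findings from two tools (constructed samples).
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1588
  UDP    0.0.0.0:137            *:*                                    4
"""

MAPPER_SAMPLE = """\
Pid   Port   Proto  Path
392   135    TCP    C:\\WINDOWS\\system32\\svchost.exe
4     445    TCP    System
4     137    UDP    System
"""

# netstat: proto, local port, optional LISTENING state (absent for UDP), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")
# assumed second-tool layout: pid, port, proto, path
MAPPER_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(TCP|UDP)\s+(\S.*?)\s*$")

def parse_netstat(text: str) -> set:
    """{(proto, port, pid)} for listening TCP sockets and bound UDP sockets."""
    out = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            out.add((m.group(1), int(m.group(2)), int(m.group(3))))
    return out

def parse_mapper(text: str) -> set:
    """{(proto, port, pid)} from the second mapper's table."""
    out = set()
    for line in text.splitlines():
        m = MAPPER_RE.match(line)
        if m:
            out.add((m.group(3), int(m.group(2)), int(m.group(1))))
    return out

def cross_validate(a: set, b: set) -> dict:
    """Findings confirmed by both tools, and those only one tool reported."""
    return {"confirmed": sorted(a & b), "only_netstat": sorted(a - b), "only_mapper": sorted(b - a)}
```

A finding that appears in only one set is exactly what the rule is meant to surface: either a tool error or something one tool could not see, and it needs a third source before it goes in the report.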

Slide 23: Live Response Tools

Slide 24: DEMO (Selected Tools)

Slide 25: Open Source – Windows Forensic Toolchest
http://www.foolmoon.net/security/wft/index.html

Slide 26: Open Source and Easy – Helix 1.8
http://www.e-fense.com/helix/
- Runs on Windows and Unix boxes; well documented
- CD tools may be out of date

Slide 27: Remember
- Toronto Area Security Klatch (TASK), www.task.to
  - Free monthly meetings, portal site
- SecTor (November 2007), www.sector.ca
  - Technical attacks; technical defences
  - Dan Kaminsky, Johnny Long, Ira Winkler ...
- Free Canadian Information Security Newsletter (www.digitaldefence.ca/subscribe)

Slide 28: Contact