CYBERSECURITY AND DATA PRIVACY LAW CONFERENCE
UNDERSTANDING THE TECH OF CYBERSECURITY FORENSICS
CYBERSECURITY LANDSCAPE
• Traditional information security techniques have not been effective in keeping cyber intruders out of the organization.
• Company expenditures for the latest and greatest technology to protect the infrastructure continue to increase.
• Technology solutions alone do not appear to have a significant impact on reducing cyber threats.
• Cyber threat actors will continue to evolve and persist in accessing corporate information.
AN EVOLVING APPROACH TO CYBER SECURITY
According to IDC, cyber security spending will grow almost 4.7 percent to reach $101 billion by 2020, a 38% increase over what was spent in 2016.
Worldwide spending on software, hardware, and services related to cyber security will reach $101 billion by 2020, an increase of 38% over what was spent in 2016, according to the latest forecast from the International Data Corporation. The increase in spending is being driven by an increase in high-profile cyber incidents in popular news and media, specifically the Sony, Yahoo, and more recently the DNC hacking scandals.
37%: the percentage of organizations not equipped with the latest security tools in 2015.
DETECTION CAPABILITIES REMAIN POOR ACROSS INDUSTRIES
• The 2016 Verizon Data Breach Investigations Report indicates that internal breach detection capabilities have failed to improve in recent years.
• Organizations need technology and processes in place to help sort through all event data and determine who was behind the security breach, identify which systems were compromised, determine whether data was exfiltrated, and confirm whether the breach was successfully remediated.
AN EVOLVING APPROACH TO CYBER SECURITY
• Organizations need to learn that technology solutions themselves do not provide effective security.
• Competent cyber security protection is provided by people who have been enabled by:
  • Policy
  • Procedure
  • Technology
• These three things provide the security professional with the authority, accountability, repeatability, and efficiency needed to conduct incident response effectively.
AN EVOLVING APPROACH TO CYBER SECURITY
Dedicated Security Team
• Too often we see clients that have no dedicated security roles in the organization at all.
• Often the cyber security role is a hat worn by the general system administration team.
• Sometimes this is even unbeknownst to the team.
Effective cyber security will always require dedicated roles
• For smaller organizations, this may mean an MSSP agreement to provide effective security.
• For organizations with 1000+ hosts, this will generally require an internal SOC.
AN EVOLVING APPROACH TO CYBER SECURITY
AN EVOLVING APPROACH TO CYBER SECURITY
Technology Solutions Required:
Network monitoring device(s)
• IDS / IPS can detect suspicious outbound user activity, inbound threat actor activity, and even potential threats moving laterally within your network.
Host monitoring devices
• OS monitoring scripts or applications that enumerate OS-level activity (processes, files, etc.).
Security Incident and Event Manager (SIEM)
• Aggregates host and network data, separately or together, to create a holistic picture of the network.
TOOLS AND TECHNIQUES FOR CYBERSECURITY AND FORENSICS
PREVENTATIVE SECURITY CONTROLS
Network Security Controls
• Network security deals with devices and technology that monitor a computer's network connection to the corporate network, or to the internet itself.
• Since (most) attackers must use the internet to communicate with their targets, an effective network security defense can make propagation difficult, or even prevent the attack from ever starting.
PREVENTATIVE SECURITY CONTROLS
Network Security Controls
Firewalls
• Basic perimeter protection; serves to isolate network segments.
Intrusion Detection / Intrusion Prevention Systems
• An IDS will continually scan network traffic to identify known signatures or signs of malicious activity traveling in and out of your network.
• An IPS does the same thing, but automatically blocks and prevents attacks.
Data Loss Prevention
• If an attack is able to bypass the IPS and reach the target, a DLP solution will prevent theft of confidential information. DLP monitors traffic as it leaves the network; if an unauthorized transmission of information is detected, DLP will block it and alert.
Network Access Control
• NAC will prevent unauthorized devices from connecting to the internal network.
• Can prevent a computer from interacting with the internal network by verifying anti-virus, policy compliance, updates, etc.
Web Application Firewall
• Will prevent users and malicious logic from downloading or interacting with known malicious or inappropriate web content.
PREVENTATIVE SECURITY CONTROLS
Endpoint Security
Anti-Virus
• Most commonly used form of all cyber defense, and also the least effective. Nearly all anti-virus engines are trivial to evade for even modestly experienced attackers.
Host Intrusion Prevention Systems (HIPS)
• Similar to a Network Intrusion Prevention System (IPS) but entirely centered on the host. If it detects a potential network attack, it will block it before the information reaches the targeted application.
Standard Images
• Standardized OS installations increase security and make your security team's job easier by installing all company-approved applications. Makes spotting a suspicious machine much easier.
Application Whitelisting
• Allows only company-approved applications to run.
• Can be cumbersome to manage, but is often the only option for out-of-lifecycle operating systems that must continue to run (e.g., Windows XP).
File Integrity Monitoring
• FIM will detect unauthorized changes to critical system files and notify when such changes are detected. Excellent at detecting rootkits, steganography, and process hijacking.
SHORTCOMINGS IN PREVENTATIVE TECHNOLOGIES
Not all defensive solutions are perfect. There are often limitations to consider for each product.
Deployment Constraints
• Selected products and services may not be optimized to the specific needs and budget of the organization.
Signatures are not readily available for new attacks
• Traditional security tools depend on signature detection technology to identify breaches. This can be ineffective against 0-day attacks or insider threats.
Behavioral-based signatures fire too often
• Behavioral signatures, while more inclusive, can fire too often to be taken seriously.
SHORTCOMINGS IN PREVENTATIVE TECHNOLOGIES
In addition to the technical limitations of these solutions, many companies have additional unforeseen difficulties simply implementing them.
Maintenance Overhead
• An already thinly stretched security team now has to maintain another appliance, so shortcuts are taken in setting it up.
Lack of expertise
• With no training provided for the appliance, employees unknowingly configure a glaring security hole.
However, the largest non-technical vulnerability by far will always be:
MASSIVE AMOUNTS OF SECURITY EVENT DATA
Security teams face a challenge
• Reviewing gigabytes and terabytes of security event data to discover the needle in the haystack.
• Multitudes of security data, from network packets to system and firewall logs, make it difficult to identify the critical data.
• Even an experienced security analyst who understands the tools and activity can only look at so many events.
A strong SIEM can increase the efficiency of an analyst
• Can parse through large amounts of alerts and filter based on potential incident severity.
• Not a replacement for a strong analyst.
CYBER THREAT DETECTION CAPABILITIES
Detection Capability       Attack Lifecycle Phases Captured
Firewall Logs              Recon, Delivery
IDS / IPS Logs             Recon, Delivery, Exploit, Control
System Event Logs          Delivery, Exploit, Control, Execute, Maintain
NetFlow Analysis           Recon, Delivery, Maintain
Passive DNS Logs           Recon
Malware Analysis           Execute, Control, Maintain
Registry Analysis          Control, Execute
Pcap Analysis              Recon, Delivery, Exploit, Control, Maintain
Forensic Disk Analysis     Recon, Delivery, Exploit, Control, Execute, Maintain
Memory Forensics           Exploit, Control
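Two ideas from the preceding slides, a SIEM that filters alerts by potential incident severity and the table of which attack-lifecycle phases each log source can reveal, combine into a simple triage routine. The following is an added example and is not the presentation's code or any SIEM's: it groups constructed events per host, rejects events whose source could not have observed the phase the parser tagged (a normalisation error), suppresses hosts with little lifecycle coverage, and ranks the rest by how many phases are seen and how many independent sources corroborate them. The source names, hosts, messages and the minimum-phase threshold are assumptions made for the demo; only the log-based rows of the table are used.

```python
"""Multi-source event triage against the attack lifecycle.

Added illustration only; not code from the presentation. SOURCE_PHASES
mirrors the log-based rows of the deck's "Detection Capabilities" table.
The sample events, hosts and messages are constructed for the demo.
"""
from collections import defaultdict

LIFECYCLE = ("Recon", "Delivery", "Exploit", "Control", "Execute", "Maintain")

# Phases each log source is able to reveal, per the table above.
SOURCE_PHASES = {
    "firewall": {"Recon", "Delivery"},
    "ids": {"Recon", "Delivery", "Exploit", "Control"},
    "syslog": {"Delivery", "Exploit", "Control", "Execute", "Maintain"},
    "netflow": {"Recon", "Delivery", "Maintain"},
    "pdns": {"Recon"},
}

# Constructed events: (source, affected host, phase the parser tagged, message).
SAMPLE_EVENTS = [
    ("firewall", "10.0.1.20", "Recon", "deny tcp 203.0.113.9 -> 10.0.1.20:445"),
    ("ids", "10.0.1.20", "Exploit", "signature hit on inbound SMB traffic from 203.0.113.9"),
    ("syslog", "10.0.1.20", "Execute", "new service installed: svc_update"),
    ("netflow", "10.0.1.20", "Maintain", "regular 60s flows to 198.51.100.7:443"),
    ("firewall", "10.0.1.33", "Recon", "deny udp 192.0.2.4 -> 10.0.1.33:161"),
    ("firewall", "10.0.1.33", "Recon", "deny tcp 192.0.2.4 -> 10.0.1.33:22"),
    ("pdns", "10.0.1.41", "Recon", "lookup of a domain registered this week"),
    ("ids", "10.0.1.41", "Delivery", "document with embedded macro downloaded"),
    # Deliberately inconsistent: passive DNS cannot show execution on a host.
    ("pdns", "10.0.1.50", "Execute", "mis-tagged by the parser"),
]


def triage(events, min_phases=2):
    """Group events per host and rank hosts by lifecycle coverage.

    An event is rejected when its source cannot observe the tagged phase.
    A host seen in fewer than min_phases distinct phases is suppressed rather
    than shown (the severity filter); ties are broken by the number of
    independent sources that corroborate the host.
    """
    per_host = defaultdict(lambda: {"phases": set(), "sources": set()})
    rejected = []
    for source, host, phase, message in events:
        if phase not in SOURCE_PHASES.get(source, set()):
            rejected.append((source, host, phase, message))
            continue
        per_host[host]["phases"].add(phase)
        per_host[host]["sources"].add(source)

    ranked, suppressed = [], []
    for host, seen in per_host.items():
        phases_in_order = [p for p in LIFECYCLE if p in seen["phases"]]
        row = (host, len(phases_in_order), len(seen["sources"]), phases_in_order)
        (ranked if row[1] >= min_phases else suppressed).append(row)
    ranked.sort(key=lambda row: (row[1], row[2]), reverse=True)
    suppressed.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return {"ranked": ranked, "suppressed": suppressed, "rejected": rejected}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, n_phases, n_sources, phases in result["ranked"]:
        print(f"{host}: {n_phases} phases via {n_sources} sources -> {', '.join(phases)}")
    print("suppressed:", [row[0] for row in result["suppressed"]])
    print("rejected:", len(result["rejected"]))
```

The point of ranking by phase coverage rather than by raw alert count is that two blocked port scans against one host generate more events than a host that shows recon, exploitation, execution and persistence across four different sensors, yet the second host is the one the analyst needs to see first. The rejection step is a cheap sanity check on the parsers feeding the SIEM: a claimed phase the source cannot observe means the normalisation, not the network, produced the alert.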
THE DARK WEB AND WHERE TO FIND YOUR LOST/STOLEN DATA
WHAT CAN FORENSIC TOOLS DO FOR US
Forensic tools and process can provide the What, Who, Where, When and Why of activity on digital devices.
What occurred on the system
• Was there data exfiltration, was malware installed, etc.
Who is responsible
• Internal employee, external attacker, etc.
Where did the attacker go after initial entry
• Did the attacker move laterally, did they stay resident on the system, etc.
When did the activity occur
• Time analysis on entry, movement, deletion of logs, etc.
Why did the activity occur
• Data theft, lateral movement, deployment of a network sniffer, etc.
WHAT CAN FORENSIC TOOLS DO FOR US
Forensic tools and process can provide the what, who, where, why and how of activity on digital devices.
Forensic tools have the capability to:
• Forensically image digital media devices for authentication and chain of custody
• Recover deleted data
• Identify connection times to network devices
• Determine if data was copied to other devices, including USB and other removable media
• Identify websites visited and "search" terms used on the Internet
• Recognize if data hiding is occurring
• Recover chat session content
• Much more...
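The first capability above, imaging for authentication and chain of custody, rests on one mechanism: hash the source media and the image at acquisition, and re-hash the copy at every handoff so that any alteration is both detected and localised to the custodian who held it. The following is an added example and not code from the presentation or from any forensic tool; the image bytes, custodian names, timestamps, evidence identifier and the record layout are all constructed assumptions for the demo.

```python
"""Evidence authentication and chain of custody by hashing.

Added illustration only; not code from the presentation or from any forensic
tool. The image bytes, custodian names, timestamps and the record layout are
constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used to fingerprint media and images."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # ISO-8601 timestamp supplied by the custodian (constructed)
    custodian: str
    action: str
    observed_hash: str


@dataclass
class EvidenceRecord:
    """Acquisition hash plus an append-only list of handling events."""
    evidence_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    @classmethod
    def acquire(cls, evidence_id, source: bytes, image: bytes, custodian, when):
        """Authenticate the image against the source it claims to copy, then open the record.

        Raises ValueError if the image and the source media do not hash identically.
        """
        source_hash, image_hash = sha256_hex(source), sha256_hex(image)
        if source_hash != image_hash:
            raise ValueError("image does not match source media")
        record = cls(evidence_id, image_hash)
        record.entries.append(CustodyEntry(when, custodian, "acquired", image_hash))
        return record

    def handoff(self, image: bytes, custodian, when, action="transferred") -> bool:
        """Record a transfer, re-hashing the copy the receiving custodian actually holds."""
        observed = sha256_hex(image)
        self.entries.append(CustodyEntry(when, custodian, action, observed))
        return observed == self.acquisition_hash

    def verify(self):
        """Return (intact, index_of_first_bad_entry); the index says where custody broke."""
        for index, entry in enumerate(self.entries):
            if entry.observed_hash != self.acquisition_hash:
                return False, index
        return True, None


def demo():
    """Constructed scenario: clean acquisition, one good handoff, then an altered copy."""
    source = b"constructed disk contents: sector0 sector1 sector2"
    record = EvidenceRecord.acquire("EV-0001", source, bytes(source),
                                    "examiner A", "2017-03-01T09:00:00Z")
    first_ok = record.handoff(bytes(source), "examiner B", "2017-03-02T10:30:00Z")
    altered = source[:-1] + b"X"      # one byte changed somewhere in the chain
    second_ok = record.handoff(altered, "examiner C", "2017-03-03T11:00:00Z")
    return record, first_ok, second_ok


if __name__ == "__main__":
    record, first_ok, second_ok = demo()
    print("handoffs verified:", first_ok, second_ok)
    print("record intact:", record.verify())
```

Because every entry carries the hash observed at that moment, a failed verification does more than say "the evidence changed": it identifies the handoff after which the hash diverged, which is exactly the question raised when authenticity of evidence is challenged and why the slide ties imaging to both authentication and chain of custody.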
WHAT CAN FORENSIC TOOLS DO FOR US
There are risks to an organization that does not use properly licensed tools and staff with the appropriate training and credentials.
Risks to an organization that does not use forensic tools and personnel properly:
• Spoliation issues from potential lawsuits
• Reduced ability to determine what occurred, i.e., what data was lost, if evidence is not available
• Possible action from regulators for not forensically preserving data
• Missing the fact that the malware is still present in the environment and has not been eradicated
• Law enforcement not being able to assist due to problems authenticating evidence and a lack of chain of custody
• Much more...
● Art Ehuan has a specialization in corporate and nation-state strategic cyber advisory services to include incident response, digital investigations, enterprise data protection and cyber risk assessments. Mr. Ehuan also serves as a lecturer on cyber crime/terrorism for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program. He has lectured on cyber threats to nation-state critical infrastructure to include Advanced Persistent Threat (APT), Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) and how to minimize cyber risk. Prior to his position as Managing Director at A&M, Art was a Director at Forward Discovery, an incident response, cyber consulting and training firm.
● Mr. Ehuan served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established their digital forensic capability and Advanced Data Security and Incident reporting programs.
● Among Mr. Ehuan’s high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation. He was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations, as well as developing BearingPoint’s corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco’s worldwide digital forensic capability.
● As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent assigned to the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. In addition, he served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations (AFOSI), where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics.
● Mr. Ehuan has received industry credentials including: the Certified Information Systems Security Professional (CISSP), and the Health Care Information Security Privacy Practitioner (HCISPP). He also maintains the Information Assessment Methodology (IAM) credentials with the National Security Agency (NSA).
● Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security’s Guide to E-Discovery and Digital Forensics from Elsevier Publishing.
Art Ehuan, CISSP, HCISPP
Managing Director
Global Cyber Risk Services
571-331-7763
QUESTIONS