Investigative Trees – Converting Attack Trees into Guides for Incident Response (SANS Technology Institute - Candidate for Master of Science Degree)

Presentation transcript:

Slide 1 – Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle, December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA

Slide 2 – Objective
Setting the Stage
Basics of Investigative Trees
Rules for Building Investigative Trees
Example: Corporate Espionage
Demo: iTree.pm

Slide 3 – Setting the Stage
Multi-Site Corporation
Information Leakage
Suspected Insider
Suspected Factor: Outsourced IT
You’re the objective third party

Slide 4 – Investigative Trees
Designed to answer one question: given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?

Slide 5 – Building a Tree
Ask a question
Split it into smaller questions that can be answered, until the questions are small enough to act upon
Build procedures to answer the questions; there may be multiple ways to answer
Add parameters to provide perspectives

Slide 6 – Rules for iTrees
Root node is the goal or outcome
Leaf nodes represent conditions of meeting the parent node or goal
– “OR” leaf nodes
– “AND” leaf nodes
All nodes should be Boolean in nature

Slide 7 – Rules (cont’d.)
Additional parameters can be added to provide perspectives
Leaf nodes may become root nodes of a sub-tree that can be saved as a library

Slide 8 – General Parameters
Confidence – level of trust
Confidence i – level of trust (impacted)
Impacted – true or false
Weight – comparison to neighbor nodes
Category – label for organization

Slide 9 – Other Parameters
Cost
Time
Rate
Units
Dependency
Early Start
Early Finish
Late Start
Late Finish
Slack Time

Slide 10 – Example: Corporate Espionage
Root question: Can we verify the vector for delivering the e-mails?
Need to define the leaf nodes or sub-goals

Slide 11 – Leaf Nodes (OR)
Were the e-mails sent via the Outlook-Exchange method?
Were the e-mails sent via the web-based OWA method?
Were the e-mails sent via a mobile device method?
Were the e-mails sent via SMTP through a gateway?

Slide 12 – Continue Expanding
Were the e-mails sent via SMTP through a gateway?
– Can we verify the presence of SMTP headers in the original e-mail?
– Can we verify the presence of the e-mail(s) in the log events from the SMTP gateway server?

Slide 13 – Add Steps to Get the Answers
Can we verify the presence of SMTP headers in the original e-mail?
– Can we recover the presence of SMTP headers in the original e-mail?
  Can we recover a copy of the original e-mail from the desktop or laptop?
  Does the e-mail contain SMTP headers (RFC821)?

Slide 14 – Demo: iTree.pm
Perl module to automate the investigation tree creation process

Slide 15 – Summary
Investigative Trees = good investment
Design supports a knowledge base (KB) natively
Easy to expand and share information
Perl modules available for creation and automation