1. Session 236 Cybercrime, Incident Response & Digital Forensics Services

2. 2 Bio Robert Schperberg is the Operations Vice President of TeleDesign Security, relating to Information Security matters, as well as, Incident Response, Digital, and Major Crimes Investigations. –Has provided incident response and investigative support to a great number of the global 100 financial institutions and corporations. –Expertise in the physical and information security, counter- terrorism, hostage negotiations, explosives investigations and interview skills and techniques.

3. 3 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

4. 4 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

5. 5 Types of Incidents Denial of service System compromise: –Local/remote –Root/admin/user –Vulnerability –Configuration –Accounts –Virus/worm Email Errors Deception Social engineering Misuse

6. 6 Techniques Observed Sophisticated Methods – Plain text encryption of programs and messages – Multi-path/multi-part program insertion – Graphics transfer using last bit of each pixel – Physical compromise of nodes, routers and networks – Spoofing of addresses – Eavesdropping on telecommunications networks & downstream spoofing – Modification of transmissions – Insider and Outsourced Insider co-opts

7. 7 Covering the Tracks Overview The attacker doesn’t want to get caught Most attacks are likely unobserved Attackers hide themselves using a variety of techniques –Log editing –File and directory hiding –Process hiding –Network usage hiding— covert channels

8. 8 Defenses from Covering the Tracks Guard the integrity of your system logs Use tools to search for hidden files All defenses from Trojan horse backdoors apply here as well!

9. 9 Hacker Conventions

10. 10 Hacker Model Terrorism Espionage Criminal Organized Group Individual Growth Path

11. 11 CERT ADVISORIES SECURITY BOOKS OPERATING SYSTEM SECURITY MANUALS SECURITY POLICIES, AND PROCEDURES. KNOWLEDGE... ALMOST ANYTHING Reverse Intent

12. 12 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

13. 13 Enterprise Incident Response Pro-active preparation in the event of a critical threat to the infrastructure The creation of a centralized reporting structure –Confidentiality of information –Sanitized data sharing The creation of a SCRT “Security Cyber Response Team” –Representatives of The Corporate infrastructure

14. 14 Goals To assist in collecting and disseminating information on incidents related to information security, including information on security configuration and security management. To implement a security Incident response process. To provide a central reporting hierarchy of contacts for information about security incidents.

15. 15 Security Program Conceptual Model

16. 16 Suggested Priorities in Incident Handling? Protecting human life. Ensuring operational continuity. Protecting sensitive, proprietary, or customer data. Protecting other intellectual property and company data. Preventing damage to other systems.

17. 17 IR Team Charter and Scope Respond and investigate incidents Act as a central point of contact for all incident information Document reported activity pertaining to security events Communication and reporting to Management

18. 18 Suggested Department Participation Stakeholders Human Resources Public Relations Legal Information Security Information Technology Auditors Telecommunications Corporate Security Loss Prevention

19. 19 Team Components Director Incident Manager(s) Steakholder(s) Skillset Team(s)

20. 20 IR Director Authority Authority to –Declare an event as an incident –Declare an incident is over Executive level authority to approve actions such as –System shutdown –Disconnect system from the network –Allow compromised system to continue to run

21. 21 IR Director Responsibilities Guides the Incident Manager in the following: –Which on-call teams (HR, PR, Legal, etc.) should be involved in the incident –When should specific on-call teams should be alerted Ensures the safety and well being of all IR team members

22. 22 Incident Manager’s Responsibilities Perform the role of IR Coordinator Manage information sharing with –Upper Management –Business Unit Management –Legal and Public Relations –Human Resources –etc...

23. 23 Incident Manager’s Responsibilities Assist in adding in new team members as required Maintaining incident database Consolidate status reports Identify who “Needs to know.” Coordinate the lessons learned and document improvement opportunities

24. 24 Incident Manager’s Responsibilities In the event the investigation is escalated from internal, to civil litigation or criminal prosecution –Maintain the evidence chain of custody –Interface with government agencies Manage evidence –Make sure chain of custody is followed –Proper packaging, etc...

25. 25 Stakeholders Responsibilities Interface their department into the IR team Assist the incident manager during an incident Represent their department’s concerns –HR may provide relevant personal info regarding suspects –PR may want to go public, or not

26. 26 Skillset Team Responsibilities Primary functions –If Auditors Identify changes and anomalies Use of available baselines –If Technical Engineers Stop any breaches and vulnerabilities –Both Groups Responsibilities Data collection Documenting activities Maintain contact with IR Manager Instruct users not to interrupt or destroy data Instruct users to stop using the system

27. 27 Reporting Structure Director: Executive Level Manager: Director Stakeholders: –Normal reporting structure Skillset team: –Report to IR Manager or IR Director during an incident –Job description MUST include IR responsibilities

28. 28 Process Overview Incident Preparation Incident Identification Containment and Investigation Eradication Restoration Post Incident Activities and Follow-up

29. 29 Framework Preparation Identification Containment and Investigation EradicationRestoration Follow-up The Cyber Response Process

30. 30 The Components Policies Procedures Teams Participants Plans Decision trees Checklists Reports Forms Communications Escalation procedure Roles and responsibilities Backups Tools and utilities IT infrastructure Investigations Proactive detection Risk evaluations Agreements Incident categories Incident indicators

31. 31 Preparation Team members –Selection –Preparation –Includes core team participation Training / presentations –IR Team –Management –Employee Documentation

32. 32 Communication Many modes of communication –Phones and Call chains Work, home, cellular –E-mail, pagers, fax –Intranet, database –Paper, face-to-face, war-room or off site Necessity of positive interpersonal communication and relationships

33. 33 Defining the Threat Differentiate between –Vulnerability –Threat –Risk Differentiate between –Event –Incident

34. 34 What is a Vulnerability? Vulnerability = A weakness which exposes an asset* to loss or damage. –Ex. Application flaws –Ex. Non-redundant networks –Ex. Poor physical security –Ex. No fire suppression systems *Asset = An object of value to the organization.

35. 35 What is a Threat? Threat = A person or group that has some probability of exploiting some vulnerability. –Ex. Casual hackers –Ex. Thieves –Ex. Foreign intelligence services –Ex. Weather

36. 36 What is Risk? Risk describes the relationship between threat, vulnerability, and assets: –Risk is the probability that a given threat will exploit a given vulnerability resulting in damage to a particular asset. The impact or cost of that asset's damage is factored in to calculate the risk. Total risk for a particular asset would consider all of the relevant threats and vulnerabilities. Risk = Threat x Vulnerability (Asset Value)

37. 37 Defining an Event Attributes –Any noticeable occurrence in a system which may lead personnel to determine an incident is occurring Examples –System crash –Unusual graphic display –New unauthorized user accounts –Something “not right”

38. 38 Defining an Incident Attributes –Any unauthorized access, entry or attempt to enter an information system –Any browsing, disruption, or denial of service –Any alteration or destruction of input processing, storage or output; or changes to hard/soft/firmware without the user’s knowledge, instruction or intent

39. 39 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

40. 40 Understanding the Incident Understand –The nature of the attack –Why the attacker chose the target Apply this knowledge to assessing –Level of the threat –Future potential of damage or danger

41. 41 Data Preservation Any and All available data must be preserved for future potential use –Why data needs to be preserved Due diligence in incident investigation and reporting Prevent a wrongful termination in the case of an insider or prosecution of an outsider Legal action may be initiated later Regulatory requirements

42. 42 Backing up the Systems Backups are critical! –A valid backup must be found to restore from –Do backups as soon as an incident has been declared –If possible, make 2 backups - one to keep as sealed evidence and one to provide a basis for comparison and assessment

43. 43 Backups as Evidence Safely store all backup media DO NOT use these backups to rebuild systems Keep backups as evidence

44. 44 Eradication and Restoration Goal: To eliminate the cause of an incident –Eradication of rogue software –Clean/reformatted disks –Ensure backups are clean –Continue to log activities –Proprietary/sensitive data must be handled properly Destruction of media Secure data wipe

45. 45 System Reinstallation Operational goal: To restore the systems to fully operational status –rebuild –replace –reconfigure Goals will differ according to: –Business units –Managers –IT Security System Reinstallation will be based on: –Policy –Business Continuity –Disaster Recovery

46. 46 Post Incident Assessment and Actions Goal: To review and integrate information related to the incident into IR procedures The most frequently neglected stage of the process This stage is potentially the most valuable to the incident response effort

47. 47 Recommendations Recommendations may need to be made to –Management –IR Team and Skillset members –Tech Support personnel –Employees

48. 48 Reporting Reports which document the entire chronology of an incident are extremely important –Metric for IR Team success –IR Team improvement –Legal Issues –Corporate Security –Due Diligence

49. 49 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

50. 50 High Tech Investigative Implications Compliance risk: –Non-compliance with local & international minimum standards Legal risk and exposure to liability: –Non-compliance with law (e.g., EU data protection) –Third-party liability and “due care” –Employment law liability –Lack of protection of intellectual property

51. 51 Objectives of Investigations Identifying the investigation Data capture & discovery Data recovery Evidence analysis Forensics protocol Investigative report Deposition/Court testimony

52. 52 What is Data Forensics? Process of extracting information from computer storage media and guaranteeing its accuracy and reliability Structured computer science discipline Involves deductive reasoning,investigative skills,and common sense Carefully planned methodology that combines physical and technical investigations

53. 53 Digital Forensics Digital Forensics knowledge & expertise are required when: –Retrieval of computer, information, data, and telecom as digital evidence. –Seizing, preserving, and analyzing digital evidence. –The evidence within a computer or any other storage media is very vulnerable –The computers or storage media are rigged to destroy evidence.

54. 54 Types of Computer Crimes Areas and types of investigations: –Computers –Wireless –Networks –PBX –Social engineering –Internal –External

55. 55 Types of Telecommunications Fraud PBX hacking Long-distance fraud Voicemail fraud Faxback fraud Wireless fraud Pager fraud

56. 56 Typical Investigation Goals Compromised? –What? How? When? Where? Who? Post-compromise activity? Source? Recommendations? Immediate and future?

57. 57 Legal Aspects Legal issues surrounding incident response & digital forensics investigations: –Evidence collection –Cyber forensics (Digital, Web, Documents, Storage) –Employee privacy policy –Corporate liability Corporate negligence Protection of customer information –eCommerce & privacy issues –Regulatory compliance –Visiting pornographic sites –Child pornography issues

58. 58 Basic Elements of Investigations Legal recovery: –Private means: Corporate security divisions Computer forensics investigative companies Private investigative agencies –Law enforcement means Local State Federal

59. 59 Basics Elements of Investigations When IRT is conducting external investigations, it’s imperative for the responders to: –Proof of security before attack –Proof of security altered –Proof of information loss or destruction –Proof that information/intellectual property was proprietary –Value of information

60. 60 Basics Elements of Investigations Understanding methods of intrusion –Provide Clues –Provide Identity –Assist in Search Internal/External If no outside connectivity, then internal –If Internal Who has access? Who has knowledge of passwords Review Audit Logs

61. 61 Basics Elements of Investigations Plan investigative strategies behind closed doors All information related to law enforcement is public –Information is related to opposing attorneys –Information is related to the media Minutes of meeting should be relevant to the investigation Exculpatory evidence should also be collected

62. 62 Basics Elements of Investigations Interviews should be conducted individually If a section of a company is affected –Everyone should be interviewed –Who knows who? –Who said what to who? –All areas of responsibilities should be defined Corporate Security Investigators will be kept out when law enforcement takes over

63. 63 Administrative Support Internal Investigative Division HR Executive Management Legal Department Corporate Security Auditors IT Administrator Telecommunications Administrator Outsourced Expert Assistance

64. 64 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

65. 65 Digital Forensics Legal Issues Elements of the crime –What specific acts, omissions or intentions must be proven Admissibility of Evidence –Evidence must be competent, relevant and material –Evidence may be: direct (witness testimony) real (tangible objects) Documentary (business records) demonstrative (models, simulations, charts or illustrations)

66. 66 Digital Forensics Legal Issues –Rules of evidence Best Evidence Rule - originals are better than copies Exclusionary Rule - improperly collected evidence may not be used in court Hearsay Rule - second-hand testimony is not allowed Chain of Custody must be explicitly maintained

67. 67 Chain Of Custody Used to demonstrate authenticity Demonstrates lack of alteration Follow the evidence from creation to admission Signatures, seals, access control, environmental control. Break in chain need not be devastating if precautions are taken

68. 68 The Evidence Life Cycle Collection and identification Analysis Storage, preservation and transportation Presentation in court Case resolution Return to victim or owner

69. 69 Areas of Evidence Identification Data Hiding Techniques E-Commerce Text Search Techniques ID of Unknown Text Disk Structure Data Encryption Matching Media to a Computer Internet Abuse ID

70. 70 Types of Evidence Public Private Legal Proprietary Intrusive

71. 71 Analyzing Computer Evidence First Commandment –Thou shalt not use the suspect’s computer to look at data, or for any other purpose. Use another computer to analyze a copy of the data instead Second Commandment –The computer used to examine the suspect’s data should either not be used for anything else or have a hard drive partition reserved solely for the suspect’s data

72. 72 Investigative & Forensics Tools Requirements –Computer Forensics Software –Traveling Computer Forensics Kit –Secure Laboratories

73. 73 Computer Forensics Software The Needed Forensic Software (General) –Clean Operating Software –Disk Image Backup Software –Search & Recovery Utilities –File Viewing Utilities –Password Cracking Software –Archive & Compression Utilities

74. 74 Computer Forensics Software Imaging Utilities –EnCase, Access Data, SafeBack, SnapBack, ForensiX Search Utilities –Forensics: EnCase, Access Data, Expert Witness –File Systems: DOS, Windows, NT, UNIX –Norton Utilities –Super Sleuth File Viewing Utilities –Microsoft Thumbnail, Thumbs Plus, Drag & View, Quick View Plus

75. 75 Seizing Evidence Primary objectives: –Secure and control the scene Power supply Network servers Specific clients Telecommunications links –Preserve the evidence and its admissibility Unless the system is in use or appears to be active, move very cautiously Photograph and/or videotape the scene at each step of the investigation Supplement photos with measurements and diagrams Keep a log of ALL activities

76. 76 Seizing Evidence –Photograph or videotape the entire setup, supplementing with measurements taken with a tape measure Layout of workspaces and computers Configurations of computers including network connections, peripherals, internal and external components. The target computer’s display

77. 77 Seizing Evidence Securing the target computer –Unplug the computer (PC or Mac only; minis and mainframes must be turned off using their standard protocols) –UNIX must be turned off if critical information is in RAM –Carefully remove the cover Remember it could be booby-trapped, so be very careful –Photograph the inside layout

78. 78 Seizing Evidence Securing the target computer –Identify each component and its logical ID –Remove label and pack all internal and external drives –Check the floppy drives for disks and, if found, remove and label as to where it was found –Place a blank disk in each floppy drive and place evidence tape over the drive opening –Turn the on/off switch to off and cover with evidence tape

79. 79 Seizing Evidence Securing Other Evidence –Seize all diskettes, PCMCIA cards, magnetic media of any kind (e.g. magnetic cartridges), and CD-ROM’s or other optical media All disks and other media should be write protected whenever possible, logged and labeled –Seize all peripherals that have or may have memory components (e.g. routers, servers, printers, FAX machines) –Seize backup tapes or other forms of storage (e.g. Jaz! disks)

80. 80 Seizing Evidence Securing Other Evidence –Seize all printouts –Seize printer ribbons, if any –Seize all documentation –Phones, answering machines, desk calendars, pocket calendars or day-timers, electronic watches may all contain evidence –Don’t forget the trash!

81. 81 Agenda Threats and attacks Building and Incident Response process Declaring an incident Investigating High Tech crimes Evidence and the legal system Demonstration

82. Questions? Robert Schperberg TeleDesign Security Email: rschperberg@teledesignsecurity.com Tel: 001-209-836-2678 Mbl:001-209-815-1506