Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics.

Published byDominick Underwood Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics."— Presentation transcript:

1 Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics

2 Discovering the Scope  Scope: Understanding what the attacker did  To determine the scope, one has to carry out a limited investigation  What helps in scope discovery  Examining initial data  Collecting and reviewing preliminary evidence  Determining course of action

3 Examining Initial Data  Talk to people involved  Use a “trust but verify” approach  IT people may not know what is important to the investigation  Assemble facts  Think of  Who  What  When  Where  Why  How

4 Gathering and Reviewing Preliminary Evidence  Identify what source of preliminary evidence may help  Pick sources of evidence that come from several categories and require less effort to analyze  Advantage of using independent sources  When sources agree, probability of incident (or not) is higher  Difficulty for attacker to delete all sources  Likelihood of accidental overwrite is low  Review evidence  Use a method that can do it quickly  Test the method to make sure it is fast and accurate Note: Absence of evidence is not evidence of absence

5 Determining a Course of Action  Activities include:  Preserving evidence  Containing damage  Questions that may help:  Will the action help answer an investigative question?  Am I following the evidence?  Am I putting too much effort into a single theory?  Do I understand the level of effort?  Am I staying objective?  Have I uncovered something that requires immediate remediation?  Note: there is no “ideal path” to solve a case.

6 Customer Data Loss Scenario  A company receives complaints from customers saying they are receiving a large amount of e-mail spam soon after they registered in company database.  Initial data:  customer complaints  How to verify?  Work with customers to check their emails  Create fake customer accounts and register  Rather than waiting, continue with investigation  Find out where customer data is stored and how it is managed

7 Customer Data Loss Scenario  There is one internal and one external database that stores customer data  Internal DB is the production server used for normal business  External DB is managed by a third party – a marketing firm - used for e-mail and postal mail  Interview IT department and learn more about the database and network

8 Customer Data Loss Scenario  Interview results  The internal DB system: About 500 GB Has advance query monitoring and reporting capability Customers can register directly via company website or manually via phone call into customer service department No other methods of updating customer records exists DB network traffic is approximately 3TB per day Backups are kept both on-site and off-site at another facility  The marketing firm receives data at the end of month following any updates

9 Customer Data Loss Scenario  Progress so far:  The marketing firm is unlikely the source of data leak  Theft via phone is unlikely as well  So, the focus of investigation should be on the website  The next step  Performing a network packet capture could be difficult  Monitoring DB access would be easier

10 Customer Data Loss Scenario  Could this be the work of an insider?  Is website code modified such that it sends customer email addresses to attacker?  Is someone taking copies of backup tapes?  So far there is no lead to suggest any of the above  What can be done to test these theories?  Enter data directly into the DB bypassing the web portal  Enter some fake records into backup tapes

11 Customer Data Loss Scenario  After two weeks of creating fake customer accounts, spam emails were received by those accounts  Spams also were received by the accounts entered manually into the DB.  So, website is not the source of data theft  No spams received by accounts placed in backup tapes  Backup tapes are not part of the problem  Thus, the strongest lead for data theft is direct access to the DB  We need to check DB activities

12 Customer Data Loss Scenario  How to check DB transactions?  Network level packet capture  DB-level query monitoring  The first option is not easy Too much data Queries might be encrypted  Query monitoring is set up after creating few more customer accounts

13 Customer Data Loss Scenario  Log file checked periodically  After two weeks the new accounts start receiving spams  Log shows a query retrieving customer emails  Select custemail from custprofile where signupdate >= …. ;  The date used was roughly two weeks old  The log shows when the query was executed and from which IP address  The IP address belongs to a desktop belonging to the company’s graphic arts department  The username associated with the query belongs to a DB administrator

14 Customer Data Loss Scenario  You check with the graphic arts department and ask if they query customer email information  Their answer is “no”  But, they say, they do frequently contact several outside vendors via email

15 Customer Data Loss Scenario  What we have learned so far:  Evidence supports customer complaints  Two-week cycle of data theft  Only customer email address is stolen  Data stolen from the production DB  Data theft query originated from a desktop computer in the graphic arts department  Graphic arts dept does not use customer email information  Query issued from a DB administrator account

16 Customer Data Loss Scenario  What is the next course of action?  There are two sources of evidence  The production database server  The desktop in graphic arts department  We need to check both sources and gather more data

17 Customer Data Loss Scenario  Action with respect to the graphics arts desktop  Collect live response  Create forensic images  Interview the user  Action with respect to the production database server  Collect live response  Preserve database logs that record user access  Preserve all query logs  Preserve all application and system logs

18 Customer Data Loss Scenario  What is the plan now?  Since we know the query origination time, see who was logged on at that time  Check that system’s network activity around that time  Examination of the graphic arts computer shows a malware is installed  The malware provides features such as remote shell, remote graphical interface, the ability to launch and terminate processes  The malware connects to an IP address allocated to a foreign country  The malware has been installed for nearly two years

19 Customer Data Loss Scenario  Final steps in the investigation process:  Use a host-based inspection tool to examine each computer in the company for indicators of compromise Look for file names, registry keys, and any other unique characteristics of the malware  Query firewall logs for indications that other computers may have been infected Look for traffic to the IP address the malware connects to

Download ppt "Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Welcome to the CardSaver VoIP Billing & Call Management Demonstration © 2004, Parwan Electronics Corporation.

Welcome to the CardSaver VoIP Billing & Call Management Demonstration © 2004, Parwan Electronics Corporation.
Lunker: The Advanced Phishing Framework

Lunker: The Advanced Phishing Framework
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Computers: Tools for an Information Age

Computers: Tools for an Information Age
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.

Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations.
Section 13.1 Add a hit counter to a Web page Identify the limitations of hit counters Describe the information gathered by tracking systems Create a guest.

Section 13.1 Add a hit counter to a Web page Identify the limitations of hit counters Describe the information gathered by tracking systems Create a guest.
Test Review. What is the main advantage to using shadow copies?

Test Review. What is the main advantage to using shadow copies?

Similar presentations

Ads by Google