EnCase Enterprise
1. Computer Forensic and Incident Response
or
Why invest in a Digital Investigations Platform?
Damir Delija
Insig2
2. Presentation plan
- Introduction to computer forensics and
incident response
• what it is
• legal and organisational issues
- EnCase approach
• Architecture, tools, methods
• Approach to forensics and incident response
• How it is done
3. Computer Forensics – a Definition
A practical definition:
“Computer Forensics is simply the
application of computer investigation
and analysis techniques in the interest
of determining potential legal evidence
(Judd Robbins).”
4. Legal Definition of Forensics
- Daubert/Frye: the most important decisions governing the
use of scientific evidence in US courts are Daubert (federal
courts) and the older Frye "general acceptance" test, still
applied by some states, California among them.
- Daubert names four primary factors a court should weigh before
ruling on the admissibility of scientific evidence (the last of them
is the whole of the Frye test):
• Whether the theory or technique has been reliably tested;
• Whether the theory or technique has been subjected to peer
review and publication;
• What the known or potential rate of error of the method
used is;
• Whether the theory or method has been generally accepted by
the relevant scientific community.
5. Role of the EnCase suite
- EnCase Suite - Guidance Software
www.guidancesoftware.com
- Central point of the security infrastructure; the other usual security
tools are subordinate to it (as feeds and actuators)
- Acts as a standalone or as an enterprise-wide tool
- Meant both to react to incidents and to audit systems, in the same
forensically sound way
- The examiner workstation is the workplace for the incident responder,
examiner, auditor and controller alike, in one consistent and
legally acceptable manner
- Predefined roles, node ranges, users and events
- Uses the other parts of the incident response infrastructure: the
ticketing system, help desk, IPS, IDS, etc.
6. What are our threats?
- Deliberate attack (hackers)
- Virus outbreaks
- Unauthorised software
- Inappropriate content
- Data leakage
- IP theft (e.g. by external consultants)
- Classified data
- Fraud
- Disgruntled employees
- Human error
- Competitors
- Clients
- Regulatory compliance
- Others (unknown)
7. Integrating Forensics into IR
What is an incident to you?
- Virus outbreak?
- Stolen laptop?
- Inappropriate usage?
- Legal requirement for electronic data?
- Unauthorised software?
- Inappropriate content?
- Classified data appearing in the wrong environments?
- Data leakage?
- IP theft?
- Disgruntled employee?
How do you respond?
- Manual processes?
- Take computers off the network?
- Suspend employees?
- External investigative consultancy?
- Outsource data collection?
- Press release / PR?
- Hope and pray?
- Ignore?
8. Latest analytics (1)
Who is behind data breaches?
- 73% resulted from external sources
- 18% were caused by insiders
- 39% implicated business partners
- 30% involved multiple parties
How do breaches occur?
- 62% were attributed to a significant error
- 59% resulted from hacking and intrusions
- 31% incorporated malicious code
- 22% exploited a vulnerability
- 15% were due to physical threats
Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10 June 2008
9. Latest analytics (2)
What commonalities exist?
66% involved data the victim did not know was on the
system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable
controls
Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10 June 2008
10. Latest analytics (3)
Nine out of ten data breach incidents involved one of the
following:
• A system unknown to the organization (or business group
affected)
• A system storing data that the organization did not know
existed on that system
• A system that had unknown network connections or
accessibility
• A system that had unknown accounts or privileges
Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team
11. How do we deal with these threats today?
Reactively
We manually investigate incidents, which is time consuming
We employ 3rd party consultancies to collect data for compliance
We quarantine computers from the network (disrupting operations)
We need multiple tools to investigate and solve problems
We have to wait for our AV vendor to supply signatures for new outbreaks
Proactively
We cannot search the network for IP or other sensitive data
We cannot search for unauthorised software or malicious code
We cannot forensically remove data or malicious processes
We don't have time to investigate disgruntled employees
We can't identify potential risks comprehensively
12. How EnCase Enterprise and its
modules link together
[Architecture diagram, rendered as a list]
- Current modules, by function:
• Data Audit: EnCase Data Audit & Policy Enforcement; EnCase eDiscovery
• System Audit: EnCase Infocon Hardening; Bit 9
• Investigative Intelligence: HB Gary Responder
- All run on the EnCase Enterprise Platform
(Examiner, SAFE, Snapshot, Connections, Pro Suite)
- EnCase Enterprise Command Centre API
- Future integrations: Document Management, Security Information
Management, Intrusion Detection Systems, Content Management
Systems
13. Critical Requirements of IR Capabilities
REACTIVE: extreme end-point visibility, to answer the hard information
security questions at critical times:
Were we compromised or not?
Precision response to attacks
Remote and immediate access to RAM and raw disk-level data
Preserve the requisite information for an optimal decision-making process
("freeze the crime scene")
Enterprise collateral damage assessment
Easily search for "intrusion footprint signatures"
Search the enterprise for critical information
14. Implement Incident Response
infrastructure
- Implement EnCase Enterprise as the core
• define additional functionality and plugins for EnCase
• training, testing, support, etc.
- Integrate it with other tools
• IDS, IPS, network management, physical security, system
administration, etc.
• help desk system, trouble ticketing system
- Develop a lifecycle for an efficient Incident
Response System
• policies, controls, reports, tests, etc.
• keep the IR system proactive, healthy and efficient
15. Anti-Forensics
Anti-forensics is any and all actions
taken by an unauthorised intruder to
conceal or destroy evidence
• securely deleting critical log files is
considered an anti-forensic technique.
- use of anti-forensics was discovered in 39% of cases
- this will be a trend to watch over the next years
Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team
16. Incident Response Recommendations
- Align process with policy
- Achieve “essential” then worry about “excellent”
- Secure business partner connections
- Create a data retention plan
- Control data with transaction zones
- Monitor event logs
- Create an incident response plan
- Increase awareness
- Engage in mock incident testing
17. IT security dependencies
- IT security depends on three core competencies:
• People - a skill and knowledge problem
• Process - there are standards and best practices
• Technology - control of usage and functions
- This can be achieved by
• developing an enterprise investigative infrastructure
• using forensic technology as a core part of IR
19. EnCase Enterprise (EE) Platform
Key capabilities
Covertly investigate live machines across the network
Bit-level analysis able to uncover deleted and hidden data
Also able to analyse volatile data in RAM
Sweep the enterprise for hacker code such as key loggers and rootkits
Court-validated as forensically sound
Role-based access control and encrypted data flow
Business benefits
Respond to HR/IT requests much faster
Conduct many more investigations with the same resources
Rules employees in or out of investigations covertly
Collects court-validated evidence of wrongdoing
20. Case Review I - Core EE
HR investigation – a specific employee is under suspicion of viewing
inappropriate content on their office machine.
The employee's PC is covertly previewed
The suspect's directory structure is viewed and all images are found
A timeline analysis of when specific files/images were saved can
be seen
Over 400 file formats can be viewed 'natively' without
having the corresponding applications
All deleted but not yet overwritten files are pulled up for further
evidence; they can be viewed even though deleted
USB/external storage device analysis can be done, to check
which files have been copied onto them
The USB device ID can be used to find where else the same device has been
plugged into other machines on the network
21. EnCase Incident Response
Key capabilities
Can integrate directly with IDS and SIM solutions
Automatically collects volatile data at point of attack or infection
Threat can be killed immediately on target machine
Scan and kill threat across entire network very quickly
Business benefits
Acts on intelligence provided by SIM
Guarantees collection of intelligence 24x7x365
Removes threat from entire estate without disrupting operations
Helps enhance defences by offering real actionable intelligence
Drives the true value out of IDS and SIM solutions
An effective way to counter "zero-day" attacks!
22. Case Review II
A professional malicious attacker tries to penetrate your network and
you have netForensics deployed.
The SIM (netForensics) and other perimeter defence products throw
up high-priority alerts
The alert is passed on to EnCase Enterprise
An automatic snapshot of the target machine is retrieved (all processes
running in the RAM of the target machine)
Your SIRT team analyses the snapshot results to determine the malicious
processes
The process can be killed remotely and its image forensically wiped on the target
node
The malicious/rogue process image is hashed and an enterprise sweep carried out
to determine the extent of the breach. It can be remotely wiped on all
"infected" nodes to clean the network
23. Kill Malicious Process – options
Choice of deleting the process file, or
deleting and wiping from hard drive
25. EnCase Data Audit & Compliance
Key capabilities
Automate the search for IP (e.g. video on demand), source code,
PII such as credit card numbers, financial statements, compliance
data, recharge card codes, etc.
by keyword, hash value, metadata, document type, within a date range, using GREP
search expressions, across a defined node range
Move offending data to a new location or wipe it completely
Works on desktops, laptops and servers regardless of OS
Business benefits
Protects valuable intellectual property
Reduces risk of credit card and customer data theft
Limits negative press by removing risks before they happen
Ensures swift compliance to regulator demands
Forms basis for refining /tightening company policies /processes.
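The GREP search for credit card numbers mentioned above produces many false positives if it matches digit patterns alone: order numbers, phone numbers and timestamps have the same shape. The Python below is an added example, not part of the original presentation and not EnCase code, showing the check a practitioner layers on top of the regular expression: the Luhn mod-10 checksum, which every payment card number passes. The sample text is constructed; the two valid numbers in it are the public Visa and Mastercard test numbers.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to further digits (so a 20-digit run is not carved into a "card").
PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits for the report; never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return regex candidates that also pass the Luhn check, masked for reporting."""
    hits = []
    for m in PAN_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            hits.append({"raw": raw, "pan": digits, "masked": mask(digits)})
    return hits


# Constructed sample: one valid Visa test number (spaced), one valid Mastercard
# test number (hyphenated), and three digit strings that only look like cards.
SAMPLE_TEXT = """customer export (constructed sample)
card: 4111 1111 1111 1111 exp 12/09
order id: 1234567890123456
typo card: 4111111111111112
backup card: 5500-0000-0000-0004
phone: 0038512345678
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit["masked"], "<-", repr(hit["raw"]))
```

On the sample the regular expression alone flags five candidates; the Luhn check leaves two. Issuer prefix and length tables cut the remainder further, and the reported hits are masked so the search itself does not spread the data it is looking for.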
26. Case Review III – protecting
confidential info
Minimise the risk of leakage by sweeping the network for a known,
highly "Confidential" strategy document.
The confidential document is hashed to get its unique signature.
An enterprise "sweep" for this hash value is done quickly. Whilst a
keyword search can be done, the hash sweep is much faster. Note that a
hash only matches byte-identical copies; an edited or re-saved version of
the document still needs the keyword search.
Results are found. Further investigation is done on those machines
to see where the document was emailed.
This is done by analysing the local PST mail file: search for
attachments with the same hash value. The main body content of
the mail can then also be easily seen.
Remediation (forensically deleting the classified data) can also be
done, if necessary.
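The hash sweep described above, as an added example that is not part of the original presentation or of EnCase. It hashes every file under a directory tree and, separately, every attachment inside mail exported as RFC 822 .eml files, which stand in for the PST (the proprietary PST format is not parsed here). The document, the file tree and the messages are constructed; addresses use the reserved .test domain.

```python
import hashlib
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the confidential strategy document.
CONFIDENTIAL = b"STRATEGY 2009 - CONFIDENTIAL\nAcquire competitor X in Q3.\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_tree(root: str) -> None:
    """Constructed workstation layout: the document, a renamed copy, an unrelated
    file, and two mails exported as .eml, one of which carries the document."""
    docs = os.path.join(root, "Documents")
    mail = os.path.join(root, "Mail")
    os.makedirs(docs)
    os.makedirs(mail)
    for name, data in (("strategy.txt", CONFIDENTIAL),
                       ("notes_backup.dat", CONFIDENTIAL),   # renamed copy
                       ("lunch.txt", b"pizza on friday\n")):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    leak = EmailMessage()
    leak["From"], leak["To"], leak["Subject"] = "alice@example.test", "press@rival.test", "fyi"
    leak.set_content("see attached")
    leak.add_attachment(CONFIDENTIAL, maintype="application",
                        subtype="octet-stream", filename="plan.bin")
    benign = EmailMessage()
    benign["From"], benign["To"], benign["Subject"] = "bob@example.test", "alice@example.test", "lunch"
    benign.set_content("pizza?")
    for name, msg in (("0001.eml", leak), ("0002.eml", benign)):
        with open(os.path.join(mail, name), "wb") as f:
            f.write(msg.as_bytes())


def sweep(root: str, targets: set) -> list:
    """Hash every file under root and every attachment inside .eml files.
    The mail file as a whole never matches: the attachment is base64-encoded
    inside it, so it has to be decoded and hashed on its own."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if sha256_hex(data) in targets:
                hits.append({"kind": "file", "path": path})
            if name.lower().endswith(".eml"):
                msg = message_from_bytes(data, policy=policy.default)
                for part in msg.iter_attachments():
                    payload = part.get_payload(decode=True)
                    if payload is not None and sha256_hex(payload) in targets:
                        hits.append({"kind": "attachment", "path": path,
                                     "filename": part.get_filename(),
                                     "from": str(msg["From"]), "to": str(msg["To"]),
                                     "subject": str(msg["Subject"])})
    return sorted(hits, key=lambda h: h["path"])


def demo() -> list:
    """Build the constructed tree in a temp dir (left in place for inspection)
    and sweep it for the document's hash."""
    root = tempfile.mkdtemp(prefix="sweep_")
    build_sample_tree(root)
    return sweep(root, {sha256_hex(CONFIDENTIAL)})


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The renamed copy is found because the sweep keys on content, not on file name; the leaking mail is found only because the attachment is decoded before hashing, and its headers then answer the "where was it emailed" question from the text.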
27. EnCase Infocon Hardening
Key capabilities
Perform network wide system integrity checking
baseline servers, workstations and laptops
perform scheduled and automated audits to look for threats from malicious and
risky applications of any kind without having to wait for signatures from
antivirus vendors and other assessment tools
Identify undocumented and unauthorized configuration changes to systems
Automate the auditing and reporting of systems across time to identify
installed software, new devices, and changes to users
Business benefits
Ensures contraband, such as illegal software, is not on the network
Ensures key system assets have not been compromised by external
hackers
Identifies suspicious employee behaviour, such as trying to hide data
28. Case Review IV – System Audit for a
key Enterprise Server
An enterprise server (e.g. an online mobile payments application) is
audited whilst live to check for potential compromise/threats.
A "gold build", i.e. the set of all known-good running processes, is created
for that server. This hash set forms the baseline.
At a later point in time, an audit is done of the same machine or of
other servers that should be identical.
Infocon Hardening quickly compares the baseline with the results
from the snapshot of running processes. Any process not in the
standard baseline is highlighted.
Based on further investigation and validation, the offending
processes can be remotely "killed" and wiped if necessary.
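The snapshot, compare and kill procedure of Case Review II and the gold-build audit of Case Review IV are one operation seen from two sides: a hash set of known-good process images, a snapshot of what is actually running, and a sweep of every node for a hash once it is confirmed malicious. The Python below is an added example, not EnCase or Infocon Hardening code, with constructed snapshot data and placeholder hashes. It keys the baseline on (image path, hash) rather than on process name, because that is what separates a patched binary from a masquerading one.

```python
import ntpath

# Constructed "gold build" for the payment server: image path and hash of every
# process expected to be running. Hash values are placeholders, not real digests.
GOLD_BUILD = {
    ("C:\\Windows\\System32\\svchost.exe", "sha256:aa11"),
    ("C:\\Windows\\System32\\lsass.exe", "sha256:bb22"),
    ("C:\\PayApp\\paysvc.exe", "sha256:cc33"),
}

# Constructed process snapshots from three nodes (pid, image path, image hash),
# the kind of data the snapshot step in the text returns.
SNAPSHOTS = {
    "paysrv01": [
        {"pid": 612, "path": "C:\\Windows\\System32\\svchost.exe", "hash": "sha256:aa11"},
        {"pid": 700, "path": "C:\\Windows\\System32\\lsass.exe", "hash": "sha256:ee55"},
        {"pid": 1480, "path": "C:\\PayApp\\paysvc.exe", "hash": "sha256:cc33"},
        {"pid": 2210, "path": "C:\\Users\\Public\\svchost.exe", "hash": "sha256:dd44"},
    ],
    "paysrv02": [
        {"pid": 608, "path": "C:\\Windows\\System32\\svchost.exe", "hash": "sha256:aa11"},
        {"pid": 696, "path": "C:\\Windows\\System32\\lsass.exe", "hash": "sha256:bb22"},
        {"pid": 1502, "path": "C:\\PayApp\\paysvc.exe", "hash": "sha256:cc33"},
    ],
    "ws-finance-17": [
        {"pid": 3320, "path": "C:\\Windows\\Temp\\updater.exe", "hash": "sha256:dd44"},
    ],
}


def audit(processes: list, baseline: set) -> list:
    """Flag every running process whose (path, hash) pair is not in the baseline,
    and say why, because the three cases call for different follow-up."""
    known_hash_by_path = {path: h for path, h in baseline}
    known_names = {ntpath.basename(path).lower() for path, _ in baseline}
    findings = []
    for proc in processes:
        if (proc["path"], proc["hash"]) in baseline:
            continue
        name = ntpath.basename(proc["path"]).lower()
        if proc["path"] in known_hash_by_path:
            verdict = "modified"      # expected path, unexpected binary (patch or tamper)
        elif name in known_names:
            verdict = "masquerade"    # baseline name running from a foreign location
        else:
            verdict = "unknown"       # nothing in the gold build looks like it
        findings.append({**proc, "verdict": verdict})
    return findings


def enterprise_sweep(snapshots: dict, suspect_hash: str) -> list:
    """Given the hash of a confirmed malicious image, list every node/pid running it."""
    return [(host, p["pid"], p["path"])
            for host, procs in snapshots.items()
            for p in procs if p["hash"] == suspect_hash]


if __name__ == "__main__":
    for f in audit(SNAPSHOTS["paysrv01"], GOLD_BUILD):
        print(f"{f['verdict']:10} pid {f['pid']:>5} {f['path']}")
    print(enterprise_sweep(SNAPSHOTS, "sha256:dd44"))
```

A legitimate patch shows up as "modified" exactly like a tampered binary, which is why the validation step the text places before the remote kill matters; a baseline keyed on process name alone would have passed the second svchost.exe. Once one image hash is confirmed malicious, the sweep shows it also running on a workstation the alert never mentioned.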
29. On investigation, undesired processes can be
killed remotely to restore the baseline
Choice of deleting the process file, or
deleting and wiping from hard drive