
Investigating Sophisticated Security Breaches




Presentation Transcript


  1. Investigating Sophisticated Security Breaches
  Digital forensics has proven tough in the age of sophisticated intruders

  2. Security Breaches
  • What’s going on?
    • Data is being compromised
    • Information is being placed in inappropriate places (e.g. a swastika on a Jewish site)
    • Code manipulation (e.g. altering code used for security without the developer’s knowledge)
    • Personal identities

  3. Security Breaches
  • Who is doing it?
    • Programmers
    • Hackers
    • Governments (China, Russia)
    • Terrorists

  4. Security Breaches
  • What is happening?
    • Workplace theft
    • Phishing scams
    • Email scams
    • Utilization of rootkits (coming up)
    • Network intrusions

  5. Security Breaches
  • Who investigates?
    • Company security personnel
    • Forensic scientists (digital and traditional)
    • Governments
    • Police departments
    • Digital forensic specialization companies

  6. Network Intrusions
  • Among the most challenging kinds of computer crime to investigate
  • Dynamic nature of networks
  • Time lost is evidence lost
  • Investigate without interrupting the organization
  • Find out what was stolen (taken)
  • Find out who did it

  7. Network Intrusions
  • Hindrances to investigation
    • Smarter and younger generation of hackers
    • Sophisticated programs
    • Dynamic nature of networks
    • Large amounts of data to go through
    • Time zone differences
    • Foreign location of systems/persons
    • Encoded communications between hosts

  8. Investigation Tools
  • The company’s security personnel (if they weren’t fired!)
  • Command, Control, Communications, and Concealment systems (Analyst’s Notebook)
  • Sniffers (packet, node, etc.)
  • Custom programs

  9. Analyst’s Notebook
  [Screenshot of Analyst’s Notebook; image credit: Jessica Reust]

  10. Rootkits
  • A rootkit is a set of software tools used to conceal running processes, for legitimate and illegitimate purposes.
  • They modify parts of the operating system (including UNIX, Linux, Solaris, and Windows).
  • The term rootkit comes from its origins on UNIX: it allows an intruder to maintain ‘root’, the highest privilege level of the UNIX operating system, typically by replacing system tools such as ps, netstat, w and passwd.

  11. Rootkits
  • Used to hide files
  • Rootkits are a technology
  • Threats that utilize rootkits generally try to maintain control of one system (zombie host)
  • Used for
    • DoS attacks
    • Email attacks
    • Spam attacks
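Slides 10 and 11 describe rootkits that conceal processes by replacing user-land tools such as ps. The classic defensive check for that is a cross-view comparison: enumerate processes straight from the kernel’s procfs and diff that against what the ps binary reports. The following is an added example written for this page, not code from the presentation; it assumes a Linux host with /proc mounted and a ps that accepts `-e -o pid=`.

```python
"""Cross-view check for processes hidden from ps (added example, not from the slides)."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\d+$")


def proc_pids(proc_root="/proc"):
    """Enumerate PIDs directly from procfs; this bypasses a trojaned ps binary."""
    return {int(name) for name in os.listdir(proc_root) if PID_RE.match(name)}


def ps_pids():
    """Ask the (possibly replaced) ps binary for its own view of running processes."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view, tool_view):
    """PIDs the kernel reports but the user-land tool omits: rootkit candidates.
    A process that exited between the two snapshots also lands here, so the
    caller should take a second snapshot before treating a PID as hidden."""
    return sorted(kernel_view - tool_view)


def confirm_hidden(pids, proc_root="/proc"):
    """Second pass: keep PIDs still present in procfs and record their command line.
    PIDs that vanished in the meantime are dropped as snapshot races, not hiding."""
    report = {}
    for pid in pids:
        try:
            with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
                report[pid] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except FileNotFoundError:
            continue
    return report


# Constructed sample views: the kernel sees PID 4242 but the replaced ps does not.
SAMPLE_KERNEL_VIEW = {1, 2, 815, 4242, 5130}
SAMPLE_TOOL_VIEW = {1, 2, 815, 5130}

if __name__ == "__main__":
    # Run the comparison twice and keep only PIDs flagged both times to suppress
    # processes that started or exited between snapshots.
    first = set(hidden_pids(proc_pids(), ps_pids()))
    second = set(hidden_pids(proc_pids(), ps_pids()))
    for pid, cmd in confirm_hidden(sorted(first & second)).items():
        print(f"hidden from ps: pid={pid} cmdline={cmd!r}")
```

This only catches user-land replacements of ps and similar tools; a kernel-level rootkit can hide a process from /proc as well, which is why the memory and network captures on slides 13 and 15 are still needed.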

  12. The Investigative Team
  • Multidisciplinary teams are needed to catch sophisticated intruders
  • Range from 3 to 8 personnel
  • All have their own expertise
  • May include outside help (local police, forensics labs, etc.)
  • May also include a liaison to other law enforcement agencies
  • Keep track of incoming information (not easy)

  13. The Need for Speed
  • Success is very dependent on the system logs and backups the organization has in place.
  • Capture logs by freezing them
  • Capture data backups by utilizing the organization’s personnel
  • Ghost (image) hard drives and memory spaces
  • Capture network traffic
  • Disable rootkits if still active to reveal any of the above needed data

  14. Organization Issues
  • Organizations are rarely prepared for a digital forensic investigation
  • Investigators seldom have knowledge of the victim network
  • The preservation effort is heavily dependent on information gathered from the victim’s IT staff
  • All of this data must be collected in a forensically sound manner

  15. Challenges Faced
  • Gathering memory dumps
  • Capturing virtual memory
  • Looking for comparable hints
  • Discovering the method of operation (MO) of the intruder
  • Searching network-level logs
  • Hacking back

  16. Conclusion
  • Ill-prepared networks allow controlled systems to attack the better-prepared networks
  • The more sophisticated the networks become, the more sophisticated the intruders become
  • Programmers, wake up

  17. Informative Sites
  • Kernel control software: Hxdef.czweb.org
  • Development of anti-forensic tools: www.metasploit.com/projects/antiforensics
  • Investigating company, Global Digital Forensics: www.evestigate.com
  • Digital Forensic Research Workshop: www.dfrws.org

  18. References
  • Casey, Eoghan. Investigating sophisticated security breaches. Communications of the ACM, Volume 49, Issue 2, February 2006. ACM Press.
  • Richard, Golden; Roussev, Vassil. Next-generation cyber forensics. Communications of the ACM, Volume 49, Issue 2, February 2006. ACM Press.
  • Burmester, Mike; Mulholland, Judie. The Advent of Trusted Computing: Implications for Digital Forensics. Communications of the ACM, Volume 49, Issue 2, April 2006. ACM Press.
  • Mohay, George. Technical Challenges and Direction for Digital Forensics. Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering, 2005.
  • Losavio, Michael. The Law of Digital Objects: Dominion and Control Issues for Digital Forensics Investigations and Prosecutions. Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering, 2005.
