Forensics Book 4: Investigating Network Intrusions and Cybercrime
Successfully Responding to Cyber Intrusions
Transcript of Successfully Responding to Cyber Intrusions
-
8/8/2019 Successfully Responding to Cyber Intrusions
1/29
Cyber Intrusion
Retail and Law Enforcement Partnerships
-
Joe Marsico
Director, Nike Retail Loss Prevention
Moderator
-
Obstacles For LP Professionals
Faceless Enemy
Non-Traditional Source Of Loss
Lack Of Technical Expertise / Training
Over-Reliance On IT Department
-
Potential Impact Of A Cyber Breach
Revenue Loss
Response / Clean-Up Is Costly
Stolen Intellectual Property
Tarnished Brand Image
Decreased Consumer Confidence
-
John Capicchioni
Big Lots Stores Inc
Director Of Information Protection
CPP and EnCase Certified Examiner
20 Years - Loss Prevention Experience
-
Information Security
Information security follows traditional security concepts.
Common goal: protecting assets from criminals attempting to convert assets to cash.
-
Information Security
The differences are:
Different types of security equipment
Different threat communities
-
Preventing Cyber Incidents
Awareness and training
Effective policies
Security-in-depth
Protection standards for information assets
-
Preventing Cyber Incidents
Awareness and Training
Password protection
Social engineering education
Secure code training for developers
InfoSec training for network group
-
Preventing Cyber Incidents
Effective Policies
Defines expected behavior
Incorporates best practices into daily activities
Regulatory-required policies
-
Preventing Cyber Incidents
Security-in-depth examples
Security Control              Loss Prev.       InfoSec
Perimeter Control             Locks, etc.      Firewall
Intrusion Detection           Burg. Alarm      I.D.S / I.P.S.
Preserving Evidence           CCTV             Logging Sys.
Identify Suspicious Activity  Exception Rpt.   S.E.I.M
-
Preventing Cyber Incidents
Protection Standards
Classify assets
Develop protection standards for each class
Inspect to identify deviations from standards and correct deficiencies.
-
2007 Attack Signatures
Worm and virus attacks accounted for 98% of all attacks detected prior to March 2007.
Since March 2007, over 90% of all alerts have been something other than worm and virus attacks.
Most appear to be originating from novice hackers or script kiddies.
FTP attacks and exploits account for 70% of post-February 2007 alerts.
-
2007 Threat Categories
[Pie chart: Exploit, Policy Violation, Reconnaissance; slices of 48%, 30% and 21%]
-
2008 Attack Signatures
There has been a steady increase in exploit activity since March 2007.
In addition to script kiddies, we are seeing attacks from Internet Protocol (IP) addresses associated with known professional hacking groups.
Over the past year, we have seen multiple 0-day attacks.
-
2008 Threat Categories
[Pie chart: Exploit, Policy Violation, Reconnaissance; visible slices of 66% and 28%]
-
Current Threats Observed
Buffer-overflow
Remote code execution
Denial of Service
Privileged access
Port Scan
Host Sweep
Probe
Brute-Force
-
Intelligence
Intelligence is critical to a successful information security program.
Sources range from free to very expensive.
You DO get what you pay for, with one exception: InfraGard.
-
Zero-Day Case Study
-
Incident Response Plan
Thorough written plan
Test plan at least annually
Do not operate in a silo:
Information Technology
Loss Prevention
Information Security/Protection
Legal
Establish contact with law enforcement prior to an actual incident.
Participate in InfraGard.
-
Cyber Attack Identified: Next Steps
Preserve evidence by following sound forensic procedures.
If you don't have in-house expertise, hire a reputable firm and/or notify law enforcement.
-
Qualified CISP Incident Response Assessor List 11/16/2007
-
Working with Law Enforcement
Decision to notify law enforcement:
Senior Management
Legal
Loss Prevention
Information Technology
Information Protection
-
Trent Teyema
FBI Unit Chief - Cyber Intrusion
Specializes In:
Corporate / State Sponsored Espionage, Security Reviews,
Malicious Code, Electronic Surveillance, E-Commerce Fraud
-
Federal Bureau of Investigation
Cyber Division
Computer Intrusion Section
Trent R. Teyema
Unit Chief
Washington, D.C.
Federal Bureau of
Investigation
1908-2008
-
A New Threat - A New Response
The Threat
Top 5 myths of working with law enforcement
The response
-
Developing A Strategic Alliance
FBI
www.fbi.gov
Internet Crime Complaint Center
www.ic3.gov
Infragard
www.InfraGard.net
-
Federal Bureau of Investigation
Celebrating a century: 1908 - 2008
Unit Chief Trent R. Teyema
FBI Cyber Division
Washington, D.C.
202-324-3000
-
Q & A