Cyber Forensics: Beyond Traditional Detection and Prevention Approaches to Cyber Security


Transcript of Cyber Forensics: Beyond Traditional Detection and Prevention Approaches to Cyber Security

Copyright © 2010 Deloitte Development LLC. All rights reserved.

Technology Executives Dbriefs series presents:

Cyber Forensics: Beyond Traditional Detection and Prevention Approaches to Cyber Security

JR Reagan, Principal, Deloitte & Touche LLP

Rich Baich, Principal, Deloitte & Touche LLP

William Farwell, Director, Deloitte Financial Advisory Services LLP

December 2, 2010


Agenda

• Introduction

• A Scary World

• A Sophisticated Response

• Approach

• Wrap-up


We’ve all seen the headlines …

“Data Breaches Cost Hospitals $6 Billion Per Year” (The Wall Street Journal, Nov 9, 2010)

“Stuxnet malware is blueprint for computer attacks on U.S.” (The Washington Post, Oct 2, 2010)

“The lack of arrests in the case underscores how difficult it is to find and apprehend online criminals…” (The New York Times, Nov 15, 2010)

“A mysterious cyber attack apparently struck the computer servers for [a political group] …” (Washington Wire, Oct 21, 2010)

“… at least 500 banks were affected by the Heartland breach” (The New York Times, Nov 14, 2010)


Poll question #1

How confident are you in your organization’s ability to detect and prevent cyber attacks?

• Very confident - we have a robust security program in place and it works

• Somewhat confident - unsure of program effectiveness

• Not confident - our systems and data are at risk

• Don’t know/not applicable


Who is doing this?

Stuxnet profile:

• Because of its sophistication, thought to be the work of a foreign government

• Considered to be first known “cyber super-weapon”

• Found in certain industrial control systems, primarily in Iranian nuclear power plant

• Four zero-day exploits, two stolen certificates for insertion into the O/S and multi-stage propagation

• Starts with infected USB-sticks; results in code insertion into industrial control systems

The Stuxnet worm, targeting SCADA controls, was found in >45,000 systems


How do we investigate this?

• Incident response + cyber threat intelligence

• Hard drive forensics + network forensics

• Financial crimes + financial intelligence (FININT)

[Figure: Maps of Conficker infections. Source: Conficker Working Group]


Re-thinking cyber response

• Cyber crime

• Military espionage

• Economic espionage

• Cyber warfare


Cyber threat profiles - cyber adversary targeting and attack methodology

Cyber adversaries collect open source intelligence in order to generate schemes and methodologies for carrying out well-planned attacks in order to achieve their goals.

[Diagram: Attack Sequence, read as four phases: Open Source Intelligence Collection, Intelligence Analysis & Review, Attack Planning & Target Selection, Attack Execution]

Open Source Intelligence Collection

• Sources: peer to peer networks, search engines, social networking, job sites

• Collected: available exploits, target information, target systems, target employees, vulnerabilities, system information, supply chain data, credentials, privileged users

Intelligence Analysis & Review

Attack Planning & Target Selection

Attack Execution

Attack sequence

• Anonymization

• Obfuscation

• Schedule

Goals: denial of service, espionage, system and network access

Targets: customer lists, control systems, intellectual property, on-line credentials, personal identity information, system access, financial data, patents & research, protected health information, secret formulas

Poll question #2

How aware are you of your organization’s cyber threat profile?

• Very aware - we have a robust threat analysis program in place and it works

• Somewhat aware - unsure of our cyber threat profile

• Not aware

• Don’t know/not applicable


Why is cyber threat intelligence required?

Our experience highlights the following challenges which organizations should take steps to address:

• Challenge: Current “signature-based” information security controls may not be effective against sophisticated, evolving cyber threats and exploits.
  Question: What kind of security controls are necessary to detect cyber threats that are currently flying under the security radar?

• Challenge: A large number of unique security appliances are generating even larger numbers of false positives and false negatives.
  Question: How do we collect data from multiple disparate sources and generate normalized, enriched, and actionable information?

• Challenge: Lack of automated capability to rapidly identify, contain, analyze and remediate compromised devices.
  Question: How do we quickly find and contain compromised devices?

• Challenge: Information provided by various intelligence sources is often outdated, high level, and not actionable.
  Question: How do we collect timely, relevant, and actionable cyber intelligence data?

• Challenge: Many organizations lack technology and process capabilities for taking timely action on near real-time intelligence data.
  Question: How can cyber intelligence data be used to automatically challenge or stop fraudulent transactions?

Use Case #1 – Using external domain intelligence to find internal Zeus infections

Understanding How Zeus Works

[Diagram: Initial Infection, then Custom Configuration Download, then Zeus Trojan Activation]

• Zeus installs on machine by:

  • Email attachments or links to a malicious site

  • Drive-by downloads from a legitimate site

  • Peer-to-peer file sharing

  • Social networking site

• Once installed, the Trojan attempts to contact a preconfigured set of sites to obtain a custom, updated configuration file which has been generated to exploit specific financial services companies

• Zeus silently monitors web access to targeted financial services, after which it actively compromises credentials and token codes. The Trojan typically manifests by injecting additional fields displayed in the browser.

Zeus Functionality and Capabilities

• Acts as client proxy server: criminal can use customer PC

• Automatic software update capability

• Ability to steal token information at near real-time speed and send results over IM to money mule agent

• Polymorphic encrypter for generating unique copies in order to evade Antivirus

• Can capture and steal digital certificates

• Can add additional fields to bank login page being displayed on customer PC

• Can modify name resolution configuration files on Local PC

• Screen capture capability

• Can remove cookies in order to force customer to re-enter credentials

Scenario: Intelligence is given to an organization which provides the latest domains used by the Zeus botnet. The organization must now determine if any internal devices are communicating with the domain, as content filters have not yet been created and deployed.
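The scenario above, as an added example (not code from the deck or from Deloitte): DNS-resolver and web-proxy logs in two different formats are normalized into one event stream and the queried or requested host names are matched against the supplied Zeus domain list, so that internal clients talking to those domains can be found before any content filter exists. The feed domains, the two log formats and the log lines are all constructed placeholders.

```python
"""Match DNS and web-proxy logs against a Zeus domain intelligence feed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed intelligence feed (placeholder names, not real Zeus domains).
ZEUS_DOMAINS = ["zeus-c2-example.invalid", "cfg-update-example.invalid"]

# Constructed log lines in two formats: a DNS resolver and a web proxy.
DNS_LOG = """\
2010-12-02T09:15:01Z resolver client 10.1.4.23#5353 query: update.zeus-c2-example.invalid. IN A
2010-12-02T09:15:03Z resolver client 10.1.7.8#6141 query: www.example.com. IN A
2010-12-02T09:16:40Z resolver client 10.1.9.77#4022 query: CFG-UPDATE-EXAMPLE.INVALID. IN A
"""
PROXY_LOG = """\
1291281307.412 10.1.4.23 TCP_MISS/200 GET http://zeus-c2-example.invalid/cfg.bin
1291281320.001 10.1.7.8 TCP_HIT/200 GET http://www.example.com/index.html
1291281355.200 10.1.2.2 TCP_MISS/200 GET http://notzeus-c2-example.invalid/a
"""

DNS_RE = re.compile(r"^(\S+) resolver client (\d+\.\d+\.\d+\.\d+)#\d+ query: (\S+) IN")
PROXY_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) \S+ \S+ (\S+)")


def normalize_domain(name):
    """Lower-case and strip the trailing dot so both sources compare equally."""
    return name.strip().lower().rstrip(".")


def matches_intel(domain, intel):
    """Return the intel domain that `domain` equals or is a subdomain of, else None.
    The suffix test is done on a label boundary, so notzeus-c2-example.invalid
    does not match zeus-c2-example.invalid."""
    domain = normalize_domain(domain)
    for bad in intel:
        bad = normalize_domain(bad)
        if domain == bad or domain.endswith("." + bad):
            return bad
    return None


def parse_events(dns_log, proxy_log):
    """Turn both raw formats into (source, timestamp, client_ip, domain) tuples."""
    events = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m:
            events.append(("dns", m.group(1), m.group(2), normalize_domain(m.group(3))))
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m:
            host = urlsplit(m.group(3)).hostname or ""
            events.append(("proxy", m.group(1), m.group(2), normalize_domain(host)))
    return events


def find_suspect_hosts(dns_log, proxy_log, intel):
    """Return {client_ip: [(source, timestamp, domain, matched_intel_domain), ...]}."""
    hits = defaultdict(list)
    for source, ts, client, domain in parse_events(dns_log, proxy_log):
        matched = matches_intel(domain, intel)
        if matched:
            hits[client].append((source, ts, domain, matched))
    return dict(hits)


if __name__ == "__main__":
    for client, evs in sorted(find_suspect_hosts(DNS_LOG, PROXY_LOG, ZEUS_DOMAINS).items()):
        print(client)
        for source, ts, domain, matched in evs:
            print(f"  {ts} {source:5s} {domain} -> intel:{matched}")
```

A client that appears in both the DNS and the proxy hits (here 10.1.4.23) is the strongest candidate for a configuration download and goes to the top of the containment list.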

Use Case #2 – Detecting and responding to a compromised remote access user

[Diagram: the Company, a Company Subsidiary and the Virtual Extended Enterprise (data, applications, DNS, web, email, remote access) connected to the Internet; Deloitte FAS Cyber Threat Intelligence supplies threat patterns, supplier websites and CTI automation, producing reports and alerts for the company. Compromise intelligence (blacklists, botnets, malware), company and subsidiary profiles and open source intelligence are queried to identify compromised devices, a compromised user and the botnet controller. Flow labels: legitimate surfing, malicious redirect, silent malware install, keylog data, attacker, compromised website, social network company.]

Diagram callouts:

• Most companies lack behavioral automation to detect compromised websites.

• Attackers compromise social networks; customers are redirected to malicious hosts.

• Social networking companies are often unaware that their sites have been compromised.

• Attackers have the ability to control and communicate with a large variety of compromised hosts that are sitting in private networks around the world.

• An organization is often focused on ensuring that its own devices and remote access users are not compromised and being controlled by cyber criminals.

• Smaller subsidiaries may not have the ability and sophistication to aggregate, normalize, and correlate cyber threat information against their internet profile.

• Addresses and names of known compromised devices can be found in many sources on the Internet.

This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Use Case #3 – Using external IP intelligence to find compromised subsidiary devices

[Diagram: the Company and a Company Subsidiary (data, applications, DNS, web, email, remote access) within the Virtual Extended Enterprise, connected to the Internet; Deloitte FAS Cyber Threat Intelligence combines compromise intelligence, company and subsidiary profiles and CTI automation into reports and alerts for both. Open source intelligence (black lists, botnets, malware) is queried to identify compromised devices, a compromised user, a compromised website and the attacker's botnet controller.]

Diagram callouts:

• Attackers control and communicate with compromised hosts sitting in private networks

• An organization is often focused on its own devices and remote access users

• Smaller subsidiaries may lack the ability to aggregate, normalize and correlate cyber threat data
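The correlation this use case describes, as an added example (not code from the deck or from Deloitte): external IP intelligence from several feeds is matched against the company's and each subsidiary's netblock profile, so that a subsidiary without its own capability still receives an attributed alert and multiple feeds reporting the same address are merged into one record. The profiles, feed names, indicators and dates are constructed placeholders using documentation address ranges.

```python
"""Correlate external IP intelligence (blacklists, botnet and malware feeds)
with the company's and its subsidiaries' address-space profiles."""
import ipaddress
from collections import defaultdict

# Constructed profiles: the netblocks each organization owns.
PROFILES = {
    "Company": ["203.0.113.0/24"],
    "Subsidiary A": ["198.51.100.0/25"],
    "Subsidiary B": ["198.51.100.128/25", "2001:db8:10::/48"],
}

# Constructed intelligence records: (indicator, feed, category, observed_on).
# An indicator may be a single address or a listed range.
INTEL = [
    ("198.51.100.37", "botnet-feed", "Botnets", "2010-11-30"),
    ("198.51.100.37", "blacklist-feed", "Blacklists", "2010-12-01"),
    ("203.0.113.200", "blacklist-feed", "Blacklists", "2010-12-01"),
    ("2001:db8:10::1f", "malware-feed", "Malware", "2010-12-02"),
    ("198.51.100.128/30", "botnet-feed", "Botnets", "2010-12-02"),
    ("192.0.2.9", "botnet-feed", "Botnets", "2010-12-02"),  # outside our space
]


def build_profiles(profiles):
    """Parse each organization's netblocks once; malformed entries are skipped."""
    parsed = {}
    for org, blocks in profiles.items():
        nets = []
        for block in blocks:
            try:
                nets.append(ipaddress.ip_network(block, strict=False))
            except ValueError:
                continue
        parsed[org] = nets
    return parsed


def owner_of(indicator, parsed):
    """Return (org, netblock) that owns the indicator, or None if it is not ours.
    A listed range only counts if it lies entirely inside one of our netblocks."""
    try:
        target = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return None
    for org, nets in parsed.items():
        for net in nets:
            if net.version == target.version and target.subnet_of(net):
                return org, str(net)
    return None


def correlate(intel, profiles):
    """Group hits by organization, one entry per indicator with every feed that reported it."""
    parsed = build_profiles(profiles)
    merged = defaultdict(lambda: {"feeds": set(), "categories": set(), "first_seen": None})
    for indicator, feed, category, seen in intel:
        owner = owner_of(indicator, parsed)
        if owner is None:
            continue  # not in any company or subsidiary profile: nothing to alert on
        rec = merged[(owner[0], owner[1], indicator)]
        rec["feeds"].add(feed)
        rec["categories"].add(category)
        rec["first_seen"] = min(seen, rec["first_seen"] or seen)
    report = defaultdict(list)
    for (org, net, indicator), rec in sorted(merged.items()):
        report[org].append({"indicator": indicator, "netblock": net,
                            "feeds": sorted(rec["feeds"]),
                            "categories": sorted(rec["categories"]),
                            "first_seen": rec["first_seen"]})
    return dict(report)
```

Each entry in the returned report is one alert addressed to the organization whose netblock contains the indicator, which is what a central CTI function would send to a subsidiary on its behalf.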

Poll question #3

Which is currently your weakest link in terms of the cyber security skills within your organization?

• Identity and access management

• Intelligence gathering/threat analysis

• Forensics

• Network operations analysis

• Inbound and outbound firewall inspection teams

• Don’t know/not applicable


Cyber Threat Intelligence & Analytics

Establishing an integrated cyber threat management capability

[Diagram: the groups below are linked by an Intelligence Collection Engine on one side and an Intelligence Distribution Engine on the other, with a Correlation Engine, an Enrichment Engine and a Fusion Engine between them.]

Shared Intelligence Data Architecture

• Cyber Threat Intelligence Database

• Security Control Data

• Technology Configuration Data Replica

• Technology Vulnerability Data Replica

• Application Log Data

• Infrastructure Log Data

Security Operations & Monitoring

• SIEM & Database Management

• Real-Time Security Monitoring

• Threat Intel Acquisition

• Cyber Criminal Profiling

• Playbook Development

Teams fed by the intelligence distribution

• eCommerce Team

• Fraud Team

• Brand Intelligence

• Development & Integration

• Incident Detection

• Red Team

• Risk Assessment

• Incident Escalation

• Supplier Threat Monitoring

• Application Team

Threat Prevention

• Monitoring Requirements

• Operational Procedures

• New Threat Intel Sources

• Security Incident Escalation

• Security Controls

• Emerging Threat Definitions

• Near real-time intelligence

• Rapid deployment of security control updates

• Data Normalization

Analytics & Investigations

• Proactive Monitoring

• Investigations

• Investigations Involving Law Enforcement

• Incident Response

• Malware Analysis

• Phishing Takedowns

• Security Event Management Portal

• Threat Modeling

• Emerging Threat Research

• Investigation Intelligence

• Threat Intelligence Analysis Portal

Poll question #4

With which of the following outside agencies are you most comfortable sharing incident investigation findings and malware events?

• FBI InfraGard Program

• U.S. Secret Service - Cyber Crime Unit

• Regional Electronic Crimes Task Force

• Other law enforcement agency

• Not comfortable sharing with outside agencies

• Don't know/not applicable

Government Agency Program Investigation

CHALLENGE

An independent committee was established to investigate a government agency program. The committee worked to identify wrongdoing, corruption and improper use and concealment of funds. The primary mandate was to identify how funds were diverted, to whom, and the volumes misused. The challenges faced by the committee included global identification and collection of data, understanding the real parties with whom business was done globally, the true financial transactions versus the accounted transactions, and identifying complex international schemes.

ENGAGEMENT

Deloitte FAS provided forensic data collection services, hosted electronic files, developed a sophisticated analytical database of the transactions, and collected international business intelligence (e.g. incorporation documents, local real estate filings, public records, etc.) to obtain information on previously unknown subjects.

• Data Collection & Fusion: Electronic records and hard copy documentation were shipped to a central Deloitte FAS location for ingestion. We built a database to house, link, and present data to investigators in a unified platform.

• Research: Business intelligence specialists gathered identifying information on target subjects of interest and, through various research including corporate registry documents, were able to link known agency employees with payment recipients. The intelligence group also assisted in locating potential witnesses.

• Analytics: Using FININT techniques such as transaction analysis, together with evidence provided by banks and government organizations, the flow of payments from vendors, through various banks, to accounts controlled by the government was developed. This funds flow provided attribution of where the bribes were actually paid and was also the basis for recovery efforts.

RESULTS

• Identified that approximately $1.8 billion in bribes was paid to the foreign government by contractors and that this amount was illicitly taken by contractors from the program fund.

• Identified that certain vendors over-charged the program fund by approximately $50 million.

Government Agency Program Investigation (cont.)

[Diagram: three stages, Data Collection & Fusion, Rules & Predictive Modeling, and Relationship Analysis]

Structured and unstructured data

• Contracts

• Letters of credit

• Side letters

• Bill of lading

• Customs entry records

• Emails

• Government agency payments

• Agency banking records

• Statements from international banks

• Wire transfer records

Tools

• Relational database

• Data visualization

• Business reporting

• Optical character recognition

• Indexing tools

• Conceptual search

• Business intelligence service [manual linking / research]

• Entity resolution software

• Link / network analysis

• Email / document analysis

Scope

• 12 languages

• 15 systems

• $100B in funds

Analysis

• Decision making under uncertainty

• Deductive analysis: hypothesis-based testing

• Inductive analysis: factor analysis, self-organizing maps

• Focus: kickbacks, bribes

Cross-border forensic pattern analysis for a government defense agency

CHALLENGE

The defense agency needed to conduct pattern analysis on four subjects within a specific industry – two individuals and two entities – to better understand the subjects’ business practices and mode of operation in several foreign jurisdictions.

ENGAGEMENT

Business intelligence specialists conducted in-depth research on the individuals and entities of interest through commercially available sources to ascertain unique identifiers, true ownership records, relationships between subjects, additional subjects of interest, and red flag issues. Over 20 different public record databases were utilized to gather this information, including worldwide corporate registries, business record databases, lists of domestic and international security risks, and international media and trade publications. In addition to the online element of research, our work consisted of gathering information through a trusted industry expert who identified local contacts of interest within the target industry, and provided specific information on travel patterns, as well as specifications on the vehicles used during cargo transportation. All information was collected in a database and the corporate ecosystem was mapped to visually highlight the nodes of activity across geographic regions.

RESULTS

• The two individuals were found to be the center of a large node of cross-border activity within the target industry.

• Several addresses of interest, located in four countries, were determined to be the hub of activity specifically used to incorporate shell companies to obfuscate ownership.

• Patterns of specific law firms and registration offices were found to be the common thread between hundreds of companies incorporated by the same group of individuals.

• Subjects were found to have direct connections (through common corporate ownership) to multiple international sanction lists.

Cyber Forensic Model of the Future

1. DATA COLLECTION

• Identification of structured and unstructured data (network IP logs)

• Identify relevant third-party data (threat intel)

• Forensic investigation (memory RAM)

• Malware analysis (new patterns)

2. DATA FUSION

• Data normalization

• Use temporal and entity keys to integrate structured and unstructured data

3. RESEARCH

• Threat intelligence information through US and Intl sources/agencies

• Develop emerging threat models

• Brand intelligence

• Risk assessments

• Playbook development

4. FORENSIC ANALYTICS

• Apply rules-based detection on 100% of traffic data to identify anomalies

• Statistically-based predictive models to identify previously unknown patterns and suspect entities

• Optimize predictive models through a feedback loop with threat intelligence from Research

Poll question #5

Are you interested in receiving follow-up information on this topic?

• Yes

• No

• Don’t know/not applicable

Join us January 6 at 2 PM ET as our Technology Executives series presents Social Computing: Important Questions CxOs will Face in 2011

Thank you for joining today’s webcast.

To request CPE credit, click the link below.


Contact information

Mark White

Principal, Deloitte Consulting LLP

[email protected]

JR Reagan

Principal, Deloitte & Touche LLP

[email protected]

Rich Baich

Principal, Deloitte & Touche LLP

[email protected]

Bill Farwell

Director, Deloitte Financial Advisory Services LLP

[email protected]

Question and Answer


This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.