Transcript of Cyber Forensics: Beyond Traditional Detection and Prevention Approaches to Cyber Security
Copyright © 2010 Deloitte Development LLC. All rights reserved.
Technology Executives Dbriefs series presents:
Cyber Forensics: Beyond Traditional Detection and Prevention Approaches to Cyber Security
JR Reagan, Principal, Deloitte & Touche LLP
Rich Baich, Principal, Deloitte & Touche LLP
William Farwell, Director, Deloitte Financial Advisory Services LLP
December 2, 2010
Agenda
• Introduction
• A Scary World
• A Sophisticated Response
• Approach
• Wrap-up
We’ve all seen the headlines …
“Data Breaches Cost Hospitals $6 Billion Per Year” - The Wall Street Journal, Nov 9, 2010
“Stuxnet malware is blueprint for computer attacks on U.S.” - The Washington Post, Oct 2, 2010
“The lack of arrests in the case underscores how difficult it is to find and apprehend online criminals…” - The New York Times, Nov 15, 2010
“A mysterious cyber attack apparently struck the computer servers for [a political group] …” - Washington Wire, Oct 21, 2010
“… at least 500 banks were affected by the Heartland breach” - The New York Times, Nov 14, 2010
Poll question #1
How confident are you in your organization’s ability
to detect and prevent cyber attacks?
• Very confident - we have a robust security
program in place and it works
• Somewhat confident - unsure of program
effectiveness
• Not confident - our systems and data are at risk
• Don’t know/not applicable
Who is doing this?
Stuxnet profile:
• Because of its sophistication, thought to be the work of a foreign government
• Considered to be the first known “cyber super-weapon”
• Found in certain industrial control systems, primarily in an Iranian nuclear power plant
• Four zero-day exploits, two stolen certificates for insertion into the O/S, and multi-stage propagation
• Starts with infected USB sticks; results in code insertion into industrial control systems
The Stuxnet worm, targeting SCADA controls, was found in >45,000 systems
How do we investigate this?
• Incident response + cyber threat intelligence
• Hard drive forensics + network forensics
• Financial crimes + financial intelligence (FININT)
Maps of Conficker Infections, Source: Conficker Working Group
Re-thinking cyber response
• Cyber crime
• Military espionage
• Economic espionage
• Cyber warfare
Cyber threat profiles - cyber adversary targeting and attack methodology
Cyber adversaries collect open source intelligence in order to generate schemes and methodologies for carrying out well-planned attacks in order to achieve their goals.
[Diagram of the attack sequence: Open Source Intelligence Collection → Intelligence Analysis & Review → Attack Planning & Target Selection → Attack Execution]
Open source intelligence collection: peer to peer networks, search engines, social networking, job sites
Information gathered and reviewed: available exploits, target information, target systems, target employees, vulnerabilities, system information, supply chain data, credentials, privileged users
Attack planning: anonymization, obfuscation, schedule
Goals: denial of service, espionage, system and network access
Targets: customer lists, control systems, intellectual property, on-line credentials, personal identity information, system access, financial data, patents & research, protected health information, secret formulas
Poll question #2
How aware are you of your organization’s cyber
threat profile?
• Very aware - we have a robust threat analysis
program in place and it works
• Somewhat aware - unsure of our cyber threat profile
• Not aware
• Don’t know/not applicable
Why is cyber threat intelligence required?
Our experience highlights the following challenges which organizations should take steps to address:
• Current “signature-based” information security controls may not be effective against sophisticated, evolving cyber threats and exploits. What kind of security controls are necessary to detect cyber threats that are currently flying under the security radar?
• A large number of unique security appliances are generating even larger numbers of false positives and false negatives. How do we collect data from multiple disparate sources and generate normalized, enriched, and actionable information?
• Lack of automated capability to rapidly identify, contain, analyze and remediate compromised devices. How do we quickly find and contain compromised devices?
• Information provided by various intelligence sources is often outdated, high level, and not actionable. How do we collect timely, relevant, and actionable cyber intelligence data?
• Many organizations lack technology and process capabilities for taking timely action on near real-time intelligence data. How can cyber intelligence data be used to automatically challenge or stop fraudulent transactions?
Use Case #1 – Using external domain intelligence to find internal Zeus infections
Understanding How Zeus Works
Infection sequence: Initial Infection → Custom Configuration Download → Zeus Trojan Activation
• Zeus installs on a machine by: email attachments or links to a malicious site; drive-by downloads from a legitimate site; peer-to-peer file sharing; social networking sites
• Once installed, the Trojan attempts to contact a preconfigured set of sites to obtain a custom, updated configuration file which has been generated to exploit specific financial services companies
• Zeus silently monitors web access to targeted financial services, after which it actively compromises credentials and token codes. The Trojan typically manifests by injecting additional fields displayed in the browser.
Zeus Functionality and Capabilities
• Acts as client proxy server: criminal can use customer PC
• Automatic software update capability
• Ability to steal token information at near real-time speed and send results over IM to money mule agent
• Polymorphic encrypter for generating unique copies in order to evade antivirus
• Can capture and steal digital certificates
• Can add additional fields to bank login page being displayed on customer PC
• Can modify name resolution configuration files on local PC
• Screen capture capability
• Can remove cookies in order to force customer to re-enter credentials
Scenario: Intelligence is given to an organization which provides the latest domains used by the Zeus botnet. The organization must now determine if any internal devices are communicating with the domain, as content filters have not yet been created and deployed.
Use Case #2 – Detecting and responding to a compromised remote access user
[Diagram: company network (data, apps, DNS, web, remote access) and a remote access user in the virtual extended enterprise, connected over the Internet to a social network company’s website; inputs shown: Deloitte FAS cyber threat intelligence, threat patterns, supplier websites, CTI automation, reports. Labelled elements (steps 1 to 5 in the original figure): legitimate surfing, attackers compromise social networks, compromised website, malicious redirect, customers redirected to malicious hosts, silent malware install, keylog data returned to the attacker.]
Callouts:
• Most companies lack behavioral automation to detect compromised websites.
• Social networking companies are often unaware that their sites have been compromised.
• Attackers have the ability to control and communicate with a large variety of compromised hosts that are sitting in private networks around the world.
• An organization is often focused on ensuring that its own devices and remote access users are not compromised and being controlled by cyber criminals.
• Smaller subsidiaries may not have the ability and sophistication to aggregate, normalize, and correlate cyber threat information against their internet profile.
• Addresses and names of known compromised devices can be found in many sources on the Internet.
Use Case #3 – Using external IP intelligence to find compromised subsidiary devices
[Diagram: company and subsidiary networks (data, apps, DNS, web, remote access) in the virtual extended enterprise; Deloitte FAS cyber threat intelligence, using compromise intelligence, company & subsidiary profiles and CTI automation, issues queries to open source intelligence (black lists, botnets, malware) and returns reports & alerts; on the Internet side: attacker, botnet controller, compromised website, compromised user, compromised devices.]
Callouts:
• Attackers control and communicate with compromised hosts sitting in private networks.
• An organization is often focused on its own devices and remote access users.
• Smaller subsidiaries may lack the ability to aggregate, normalize and correlate cyber threat data.
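The correlation step behind use cases #1 and #3 (matching intelligence-supplied domains and IP addresses against internal DNS and subsidiary firewall logs), as an added Python example written for this transcript; it is not Deloitte’s CTI automation, and the feed format, log field names and every indicator are constructed.

```python
import ipaddress
import re
# Constructed threat feed (not real); comments, mixed case and trailing dots
# show why indicators must be normalized before correlation.
INTEL_FEED = """
# constructed sample feed
Bad-Config.Example.net.
update.zeus-example.org
198.51.100.23
203.0.113.0/24
"""
# Constructed logs (field names assumed): DNS log (use case #1), subsidiary firewall log (use case #3).
DNS_LOG = """
2010-12-02T09:14:03Z query client=10.1.4.17 qname=bad-config.example.net
2010-12-02T09:14:09Z query client=10.1.4.17 qname=www.bank-example.com
2010-12-02T09:15:41Z query client=10.1.7.99 qname=update.zeus-example.org.
"""
FIREWALL_LOG = """
2010-12-02T09:16:02Z ACCEPT src=10.8.2.5 dst=203.0.113.77 dport=443
2010-12-02T09:17:30Z ACCEPT src=10.8.3.21 dst=198.51.100.23 dport=8080
"""
KV = re.compile(r"(\w+)=(\S+)")  # pulls key=value pairs out of a log line

def parse_feed(text):
    """Normalize a feed into a lower-cased domain set and a list of IP networks."""
    domains, networks = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:  # bare IPs become /32 networks, CIDR blocks stay as given
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:  # not an IP, so treat it as a domain name
            domains.add(line.lower().rstrip("."))
    return domains, networks

def match_domain(qname, domains):  # feed entry equal to qname or a parent domain
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def match_ip(addr, networks):  # feed network that contains addr, or None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((str(n) for n in networks if ip in n), None)

def correlate(domains, networks, dns_log, fw_log):
    """Map each internal device to the sorted indicators it talked to."""
    hits = {}
    for line in dns_log.splitlines():
        f = dict(KV.findall(line))
        ind = match_domain(f["qname"], domains) if "qname" in f else None
        if ind and "client" in f:
            hits.setdefault(f["client"], set()).add(ind)
    for line in fw_log.splitlines():
        f = dict(KV.findall(line))
        ind = match_ip(f["dst"], networks) if "dst" in f else None
        if ind and "src" in f:
            hits.setdefault(f["src"], set()).add(ind)
    return {dev: sorted(v) for dev, v in hits.items()}
```

Run `correlate(*parse_feed(INTEL_FEED), DNS_LOG, FIREWALL_LOG)` to get the per-device list of matched indicators; each hit is a device to contain and investigate, not proof of infection on its own.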
Poll question #3
Which is currently your weakest link in terms of the cyber
security skills within your organization?
• Identity and access management
• Intelligence gathering/threat analysis
• Forensics
• Network operations analysis
• Inbound and outbound firewall inspection teams
• Don’t know/not applicable
Cyber Threat Intelligence & Analytics
Establishing an integrated cyber threat management capability
[Diagram of the shared intelligence data architecture and the operations, analytics and business teams around it; components grouped as far as the figure’s labels allow:]
Shared Intelligence Data Architecture: cyber threat intelligence database; security control data; technology configuration data replica; technology vulnerability data replica; application log data; infrastructure log data; SIEM & database management; real-time security monitoring; data normalization
Engines: intelligence collection engine; correlation engine; enrichment engine; fusion engine; intelligence distribution engine
Security Operations & Monitoring: threat intel acquisition; cyber criminal profiling; playbook development; incident detection; incident escalation; risk assessment; red team; supplier threat monitoring; brand intelligence; intelligence development & integration; threat prevention; proactive monitoring; security event management portal
Analytics & Investigations: investigations; investigations involving law enforcement; incident response; malware analysis; phishing takedowns; threat modeling; emerging threat research; investigation intelligence; threat intelligence analysis portal
Business teams: eCommerce team; fraud team; application team
Inputs and outputs shown: monitoring requirements; operational procedures; new threat intel sources; security incident escalation; security controls; emerging threat definitions; near real-time intelligence; rapid deployment of security control updates
Poll question #4
With which of the following outside agencies are you
most comfortable sharing incident investigation
findings and malware events?
• FBI InfraGard Program
• U.S. Secret Service - Cyber Crime Unit
• Regional Electronic Crimes Task Force
• Other law enforcement agency
• Not comfortable sharing with outside agencies
• Don't know/not applicable
Government Agency Program Investigation
CHALLENGE
An independent committee was established to investigate a government agency program. The committee worked to identify wrongdoing, corruption, and improper use and concealment of funds. The primary mandate was to identify how funds were diverted, to whom, and the volumes misused. The challenges faced by the committee included global identification and collection of data, understanding the real parties with whom business was done globally, the true financial transactions versus the accounted transactions, and identifying complex international schemes.
ENGAGEMENT
Deloitte FAS provided forensic data collection services, hosted electronic files, developed a sophisticated analytical database of the transactions, and collected international business intelligence (e.g. incorporation documents, local real estate filings, public records, etc.) to obtain information on previously unknown subjects.
• Data Collection & Fusion: Electronic records and hard copy documentation were shipped to a central Deloitte FAS location for ingestion. We built a database to house, link, and present data to investigators in a unified platform.
• Research: Business intelligence specialists gathered identifying information on target subjects of interest and, through various research including corporate registry documents, were able to link known agency employees with payment recipients. The intelligence group also assisted in locating potential witnesses.
• Analytics: Using FININT techniques such as transaction analysis, together with evidence provided by banks and government organizations, the flow of payments from vendors, through various banks, to accounts controlled by the government was developed. This funds flow provided attribution of where the bribes were actually paid and was also the basis for recovery efforts.
RESULTS
• Identified that approximately $1.8 billion in bribes was paid to the foreign government by contractors and that this amount was illicitly taken by contractors from the program fund.
• Identified that certain vendors over-charged the program fund by approximately $50 million.
Government Agency Program Investigation (cont.)
[Diagram of the investigation workflow: data collection & fusion, rules & predictive modeling, relationship analysis, decision making under uncertainty]
Data collection & fusion (structured and unstructured data): contracts; letters of credit; side letters; bills of lading; customs entry records; emails; government agency payments; agency banking records; statements from international banks; wire transfer records
Rules & predictive modeling: deductive analysis (hypothesis-based testing); inductive analysis (factor analysis, self-organizing maps); decision making under uncertainty; kickbacks; bribes
Relationship analysis: business intelligence service [manual linking / research]; entity resolution software; link / network analysis; email / document analysis
Tools: relational database; data visualization; business reporting; optical character recognition; indexing tools; conceptual search
Scope: 12 languages; 15 systems; $100B in funds
Cross-border forensic pattern analysis for a government defense agency
CHALLENGE
The defense agency needed to conduct pattern analysis on four subjects within a specific industry – two individuals and two entities – to better understand the subjects’ business practices and mode of operation in several foreign jurisdictions.
ENGAGEMENT
Business intelligence specialists conducted in-depth research on the individuals and entities of interest through commercially available sources to ascertain unique identifiers, true ownership records, relationships between subjects, additional subjects of interest, and red flag issues. Over 20 different public record databases were utilized to gather this information, including worldwide corporate registries, business record databases, lists of domestic and international security risks, and international media and trade publications. In addition to the online element of research, our work consisted of gathering information through a trusted industry expert who identified local contacts of interest within the target industry and provided specific information on travel patterns, as well as specifications of the vehicles used during cargo transportation. All information was collected in a database and the corporate ecosystem was mapped to visually highlight the nodes of activity across geographic regions.
RESULTS
• The two individuals were found to be the center of a large node of cross-border activity within the target industry.
• Several addresses of interest, located in four countries, were determined to be the hub of activity specifically used to incorporate shell companies to obfuscate ownership.
• Patterns of specific law firms and registration offices were found to be the common thread between hundreds of companies incorporated by the same group of individuals.
• Subjects were found to have direct connections (through common corporate ownership) to multiple international sanction lists.
Cyber Forensic Model of the Future
[Diagram of a four-stage model; stage 3 (Research) feeds threat intelligence back into stage 4 (Forensic Analytics)]
1. Data Collection
• Identification of structured and unstructured data (inputs shown: network IP logs, threat intel, memory/RAM, new patterns)
• Identify relevant third-party data
• Forensic investigation
• Malware analysis
2. Data Fusion
• Data normalization
• Use temporal and entity keys to integrate structured and unstructured data
3. Research
• Threat intelligence information through US and international sources/agencies
• Develop emerging threat models
• Brand intelligence
• Risk assessments
• Playbook development
4. Forensic Analytics
• Apply rules-based detection on 100% of traffic data to identify anomalies
• Statistically-based predictive models to identify previously unknown patterns and suspect entities
• Optimize predictive models through a feedback loop with threat intelligence from Research
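Stage 2 of the model (integrating structured and unstructured data on temporal and entity keys) with one rules-based check from stage 4, as an added Python example that is not part of the deck; the 30-minute window, the ws-NNNN device naming convention, the helpdesk-note format and all records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # temporal key granularity (assumed)

# Constructed structured records (not real data), already keyed by device and time.
STRUCTURED = [
    ("2010-12-02T09:14:03Z", "WS-0417", "dns query bad-config.example.net"),
    ("2010-12-02T09:16:02Z", "ws-0821", "outbound 203.0.113.77:443"),
    ("2010-12-02T11:02:10Z", "ws-0417", "dns query www.bank-example.com"),
]
# Constructed unstructured records: free-text helpdesk notes whose entity key
# (device name, assumed to look like ws-NNNN) and time must be extracted first.
UNSTRUCTURED = [
    "2010-12-02 09:27 UTC ticket #1182: user on WS-0417 says the bank login "
    "page now asks for extra fields and a token code",
    "2010-12-02 14:05 UTC ticket #1190: ws-0821 needs a printer driver",
    "ticket #1191: someone reported a slow laptop",  # no keys, cannot be fused
]
ENTITY = re.compile(r"\bws-\d{4}\b", re.IGNORECASE)
NOTE_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC")

def parse_ts(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def window_key(ts):
    """Temporal key: the start of the WINDOW-sized bucket that contains ts."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // WINDOW) * WINDOW

def normalize_structured():
    for ts, entity, detail in STRUCTURED:
        yield parse_ts(ts, "%Y-%m-%dT%H:%M:%SZ"), entity.lower(), "structured", detail

def normalize_unstructured():
    """Extract entity and time keys from free text; drop notes that lack either."""
    for text in UNSTRUCTURED:
        m_ts, m_ent = NOTE_TS.search(text), ENTITY.search(text)
        if m_ts and m_ent:
            yield (parse_ts(m_ts.group(1), "%Y-%m-%d %H:%M"),
                   m_ent.group(0).lower(), "unstructured", text)

def fuse():
    """Group every record under its (entity key, temporal key), ordered by time."""
    fused = {}
    for ts, entity, source, detail in (*normalize_structured(), *normalize_unstructured()):
        fused.setdefault((entity, window_key(ts)), []).append((ts, source, detail))
    for records in fused.values():
        records.sort()
    return fused

def corroborated(fused):
    """Rule: flag entities whose window holds both machine evidence and a human report."""
    return sorted({entity for (entity, _), recs in fused.items()
                   if {source for _, source, _ in recs} == {"structured", "unstructured"}})
```

Notes that carry neither key are dropped from fusion and should be routed to manual review rather than silently lost.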
Poll question #5
Are you interested in receiving follow-up information
on this topic?
• Yes
• No
• Don’t know/not applicable
Join us January 6 at 2 PM ET as our Technology Executives series presents
Social Computing: Important Questions CxOs will Face in 2011
Thank you for joining today’s webcast.
To request CPE credit, click the link below.
Contact information
Mark White
Principal, Deloitte Consulting LLP
JR Reagan
Principal, Deloitte & Touche LLP
Rich Baich
Principal, Deloitte & Touche LLP
Bill Farwell
Director, Deloitte Financial Advisory Services LLP
This presentation contains general information only and is based on the experiences and
research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering
business, financial, investment, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or taking any action
that may affect your business, you should consult a qualified professional advisor. Deloitte, its
affiliates, and related entities shall not be responsible for any loss sustained by any person who
relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee,
and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and
its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of
Deloitte LLP and its subsidiaries.