incident reponse unravelled
|
|
- Roderick Stokes
- 6 years ago
- Views:
Transcription
1 Tux's Angels: Incident Response Unravelled linux.conf.au MEL8OURNE2008
2 Tux's Angels: Incident Response Unravelled Something to lighten the mood...
3
4 Who we are Amelia, Kate, Vanessa IT Security Geeks Department of Defence Information Security Group Computer Network Vulnerability Team (CNVT)
5 What we do For Federal and State Government: 24/7 Incident response IT Security advice and assistance Vulnerability assessments Penetration testing / red teaming Research and Development Education and Training angels@lca:~/what_we_do
6 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/agenda
7 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/incident_response
8 Incident response Incident: Events that threaten IT Security Incident response: Process of handling this situation Things to keep in mind: Inform management Involve law enforcement for criminal activity Preserve forensic integrity
9 Incident response IR life cycle: Detection Collection Analysis Detection Analysis Collection
10 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/incident_response
11 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/linux_+_foss
12 Linux + FOSS: why? Why do we use Linux in Incident Response? Not invasive Multiple filesystem support More OS control Loopback device Why FOSS? Cutting edge technology Customisable, and more control Free! angels@lca:~/linux_+_foss
13 Linux + FOSS: tool selection How do we select tools for IR? Ease of installation Easy to understand, use and configure How accurate and updated it is Support and documentation available Reputation of the developers angels@lca:~/linux_+_foss
14 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/linux_+_foss
15 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/investigation
16 Investigation The incident IR life cycle Detection Collection Analysis
17 Investigation The incident IR life cycle Detection Collection Analysis
18 The incident Who? Administrator from Playground Inc. What? Suspected compromise of workstation ALPHA When? Reported at 4:30pm on 19th Dec 2007 playground.net1.myturf.net domain Requested on site assistance from Tux's Angels
19 The network
20 The network
21 Timeline: what we know
22 Timeline: what we know
23 Timeline: what we know Simile Timeline:
24 Investigation The incident IR life cycle Detection Collection Analysis
25 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
26 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
27 Detection Finding out if a security incident occurred May come from a variety of sources: IDS Logs Users Odd system behaviour Use all tools and resources available angels@lca:~/investigation/ir_life_cycle/detection
28 Detection Variety of tools can be used to detect a security incident These can be broken down into: Network Based Intrusion Detection Systems (NIDS) Host Based Intrusion Detection Systems (HIDS) Log watch and alerting tools angels@lca:~/investigation/ir_life_cycle/detection
29 Detection: NIDS Network based Intrusion Detection System NIDS tools they considered using Squil EasyIDS Their NIDS tool of choice Snort with BASE
30 Detection: HIDS Host based Intrusion Detection System HIDS tools they considered using AIDE Labrador Their HIDS tool of choice Afick
31 Detection: Log watch and alerting Log watch and alerting Logging and alerting tools they considered using LogCheck Devialog Their logging and alerting tool of choice Swatch
32 Detection: Custom IDS Solution Their custom IDS solution!
33 Detection: Custom IDS Solution
34 Detection: Custom IDS Solution ON AT BOOT MYSQL SNORT LOGS VIEWED BASE LOGS SYSLOG
35 Detection: Custom IDS Solution ON AT BOOT MYSQL SNORT LOGS VIEWED BASE LOGS SYSLOG DUMPCAP CREATES ROLLING PCAPS
36 Detection: Custom IDS Solution ON AT BOOT MYSQL SNORT LOGS VIEWED BASE LOGS SYSLOG SWATCH WATCHES ON ALERT BASH SCRIPT KICKS OFF DUMPCAP GETS 1 BEFORE, 3 AFTER ALERT CREATES ROLLING PCAPS angels@lca:~/investigation/ir_life_cycle/detection
37 Detection: Custom IDS Solution ON AT BOOT MYSQL SNORT LOGS VIEWED BASE LOGS SWATCH SYSLOG ANALYSED BASH SCRIPT TCPFLOW WATCHES ON ALERT KICKS OFF DUMPCAP GETS 1 BEFORE, 3 AFTER ALERT CREATES ROLLING PCAPS angels@lca:~/investigation/ir_life_cycle/detection MERGES EXTRACTS FLOWS MERGECAP
38 DEMO: Detecting an incident using snort, swatch, tcpflow and BASE
39 Detection: results Suspect compromise: YES Snort unsuccessful TELNET login from ALPHA to Internet box Afick 3 new unexplained exe's: inst.exe inst2.exe MS Indexer.exe Information passed to Tux's Angels angels@lca:~/investigation/ir_life_cycle/detection
40 Timeline + Detection: what we know angels@lca:~/investigation/ir_life_cycle/detection
41 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
42 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
43 Collection Acquiring data to determine occurrences related to a specific event Collect data Verify data angels@lca:~/investigation/ir_life_cycle/collection
44 Collection Data can come from a variety of sources: network memory disk angels@lca:~/investigation/ir_life_cycle/collection
45 Collection: network Collecting network data Tools we considered using: dumpcap Wireshark Tool of choice: tcpdump
46 Collection: memory Collecting memory data Techniques we considered using: Crash dumps Hibernation file Tool of choice: FAU dd
47 Collection: disk Collecting disk data Tools we considered using: dd sdd Tool of choice: dcfldd
48 Collection What happened onsite?
49
50 Collection What happened onsite? Physical memory: FAU dd and dcfldd Disk image: dcfldd Startup pcaps: tcpdump Gateway pcaps: dumpcap
51 DEMO: Memory acquisition using FAU dd and dcfldd
52 Timeline + Collection: what we know angels@lca:~/investigation/ir_life_cycle/collection
53 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
54 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
55 Analysis Analysing the data acquired in collection phase Confirmatory analysis and event reconstruction Data is Surveyed, Extracted and Examined (SEE data analytic approach)
56 Analysis Our priorities: 1) Cause of compromise 2) Extent of compromise 3) Malware functionality & identity
57 Analysis Data from collection phase: network disk memory Tools to analyse each dataset
58 Analysis: network
59 Analysis: network Network tools we considered: tcpxtract ngrep netdude Our network tool of choice: wireshark
60 Analysis: network
61 The network
62 Analysis: network Network capture ( pcap): From :28 to :00 Taken on external gateway interface ( ) First observation: At 14:05 ALPHA starts using a proxy rather than a DIRECT connection to the Internet Proxy is an untrusted IP address: angels@lca:~/investigation/ir_life_cycle/analysis/network
63 Timeline: wpad DNS request
64 Timeline: wpad DNS request
65 Analysis: wpad.dat function FindProxyForURL(url, host) { if (shexpmatch(url, "*.playground.net1.myturf.net/*")) { return "DIRECT"; } return "PROXY proxy.myturf.net:3128"; } angels@lca:~/investigation/ir_life_cycle/analysis/network
66 Analysis: wpad.dat function FindProxyForURL(url, host) { if (shexpmatch(url, "*.playground.net1.myturf.net/*")) { return "DIRECT"; } return "PROXY proxy.myturf.net:3128"; } angels@lca:~/investigation/ir_life_cycle/analysis/network
67 Analysis: wpad refresher Web Proxy Autodiscovery protocol Used by web browsers set to auto detect proxy settings DHCP and DNS wpad.<domain> Moves up hierarchy until it gets a hit angels@lca:~/investigation/ir_life_cycle/analysis/network
68 Analysis: wpad resolving
69 Timeline: Firefox setup.exe downloaded
70
71
72
73
74 Analysis: network Is this the real firefox setup.exe?
75 Analysis: network Is this the real firefox setup.exe? NO WAY!
76 Analysis: network Is this the real firefox setup.exe? NO WAY! Content type: application/octet stream
77 Analysis: network Is this the real firefox setup.exe? NO WAY! Content type: application/octet stream Like this: Two executables Legitimate executable the user requested. e.g. the real firefox setup.exe
78 84d p0rxy
79 Timeline: encrypted comms to malware controller
80 The attack network
81 The attack network
82 Analysis Our priorities: 1) Cause of compromise 2) Extent of compromise 3) Malware functionality & identity
83 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise 3) Malware functionality & identity angels@lca:~/investigation/ir_life_cycle/analysis/network
84 Analysis: disk
85 Analysis: disk Disk tools we considered: Suite: sleuthkit + autopsy Utilities: many Tasks: Antivirus scan, MAC time analysis, browser history, event logs, registry, file carving angels@lca:~/investigation/ir_life_cycle/analysis/disk
86 Analysis: disk Our disk tools of choice: Suite: pyflag Utilities: clamav, mork.pl, sleuthkit (fls, mactime, dls), scalpel, md5sum, strings, file
87 Analysis: disk Antivirus scan using clamav Scheduled to update & scan using cron Log file can be easily grep'd Results can be scripted to extract infected files AV can be hit or miss due to variants Infected file: 36 (Trojan.Small 2497) VirusTOTAL: Backdoor.Poison variant?
88 Analysis: disk md5sum identified unique viruses inst.exe inst2.exe == MS Indexer.exe == live.exe Afick hash database identified these same files strings of each executable matched executables in firefox setup.exe
89 Analysis: disk Firefox setup.exe inst.exe inst2.exe/ms Indexer.exe/live.exe Legitimate executable the user requested. e.g. the real firefox setup.exe
90 MAC times (files and registry hives) Event log IE browser cache
91
92 Analysis: disk pyflag enabled us to: Confirm initial compromise Determine how the malware unpacks
93 Analysis: how the malware unpacks Firefox setup.exe inst.exe inst2.exe/ms Indexer.exe/live.exe Legitimate executable the user requested. e.g. the real firefox setup.exe
94 Analysis: how the malware unpacks Firefox setup.exe Unpacker inst2.exe/ms Indexer.exe/live.exe Legitimate executable the user requested. e.g. the real firefox setup.exe
95 Analysis: how the malware unpacks Firefox setup.exe Unpacker Trojan/malware Legitimate executable the user requested. e.g. the real firefox setup.exe
96 Analysis: how the malware unpacks Firefox setup.exe Unpacker THIS IS MY BAD FOOD. BAAAAD FOOD Trojan/malware THIS IS MY BAD FOOD. BAAAAD FOOD Legitimate executable the user requested. e.g. the real firefox setup.exe
97 Timeline: persistence
98 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise 3) Malware functionality & identity angels@lca:~/investigation/ir_life_cycle/analysis/disk
99 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise Malware: inst2.exe Methods of persistence: reg keys, start up 3) Malware functionality & identity angels@lca:~/investigation/ir_life_cycle/analysis/disk
100 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise Malware: inst2.exe Methods of persistence: reg keys, start up 3) Malware functionality & identity angels@lca:~/investigation/ir_life_cycle/analysis/disk
101 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise Malware: inst2.exe Methods of persistence: reg keys, start up 3) Malware functionality & identity Functionality: keylogging, password hashes, file upload, encrypted comms angels@lca:~/investigation/ir_life_cycle/analysis/disk
102 Analysis: memory
103 Analysis: memory Memory tools we considered: PTFinder PoolTools Windows IR/CF tools Our memory tool of choice: volatility
104 DEMO: Memory analysis using volatility
105 Analysis: memory pslist: firefox.exe (1812) firefox.exe not running when memory acquired! connections: firefox.exe (1812) to :3460 dlllist: parameters to firefox.exe, non standard?
106 Analysis: memory
107 Analysis: memory
108 Analysis Our priorities: 1) Cause of compromise wpad + malicious firefox 2) Extent of compromise Malware: inst2.exe Methods of persistence: reg keys, start up 3) Malware functionality & identity Functionality: keylogging, password hashes, file upload, encrypted comms Identity: PoisonIvy angels@lca:~/investigation/ir_life_cycle/analysis/memory
109 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
110 Investigation The incident IR life cycle Detection Collection Analysis Detection Analysis Collection
111 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/investigation
112 Agenda Incident response Linux + FOSS Investigation Conclusion angels@lca:~/conclusion
113 Final Timeline: Investigation SOLVED!
114 Ok, so what now? Block outbound comms Prevent further compromise Reimage infected machines Ensure no mechanism for persistence Assess damage
115 Linux + FOSS Tool wrap up Detection: swatch/snort/dumpcap/base Collection: dcfldd/faudd/tcpdump Analysis: wireshark/pyflag (and others)/volatility How you can use these tools, even if you're not in an IR team? angels@lca:~/conclusion
116 Thanks... Our bad guy: Eddie Cornejo LCA
117 Thank you. Any questions? References (images): Alpha DC home server from hp.png Gateway %20Server.jpg Internet Badguy Dragons
Windows Forensics Advanced
Windows Forensics Advanced Index: CF102 Description Windows Forensics - Advanced is the next step for forensics specialists, diving deeper into diverse processes on Windows OS serving computer investigators.
More informationGuide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Chapter 11 Network Forensics Objectives Describe the importance of network forensics Explain standard procedures for performing a
More informationTraining for the cyber professionals of tomorrow
Hands-On Labs Training for the cyber professionals of tomorrow CYBRScore is a demonstrated leader in professional cyber security training. Our unique training approach utilizes immersive hands-on lab environments
More informationCNIT 121: Computer Forensics. 9 Network Evidence
CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationS23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group
S23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill
More informationIntroduction to Computer Forensics
Introduction to Computer Forensics Subrahmani Babu Scientist- C, Computer Forensic Laboratory Indian Computer Emergency Response Team (CERT-In) Department of Information Technology, Govt of India. babu_sivakami@cert-in.org.in
More informationn Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic
Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output
More informationWeek Date Teaching Attended 9 Mar 2013 Lab 9: Network Forensics
Week Date Teaching Attended 9 Mar 2013 Lab 9: Network Forensics Aim: The aim of this lab is to further investigate network-based forensic investigations, including network evidence capture and analysis
More informationBlue Team Handbook: Incident Response Edition
Blue Team Handbook: Incident Response Edition A condensed field guide for the Cyber Security Incident Responder. By: Don Murdoch, GSE, MBA, CISSP+14 Version 2.0 1. Blue Team Handbook - Introduction 3 2.
More informationTanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018
Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years
More informationFREE ONLINE WEBSITE MALWARE SCANNER WEBSITE SECURITY
PDF 11 AWESOME TOOLS FOR WEBSITE MALWARE SCANNING FREE ONLINE WEBSITE SECURITY 1 / 5 2 / 5 3 / 5 website malware scanner pdf Qualys Malware Detection helps you to scan continuously for malware against
More informationForensic and Log Analysis GUI
Forensic and Log Analysis GUI David Collett I am not representing my Employer April 2005 1 Introduction motivations and goals For sysadmins Agenda log analysis basic investigations, data recovery For forensics
More informationIT Services IT LOGGING POLICY
IT LOGGING POLICY UoW IT Logging Policy -Restricted- 1 Contents 1. Overview... 3 2. Purpose... 3 3. Scope... 3 4. General Requirements... 3 5. Activities to be logged... 4 6. Formatting, Transmission and
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationStandard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.
Standard Categories for Incident Response Teams Definitions V2.1 February 2018 Standard Categories for Incident Response (definitions) V2.1 1 Introduction This document outlines categories that Incident
More informationForensic analysis Local Incident Response Toolset, Document for students 1.0 DECEMBER European Union Agency For Network And Information Security
Local Incident Response Toolset, Document for students 1.0 DECEMBER 2016 www.enisa.europa.eu European Union Agency For Network And Information Security About ENISA The European Union Agency for Network
More informationNetwork Intrusion Analysis (Hands on)
Network Intrusion Analysis (Hands on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect
More informationRansomware A case study of the impact, recovery and remediation events
Ransomware A case study of the impact, recovery and remediation events Peter Thermos President & CTO Tel: (732) 688-0413 peter.thermos@palindrometech.com Palindrome Technologies 100 Village Court Suite
More informationRansomware A case study of the impact, recovery and remediation events
Ransomware A case study of the impact, recovery and remediation events Palindrome Technologies 100 Village Court Suite 102 Hazlet, NJ 07730 www.palindrometech.com Peter Thermos President & CTO Tel: (732)
More informationDigital Forensics Practicum CAINE 8.0. Review and User s Guide
Digital Forensics Practicum CAINE 8.0 Review and User s Guide Ana L. Hernandez Master of Science in Cybersecurity Digital Forensics Concentration University of South Florida 12-8-2017 Table of Contents
More informationEmerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan
Emerging Threat Intelligence using IDS/IPS Chris Arman Kiloyan Who Am I? Chris AUA Graduate (CS) Thesis : Cyber Deception Automation and Threat Intelligence Evaluation Using IDS Integration with Next-Gen
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationMemory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos
Memory Analysis Part II. Basic Techniques and Tools for Digital Forensics CSF: Forensics Cyber-Security Fall 2018 Nuno Santos Previous classes Files, steganography, watermarking Source of digital evidence
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationForensic Analysis. The Treachery of Images. Alexandre Dulaunoy. February 5, Forensic Analysis Bibliography Use case Q and A
Bibliography Use case Q and A The Treachery of Images February 5, 2016 Bibliography Use case Q and A Introduction Disclaimer Images ( The Treachery of Images ) (1928) Rene Magritte La Trahison des Bibliography
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationTraining UNIFIED SECURITY. Signature based packet analysis
Training UNIFIED SECURITY Signature based packet analysis At the core of its scanning technology, Kerio Control integrates a packet analyzer based on Snort. Snort is an open source IDS/IPS system that
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationIndigoVision. Control Center. Security Hardening Guide
IndigoVision Control Center Security Hardening Guide Control Center THIS MANUAL WAS CREATED ON MONDAY, JANUARY 15, 2018. DOCUMENT ID: IU-SMS-MAN011-2 Legal Considerations LAWS THAT CAN VARY FROM COUNTRY
More informationSonicWall Capture Client 1.0. Operations
SonicWall Capture Client 1.0 Operations Contents Part 1. Introduction About Capture Client................................................................5 Description...........................................................................
More informationPresentation by Brett Meyer
Presentation by Brett Meyer Traditional AV Software Problem 1: Signature generation Signature based detection model Sheer volume of new threats limits number of signatures created by one vendor Not good
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationDigital Forensics Lecture 01- Disk Forensics
Digital Forensics Lecture 01- Disk Forensics An Introduction to Akbar S. Namin Texas Tech University Spring 2017 Digital Investigations and Evidence Investigation of some type of digital device that has
More informationFastResponder: New Open Source weapon to detect and understand a large scale compromise
FastResponder: New Open Source weapon to detect and understand a large scale compromise About us French Company in Cyber Security Cert Sekoia Detection Intrusion experts Digital Forensics and Incidence
More informationForensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH
Forensics for Cybersecurity Pete Dedes, CCE, GCFA, GCIH WHO AM I? Pete Dedes, Forensics Analyst, Sword & Shield Enterprise Security Education Bachelor s of Science Computer Science, University of Tennessee
More informationCyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX
Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security HTML PHP Database Linux Operating System and Networking: LINUX NETWORKING Information Gathering:
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationForensic Analysis - 2nd Lab Session
File System Forensic and Analysis December 12, 2014 File System Analysis File System Analysis can be used for Analysis the activities of an attacker on the honeypot file system. Analysis of a malware leaving
More informationZillya Internet Security User Guide
Zillya Internet Security User Guide Content Download Zillya Internet Security... 4 Installation Zillya Internet Security... 4 System Status... 7 System Scanning... 9 When Zillya Internet Security finds
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationNetwork Security Monitoring: An Open Community Approach
Network Security Monitoring: An Open Community Approach IUP- Information Assurance Day, 2011 Greg Porter 11/10/11 Agenda Introduction Current State NSM & Open Community Options Conclusion 2 Introduction
More informationFinancial Forensic Accounting
Financial Forensic Accounting Qualification Scope of Content Version: as at 02 March 2018 6. SCOPE OF CONTENT 1. Digital forensics overview 1.1. History of digital forensics 1.2. Sources of electronic
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationIndicators of Compromise
Indicators of Compromise Effectively apply threat information Factsheet FS-2016-02 version 1.0 1 June 2017 If you are responsible for securing the network of your organisation, you will often hear the
More informationAuthor: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0
Author: Tonny Rabjerg Version: 20150730 Company Presentation WSF 4.0 WSF 4.0 Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the
More informationCourse 832 EC-Council Computer Hacking Forensic Investigator (CHFI)
Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI) Duration: 5 days You Will Learn How To Understand how perimeter defenses work Scan and attack you own networks, without actually harming
More informationOverview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks
Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationDesign your network to aid forensics investigation
18th Annual FIRST Conference Design your network to aid forensics investigation Robert B. Sisk, PhD, CISSP Senior Technical Staff Member IBM Baltimore, Maryland USA Master Outline Introduction Incident
More informationAudience. Overview. Enterprise Protection Platform for PCI DSS & HIPAA Compliance
Enterprise Protection Platform for PCI DSS & HIPAA Compliance Overview Sen$nelOne was founded in 2013 with a vision to develop new and groundbreaking, next genera$on endpoint protec$on solu$ons for enterprises.
More informationComputer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic
Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition Chapter 2 Investigating Network Traffic Objectives After completing this chapter, you should be able to: Understand network
More informationGCIA. GIAC Certified Intrusion Analyst.
GIAC GCIA GIAC Certified Intrusion Analyst TYPE: DEMO http://www.examskey.com/gcia.html Examskey GIAC GCIA exam demo product is here for you to test the quality of the product. This GIAC GCIA demo also
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationTools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems
Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems Presenters: Rima Asmar Awad, Saeed Beztchi Co-Authors: Jared M. Smith, Stacy Prowell, Bryan Lyles Overview Supervisory
More informationSandboxing and the SOC
Sandboxing and the SOC Place McAfee Advanced Threat Defense at the center of your investigation workflow As you strive to further enable your security operations center (SOC), you want your analysts and
More informationForeword by Todd Heberlein
ConteNTS in Detail About the Author Foreword by Todd Heberlein xvii xix Preface xxv Audience... xxvi Prerequisites... xxvii A Note on Software and Protocols... xxvii Scope.... xxviii Acknowledgments...
More informationCOMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9
COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9 Course Code: 3401 Prepare for the CHFI certification while learning advanced forensics investigation techniques. EC-Council released the most advanced computer
More informationOHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE
OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE I. Description of Course: 1. Department/Course: CNET - 174 2. Title: Computer Forensics 3. Cross Reference: 4. Units: 3 Lec Hrs:
More informationG/On OS Security Model
Whitepaper G/On OS Security Model Technical Whitepaper with Excitor comments on CESG Guidance 1 About this document This document describes the security properties of G/On OS, which is a Linux based, client
More informationCYBERSECURITY RISK LOWERING CHECKLIST
CYBERSECURITY RISK LOWERING CHECKLIST The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions as to the level of risk they
More informationGEARS + CounterACT. Advanced Compliance Enforcement for Healthcare. December 16, Presented by:
Advanced Compliance Enforcement for Healthcare Presented by: December 16, 2014 Adam Winn GEARS Product Manager OPSWAT Kevin Mayer Product Manager ForeScout Agenda Challenges for the healthcare industry
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationCEH: CERTIFIED ETHICAL HACKER v9
CEH: CERTIFIED ETHICAL HACKER v9 SUMMARY The Certified Ethical Hacker (CEH) program is the core of the most desired information security training system any information security professional will ever
More informationIncident Response Tools
Incident Response Tools James Madison University Dept. of Computer Science June 13, 2013 1 Introduction Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network.
More informationRSA Web Threat Detection
RSA Web Threat Detection Online Threat Detection in Real Time Alaa Abdulnabi. CISSP, CIRM RSA Pre-Sales Manager, TEAM Region 1 Web Threat Landscape In the Wild Begin Session Login Transaction Logout Web
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationDigital Forensics Lecture 7. Network Analysis
Digital Forensics Lecture 7 Network Analysis This Week s Presentations Johnathan Ammons: Web Analysis Kelcey Tietjen: Wireless Network Traffic David Burton: Collection and Analysis of Network Traffic David
More informationSonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009
Release Notes SonicOS Standard 3.1.6.3 Release Notes SonicWALL, Inc. Software Release: June 4, 2009 CONTENTS Platform Compatibility...1 Software Release Caveats...1 Known Issues...2 Resolved Issues...2
More informationSecureAPlus User Guide. Version 3.4
SecureAPlus User Guide Version 3.4 September 2015 Copyright Information Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious
More informationLab 4: Network Packet Capture and Analysis using Wireshark
Lab 4: Network Packet Capture and Analysis using Wireshark 4.1 Details Aim: To provide a foundation in network packet capture and analysis. You may be faced with network traffic analysis, from traffic
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationBuilding Resilience in a Digital Enterprise
Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.
More informationWhen does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009
Packet Sniffers INFO 404 - Lecture 8 24/03/2009 nfoukia@infoscience.otago.ac.nz Definition Sniffer Capabilities How does it work? When does it work? Preventing Sniffing Detection of Sniffing References
More informationHello! we are here to share some stories
SHARING SESSION Hello! Paulus Tamba CISSP, former PCI-QSA Was with Verizon-CyberTrust, BT Global Services, and FireEye Specialize in Threat and Vulnerability Management, Security Operation, and Managed
More informationOperationalizing your Security Data. Presenter: Lee Imrey Splunk, Security Market Specialist
Operationalizing your Security Data Presenter: Lee Imrey Splunk, Security Market Specialist Agenda Introduction Basics Using the right tools for the jobs Identifying (and Exploring) Data Sources Investigation
More informationNot your Father s SIEM
Not your Father s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group Agenda Why use a SIEM? What is a SIEM? Benefits of Using a SIEM Considerations Before
More informationKevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management
The State of the Hack Kevin Mandia MANDIANT Who Am I? Adjunct Professor Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington University Computer
More informationMFP: The Mobile Forensic Platform
MFP: The Mobile Forensic Platform Abstract Digital forensics experts perform investigations of machines for triage to see if there is a problem, as well as to gather evidence and run analyses. When the
More informationCybersecurity for IT Online. kaspersky.com/awareness #truecybersecurity. Kaspersky Enterprise Cybersecurity
Kaspersky Enterprise Cybersecurity Cybersecurity for IT Online First line incident response training for general IT specialists kaspersky.com/awareness #truecybersecurity Cybersecurity for IT Online (CITO)
More informationNetwork Traffic Analysis - Course Outline
Network Traffic Analysis - Course Outline This course is designed for system/network administrations with an overall understanding of computer networking. At the end of this course, students will have
More informationNIST SP Notes Guide to Integrating Forensic Techniques into Incident Response
NIST SP800-86 Notes Guide to Integrating Forensic Techniques into Incident Response Authors: Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang, August 2006 Computer Forensics The application of science
More informationGRR Rapid Response. An exercise in failing to replace yourself with a small script.
GRR Rapid Response An exercise in failing to replace yourself with a small script. Darren Bilby - Digital Janitor - Google Tech Lead Incident Response / Forensics Agenda Why GRR? What we built Demo 1 Key
More informationFinIntrusion Kit / Release Notes. FINFISHER: FinIntrusion Kit 4.0 Release Notes
1 FINFISHER: FinIntrusion Kit 4.0 Release Notes 2 Copyright 2013 by Gamma Group International, UK Date 2013-07-12 Release information Version Date Author Remarks 1.0 2010-06-29 ht Initial version 2.0 2011-05-26
More informationUTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution
UTM Firewall Registration & Activation Manual DFL-260/ 860 Ver 1.00 curitycu Network Security Solution http://security.dlink.com.tw 1.Introduction...02 2.Apply for a D-Link Membership...03 3.D-Link NetDefend
More informationNetwork Device Forensics. Digital Forensics NETS1032 Winter 2018
Network Device Forensics Digital Forensics NETS1032 Winter 2018 Risks Most data created, stored, and used by users is kept in files on computers running end user oriented operating systems like Windows,
More informationBOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016
BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016 Overview Current Threats Where we fail Cyber Security Lifecycle Key Areas to Continuously Monitor Security Metrics Where to prioritize Security
More informationPHISHING Takedown Process
PHISHING Takedown Process CONGRATULATIONS, you just won a trip to the Bahamas! Update your password now! Please confirm your account information. You have a tax refund waiting for you. These are the common
More informationCisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017
Cisco Security Advanced Malware Protection Guillermo González Security Systems Engineer Octubre 2017 The New Security Model Attack Continuum Before During After Before Discover During Detect After Scope
More informationCSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague
Brmlab, hackerspace Prague Lightning talks, November 2016 in general in general WTF is an? in general WTF is an? Computer Security in general WTF is an? Computer Security Incident Response in general WTF
More informationCounterACT IOC Scanner Plugin
CounterACT IOC Scanner Plugin Version 2.0.1 Table of Contents About the CounterACT IOC Scanner Plugin... 4 Use Cases... 5 Broaden the Scope and Capacity of Scanning Activities... 5 Use CounterACT Policy
More informationCompTIA SY CompTIA Security+
CompTIA SY0-501 CompTIA Security+ https://killexams.com/pass4sure/exam-detail/sy0-501 QUESTION: 338 The help desk is receiving numerous password change alerts from users in the accounting department. These
More informationCompTIA CAS-003. CompTIA Advanced Security Practitioner (CASP)
CompTIA CAS-003 CompTIA Advanced Security Practitioner (CASP) http://killexams.com/pass4sure/exam-detail/cas-003 DEMO Find some pages taken from full version Killexams CAS-003 questions and answers are
More informationTestBraindump. Latest test braindump, braindump actual test
TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid
More informationMedical Device Vulnerability Management
Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015 Market-based public health: collaborative acceleration Objectives Define a trusted and repeatable process
More informationForeScout ControlFabric TM Architecture
ForeScout ControlFabric TM Architecture IMPROVE MULTI-VENDOR SOLUTION EFFECTIVENESS, RESPONSE AND WORKFLOW AUTOMATION THROUGH COLLABORATION WITH INDUSTRY-LEADING TECHNOLOGY PARTNERS. The Challenge 50%
More informationCNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools
CNIT 50: Network Security Monitoring 6 Command Line Packet Analysis Tools Topics SO Tool Categories Running Tcpdump Using Dumpcap and Tshark Running Argus and the Ra Client SO Tool Categories Three Types
More information