EnCase Cybersecurity and proactive corporate IT security, Damir Delija, INSIG2
Jan 12, 2015
Agenda
» Security, threats, incidents, tools
» The Foundation – EnCase Enterprise
» EnCase Cybersecurity
» Benefits and Features of EnCase Cybersecurity
Worms Remain Top Threat to Enterprise
» SANS NewsBites Vol. 11 Num. 87
According to Microsoft's Security Intelligence Report, Conficker was the top threat to enterprise computers during the first half of 2009. Worm infections overall doubled between the second half of 2008 and the first half of this year; worms rose from the fifth most prevalent cyber threat to the second most prevalent. Worms are not as big a security concern to home users; the most prevalent cyber security threat in the home environment during the first half of 2009 was miscellaneous Trojans, including rogue security software. The volume of phishing was four times higher in May and June of this year than in the preceding 10 months due to concentrated attacks on social networking sites.
» http://www.informationweek.com/news/global-cio/security/showArticle.jhtml?articleID=221400323
» http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=221500012&subSection=Attacks/breaches
» http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en
What are our threats?
» Unauthorised software
» Human error
» Inappropriate content
» Deliberate attack (hackers)
» Competitors
» Virus outbreaks
» Regulatory compliance
» IP theft (e.g. external consultants)
» Fraud
» Disgruntled employees
» Classified data
» Data leakage
» Others (unknown)
(Slide diagram: the threats above drawn around the client.)
How do we deal with these threats today?
» Reactively
› We manually investigate incidents, which is time consuming
› We employ 3rd party consultancies to collect data for compliance
› We quarantine computers from the network (disrupting operations)
› We need multiple tools to investigate and solve problems
› We have to wait for our AV vendor to supply signatures for new outbreaks
» Proactively
› We cannot search the network for IP or other sensitive data
› We cannot search for unauthorised software or malicious code
› We cannot forensically remove data or malicious processes
› We don't have time to investigate disgruntled employees
› We can't identify potential risks comprehensively
What is an Incident?
» What is an incident to you?
› Virus outbreak? Stolen laptop? Inappropriate usage? Legal requirement for electronic data? Unauthorised software? Inappropriate content? Classified data appearing in the wrong environments? Data leakage? IP theft? Disgruntled employee?
» How do you respond?
› Manual processes? Take computers off the network? Suspend employees? External investigative consultancy? Outsource data collection? Press release / PR? Hope and pray? Ignore?
Some Analytics (1)
» Who is behind data breaches?
› 73% resulted from external sources
› 18% were caused by insiders
› 39% implicated business partners
› 30% involved multiple parties
» How do breaches occur?
› 62% were attributed to a significant error
› 59% resulted from hacking and intrusions
› 31% incorporated malicious code
› 22% exploited a vulnerability
› 15% were due to physical threats
(Categories overlap, so the percentages do not sum to 100.)
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008
Some Analytics (2)
» What commonalities exist?
› 66% involved data the victim did not know was on the system
› 75% of breaches were not discovered by the victim
› 83% of attacks were not highly difficult
› 85% of breaches were the result of opportunistic attacks
› 87% were considered avoidable through reasonable controls
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008
Some Analytics (3)
» Nine out of 10 data breach incidents involved one of the following:
› A system unknown to the organization (or business group affected)
› A system storing data that the organization did not know existed on that system
› A system that had unknown network connections or accessibility
› A system that had unknown accounts or privileges
Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10 June 2008
Sample of 2009 Data Breaches
» Check Free Corp, January 6: 160,000 – 5,000,000 credit card records exposed to a web site hosted in Ukraine
» Heartland Payment Systems, January 20: 100M transactions/month for several months routed through malicious software
» Federal Aviation Administration, February 9: 48,000 records of employee information compromised
» US Army, March 12: PII of 1,600 soldiers potentially breached
» University of California, Berkeley, May 7: PII of 160,000 students and alumni (including SSNs and medical records) compromised in a hack
» Aviva, June 3: account information of 550 customers compromised by malware
"We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software's solution addresses virtually every aspect of information security and eDiscovery." – Litigation Counsel, Dell
EnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations
EnCase Enterprise and EnCase Cybersecurity
» EnCase Enterprise
› Reactive investigations
~ HR matters
~ Fraud
~ Network breaches
› Manual processes
› "We need to be able to investigate internal matters"
» EnCase Cybersecurity
› Proactive security auditing and system recovery
› Automated processes tailored to the challenge
› "We need to protect our IP"
› "We need technology that can keep up with emerging threats"
› "We need to take a more proactive stance in regards to information security"
EnCase Enterprise – basic elements
» SAFE
› central communication/authorisation server
» Examiner station(s)
› workstation for forensic actions (automated or by hand)
» Servlet(s)
› remote agent on each endpoint
» Snapshots and connections
» Scripts and tools integration
EnCase Enterprise vs. EnCase Cybersecurity – High Level Overview
Capability                                               | EnCase Cybersecurity
Multiple Machine Analysis                                | Automated
Machine Tracking                                         | Automated
Preservation of Files                                    | Automated
Search Status & Interrupted Search Recovery              | Automated
Static Message File Processing                           | Automated
Network Shares & SharePoint Search                       | Automated
Live Messaging Servers Collection                        | Automated
Master Database for Tracking and Reporting               | Automated
Processing: Secondary Culling and De-duplication         | No
Processing: Attorney Review Platform Load File Creation  | No
Pre-Collection File Sampling                             | Included
Enterprise Content Management & Email Archive Search     | Included
File Remediation                                         | Automated
The Problems to Solve
» Difficulty of identifying and recovering from polymorphic threats
› e.g. Conficker
» Undiscovered threats to the network
› Heartland breach cost Heartland $12.9 million ... so far (100 million records)
› TJX settled for $9.75 million (50 million records)
› Organizations can experience millions of events/day
~ Most are just harmless probes, however...
» Inability to efficiently analyze and address the risk presented by sensitive data
› Customer records
~ SSNs etc.
› Intellectual property
~ Source code
~ Schematics etc.
The Pain – Heartland Payment Systems
» In February 2009 it was made public that Heartland had experienced a breach that exposed a record-setting 100 million credit card accounts
» Heartland was certified PCI compliant at the time
» The malware responsible had been present on their network since November 2008, the investigation found
» So far it has cost Heartland $12.5 million
» MasterCard is imposing an additional fine of $6M
The Pain – Polymorphic Malware
» Malware that changes each time it replicates
› Evades any attempt at signature-based detection
~ Changes encryption key
~ Repacking
~ Random elements built into the code, such as using a random registry key each time it drops
» Conficker – polymorphic worm
» Swizzor – polymorphic adware
» Stration – up to 300 variations a day
Common IT Security Challenges
» Proactively identifying and addressing undiscovered threats
› Determining the threat level and purpose of unknown files or running processes
› Identifying and recovering from polymorphic malware (e.g., Conficker)
~ Signature-based detection tools are insufficient when faced with code that morphs to evade detection
› Quickly triaging and containing an identified threat
» Locating and rapidly responding to data leakage (PII, IP, etc.)
› Compliance with data protection and breach notification laws
EnCase® Cybersecurity
» Identify undiscovered threats: patent-pending technology gives IT Security the advantage against new threats:
› Polymorphic malware
› Packed files
› Other advanced hacking techniques
» Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information
» Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry
» Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud, HR matters and data breaches
» For information security personnel and response teams whose task is to protect sensitive information and proactively identify and respond to network threats 24/7
» Identify, analyze, triage, respond to and recover from internal and external threats to the network, ensure endpoints remain in a trusted state and protect/secure sensitive information
» Unlike traditional methods of using a collection of tools to address network threats, EnCase Cybersecurity is a complete solution that addresses information security risks and the challenges of data protection and unknown threats to the network
EnCase Cybersecurity Employs a Comprehensive Approach to Risk Management
(Slide diagram, three overlapping areas:)
» Endpoint Security: covert malware identification & recovery
» Data Discovery & Protection: risk assessment; targeted search & remediation
» Digital Investigations: breach investigations; fraud investigations; malware investigations; etc.
EnCase® Cybersecurity Values
» Identify and recover from polymorphic and metamorphic malware
» Proactively identify and recover from undiscovered threats
› Determine threat level of endpoints
› Analyze process code
› Remediate registry entries, files, processes
» Proactively audit for sensitive data and recover from data spillage
» Triage incidents across worldwide networks
» Combat insider threats
» Maintain endpoints in a trusted state
» Ensure IAVA compliance
Benefits & Features
Benefit                                                                                  | Feature
Proactively identify and recover from covert network threats                             | Threat level analysis, memory analysis
Find similar files over the network                                                      | Patent-pending bit transition analysis method
Proactively identify and recover from data leakage                                       | Targeted search and remediation
Ensure endpoints remain in a trusted state                                               | Hash database comparison, system profiling
Accurately triage an incident anywhere in the world from a central location              | Network-enabled, security protocols
Combat insider threat by proactively identifying and investigating suspicious activity   | Log file analysis, Snapshot, core EE functionality
View all data on a hard drive, even what the OS cannot see                               | Operates at the kernel level, sees what the OS cannot
Determine the extent of data breaches                                                    | Log file analysis, memory analysis, core functionality
EnCase Cybersecurity Components
» Data Audit & Policy Enforcement
» System Profiling & Analysis
» Attribution Set Manager
» EnCase Code Analyzer
» EnCase Bit9 Analyzer
» Configuration Assessment
» Source Processor
Data Audit
» Organizations have a need to perform full network audits for sensitive information for the following purposes:
› Risk assessment and mitigation
› IP/PII theft prevention
› Data spillage
› Compliance with laws mandating the security of PII
› Regulatory requirements
» Payment Card Industry Data Security Standard
» Records retention enforcement
Data Audit Key Benefits
» Reduce the threat and risk of data loss from the endpoints by identifying sensitive information and removing it from unauthorized locations across the enterprise…
» Reduce the cost of eDiscovery and electronic storage with the ability to enforce records retention policies
» Understand where sensitive data is located across the enterprise in order to more effectively design compliance initiatives
Case Study: Global 100 Entertainment Software Company (EnCase Cybersecurity)
Situation
» Global 100 computer entertainment company suspected IP leakage across the network
» Need to search a global network spanning 91 countries
» Goal was to identify the source and all instances of the leaked IP, identify the trail to external sites, preserve evidence, and remediate
» Process required significant stealth so as not to alert employees
Solution
» EnCase Data Audit & Policy Enforcement implemented in 24 hours at a central site
» EnCase identified that the suspect had access to numerous other workstations & servers across the network
» Audit performed overnight on all endpoints, including a 4 terabyte server, to find files
» v1.0 version of the video game identified in several locations and matched to the version leaked to public sites
» Targeted audit of over 50 devices in one day, including laptops, desktops, servers, email accounts, USB devices and internet histories
Results
» Zero disruption to the business
» Entire investigation took 2 weeks from start to finish, with significant cost savings vs. outsourced options
» EnCase Data Audit deployed as part of a standard IP & HR audit process company-wide
"The non-disruptive element of EnCase minimized the financial, commercial and operational impact of the leaked IP and accelerated the successful resolution of this incident."
CEO & President - European Operations, Global Entertainment Software Co.
System Profiling & Analysis
» Drivers
› Challenge of controlling what software is on company computers
» Use
› Compare network endpoints to a trusted build of hashes
» Value/Use
› Ensure employees are not running unapproved/harmful software
~ File sharing software
~ Unapproved communication clients
~ Vulnerable software
› Help triage for malware by exposing unknown files
› No need to visit each node to return it to a trusted state
› Baselining
Keeping Up
» Technical challenges:
› High profile attacks: good vectors need concealment
› Malware becoming more sophisticated; the landscape changes
› We're not looking for a single file; many artifacts are dropped
› Designed to evade detection
› Designed to persist despite defensive techniques
› We're trying to find the needle in the haystack
› No magic pill to take or silver bullet to shoot
Use Cases for Attribution Set Manager
» Polymorphic and metamorphic malware identification
› Relies on the commonalities that survive as the code morphs/adapts
» Other types of undiscovered malware
» "Packed" file detection
» Data auditing
› Intellectual property
› Embedded files
» Attribution
Polymorphic and Metamorphic Malware Defined
» Polymorphic (adj.) – literally, having more than one form; able to have several shapes or forms. Polymorphic code (e.g., malware) can exist in a number of "physical" forms, each outwardly different yet retaining all of the original/intended functionality. The changes are notably spontaneous and follow no discernible pattern, while the code still functions exactly as it did in the original or previous form(s).
» Metamorphic (adj.) – having been changed from one form to another by the application of an external force, as in metamorphic rock, which has been changed from its original form by heat and/or pressure. In contrast to polymorphic code, metamorphic code needs some external impetus in order to change its form: a conscious (manual) change to the code, a date- or time-triggered event, movement from one operating system to another, etc. These changes often entail some fundamental modification of an original function; it does something new or different from the original form.
The anti-virus literature usually draws the line differently: polymorphic malware keeps a constant body under a varying encryption layer and decryptor, while metamorphic malware rewrites its own instructions in each generation with no encryption layer at all. Either way, the byte sequence changes from copy to copy, which is the property the rest of this deck is concerned with.
Current Methods for Finding Polymorphic Malware
» Hashing
› MD5/SHA formats
› Context Triggered Piecewise Hashing (i.e., rolling hash)
~ "Fuzzy hashing"
~ Easy to fool
» Signature-based detection
› Relies on hashes or other code fragments
› Computationally expensive, takes time
» Deep Packet Inspection
› Indexing doesn't scale to the enterprise
» Code mutation used to change malware attributes makes identification difficult
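A concrete picture of the "fuzzy hashing" and "easy to fool" points above, as an added example that is not EnCase or ssdeep code: a simplified context-triggered piecewise hash with a 7-byte rolling window, one signature byte per chunk and a fixed block size of 32, run over a constructed incident write-up, the same write-up with a sentence inserted, and the same bytes recompressed with zlib as a stand-in for repacking. The window size, block size, trigger rule and sample text are this example's assumptions.

```python
"""Context-triggered piecewise hashing (ssdeep-style "fuzzy hashing"), simplified.

Added example, not EnCase or ssdeep code. Assumptions: a 7-byte rolling
window, one signature byte per chunk, a fixed block size, and the sample
documents constructed below.
"""
import difflib
import hashlib
import zlib

WINDOW = 7                        # bytes of local context that decide chunk boundaries
BASE = 0x01000193                 # polynomial base for the rolling hash (the FNV prime)
MOD = 1 << 32
TOP = pow(BASE, WINDOW - 1, MOD)  # weight of the byte that drops out of the window


def ctph(data: bytes, block_size: int = 32) -> bytes:
    """Return one signature byte per content-defined chunk of `data`.

    A chunk ends wherever the rolling hash of the last WINDOW bytes hits the
    trigger value. Because the trigger depends only on local context, an
    insertion disturbs the chunk grid only around the edit; later chunks
    re-synchronise and hash to the same signature byte as before.
    """
    sig = bytearray()
    window = bytearray()
    h = 0
    chunk_start = 0
    for i, c in enumerate(data):
        if len(window) == WINDOW:
            h = (h - window.pop(0) * TOP) % MOD   # drop the oldest byte's term
        h = (h * BASE + c) % MOD                  # shift in the new byte
        window.append(c)
        if h % block_size == block_size - 1:      # trigger: close the current chunk
            sig.append(hashlib.sha256(data[chunk_start:i + 1]).digest()[0])
            chunk_start = i + 1
    if chunk_start < len(data):                   # trailing partial chunk
        sig.append(hashlib.sha256(data[chunk_start:]).digest()[0])
    return bytes(sig)


def similarity(sig_a: bytes, sig_b: bytes) -> int:
    """0..100: how much of the two chunk sequences can be aligned (edit-distance style)."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


# Constructed sample: an incident write-up standing in for a document or binary.
ORIGINAL = b"""Incident summary. At 09:14 the service desk received three calls about a
spreadsheet that opened a command window and closed it again. The first caller
had saved the attachment to the shared finance folder before opening it, so the
file was also visible to eleven other accounts. Endpoint logs show a child
process of the spreadsheet application writing a renamed copy of itself into the
user profile and registering a run key. The copy differs from the attachment by
a few bytes in its final section, which is consistent with the repacking
behaviour noted in the vendor bulletin. Network telemetry records one outbound
connection attempt on port 8443 that was blocked by the proxy. No credential
material appears to have been read, but the finance share was mounted with write
access at the time, so every document in it is being hashed and compared against
last night's backup. Containment: the three workstations were isolated at 09:40,
the attachment was removed from the mail store, and the run key was deleted from
each affected profile. Recovery: the workstations will be reimaged from the
trusted build once the memory captures have been reviewed. Lessons: macro
execution from the mail client is still permitted for the finance group, and the
shared folder lacks an allow-list for executable content. Both items are now
tracked as remediation actions with owners and due dates.
"""
# Variant 1: the same document with one sentence inserted in the middle.
_mid = len(ORIGINAL) // 2
MODIFIED = ORIGINAL[:_mid] + b" [Analyst note: second variant observed.] " + ORIGINAL[_mid:]
# Variant 2: the same payload "repacked" (zlib stands in for a packer or crypter).
REPACKED = zlib.compress(ORIGINAL, 9)


def compare_variants() -> dict:
    """Exact hash agreement vs. piecewise-hash similarity for the two variants."""
    sig = ctph(ORIGINAL)
    return {
        "sha256_match": hashlib.sha256(ORIGINAL).digest() == hashlib.sha256(MODIFIED).digest(),
        "modified": similarity(sig, ctph(MODIFIED)),
        "repacked": similarity(sig, ctph(REPACKED)),
    }


if __name__ == "__main__":
    for name, value in compare_variants().items():
        print(f"{name}: {value}")
```

The exact hash disagrees for both variants. The piecewise hash still scores the edited copy highly, because chunk boundaries re-synchronise a few bytes after the edit and every other chunk hashes as before; the recompressed copy scores near zero, because not a single chunk's bytes survive repacking. That is the "easy to fool" caveat in practice: any transform that rewrites every byte (packing, a new encryption key, re-encoding) defeats chunk-level hashing, which is why the deck moves on to entropy.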
How is the Use of Entropy Superior?
» Speed
› No pre-processing or "pre-hashing" required
› Can compute thousands of entropy values in minutes
» Accuracy
› Based on comparing smaller units against each other
~ Byte transitions versus "logical sections"
~ Foreign languages
~ Not just limited to text
» Network-enabled
› Other methods require the source and target repository to be stored locally
Using Entropy
» What is it?
› Entropy is "randomness"
› Entropy (Shannon entropy over the byte values of a file) is expressed as a value from 0 to 8 bits per byte (e.g., 4.59087346598796)
› Files of the same type have similar entropy values
~ Compressed/packed files have high (i.e., 7.0+) entropy
~ Binary files are very structured, with similar entropy
EnCase Cybersecurity Combats Polymorphic Malware
(Slide screenshot: six iterations of the same malware. Signature-based detection (top six rows) doesn't help, but EnCase Cybersecurity shows the most similar binaries (bottom section) for a computer or network.)
Using Entropy for Intellectual Property
» All are derivatives of the Declaration of Independence
› Hashes all different, entropy values very close
› Use an entropy threshold to mine likeness, not a percentage
Source                                                         | Match                                        | Tolerance
Declaration_of_Independence.doc                                | Single Files\Declaration_of_Independence.doc | 0
Declaration_of_Independence_new_pasted.doc                     | Single Files\Declaration_of_Independence.doc | 0.00431
Declaration_of_Independence_new_pasted_three_quarters_file.doc | Single Files\Declaration_of_Independence.doc | 0.222825
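The entropy scale, the 7.0+ packed-file rule and the tolerance table above, as an added example that is not EnCase code: Shannon entropy over byte values (0 to 8 bits per byte), the absolute difference |H(source) - H(candidate)| used as the likeness tolerance, a 7.0 threshold for the "packed file detection" use case, and a byte-pair "transition" profile as a finer second look. The tolerance metric, the transition profile and the sample documents (a constructed policy text, a copy with a sentence pasted again, a three-quarters copy, a zlib-compressed copy and seeded random bytes) are this example's own assumptions, not Guidance Software's patented method.

```python
"""Byte entropy as a likeness and packing signal.

Added example, not EnCase code. The tolerance metric (absolute entropy
difference), the byte-pair transition profile and all sample data are
this example's assumptions.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_distance(a: bytes, b: bytes) -> float:
    """The 'tolerance' used to mine likeness: |H(a) - H(b)|."""
    return abs(shannon_entropy(a) - shannon_entropy(b))


def is_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packed, compressed or encrypted payloads sit at or above ~7.0 bits/byte."""
    return shannon_entropy(data) >= threshold


def find_like(source: bytes, candidates: dict, tolerance: float) -> list:
    """Names of candidates whose entropy lies within `tolerance` of the source."""
    return sorted(name for name, data in candidates.items()
                  if entropy_distance(source, data) <= tolerance)


def transition_profile(data: bytes) -> dict:
    """Normalised frequency of each adjacent byte pair (a 'byte transition' view)."""
    pairs = Counter(zip(data, data[1:]))
    total = sum(pairs.values()) or 1
    return {pair: count / total for pair, count in pairs.items()}


def profile_distance(a: bytes, b: bytes) -> float:
    """L1 distance between transition profiles: 0.0 identical .. 2.0 disjoint."""
    pa, pb = transition_profile(a), transition_profile(b)
    return sum(abs(pa.get(k, 0.0) - pb.get(k, 0.0)) for k in pa.keys() | pb.keys())


# Constructed sample document standing in for the Declaration_of_Independence.doc row.
SOURCE = b"""Acceptable use policy, section 4: removable media. Staff may connect only
company-issued encrypted drives to managed workstations. Personal devices,
cameras and phones must not be used to copy documents classified internal or
above. Exceptions require written approval from the data owner and the security
office, are logged in the asset register, and expire after thirty days. Lost or
stolen media must be reported to the service desk within one working day so that
the encryption keys can be revoked and the incident recorded. Section 5: cloud
storage. Only the approved collaboration platform may hold company documents;
consumer file-sharing services are blocked at the proxy and any attempt to reach
them is logged. Section 6: monitoring. The company may audit endpoints and file
shares for classified material, unlicensed software and known malware, and will
remove such material after notifying the device owner, unless notification would
compromise an investigation. Results of audits are retained for two years.
"""
_rng = random.Random(20150112)   # seeded so the "encrypted" stand-in is reproducible
SAMPLES = {
    "source.txt": SOURCE,
    "new_pasted.txt": SOURCE + SOURCE.split(b". ")[0] + b". ",     # same content, one sentence pasted again
    "three_quarters.txt": SOURCE[: len(SOURCE) * 3 // 4],           # first three quarters of the file
    "repacked.bin": zlib.compress(SOURCE, 9),                       # stands in for a compressed/packed payload
    "random.bin": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stands in for an encrypted payload
}


def report(tolerance: float = 0.25) -> dict:
    """Entropy, tolerance against the source, packed flag and transition distance per sample."""
    src = SAMPLES["source.txt"]
    return {
        name: {
            "entropy": round(shannon_entropy(data), 4),
            "tolerance": round(entropy_distance(src, data), 4),
            "like": entropy_distance(src, data) <= tolerance,
            "packed": is_packed(data),
            "transition_distance": round(profile_distance(src, data), 4),
        }
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:20} {row}")
```

The three text derivatives land within a fraction of a bit of each other although their cryptographic hashes differ, while the compressed and random samples sit above 7.0 and far outside any sensible tolerance. Two caveats a practitioner should keep in mind: entropy is a coarse filter, since two unrelated documents in the same language also land within a few hundredths of a bit of each other, so the tolerance shortlists candidates for a closer comparison (the transition profile here, or content matching) rather than proving likeness; and packers that pad their output with low-entropy filler can pull a packed file below the 7.0 line, so the packed check is a prompt to look, not a verdict.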
EnCase Code Analyzer
» Powered by HBGary Responder Professional integration
› Threat Analyzer
~ Canned & user-defined threat criteria, e.g. processes that can change registry entries
~ Returns 0 (no threat) to 100 (severe threat) based on the total of all identified matches to threat criteria among processes
~ Very fast execution
~ High-level "gut check"
› Memory Analyzer
~ Code and behavioral analysis of running RAM or a single process
~ Provides intelligence on how any given process "does its thing"
~ Can determine if a piece of malware is polymorphic, if it can transfer files, etc.
EnCase Bit9 Analyzer
» Powered via integration with the Bit9 Global Software Registry
› 6 billion records
~ Known good and bad files, processes and applications
› Grows at a rate of 20 million files every day
› Screen out the known to find the unknown
› Scan for known malware
› Scan for out-of-date or unapproved executables
» Adds value to every component of EnCase Cybersecurity
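Hash-database comparison, which both System Profiling & Analysis (compare endpoints to a trusted build of hashes) and the Bit9 Analyzer (screen out the known to find the unknown) rely on, as an added example that is not EnCase or Bit9 code: a local dictionary of trusted-build hashes and a small known-bad set stand in for the Bit9 registry, and the trusted build, the endpoint files and the malware sample are constructed in a temporary directory.

```python
"""Trusted-build hash comparison: screen out the known to find the unknown.

Added example, not EnCase or Bit9 code. A dictionary of trusted-build
hashes and a known-bad set stand in for the Bit9 registry; the file trees
below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path (with '/' separators) -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def classify(endpoint: dict, baseline: dict, known_bad: set) -> dict:
    """Label each endpoint file: known_bad, known_good, modified or unknown."""
    good_hashes = set(baseline.values())
    result = {}
    for rel, digest in endpoint.items():
        if digest in known_bad:
            result[rel] = "known_bad"      # matches a malware hash: remediate
        elif digest in good_hashes:
            result[rel] = "known_good"     # identical bytes exist in the trusted build
        elif rel in baseline:
            result[rel] = "modified"       # trusted path, different content: tampering or patch
        else:
            result[rel] = "unknown"        # in no list: this is what the analyst triages first
    return result


def write_tree(root: str, files: dict) -> str:
    """Materialise {relative path: content} under root (constructed test data)."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


# Constructed stand-in for a binary whose hash is on the known-bad list.
MALWARE_SAMPLE = b"MZ\x90\x00 dropper that writes a run key"


def demo() -> dict:
    """Build a trusted build and an endpoint tree, then classify the endpoint."""
    trusted_files = {
        "bin/app.exe": b"MZ\x90\x00 approved application build 1.0",
        "bin/lib.dll": b"MZ\x90\x00 approved library build 1.0",
    }
    endpoint_files = {
        "bin/app.exe": trusted_files["bin/app.exe"],               # untouched: known good
        "bin/lib.dll": trusted_files["bin/lib.dll"] + b" +patch",  # same path, new bytes: modified
        "tmp/updater.exe": MALWARE_SAMPLE,                         # hash on the known-bad list
        "tmp/notes.bin": b"nobody has seen this file before",      # in no list: unknown
    }
    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = write_tree(os.path.join(tmp, "trusted_build"), trusted_files)
        endpoint_root = write_tree(os.path.join(tmp, "endpoint"), endpoint_files)
        known_bad = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
        return classify(hash_tree(endpoint_root), hash_tree(trusted_root), known_bad)


if __name__ == "__main__":
    for rel, label in sorted(demo().items()):
        print(f"{label:10} {rel}")
```

Known-bad is checked before known-good so that a bad hash can never be laundered by also appearing in a baseline, and "modified" is separated from "unknown" because a trusted path with different bytes is usually the more urgent finding. The limit is the one the deck keeps returning to: a hash list catches only the exact variant it was built from, so the "unknown" bucket, not the "known_bad" one, is where polymorphic malware will sit, and that bucket is what the entropy and attribution steps are for.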
Configuration Assessment
» DoD-specific EnScript
› Used to audit against the DISA STIG XML database
~ DoD-mandated configuration settings
EnCase Source Processor
» Collection of time-saving utilities that comes with every order, launched from an easy-to-use interface for common tasks
› Used only to analyze & report; no file collection
EXIF Viewer*
Extension Report Module*
Snapshot Module
Link File Parser*
Linux Initialize Case*
Linux Syslog Parser*
Linux Event Log Parser
Mac Initialize Case Module*
Personal Information Inquiry
Protected File Finder*
Scan Registry*
Recycle Bin Info Finder*
Windows Event Log Parser
Windows Initialize Case*
WTMP-UTMP Log File Parser
*Available in second release of EnCase Cybersecurity
The whole is much more powerful than the individual parts
» Scan suspect machines using the Threat Analyzer module of EnCase Code Analyzer
» Utilize System Profiling & Analysis and EnCase Bit9 Analyzer to exclude all known good files & processes (and identify any known bad) from a machine with a Severe Threat rating
» Capture an identified unknown process with EnCase Code Analyzer, using the Memory Analyzer module to perform code and behavioral analysis of the unknown process
» After determining that an unknown process has the ability to morph, utilize Attribution Set Manager to identify like binaries on the network
» Once all iterations of the polymorphic malware are identified, utilize Data Audit & Policy Enforcement and core functionality to remediate the associated files, processes and registry entries, recovering systems from the threat before it has a chance to act
Key Differentiators
» Single solution, many applications
» Threat and memory analytics
» Leverages the world's largest hash database
» Patented "Entropy Analysis" method
» Certifications (Federal space)
› DIACAP
› FIPS 140-2
› Common Criteria EAL-2
» Optimized distributed search
» Forensic backbone ensures activity remains transparent
» Does not rely on active monitoring or AV signatures
» Remediation