Forensics Readiness in the company: how to prepare the company for forensic tracking of data breaches or computer incidents, reducing costs and increasing efficiency. Forensics Readiness is a framework for corporate protection that puts the company in a position to act in court and with insurance companies, documenting and detailing the "deft"
1. GDPR & Forensics Readiness
How to prepare the company for the management and forensic tracking of data breaches and cyber incidents
2. Introduction
Doctor of computer science
I have been dealing with computer security and Digital Forensics for over 15 years
Enrolled in the panel of experts for civil cases (# 7519) since 2003 at the court of Florence, and in the panel of experts for criminal cases (# 422) since 2011 at the court of Florence
Enrolled in the panel of experts of the Chamber of Commerce (CCIAA) of Florence, # 1130, since 2004
Organizer and speaker at conferences on the topics of information security and computer forensics
Co-author, for the computer forensics aspects, of the book "Internet e il danno alla persona", published by Giappichelli in 2012
ECCE Certificate: European Certificate on the fight against Cybercrime and Electronic Evidence (ECCE), 2009
ISO27001 Lead Auditor
Board of Directors of ONIF – National Observatory on Digital Forensics
CTS CLUSIT – Technical Committee CLUSIT Member
IISFA – International Information System Forensics Association
3. Data breach and computer incident
Data breach: a security incident in which sensitive, protected or confidential data is accessed, viewed, copied, transmitted or used by an unauthorized third party.
Incident: any event which is not part of the standard operation of a service and which causes, or may cause, an interruption or a reduction in the quality of that service.
4. GDPR & Breach notification:
Within 72 hours, establish:
• Who carried out the breach
• How the breach was carried out
• When the breach happened
• Where the breach started
Within a few hours:
• Sanitize the systems
• Restore data
• Patch systems to keep data and applications secure
In a very short time:
• Find the digital evidence sources
• Collect the evidence in forensic mode
• Live analysis of the breach
• Offline analysis of the collections
• Find a security solution
5. Handle the breach: time, team and skills
Crisis Unit:
• Incident Response Team
• Sys admins: DBA, Windows, Linux, network, firewall
• Forensics Team
• Legal
• Communication
• HR
• Finance
6. Forensics, IR, DR and BC: facilitate and not hinder
• Security Policy
• BC/DR
• Forensic Readiness Policy
• Incident Handling
• Process and operational rules
7. Forensics Readiness:
Forensics Readiness Policy
• Goals
• Roles and responsibilities
• Implementation
• Scope of application
• Legislation
• Training
Forensics Readiness Plan
• Roles and responsibilities
• Team of specialists (internal/external)
• Resources: economic, software, tools, storage, etc.
• Task flow
• Testing
• Training & awareness
Forensics Readiness Procedure
• Evidence collection: live, post mortem, network, etc.
• Analysis procedure
• Reporting
• Recovery procedure
"Forensics Readiness" is defined as the ability of an organization to maximize its ability to collect and use digital evidence while minimizing the cost of a digital forensics investigation.
9. FR operational steps
• Identify the possible sources and types of digital evidence useful to the business
• Determine the technical and legal requirements for collecting digital evidence
• Identify and define the resources needed to collect digital evidence safely, so as to make it legally compliant
• Review the resources allocated to maintaining mail protection
• Establish a policy for the safe management and preservation of potential information sources
• Implement a monitoring system and ensure it is able to detect major incidents
• Define under what circumstances it is necessary to activate a complete computer investigation
• Train staff and raise their awareness of incidents, so that they understand their role in the management of evidence in a context of legal admissibility
• Document real cases, describing the incident and its impact
• Ensure a legal review of the procedures, to facilitate incident response actions
• Define the corporate business scenarios that may require digital evidence
• Ensure that SLA contracts with vendors meet the requirements and goals of forensics readiness
10. FR, let's consider an e-commerce Internet service
Components of the service:
• Internet
• Router
• Switch
• Reverse proxy
• Application server
• Database server
• Back office
• Mail server
• Suppliers: content providers / maintainers, developers, system administrators
11. FR – let's start with at least:
1. NTP server and GMT
2. DNS
3. DHCP
4. Directory server
5. Log management system (SIEM)
• Log collection
• Parsing
• Log correlation
• Analysis & alerting
• Tamper-proof log storage
12. FR – go on collecting logs..
Having a log collection system available, we could collect logs from:
• Router
• Firewalls
• VPN terminator
• Switches
• Servers: system logs
• Logs of complex services such as SAP, CRM, SharePoint, print server, physical access control, etc.
Is it enough… to detect an incident or a breach?
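As an added example (not part of the original slides), the following Python script shows why slide 11 starts from an NTP server and a common time reference, and what "tamper-proof log storage" can mean in practice: events from three sources with different local clocks are normalised to UTC so they line up on one timeline, parsed into fields, and appended to a hash-chained store in which every record carries the SHA-256 of the previous one, so any later edit or deletion breaks verification. The log lines, sources and clock offsets are constructed for the demonstration.

```python
"""Added example, not from the original slides: a minimal log collector that
normalises timestamps from several sources to UTC and appends the events to a
hash-chained, tamper-evident store. All sample data below is constructed."""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events: (source, local timestamp, source UTC offset in hours, message).
# In a real deployment every source would be NTP-synchronised to one reference clock;
# the differing offsets here simulate sources that are not.
SAMPLE_EVENTS = [
    ("router", "2024-03-01 09:00:05", +1, "interface Gi0/1 link down"),
    ("firewall", "2024-03-01 08:00:07", 0, "DROP src=203.0.113.7 dst=192.0.2.10 dport=443"),
    ("appserver", "2024-03-01 03:00:09", -5, "POST /checkout status=500"),
]


def to_utc(local_ts: str, offset_hours: int) -> str:
    """Convert a source's local timestamp to ISO-8601 UTC so that events from
    different sources can be placed on a single timeline."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc).isoformat()


def parse_kv(message: str) -> dict:
    """The "parsing" stage: extract key=value fields from a message, if any."""
    return dict(re.findall(r"(\w+)=(\S+)", message))


class ChainedLogStore:
    """Append-only store where each record carries the SHA-256 of the previous
    record, so editing or deleting any earlier record breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, source, local_ts, offset_hours, message):
        prev_hash = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {
            "seq": len(self.records),
            "source": source,
            "ts_utc": to_utc(local_ts, offset_hours),
            "message": message,
            "fields": parse_kv(message),
            "prev_hash": prev_hash,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every record hash and check the chain links; False on tampering."""
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def build_store(events=SAMPLE_EVENTS) -> ChainedLogStore:
    store = ChainedLogStore()
    for ev in events:
        store.append(*ev)
    return store


def timeline(store: ChainedLogStore) -> list:
    """Return (ts_utc, source) pairs ordered on the common UTC clock."""
    return sorted((r["ts_utc"], r["source"]) for r in store.records)


if __name__ == "__main__":
    store = build_store()
    for ts, src in timeline(store):
        print(ts, src)
    print("chain valid:", store.verify())
    store.records[1]["message"] = "ACCEPT src=203.0.113.7"  # simulate an after-the-fact edit
    print("chain valid after edit:", store.verify())
```

Once the three clocks are reduced to UTC the router, firewall and application server events turn out to be four seconds apart, which is invisible when each source is read in its own local time; the chain check is what lets the store be presented as unaltered since collection.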
13. What we want to watch:
Where can the threats come from?
• Internet
• Extranet
• Insider
How:
• Direct attacks exploiting system and application vulnerabilities
• Brute force attacks
• DoS attacks
• Trusted channel attacks (VPN / extranet, internal connections: sysadmin, back office)
14. We have a SIEM, let's use its power
Also collect the logs from:
• Reverse proxy
• Application server
• Application running on the application server
• Database audit log (tuned!)
• Antivirus
• Mail server
And add a bit more information:
• Cyber threat intelligence (IP, URL, username lists)
• Emerging Threats IP list
• Bad IP lists (malicious, compromised, TOR, malware, etc.)
15. SIEM: correlation, analysis, alerting
Use the logs and the information contained therein to understand whether:
• We're in someone's sights
• There is abnormal activity
• There is a compromise
• We have unfaithful employees and collaborators
Tuning SIEM correlation rules & alarms:
• Develop
• Test
• Eliminate false positives
• Keep up to date with the current cyber risk scenario
16. SIEM: correlation, analysis, alerting
IoA – Indicator of Attack
• Track "legitimate" connections coming from bad IPs on log sources
• Drop / reject inbound connections from bad IPs at the firewall
• Network scanning
• Off-hour internal activity
IoC – Indicator of Compromise
• Outgoing "legitimate" connections towards bad IPs
• Drop / reject connections to bad IPs
• Multiple failed logins from a single host
• Multiple logins with a single username from different regions
• Outbound DNS traffic
• Application log errors
Anti-fraud
• User profiling using "reported" accounts and cards
• Bad IPs
• Behaviour analysis of IP / user traffic
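To show what the "develop, test, eliminate false positives" cycle of slide 15 operates on, here is an added example (not from the original slides) that implements four of the correlation rules listed above as plain Python functions and runs them over constructed, already-normalised events: a burst of failed logins from one host, an accepted outbound connection to a listed bad IP, one username authenticating from two regions, and internal activity outside business hours. The bad-IP set and the IP-to-region table are constructed stand-ins for a threat-intelligence feed and a GeoIP database; the thresholds and business hours are assumptions to be tuned per environment.

```python
"""Added example, not from the original slides: four SIEM-style correlation rules
(IoA / IoC) run over constructed log records. BAD_IPS and IP_REGION stand in for a
threat-intelligence feed and a GeoIP lookup."""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_IPS = {"198.51.100.23", "203.0.113.77"}                  # constructed feed
IP_REGION = {"192.0.2.10": "IT", "192.0.2.11": "IT",
             "203.0.113.5": "BR", "198.51.100.23": "RU"}      # constructed GeoIP table

# Constructed events, as they would arrive already parsed and normalised to UTC.
EVENTS = [
    {"ts": "2024-03-01T22:10:00", "type": "auth_fail", "src": "203.0.113.5", "user": "admin"},
    {"ts": "2024-03-01T22:10:20", "type": "auth_fail", "src": "203.0.113.5", "user": "root"},
    {"ts": "2024-03-01T22:10:40", "type": "auth_fail", "src": "203.0.113.5", "user": "backup"},
    {"ts": "2024-03-01T22:11:00", "type": "auth_fail", "src": "203.0.113.5", "user": "admin"},
    {"ts": "2024-03-01T22:11:30", "type": "auth_fail", "src": "203.0.113.5", "user": "admin"},
    {"ts": "2024-03-01T09:00:00", "type": "auth_ok", "src": "192.0.2.10", "user": "mrossi"},
    {"ts": "2024-03-01T09:20:00", "type": "auth_ok", "src": "203.0.113.5", "user": "mrossi"},
    {"ts": "2024-03-01T23:30:00", "type": "fw_accept", "src": "192.0.2.11",
     "dst": "198.51.100.23", "user": "svc-db"},
    {"ts": "2024-03-01T10:00:00", "type": "fw_accept", "src": "192.0.2.10",
     "dst": "93.184.216.34", "user": "mrossi"},
]


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


def rule_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """IoC: at least `threshold` failed logins from one source within a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth_fail":
            by_src[e["src"]].append(_dt(e["ts"]))
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(("IoC", "multiple_failed_login", src))
                break  # one alert per source is enough
    return alerts


def rule_bad_ip_outbound(events, bad_ips=BAD_IPS):
    """IoC: an accepted outbound connection towards a listed bad IP."""
    return [("IoC", "outbound_to_bad_ip", e["dst"]) for e in events
            if e["type"] == "fw_accept" and e.get("dst") in bad_ips]


def rule_multi_region_login(events, regions=IP_REGION):
    """IoC: one username successfully authenticating from more than one region."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "auth_ok":
            seen[e["user"]].add(regions.get(e["src"], "??"))
    return [("IoC", "login_from_multiple_regions", u) for u, r in seen.items() if len(r) > 1]


def rule_off_hours(events, start=7, end=20, internal_prefix="192.0.2."):
    """IoA: activity from an internal address outside the assumed business hours (UTC)."""
    return [("IoA", "off_hour_internal_activity", e["user"]) for e in events
            if e["src"].startswith(internal_prefix) and not (start <= _dt(e["ts"]).hour < end)]


def correlate(events=EVENTS):
    """Run every rule and return the combined alert list (kind, rule name, subject)."""
    alerts = []
    for rule in (rule_failed_logins, rule_bad_ip_outbound, rule_multi_region_login, rule_off_hours):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for kind, name, subject in correlate():
        print(f"{kind}: {name} -> {subject}")
```

Each rule takes its threshold as a parameter, which is where the tuning happens: raising the failed-login threshold to six silences the first alert on this data, and the business-hours window will differ for a team with on-call administrators. Keeping the rules as small testable functions makes the "test" and "eliminate false positives" steps a matter of replaying saved events.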
18. FR: over the logs
BC/DR & Forensics Readiness: the evidence could have been archived months ago
Backup
• Monitoring backup outcomes
• Recovery test
VM snapshot
• Monitoring snapshot outcomes
• Recovery test
Export DB
• Export DB instances
Capacity planning for storage
• Logs, evidence, retention
• Systems management & planning
Software & configuration versioning
19. How do you become aware of an incident or breach?
With FR:
• Active system security monitoring
• Accidentally
• Customers and/or suppliers
Outcome: timeliness and proactivity
Without FR:
• Accidentally
• Customers and/or suppliers
Outcome: too late for business and reputation
20. Take the alarm: serious incident or data breach
The crisis unit convenes:
• CEO
• Forensics Team
• HR
• Legal
• Incident Response
• BC&DR
21. FR: Forensics Team at work
• Identifying the perimeter of the systems involved
• Time evaluation of the events
• Interruption of maintenance or extraordinary tasks on the systems within the perimeter
• Start a network dump if the threat agent is still present on the systems
• Start system snapshots
• Start the live investigation: forensics, data recovery and eDiscovery over an IP network
• Start the procedures for recovering raw log data from the SIEM for the systems in the breach perimeter
• Digital signature with hash time mark of all the collected evidence
• Continuous and analytical documentation of the operations undertaken
• Analysis of logs, snapshots and live data to reconstruct the events that led to the breach: who, from where, how, for how long, and what they did (stolen, modified, consulted)
• Time and technique reconstruction of how the breach came about
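The "digital signature with hash time mark of all collected evidence" step above, as an added example that is not part of the original slides: every collected artefact is hashed with SHA-256, the hash is recorded together with its size, the examiner and the UTC acquisition time, and the whole manifest is authenticated so that any later change to a hash, a name or a time is detectable. The artefacts are constructed in-memory byte strings, and an HMAC over the manifest stands in for the examiner's signature; in a real acquisition the manifest would be signed with the examiner's certificate and timestamped by a trusted time-stamping authority.

```python
"""Added example, not from the original slides: a signed acquisition manifest for
collected evidence. Artefacts and the signing key are constructed for the demo;
the HMAC stands in for a real digital signature and trusted timestamp."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed evidence items: logical name -> content as collected.
ARTEFACTS = {
    "siem_raw_2024-03-01.log": b"2024-03-01T08:00:07Z firewall DROP src=203.0.113.7\n",
    "appserver_snapshot.meta": b"vm=app01 snapshot=pre-incident size=42G\n",
    "netdump_segment1.pcap": bytes(range(256)),
}
SIGNING_KEY = b"constructed-demo-key-not-for-production"  # stand-in for the examiner's key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, examiner: str, when: str = None) -> dict:
    """Hash every artefact, record who acquired it and when (UTC), and sign the
    manifest so that any later change to hashes, names or times is detectable."""
    when = when or datetime.now(timezone.utc).isoformat()
    entries = [{"name": n, "sha256": sha256_hex(c), "size": len(c), "acquired_utc": when}
               for n, c in sorted(artefacts.items())]
    body = {"examiner": examiner, "entries": entries}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, body_bytes, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_manifest(manifest: dict, artefacts: dict) -> list:
    """Return a list of problems found: tampered manifest, missing or altered artefacts.
    An empty list means the evidence set still matches what was signed at acquisition."""
    problems = []
    body_bytes = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        problems.append("manifest signature invalid")
    for entry in manifest["body"]["entries"]:
        content = artefacts.get(entry["name"])
        if content is None:
            problems.append(f"missing: {entry['name']}")
        elif sha256_hex(content) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTEFACTS, "examiner-01", when="2024-03-01T10:15:00+00:00")
    print(json.dumps(manifest, indent=1))
    print("problems:", verify_manifest(manifest, ARTEFACTS))
    altered = {**ARTEFACTS, "appserver_snapshot.meta": b"edited\n"}
    print("problems after edit:", verify_manifest(manifest, altered))
```

The manifest is what accompanies the evidence into the "continuous and analytical documentation" of the operations: each later handler can re-run the verification and record the result, which is the chain-of-custody argument that the copies analysed are the copies acquired.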
22. Without Forensics Readiness
• The incident is detected by chance, through customer or supplier reports or, worse, from newspapers / the internet
• Difficulty determining the perimeter involved
• Unable to estimate the time offset of the breach
• Start a network dump if the threat agent is still present on the systems
• Post-mortem forensic copy of the systems involved in the incident
• Digital signature with hash time mark of all the collected evidence
• Continuous and analytical documentation of the operations undertaken
• Analysis of the little evidence available: live data, forensic copies of the systems
• Extremely complex timing and technical reconstruction of how the breach came about
23. FR: advanced mode
To have a more complete analysis we could add:
• IPS/IDS
• Honeypot
• NAC
• Wireless LAN controller
• Network monitoring (MRTG)
• Network Behaviour Analysis
• Integrity check of systems and of configurations
• URL and content filtering
24. Forensics Readiness: why?
Forensics Readiness is incident prevention, not incident response.
Today it is necessary to assume that an incident will occur even if the risk assessment gives it a low probability, and Forensics Readiness allows us to handle it in advance.
Because Forensics Readiness systematically collects information over time, it allows you to detect situations where the people threatening you, whether inside or outside, will try to:
• Erase the evidence of the breach
• Keep silent on the systems in order to use them for other attacks
• Remain for months before "burning" their victims
26. Forensics Readiness ROI
Failing to adopt forensic readiness may result in:
• Business loss - reputational damage
• Loss of revenue - loss of customers
• Legal actions - inability to meet SLAs, inappropriate actions, etc.
• Data theft, modification or destruction
• Inability to effectively restore administrative access / control
• Suspension of business delivery systems
27. Forensics Readiness ROI
Forensic readiness ensures that you can:
• Quickly determine the attack vector
• Understand and isolate the pertinent information, minimizing the resources you need
• Interrupt abusive access in a timely manner
• Contain the damage and reduce downtime
• Detect trends over time
• Get discounts on cyber insurance premiums
28. And at last…
«The future depends on what we do in the present»
Mahatma Gandhi
Dott. Alessandro Fiorenzi
Email af@studiofiorenzi.it
Mobile: +393487920172
https://www.studiofiorenzi.it