The Practice of Cyber Crime Investigations
Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, GSEC, CISA, CISM, CRISC
Security Ronin
November 19th 2016 @ HKUST Cybersecurity Lab Security Day
Who am I?
Copyright © 2016 Albert Hui 2
 Co-designed the first Cyber Forensics curriculum for Hong Kong Police, trained cops
 CSIRT Manager at an Investment Bank
 ACFE (Association of Certified Fraud Examiners) Asia Pacific Fraud Conference keynote speaker
 HTCIA (High Tech Crime Investigation Association) Asia Pacific Forensics Conference speaker
 Technology Risk Manager at Multinational Banks
 Risk Consultant for Government and Critical Infrastructures
 Black Hat speaker
Focus areas: Incident Response & Investigations; Technology Risk Management
Main Types of Cyber Crimes
Theft, Sabotage, Extortion
The “Whys” of Cyber Crime
Hui’s Cyber Threat Intent Taxonomy: motives arranged on a spectrum from Secular to Sacred
 money
 ego
 revenge (e.g. former employees)
 curiosity
 industrial espionage
 political (e.g. foreign government policies)
 ideology (e.g. hacktivists)
 war & terrorism (e.g. state-sponsored hackers)
Objectives of Private Investigations
 Find bad actors, for legal action and/or settlement
 Gather concrete evidence of suspected wrongdoing, for legal action and/or settlement
 Recover lost assets
 Independent assessment of the incident for insurance claims
 Determine control weaknesses for risk mitigation
(…and many others)
Common Practice Areas
Cyber Crime Investigation draws on:
 Cyber Forensics: Evidence Collection, Forensic Analysis
 Incident Response: Intrusion Analysis, Malware Reverse Engineering
 E-Discovery
 Forensic Accounting
 Intelligence: Cyber Intelligence (CYBINT), Open Source Intelligence (OSINT), Human Intelligence (HUMINT)
Investigation Methodology
“You know my method. It is founded upon the observation of trifles.”
(Sherlock Holmes)
Locard’s Exchange Principle
“Every contact leaves a trace.”
(Edmond Locard)
Red Flags Lead to Smoking Gun
Case Theory Approach
 Gather & Analyze all relevant facts
 Construct Hypotheses based on knowledge of Hacking Operations, Crime Modus Operandi, Fraud Scheme Mechanics, etc.
 Test Hypotheses via Forensic Examination, Data Analysis, Document Review, etc.
 Revise & Refine, then repeat the cycle
Example Model 1: Occupational Fraud Schemes
(Source: ACFE Fraud Tree, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2016/fraud-tree.pdf)
Billing Scheme red flags to test for:
 Vendor profiles
   Incomplete profile
   Non-business address
 Payments
   Duplicate payments
   To unauthorized vendors
   Without matching POs or invoices
   Small amounts just below the approval limit
   Unusually short turn-around time
   Excessive purchases of particular items
   Excessive purchases from particular vendors
 Received goods or services
   Inventory missing purchased goods
   Unusual non-goods purchases
   Unusual shipment destinations
(...and many many more)
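To make the red-flag tests concrete, here is an added example (not from the original slides) that runs several of the Billing Scheme tests above over a constructed vendor master and payment ledger. The records, the approval limit, the turnaround threshold and the non-business address markers are all assumptions; a real engagement would pull them from the AP system and the client’s approval matrix.

```python
"""Billing Scheme red-flag tests over constructed accounts-payable records.

Added example, not from the original slides. Vendor master, payment ledger,
approval limit, turnaround threshold and address markers are all assumptions.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor master (assumption: what an AP export might look like).
VENDORS = {
    "V001": {"name": "Acme Supplies", "tax_id": "12-345", "address": "10 Industrial Rd"},
    "V002": {"name": "Globex Services", "tax_id": "", "address": "PO Box 77"},
    "V009": {"name": "J. Doe Consulting", "tax_id": "98-765", "address": "Flat 4B, 22 Residential St"},
}
APPROVED_VENDORS = {"V001", "V002"}          # V009 was never onboarded through procurement

# Constructed payment ledger. P2 repeats P1; P3 hits several red flags at once;
# P4-P6 are a run of payments parked just under the approval limit.
PAYMENTS = [
    {"id": "P1", "vendor": "V001", "amount": 12000.0, "po": "PO-1", "invoice": "INV-1",
     "invoice_date": date(2016, 3, 1), "paid_date": date(2016, 3, 30)},
    {"id": "P2", "vendor": "V001", "amount": 12000.0, "po": "PO-1", "invoice": "INV-1",
     "invoice_date": date(2016, 3, 1), "paid_date": date(2016, 4, 2)},
    {"id": "P3", "vendor": "V009", "amount": 4950.0, "po": "", "invoice": "INV-7",
     "invoice_date": date(2016, 4, 10), "paid_date": date(2016, 4, 10)},
    {"id": "P4", "vendor": "V002", "amount": 4990.0, "po": "PO-3", "invoice": "INV-8",
     "invoice_date": date(2016, 4, 11), "paid_date": date(2016, 4, 20)},
    {"id": "P5", "vendor": "V002", "amount": 4980.0, "po": "PO-4", "invoice": "INV-9",
     "invoice_date": date(2016, 4, 12), "paid_date": date(2016, 4, 21)},
    {"id": "P6", "vendor": "V002", "amount": 4975.0, "po": "PO-5", "invoice": "INV-10",
     "invoice_date": date(2016, 4, 13), "paid_date": date(2016, 4, 22)},
]

APPROVAL_LIMIT = 5000.0        # assumption: single-approver limit
NEAR_LIMIT_MARGIN = 0.02       # flag amounts within 2% below the limit
FAST_TURNAROUND_DAYS = 1       # assumption: paid within a day of invoicing is unusual
NON_BUSINESS_MARKERS = ("flat", "apt", "po box", "residential")


def near_limit(amount):
    """True when an amount sits just under the approval limit (possible structuring)."""
    return APPROVAL_LIMIT * (1 - NEAR_LIMIT_MARGIN) <= amount < APPROVAL_LIMIT


def vendor_profile_flags(vendors):
    """Red flags from the vendor master: incomplete profiles and non-business addresses."""
    flags = []
    for vid, v in vendors.items():
        if not v["tax_id"]:
            flags.append((vid, "incomplete profile: missing tax id"))
        if any(m in v["address"].lower() for m in NON_BUSINESS_MARKERS):
            flags.append((vid, "non-business address"))
    return flags


def payment_flags(payments, approved):
    """Red flags from the ledger, as (payment id, reason) pairs."""
    flags = []
    seen = defaultdict(list)   # (vendor, invoice, amount) -> payment ids, for duplicate detection
    for p in payments:
        seen[(p["vendor"], p["invoice"], p["amount"])].append(p["id"])
        if p["vendor"] not in approved:
            flags.append((p["id"], "payment to unauthorized vendor"))
        if not p["po"] or not p["invoice"]:
            flags.append((p["id"], "no matching PO or invoice"))
        if near_limit(p["amount"]):
            flags.append((p["id"], "amount just below approval limit"))
        if (p["paid_date"] - p["invoice_date"]).days <= FAST_TURNAROUND_DAYS:
            flags.append((p["id"], "unusually short turnaround"))
    for ids in seen.values():
        for dup in ids[1:]:
            flags.append((dup, f"duplicate of {ids[0]}"))
    return flags


def vendor_concentration(payments, min_count=3):
    """Vendors that received an unusual number of near-limit payments."""
    counts = Counter(p["vendor"] for p in payments if near_limit(p["amount"]))
    return {v: n for v, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for flag in vendor_profile_flags(VENDORS) + payment_flags(PAYMENTS, APPROVED_VENDORS):
        print(flag)
    print("near-limit concentration:", vendor_concentration(PAYMENTS))
```

Each flag is a hypothesis to test, not a finding: a payment just under the approval limit may be perfectly legitimate, but three of them in three days to a vendor with an empty tax id and a PO Box address is the kind of red-flag cluster that warrants pulling the invoices and the approver’s history.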
Example Model 2: Cyber Kill Chain
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
Data Theft via Web Intrusion Scenario
Intrusion Artifacts to Check for (listed roughly in kill-chain order):
 Check IDS / SIEM for scans
 Check IDS / SIEM for intrusion attempts
 Check web server log for malicious requests
 Check file access timeline for post-breach exploitation and malware installation
 Reverse engineer malware
 Check DNS resolution for data exfiltration attempts
 Check web proxy log for data exfiltration
(…and many many more)
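As an added example (not part of the original slides), the following script runs several of these artifact checks over constructed data and files each finding under the kill-chain phase it evidences: malicious requests in a web server access log (Apache combined format), files created in the web root after the first exploit request, and encoded DNS queries that look like exfiltration. All log lines, the field layouts of the DNS and timeline data, the request patterns and the DNS thresholds are assumptions; in practice the patterns would be tuned to the application and the thresholds baselined against normal traffic.

```python
"""Kill-chain-guided artifact checks for the data-theft-via-web-intrusion scenario.

Added example, not from the original slides. Every log line, the DNS and timeline
field layouts, the request patterns and the thresholds are constructed assumptions.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed web server access log (Apache combined format). 203.0.113.7 is the attacker.
WEB_LOG = """\
203.0.113.7 - - [19/Nov/2016:09:58:01 +0800] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2016:09:58:02 +0800] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2016:10:01:15 +0800] "GET /product?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2016:10:03:40 +0800] "POST /upload.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2016:10:04:02 +0800] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Nov/2016:10:05:00 +0800] "GET /index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""
# Constructed DNS query log, "timestamp client qname"; the long hex labels carry exfiltrated data.
DNS_LOG = """\
2016-11-19T10:06:01 10.0.0.5 www.example.com
2016-11-19T10:06:05 10.0.0.5 4e6f76656d626572313974682e637573746f6d65722e6373.t1.exfil-test.invalid
2016-11-19T10:06:06 10.0.0.5 4a616e6520446f65203432303030302e2e2e.t2.exfil-test.invalid
2016-11-19T10:06:07 10.0.0.5 526f62204c6f77653a2034313233313233.t3.exfil-test.invalid
2016-11-19T10:06:09 10.0.0.5 mail.example.com
"""
# Constructed web-root file timeline, "creation-timestamp path".
FS_TIMELINE = """\
2016-11-19T09:00:00 /var/www/html/index.html
2016-11-19T10:03:41 /var/www/html/uploads/img.php
2016-11-19T10:04:30 /var/www/html/.cache/update.so
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Request patterns, checked in this order, with the kill-chain phase each one evidences (assumption).
SUSPICIOUS = [
    ("sqli", re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select""", re.I), "Exploit"),
    ("webshell", re.compile(r"\.php\?(cmd|exec|shell)=", re.I), "C2"),
    ("upload", re.compile(r"^/upload", re.I), "Deliver"),
    ("recon", re.compile(r"^/(admin|robots\.txt|\.git|phpmyadmin)", re.I), "Recon"),
]


def check_web_log(log):
    """Return (phase, timestamp, ip, decoded path, tag) for each suspicious request."""
    hits = []
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])          # decode %27 etc. before pattern matching
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        for tag, rx, phase in SUSPICIOUS:
            if rx.search(path):
                hits.append((phase, ts, m["ip"], path, tag))
                break
    return hits


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than ordinary hostname labels."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def check_dns_log(log, min_label_len=30, min_entropy=2.8, min_queries=3):
    """Parent domains receiving several queries whose leftmost label is long and high-entropy."""
    per_domain = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname = line.split()
        labels = qname.split(".")
        if len(labels[0]) >= min_label_len and shannon_entropy(labels[0]) >= min_entropy:
            per_domain[".".join(labels[-2:])].append((ts, client, qname))
    return {d: q for d, q in per_domain.items() if len(q) >= min_queries}


def post_breach_files(timeline, first_exploit):
    """Files created in the web root after the first exploit request: Install-phase candidates."""
    return [path for ts, path in (l.split() for l in timeline.splitlines())
            if datetime.fromisoformat(ts) > first_exploit]


def kill_chain_report():
    """Group every finding from the three sources under the kill-chain phase it evidences."""
    report = defaultdict(list)
    web_hits = check_web_log(WEB_LOG)
    for phase, ts, ip, path, tag in web_hits:
        report[phase].append(f"{ts.isoformat()} {ip} {tag}: {path}")
    exploits = [ts for phase, ts, *_ in web_hits if phase == "Exploit"]
    if exploits:
        for path in post_breach_files(FS_TIMELINE, min(exploits)):
            report["Install"].append(f"file created after first exploit: {path}")
    for parent, queries in check_dns_log(DNS_LOG).items():
        report["Action"].append(f"possible DNS exfiltration to {parent}: {len(queries)} encoded queries")
    return dict(report)


if __name__ == "__main__":
    report = kill_chain_report()
    for phase in ("Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action"):
        print(phase, report.get(phase, ["no artifacts in these sources"]))
```

The phase with no artifacts (Weaponize) is the point of the model: the attacker builds the weapon off the victim’s network, so the investigator should not expect to find it in these logs and can spend the time on the phases that do leave traces. The first exploit timestamp also anchors the file timeline, so files created after it (the uploaded webshell, a shared object under a hidden directory) become the candidates to pull for malware reverse engineering.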
Summary
 Case Theory Approach
 Forensics is but one method out of many
(use the right method and right tool for the job!)
 In-Depth Domain Knowledge required
Thank You!
albert@securityronin.com
Security Ronin
Más contenido relacionado

La actualidad más candente

Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersAlbert Hui
 
Detecting Wire Fraud in Real-Time
Detecting Wire Fraud in Real-TimeDetecting Wire Fraud in Real-Time
Detecting Wire Fraud in Real-TimeLaurent Pacalin
 
SRIG Immediate Long-Term CONUS Opportunity
SRIG Immediate Long-Term CONUS OpportunitySRIG Immediate Long-Term CONUS Opportunity
SRIG Immediate Long-Term CONUS OpportunityCyberHive Foundation
 
Same day ach bec fraud detection prevention webinar 3 1-18
Same day ach bec fraud detection  prevention webinar 3 1-18 Same day ach bec fraud detection  prevention webinar 3 1-18
Same day ach bec fraud detection prevention webinar 3 1-18 Laurent Pacalin
 
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las VegasGet the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las VegasShawn Tuma
 
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)5 Reasons to Support Cybersecurity Information Sharing Act (CISA)
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)U.S. Chamber of Commerce
 
AML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarAML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarIdan Tohami
 
Target data breach case study
Target data breach case studyTarget data breach case study
Target data breach case studyAbhilash vijayan
 
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint   c0c0n 2017Empowering red and blue teams with osint   c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017reconvillage
 
Identity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmIdentity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmForgeRock
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachTeri Radichel
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowShantam Goel
 

La actualidad más candente (13)

Cyber Fraud - The New Frontiers
Cyber Fraud - The New FrontiersCyber Fraud - The New Frontiers
Cyber Fraud - The New Frontiers
 
Detecting Wire Fraud in Real-Time
Detecting Wire Fraud in Real-TimeDetecting Wire Fraud in Real-Time
Detecting Wire Fraud in Real-Time
 
SRIG Immediate Long-Term CONUS Opportunity
SRIG Immediate Long-Term CONUS OpportunitySRIG Immediate Long-Term CONUS Opportunity
SRIG Immediate Long-Term CONUS Opportunity
 
Same day ach bec fraud detection prevention webinar 3 1-18
Same day ach bec fraud detection  prevention webinar 3 1-18 Same day ach bec fraud detection  prevention webinar 3 1-18
Same day ach bec fraud detection prevention webinar 3 1-18
 
2020 NYS Shield Act Webinar
2020 NYS Shield Act Webinar2020 NYS Shield Act Webinar
2020 NYS Shield Act Webinar
 
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las VegasGet the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
 
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)5 Reasons to Support Cybersecurity Information Sharing Act (CISA)
5 Reasons to Support Cybersecurity Information Sharing Act (CISA)
 
AML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarAML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning Webinar
 
Target data breach case study
Target data breach case studyTarget data breach case study
Target data breach case study
 
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint   c0c0n 2017Empowering red and blue teams with osint   c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017
 
Identity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'EmIdentity Live Singapore: Just Ask 'Em
Identity Live Singapore: Just Ask 'Em
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To Know
 

Destacado

Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response TriageAlbert Hui
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Cyber Crime Investigation
Cyber Crime InvestigationCyber Crime Investigation
Cyber Crime InvestigationHarshita Ved
 
Internet Librarian International #ili2016 Phil's Faves
Internet Librarian International #ili2016 Phil's FavesInternet Librarian International #ili2016 Phil's Faves
Internet Librarian International #ili2016 Phil's FavesPhil Bradley
 
Incident Response Swimlanes
Incident Response SwimlanesIncident Response Swimlanes
Incident Response SwimlanesDaniel P Wallace
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityBen Liu
 
Cybercrime presentation
Cybercrime presentationCybercrime presentation
Cybercrime presentationRajat Jain
 

Destacado (8)

Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber Crime
 
Cyber Crime Investigation
Cyber Crime InvestigationCyber Crime Investigation
Cyber Crime Investigation
 
Internet Librarian International #ili2016 Phil's Faves
Internet Librarian International #ili2016 Phil's FavesInternet Librarian International #ili2016 Phil's Faves
Internet Librarian International #ili2016 Phil's Faves
 
Incident Response Swimlanes
Incident Response SwimlanesIncident Response Swimlanes
Incident Response Swimlanes
 
Cybercrime investigation
Cybercrime investigationCybercrime investigation
Cybercrime investigation
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Cybercrime presentation
Cybercrime presentationCybercrime presentation
Cybercrime presentation
 

Similar a The Practice of Cyber Crime Investigations

Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Albert Hui
 
Krupin kirill (fraud) research proposal
Krupin kirill (fraud) research proposalKrupin kirill (fraud) research proposal
Krupin kirill (fraud) research proposalKirill Krupin
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudGoutama Bachtiar
 
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron ShrabergCODE BLUE
 
Lgp Asia Enforcement Leave Behind Sept 09
Lgp Asia Enforcement Leave Behind Sept 09Lgp Asia Enforcement Leave Behind Sept 09
Lgp Asia Enforcement Leave Behind Sept 09Eddie Kelly
 
Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and DesignAlbert Hui
 
Hydra AML - Game changing AML platform - Pitch - November 2016
Hydra AML - Game changing AML platform - Pitch - November 2016Hydra AML - Game changing AML platform - Pitch - November 2016
Hydra AML - Game changing AML platform - Pitch - November 2016hydraaml
 
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...REVULN
 
Ict forensics and audit bb
Ict forensics and  audit bbIct forensics and  audit bb
Ict forensics and audit bbmarukanda
 
The effectiveness of policing cybercrime
The effectiveness of policing cybercrimeThe effectiveness of policing cybercrime
The effectiveness of policing cybercrimeRoel Palmaers
 
SplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunk
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trendsSsendiSamuel
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalPriyanka Aash
 
Insider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsInsider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsButlerRubin
 
Webinar: 10 steps you can take to protect your business from phishing attacks
Webinar: 10 steps you can take to protect your business from phishing attacksWebinar: 10 steps you can take to protect your business from phishing attacks
Webinar: 10 steps you can take to protect your business from phishing attacksCyren, Inc
 
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...DATA SECURITY SOLUTIONS
 
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docx
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docxAssignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docx
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docxcarlibradley31429
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...Dana Gardner
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Entersoft Security
 

Similar a The Practice of Cyber Crime Investigations (20)

Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
 
Krupin kirill (fraud) research proposal
Krupin kirill (fraud) research proposalKrupin kirill (fraud) research proposal
Krupin kirill (fraud) research proposal
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and Fraud
 
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg
 
Lgp Asia Enforcement Leave Behind Sept 09
Lgp Asia Enforcement Leave Behind Sept 09Lgp Asia Enforcement Leave Behind Sept 09
Lgp Asia Enforcement Leave Behind Sept 09
 
Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and Design
 
Ipctoolkit shared by absoluteproducers
Ipctoolkit shared by absoluteproducersIpctoolkit shared by absoluteproducers
Ipctoolkit shared by absoluteproducers
 
Hydra AML - Game changing AML platform - Pitch - November 2016
Hydra AML - Game changing AML platform - Pitch - November 2016Hydra AML - Game changing AML platform - Pitch - November 2016
Hydra AML - Game changing AML platform - Pitch - November 2016
 
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
 
Ict forensics and audit bb
Ict forensics and  audit bbIct forensics and  audit bb
Ict forensics and audit bb
 
The effectiveness of policing cybercrime
The effectiveness of policing cybercrimeThe effectiveness of policing cybercrime
The effectiveness of policing cybercrime
 
SplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud Detection
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trends
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
Insider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsInsider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and Contractors
 
Webinar: 10 steps you can take to protect your business from phishing attacks
Webinar: 10 steps you can take to protect your business from phishing attacksWebinar: 10 steps you can take to protect your business from phishing attacks
Webinar: 10 steps you can take to protect your business from phishing attacks
 
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...
Proactive security: The Opensource Security Testing Methodology Manual (OSSTM...
 
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docx
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docxAssignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docx
Assignment 1 ) -----  Portfolio AssignmentsPrefaceListed.docx
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018
 

Más de Albert Hui

Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationAlbert Hui
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerAlbert Hui
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber eraAlbert Hui
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassAlbert Hui
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateAlbert Hui
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?Albert Hui
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemAlbert Hui
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 

Más de Albert Hui (8)

Laying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident InvestigationLaying the Corporate Groundwork for Effective Incident Investigation
Laying the Corporate Groundwork for Effective Incident Investigation
 
Detecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an AttackerDetecting Threats - How to Think Like an Attacker
Detecting Threats - How to Think Like an Attacker
 
(Mis)trust in the cyber era
(Mis)trust in the cyber era(Mis)trust in the cyber era
(Mis)trust in the cyber era
 
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation BypassUniversal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
 
Cyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the CorporateCyber Security: Challenges and Solutions for the Corporate
Cyber Security: Challenges and Solutions for the Corporate
 
The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?The Aftermath: You Have Been Attacked! So what's next?
The Aftermath: You Have Been Attacked! So what's next?
 
Insights into the Cybercrime Ecosystem
Insights into the Cybercrime EcosystemInsights into the Cybercrime Ecosystem
Insights into the Cybercrime Ecosystem
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 

Último

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Último (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Practice of Cyber Crime Investigations

Investigation Methodology
Copyright © 2016 Albert Hui 7

Methodology
Copyright © 2016 Albert Hui 8
“You know my method. It is founded upon the observation of trifles.” Sherlock Holmes

Locard’s Exchange Principle
Copyright © 2016 Albert Hui 9
“Every contact leaves a trace.” Edmond Locard

Red Flags Lead to Smoking Gun
Copyright © 2016 Albert Hui 10

Case Theory Approach
Copyright © 2016 Albert Hui 11
Gather & Analyze all relevant facts
Construct Hypotheses based on knowledge of Hacking Operations, Crime Modus Operandi, Fraud Scheme Mechanics, etc.
Test Hypotheses via Forensic Examination, Data Analysis, Document Review, etc.
Revise & Refine

Example Model 1: Occupational Fraud Schemes
Copyright © 2016 Albert Hui 12
http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2016/fraud-tree.pdf
Billing Scheme red flags to test for:
 Vendor profiles
   Incomplete profile
   Non-business address
 Payments
   Duplicate payments
   To unauthorized vendors
   Without matching POs or invoices
   Small amounts just below the approval limit
   Unusually short turn-around time
   Excessive purchase of particular items
   Excessive purchase from particular vendors
 Received goods or services
   Inventory missing purchased goods
   Unusual non-goods purchases
   Unusual shipment destinations
(...and many many more)
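The billing-scheme red flags above are the hypotheses that the Case Theory Approach tests at its “Data Analysis” step. The following is an added example, not code from the deck or from the ACFE fraud tree: it runs those tests over a constructed vendor master, purchase-order list and payment export. The record layout, the 5,000 approval limit, the 5% near-limit band, the 3-day turnaround threshold and every sample value are assumptions made for illustration; a real ERP export needs its own field mapping.

```python
"""Billing-scheme red-flag tests over a constructed payment export.

Added example, not from the deck or the ACFE fraud tree. Record layout,
thresholds and every sample value below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00     # assumed single-approver limit
NEAR_LIMIT_BAND = 0.05       # flag amounts within 5% below the limit
MIN_TURNAROUND_DAYS = 3      # invoice-to-payment faster than this is unusual

# Constructed vendor master: id -> profile fields
VENDORS = {
    "V100": {"name": "Acme Supplies Ltd", "address": "12 Harbour Rd, Wan Chai",
             "tax_id": "HK-1234", "approved": True},
    "V200": {"name": "Quick Consulting", "address": "P.O. Box 889, Central",
             "tax_id": "", "approved": True},
    "V300": {"name": "Delta Services", "address": "3 Ice House St",
             "tax_id": "HK-9876", "approved": False},
}

# Constructed purchase orders: po number -> (vendor id, amount)
PURCHASE_ORDERS = {"PO-1": ("V100", 1200.00), "PO-2": ("V100", 4500.00)}

# Constructed payment export (one entry per payment run)
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-1", "po": "PO-1", "amount": 1200.00,
     "invoiced": date(2016, 9, 1), "paid": date(2016, 9, 20)},
    {"id": "P2", "vendor": "V100", "invoice": "INV-1", "po": "PO-1", "amount": 1200.00,
     "invoiced": date(2016, 9, 1), "paid": date(2016, 10, 5)},    # same invoice paid twice
    {"id": "P3", "vendor": "V200", "invoice": "INV-7", "po": None, "amount": 4900.00,
     "invoiced": date(2016, 10, 3), "paid": date(2016, 10, 4)},   # no PO, near limit, next-day
    {"id": "P4", "vendor": "V300", "invoice": "INV-9", "po": None, "amount": 300.00,
     "invoiced": date(2016, 10, 1), "paid": date(2016, 10, 15)},  # vendor not approved
    {"id": "P5", "vendor": "V100", "invoice": "INV-2", "po": "PO-2", "amount": 4500.00,
     "invoiced": date(2016, 10, 1), "paid": date(2016, 10, 12)},  # clean control case
]


def duplicate_payments(payments):
    """Group payment ids by (vendor, invoice); any group larger than one is a duplicate."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"])].append(p["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def red_flags(payments, vendors, purchase_orders):
    """Return {payment id: [red flag, ...]} for every payment that trips at least one test."""
    flags = defaultdict(list)
    # The first payment of an invoice is taken as legitimate; later ones are flagged.
    for ids in duplicate_payments(payments).values():
        for pid in ids[1:]:
            flags[pid].append("duplicate payment")
    for p in payments:
        pid, vendor = p["id"], vendors.get(p["vendor"])
        if vendor is None or not vendor["approved"]:
            flags[pid].append("unauthorized vendor")
        else:
            if not vendor["tax_id"]:
                flags[pid].append("incomplete vendor profile")
            if "p.o. box" in vendor["address"].lower():
                flags[pid].append("non-business address")
        po = purchase_orders.get(p["po"]) if p["po"] else None
        if po is None or po[0] != p["vendor"] or abs(po[1] - p["amount"]) > 0.005:
            flags[pid].append("no matching PO")
        if APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND) <= p["amount"] < APPROVAL_LIMIT:
            flags[pid].append("just below approval limit")
        if (p["paid"] - p["invoiced"]).days < MIN_TURNAROUND_DAYS:
            flags[pid].append("unusually short turnaround")
    return dict(flags)


def vendor_concentration(payments, max_share=0.5):
    """Vendors receiving more than max_share of total spend (excessive purchases from one vendor)."""
    total = sum(p["amount"] for p in payments)
    spend = defaultdict(float)
    for p in payments:
        spend[p["vendor"]] += p["amount"]
    return {v: round(amt / total, 3) for v, amt in spend.items() if amt / total > max_share}


if __name__ == "__main__":
    for pid, reasons in sorted(red_flags(PAYMENTS, VENDORS, PURCHASE_ORDERS).items()):
        print(pid, "->", ", ".join(reasons))
    print("vendor concentration:", vendor_concentration(PAYMENTS))
```

Each flag on its own is weak evidence; the point of the case theory loop is that a payment tripping several tests at once (P3 above) becomes the lead worth pursuing through document review and interviews, while the thresholds are revised as the picture firms up.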
Example Model 2: Cyber Kill Chain
Copyright © 2016 Albert Hui 13
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action

Data Theft via Web Intrusion Scenario
Copyright © 2016 Albert Hui 14
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
Intrusion Artifacts to Check for:
 Check IDS / SIEM for scans
 Check IDS / SIEM for intrusion attempts
 Check web server log for malicious requests
 Check file access timeline for post-breach exploitation and malware installation
 Reverse engineer malware
 Check DNS resolution for data exfiltration attempts
 Check web proxy log for data exfiltration
(…and many many more)
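The artifact checklist for the web-intrusion scenario maps log sources onto kill-chain stages. Below is an added example, not code from the deck: it runs the log-based checks from that list over constructed web server, DNS and proxy log samples and tags each finding with the stage it evidences. The log formats, thresholds, scanner user-agent list, the “last three labels are the zone” rule and all sample lines are assumptions; the file-timeline and malware reverse-engineering items on the slide are out of scope for a log script.

```python
"""Kill-chain-oriented artifact checks over constructed log samples.

Added example, not from the deck. Log formats, thresholds and every sample
line are constructed assumptions; real logs need their own parsers.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed combined-format web server log (assumed layout)
WEB_LOG = """\
203.0.113.5 - - [19/Nov/2016:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2016:10:00:02 +0800] "GET /admin/ HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
203.0.113.5 - - [19/Nov/2016:10:00:03 +0800] "GET /backup/ HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
203.0.113.5 - - [19/Nov/2016:10:04:10 +0800] "GET /download.php?file=../../../../app/config.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2016:10:05:00 +0800] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Constructed DNS query log: time client qname
DNS_LOG = """\
10:10:01 10.0.0.23 www.example.com
10:10:02 10.0.0.23 3f9a1c77e2b04d5e8a6f1b2c3d4e5f60.t.example.net
10:10:03 10.0.0.23 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.t.example.net
10:10:04 10.0.0.23 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.example.net
10:10:05 10.0.0.23 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net
10:10:06 10.0.0.23 5e6f708192a3b4c5d6e7f8091a2b3c4d.t.example.net
10:10:07 10.0.0.24 mail.example.com
"""

# Constructed web proxy log: time client method url bytes_out
PROXY_LOG = """\
10:20:00 10.0.0.23 POST https://files.example.org/upload 52428800
10:21:00 10.0.0.24 GET https://news.example.com/ 1200
10:22:00 10.0.0.23 POST https://intranet.example.com/form 2048
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan", re.I)   # assumed scanner fingerprints
TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f)", re.I)              # directory traversal markers


def parse_web(log):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in (WEB_RE.match(line) for line in log.splitlines()) if m]


def recon_sources(entries, min_404=2):
    """Recon stage: sources using a scanner user-agent or producing a burst of 404s."""
    not_found = Counter(e["ip"] for e in entries if e["status"] == "404")
    by_ua = {e["ip"] for e in entries if SCANNER_UA.search(e["ua"])}
    return sorted(by_ua | {ip for ip, n in not_found.items() if n >= min_404})


def exploit_requests(entries):
    """Exploit stage: requests carrying traversal markers, with the status the server returned."""
    return [(e["ip"], e["path"], e["status"]) for e in entries if TRAVERSAL.search(e["path"])]


def label_entropy(label):
    """Shannon entropy in bits of the characters in one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def dns_exfil_candidates(log, min_unique=5, min_label_len=24, min_entropy=3.0):
    """C2 stage: one client resolving many long, high-entropy labels under a single zone."""
    per_zone = defaultdict(set)
    for line in log.splitlines():
        _, client, qname = line.split()
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-3:])   # assumption: last three labels identify the zone
        first = labels[0]
        if len(first) >= min_label_len and label_entropy(first) > min_entropy:
            per_zone[(client, zone)].add(first)
    return {key: len(names) for key, names in per_zone.items() if len(names) >= min_unique}


def proxy_exfil(log, min_bytes=10 * 1024 * 1024):
    """Action stage: large outbound uploads (POST bodies above min_bytes)."""
    hits = []
    for line in log.splitlines():
        _, client, method, url, size = line.split()
        if method == "POST" and int(size) >= min_bytes:
            hits.append((client, url, int(size)))
    return hits


def kill_chain_report():
    """Collect findings keyed by the kill-chain stage each log source evidences."""
    entries = parse_web(WEB_LOG)
    return {"Recon": recon_sources(entries), "Exploit": exploit_requests(entries),
            "C2": dns_exfil_candidates(DNS_LOG), "Action": proxy_exfil(PROXY_LOG)}


if __name__ == "__main__":
    for stage, findings in kill_chain_report().items():
        print(f"{stage}: {findings}")
```

The report is a starting hypothesis, not a conclusion: a Recon source that later appears in an Exploit finding, and an internal host that appears in both the C2 and Action findings, are the links that justify pulling the file access timeline and any recovered binaries for the Install stage.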
Summary
Copyright © 2016 Albert Hui 15
 Case Theory Approach
 Forensics is but one method out of many (use the right method and right tool for the job!)
 In-Depth Domain Knowledge required