Confidential
Patrick Knight
Sr. Dir. Cyber Strategy and
Product Management
Counterforensics: How Insiders Evade Forensics & How to Reveal Their Hidden Tracks
What is Counterforensics?
• aka Anti-Forensics
• Derived from Counterintelligence: “activities designed to prevent or thwart spying, intelligence gathering, and sabotage by an enemy or other foreign entity.”
• Counterforensics: “activities designed to prevent or thwart forensics investigations through data destruction, data and activity concealment, deception or sabotage.”
Counterforensics Tactics
• Hiding/concealing activities
• Deception
• Destroying evidence
• Sabotage
Hiding/Concealing Activities and Data
• Steganography
• Utilize common file formats/channels – hide in plain sight
• File concatenation
• File/data encryption
• Encrypted comms channels
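File concatenation is the cheapest of the tactics above: an image viewer stops at the image's end marker, so anything glued on after it (copy /b image.jpg + secret.zip out.jpg) travels unnoticed while the file still opens as a picture. The check below is an added example, not code from the presentation: it walks a JPEG's marker segments or a PNG's chunks to the real end marker and reports any bytes that follow, guessing their type from a small magic-number table. The minimal JPEG/PNG bytes and the appended ZIP/PDF fragments are constructed here, and the magic table is an assumed starting set.

```python
"""Find data appended after an image's real end marker (file concatenation).

Added example, not code from the presentation. The sample image bytes below are
constructed here: a minimal JPEG and PNG with a ZIP and a PDF glued on the end.
"""
import zlib

# Magic numbers used to name whatever was appended (assumed set, extend as needed).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}


def jpeg_end(data: bytes):
    """Walk JPEG marker segments and return the offset just past the EOI marker.

    Entropy-coded data after SOS is skipped byte by byte: inside it, 0xFF is only
    ever followed by 0x00 (stuffing) or an RSTn marker (0xD0..0xD7).
    """
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: not at a marker
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers (TEM, RSTn, SOI)
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes itself
        if marker == 0xDA:                   # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def png_end(data: bytes):
    """Walk PNG chunks and return the offset just past the IEND chunk's CRC."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return None
    pos = 8
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                   # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_payload(data: bytes):
    """Return (bytes_after_end_marker, guessed_type); (0, None) when nothing follows."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    if end is None or end >= len(data):
        return 0, None
    tail = data[end:]
    kind = next((name for magic, name in MAGIC.items() if tail.startswith(magic)), "unknown")
    return len(tail), kind


# --- constructed samples (not real files) ---------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")


MINI_JPEG = (
    b"\xff\xd8"                                                     # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"               # APP0 (JFIF)
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"   # SOS header
    + b"\x12\xff\x00\x34\xff\xd0\x56"                               # scan data: stuffing + RST0
    + b"\xff\xd9"                                                   # EOI
)
MINI_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x00\x00\x00\x00")
    + _png_chunk(b"IEND", b"")
)
APPENDED_ZIP = b"PK\x03\x04" + bytes(40)                            # zip local-file header + padding
APPENDED_PDF = b"%PDF-1.4\n%stub\n"

if __name__ == "__main__":
    for name, blob in [("clean jpeg", MINI_JPEG), ("jpeg+zip", MINI_JPEG + APPENDED_ZIP),
                       ("clean png", MINI_PNG), ("png+pdf", MINI_PNG + APPENDED_PDF)]:
        print(name, trailing_payload(blob))
```

Walking the structure matters more than searching for the last FF D9 or IEND: an appended file may itself be an image and carry its own end marker, and a naive search would then report a clean file.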
Why Steganography?
• Video and image files typically are large enough to carry additional data (e.g. messages, files)
• A casual viewer will never know the message/data is present
• Can transport encrypted messages/data
• The intended recipient can be difficult to identify
• Anti-virus and endpoint security typically do not scan for hidden messages
Concealed message in ICMP
# ping -p feedfacedeadbeef Dest-B
# tcpdump -i eth0 host Dest-B -X
21:03:32.601102 IP Source-A > Dest-B: icmp 64: echo request seq 56
0x0000: 4500 0054 0038 4000 4001 6e1c 4655 1fe9 E..T.8@.@.n.FU..
0x0010: 4655 1fc2 0800 8120 5006 0038 e414 9942 FU......P..8...B
0x0020: 142a 0900 feed face dead beef feed face .*..............
0x0030: dead beef feed face dead beef feed face ................
0x0040: dead beef feed face dead beef feed face ................
0x0050: dead ..
• ping -p fills the echo payload with the given hex pattern (up to 16 pad bytes, repeated); in the dump it starts at offset 0x24, after the 8-byte timestamp that Linux ping writes at the front of the data
• IPv4 maximum datagram 65535 bytes, minus the 20-byte IP header and the 8-byte ICMP header, leaves up to 65507 bytes of message per echo request
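The same packet can be checked from the defender's side. The script below is an added example, not code from the presentation: it rebuilds the bytes from a tcpdump -X dump (the slide's own dump is embedded), pulls out the ICMP echo data, and compares the fill with the stock Linux ping pattern; anything else is reported together with its repeating unit, which for this packet comes back as feedfacedeadbeef. It also notices that the dump on the slide shows 82 of the 84 bytes the IP header declares. The stock-pattern rule assumes Linux iputils ping; other implementations use different fills (Windows ping sends abcdefghijklmnopqrstuvwabcdefghi).

```python
"""Pull the ICMP echo payload out of a tcpdump hex dump and flag a non-stock fill pattern.

Added example, not code from the presentation. SLIDE_HEXDUMP is the packet printed on
the slide; the stock-pattern rule is for Linux iputils ping and is an assumption for
other ping implementations.
"""
import re

SLIDE_HEXDUMP = """\
0x0000: 4500 0054 0038 4000 4001 6e1c 4655 1fe9 E..T.8@.@.n.FU..
0x0010: 4655 1fc2 0800 8120 5006 0038 e414 9942 FU......P..8...B
0x0020: 142a 0900 feed face dead beef feed face .*..............
0x0030: dead beef feed face dead beef feed face ................
0x0040: dead beef feed face dead beef feed face ................
0x0050: dead ..
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw bytes from `tcpdump -X` lines ("0x0010: 4655 1fc2 ... FU......")."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue
        line_bytes = bytearray()
        for tok in tokens[1:]:
            # tcpdump prints at most 16 bytes per line; the first non-hex token (or
            # anything past 16 bytes) is the ASCII column, not data.
            if len(line_bytes) >= 16 or not HEX_WORD.match(tok):
                break
            line_bytes += bytes.fromhex(tok)
        raw += line_bytes
    return bytes(raw)


def icmp_echo(pkt: bytes):
    """Return (declared IP length, ICMP type, echo data) or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                               # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] not in (0, 8):    # echo reply / echo request
        return None
    return int.from_bytes(pkt[2:4], "big"), icmp[0], icmp[8:]


def stock_linux_pattern(data: bytes) -> bool:
    """iputils ping without -p fills data[i] = i after the 8-byte timestamp
    (08 09 0a ... 37 for the default 56-byte payload)."""
    return all(data[i] == (i & 0xFF) for i in range(8, len(data)))


def repeating_unit(data: bytes) -> bytes:
    """Smallest period of the bytes, which recovers the `ping -p` pad pattern."""
    for period in range(1, len(data) // 2 + 1):
        if all(data[i] == data[i - period] for i in range(period, len(data))):
            return data[:period]
    return data


def analyse(dump: str) -> dict:
    pkt = parse_tcpdump_hex(dump)
    parsed = icmp_echo(pkt)
    if parsed is None:
        return {"icmp_echo": False}
    declared, icmp_type, data = parsed
    custom = not stock_linux_pattern(data)
    return {
        "icmp_echo": True,
        "type": icmp_type,
        "declared_len": declared,
        "captured_len": len(pkt),
        "truncated": len(pkt) < declared,         # the slide shows 82 of 84 bytes
        "custom_pattern": custom,
        # skip the timestamp (first 8 data bytes) when recovering the pad pattern
        "pattern_hex": repeating_unit(data[8:]).hex() if custom else "",
    }


if __name__ == "__main__":
    for key, value in analyse(SLIDE_HEXDUMP).items():
        print(f"{key}: {value}")
```

A non-stock fill is only a lead, not proof: some monitoring tools and ping wrappers set their own pattern, so the rule belongs in an enrichment or hunting query rather than a blocking control.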
Hiding Activities in Plain Sight
• Google Chrome extension - Netflix Hangouts
• Watch Netflix at work, while appearing to be on a conference call
Hiding/Concealing Activities and Data: Encryption
• Use of non-sanctioned encryption tools to encrypt files and data
• Use encryption tools to obscure communications
• Tor Browser or Tor proxy
• Command line tools: OpenSSL, cryptcat
Destroying Evidence
• Deleting files
• Deleting records
• Overwrite/wipe files
• Overwrite/wipe selective records/data
• Overwrite/wipe entire disks/external media
Deceptive Tactics
• Alter timestamps/timelines
• Alter logs or other data
• Obfuscation of data, URLs, commands, etc.
  C:\>cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e
  (each cmd.exe that parses the line consumes one layer of caret escapes: the prompt turns ^^ into ^, the child cmd.exe started by /c strips the remaining carets and runs calc.exe, so a string match for calc.exe against the logged cmd.exe command line misses it)
• Stolen credential use
Destroying Evidence
• Deleting data
• Deleting browser history, or browsing in incognito/private mode so that little history is written in the first place
• Disk and data wiping
Deleting Alone May Not Destroy the Data
• Filesystems usually free the location of a deleted file, but do not overwrite/destroy its contents; the blocks stay readable until they are reused
• Email servers typically free the location of a deleted email, but do not overwrite/destroy it
• Secure deletion can include:
  • Overwriting/wiping one or more times
  • Defragmenting (this only relocates data, so the space it frees still has to be wiped)
  • Overwriting/wiping all free and slack space
• Even overwriting is best effort: SSD wear levelling can leave the old cells untouched, and copy-on-write filesystems, snapshots and journals can keep earlier versions of the blocks
• Webmail and SaaS products are typically under the control of the service provider, so a user's "delete" removes only their view; provider-side copies and backups remain
Data Wiping Tools
• SDelete (Sysinternals)
• KillDisk
• BCWipe
• Darik’s Boot and Nuke (DBAN)
• Format.exe (built-in Windows tool; a full format zero-fills the volume and /P:n adds n overwrite passes)
• Secure Eraser
• hundreds more…
Sabotage
• Denial of Service (DoS)
• Intentional malware/ransomware infection
• Logic/time bombs
What can you do?
• Visibility into activities when they happen
• Full crime scene playback
• Alert on suspicious activities:
  • malicious application use
  • suspect website access
  • Tor Browser activity
What can you do?
• Block access to unwanted sites and network applications
• Inventory sanctioned tools - know what is allowed and by whom:
  • disk encryption
  • data deletion policies
  • cloud file storage
• Employee Monitoring & User Behavior Analytics tools
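Alerting on malicious application use only works if the matcher sees the command the way cmd.exe will run it. The added example below (not the presentation's code, nor any UAM or UEBA product's) first peels cmd.exe caret escapes the way each cmd.exe parse does, then matches the process image and the normalised command line against a small watch list built from the tools named on these slides (SDelete, cryptcat, Tor, OpenSSL enc, format /P). The watch list and the sample process-creation events are assumptions/constructed, except the first event, which is the slide's own caret example.

```python
"""Normalise cmd.exe caret obfuscation, then match the process image/command line
against a watch list of tools that should raise an alert on an ordinary workstation.

Added example, not code from the presentation or any UAM/UEBA product. The watch
list and the sample events are assumptions/constructed; SAMPLE_EVENTS[0] is the
slide's own caret example.
"""
import ntpath
import re

# Lowercase image basenames worth an alert (assumed list, extend for your estate).
WATCHED_IMAGES = {"sdelete.exe", "sdelete64.exe", "cryptcat.exe", "tor.exe",
                  "killdisk.exe", "bcwipe.exe"}
# Patterns applied to the normalised command line.
WATCHED_CMD_PATTERNS = [
    (re.compile(r"\btor browser\\", re.I), "tor-browser-path"),
    (re.compile(r"\bopenssl(\.exe)?\s+enc\b", re.I), "openssl-enc"),
    (re.compile(r"\bformat(\.exe)?\s+\S+.*\s/p:\d+", re.I), "format-overwrite"),
]


def strip_carets(cmd: str) -> str:
    """One round of cmd.exe escape handling: outside double quotes a caret escapes
    the next character ('^^' -> '^', 'c^a' -> 'ca'); inside quotes it is literal."""
    out, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def normalise(cmd: str, max_rounds: int = 4) -> tuple[str, int]:
    """Peel caret layers until the string stops changing. Each cmd.exe that parses
    the line (the prompt, then the child started by /c) removes one layer, so the
    slide's doubly-escaped example needs two rounds."""
    rounds = 0
    while rounds < max_rounds:
        stripped = strip_carets(cmd)
        if stripped == cmd:
            break
        cmd, rounds = stripped, rounds + 1
    return cmd, rounds


def classify(image: str, cmdline: str) -> dict:
    """Return the normalised command line and the reasons (if any) to alert."""
    plain, rounds = normalise(cmdline)
    hits = []
    if rounds:
        hits.append(f"caret-obfuscation({rounds})")
    if ntpath.basename(image).lower() in WATCHED_IMAGES:
        hits.append("watched-image")
    # The watched tool may be launched through cmd.exe, so look in the command line too.
    for tok in plain.split():
        if ntpath.basename(tok.strip('"')).lower() in WATCHED_IMAGES:
            hits.append("watched-tool-in-cmdline")
            break
    for pattern, label in WATCHED_CMD_PATTERNS:
        if pattern.search(plain):
            hits.append(label)
    return {"image": image, "normalised": plain, "hits": hits, "alert": bool(hits)}


# Constructed process-creation events as (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", r"cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e"),
    ("C:\\Windows\\System32\\cmd.exe",
     r"cmd.exe /c s^d^e^l^e^t^e^.^e^x^e -p 3 C:\Users\j\export.xlsx"),
    ("C:\\Users\\j\\Desktop\\Tor Browser\\Browser\\firefox.exe",
     r'"C:\Users\j\Desktop\Tor Browser\Browser\firefox.exe"'),
    ("C:\\Windows\\System32\\cmd.exe", r'cmd.exe /c echo "keep ^ literal" > note.txt'),
    ("C:\\Program Files\\OpenSSL\\bin\\openssl.exe",
     r"openssl enc -aes-256-cbc -in export.xlsx -out export.dat"),
    ("C:\\Windows\\System32\\cmd.exe", r"cmd.exe /c dir C:\Users"),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        verdict = classify(image, cmdline)
        print("ALERT" if verdict["alert"] else "ok   ", verdict["normalised"], verdict["hits"])
```

Caret layers are themselves a signal: nobody types c^^a^^l^^c^^.^^e^^x^^e to open the calculator, so the first event alerts on the obfuscation alone even though calc.exe is harmless.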
User & Entity Behavioral Analytics (UEBA) & User Activity Monitoring (UAM)
Seeing Exactly What Happened (UAM): Video Playback
• Time-Capsule DVR video review
• See all onscreen actions
• Play it back like your DVR
• Export as BMP, JPG or AVI
The Global Leader
• Technology: 8 out of 10
• Financial: 7 out of 10
• Health: 6 out of 10
• Deployed in 110+ countries
• In 3,000+ enterprises & thousands of SMBs
• The Biggest & Best use Veriato
Thank You!
pknight@Veriato.com

Speaker notes

  1. With Veriato’s Cerebral: an end-to-end, integrated insider threat intelligence platform.
  2. Cerebral’s eyes-on-glass technology gives you immediate visibility, so you know exactly what’s going on. If the alert comes in at 9:35 am, security can immediately go back in time, cue up video of Joey’s screen from 30 minutes before the alert and watch everything he does. Is he just working on a big report, or is he encrypting the data and hiding it in a PowerPoint presentation? Do you give him a raise for working hard… or call HR and the police? Now you know exactly what to do within minutes!