CONFIDENTIAL – DO NOT REDISTRIBUTE – ©2017 NUIX
Cybersecurity – Prospects and challenges
Nuix - ITU Cyber Drill
Chisinau, Moldova - 21st November 2017
James Billingsley
Principal Solutions Consultant, Cybersecurity & Investigations: Nuix
• Decade of experience in the field of Computer Forensics
• Worked as Senior Breach Investigation Consultant - Security Investigation & Assessment team, leading PCI Forensic Investigations for clients including Visa and MasterCard.
• A Certified Administrator - worked as senior eDiscovery Consultant supporting data collections and legal reviews as part of enterprise-scale global investigations.
• A Certified Examiner - worked for a number of years as a senior Computer Forensics Investigator serving UK Police Forces and Government Agencies and providing expert witness testimony in UK Courts, completing over 100 cases.
• Co-authored software tools focusing on Internet Browser Forensics - used globally by a number of law enforcement agencies, international corporations and as part of SANS training courses.
• Speaker at industry events on behalf of Nuix on Forensic Investigations, Cyber Security, eDiscovery and Information Governance over the last 5 years in over 20 countries.
Prospects & Challenges
• Time taken to identify and respond to an attack
• Lack of comprehensive visibility
  • Lack of understanding of the environment and data sources
  • Lack of real-time data sources
• Skills gap
  • Complex technologies involved
  • Experience, education and development take time
• Expanding threat landscape through increased technology adoption
  • Internet of Things (IoT)
• Continuing challenge to parse and centralise all intelligence sources
Prospects & Challenges
Time taken to identify and respond to an attack
• Visibility is key
  • Data at rest - information governance and risk assessment
  • Data in motion - real-time data as events happen
Prospects & Challenges
Visibility of what is happening in real time is key
• Scanning for known threats is not enough
• What about the threats we haven't yet classified?
• We need to move to behavioral analysis and intervention
Prospects & Challenges
Regardless of motivation, the end goal for attackers is often the same:
• Observe and understand target(s)
• Gain limited control of a system
• Raise to full control of the system
• Harvest sensitive data
• Extract sensitive data
• Maintain full control of the system
The zero-day exploit, filenames, file locations and processes used to achieve these goals are not as important as the ACTIONS being carried out.
We don't protect our banks only by looking for known criminals…
• We collect and secure valuables in a vault
• We install security systems to monitor and audit the behaviours of any/all people interacting with the bank
• This allows for prevention and intervention in real time.
Prospects & Challenges
Skills gap
• Better programs and policies to facilitate intelligence sharing
• Improved use of technology to simplify complex analysis tasks
• Methods for integrating the knowledge of experienced analysts, to allow less skilled operators to target relevant findings more quickly
• Evolution of technology platforms to allow for easier access to project data and effective collaboration across the investigation team on a global scale
Prospects & Challenges
Continuing challenge to parse and centralise all intelligence sources
• Collate all available data/intelligence sources
• Effectively parse data sources, enabling meaningful analysis
• Better leverage technology to more efficiently correlate patterns and trends
• Feed intelligence back into the loop to ensure a growing intelligence database
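The two slides above (the attacker lifecycle of observe / limited control / full control / harvest / extract / maintain, and the call to parse and centralise every source so that behaviour, not a known hash or filename, can be correlated) are illustrated below with an added example. It is not Nuix code and not part of the deck: three constructed log excerpts (a Windows event export, a Linux auth log in syslog layout, a firewall connection log) are normalised into one event schema, each event is tagged with the lifecycle stage its behaviour matches, and hosts are reported by how far along the lifecycle they got. A hash-based indicator check on the same events is shown for contrast. The asset map, the hash feed, the sample data and the per-stage heuristics are all constructed for the example.

```python
"""Normalise three constructed log sources into one schema, then correlate on
attacker behaviour (lifecycle stages) rather than on known indicators.
Added example, not Nuix code; all data, the asset map, the IoC feed and the
rules are constructed for illustration."""
import re
from datetime import datetime
from typing import NamedTuple


class Event(NamedTuple):
    ts: str      # ISO-8601 string, so plain string sorting is chronological
    host: str
    user: str
    source: str  # feed or program the event came from
    detail: str  # free text retained for rule matching


# Constructed asset map: lets IP-keyed firewall rows join host-keyed logs.
ASSETS = {"10.0.0.12": "fs01", "10.0.0.77": "WS12"}

# Constructed Windows event export: time,host,event_id,user,detail
WIN_CSV = r"""2017-11-21T09:00:01,WS12,4624,jdoe,LogonType=10 Source=10.0.0.77
2017-11-21T09:00:40,WS12,1,jdoe,Image=C:\Users\jdoe\AppData\Local\Temp\svch0st.exe SHA256=0123456789abcdef0123456789abcdef
2017-11-21T09:02:15,WS12,4672,jdoe,SeDebugPrivilege assigned
2017-11-21T09:03:00,WS12,4698,SYSTEM,Scheduled task created: Updater
"""
# Constructed Linux auth log in syslog layout (no year in the timestamp)
AUTH_LOG = """Nov 21 09:04:00 fs01 sshd[2200]: Failed password for invalid user admin from 10.0.0.77 port 40001 ssh2
Nov 21 09:05:10 fs01 sshd[2211]: Accepted password for svc_backup from 10.0.0.77 port 51234 ssh2
Nov 21 09:05:50 fs01 sudo: svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/tar czf /tmp/x.tgz /srv/finance
"""
# Constructed firewall connection log as key=value pairs
FW_LOG = """ts=2017-11-21T09:07:30 src=10.0.0.12 dst=203.0.113.9 dport=443 bytes_out=734003200 action=allow
ts=2017-11-21T09:07:31 src=10.0.0.12 dst=203.0.113.9 dport=443 bytes_out=1200 action=allow
"""

SYSLOG = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
USER_IN_MSG = re.compile(r"for (?:invalid user )?(\S+)|^(\S+) :")


def parse_win_csv(text):
    events = []
    for line in text.splitlines():
        ts, host, eid, user, detail = line.split(",", 4)
        events.append(Event(ts, host, user, "win", f"EID={eid} {detail}"))
    return events


def parse_syslog(text, year=2017):
    """Syslog carries no year; the caller supplies it (a collector would)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        mon, day, hms, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").isoformat()
        um = USER_IN_MSG.search(msg)
        user = next((g for g in um.groups() if g), "-") if um else "-"
        events.append(Event(ts, host, user, prog, msg))
    return events


def parse_fw(text):
    events = []
    for line in text.splitlines():
        kv = dict(p.split("=", 1) for p in line.split())
        events.append(Event(kv["ts"], ASSETS.get(kv["src"], kv["src"]), "-", "fw", line))
    return events


def _field(e, key):
    m = re.search(rf"\b{key}=(\S+)", e.detail)
    return m.group(1) if m else ""


# Lifecycle stages in slide order, one illustrative heuristic each. The rules
# describe what was done, never which file, hash or exploit did it.
STAGES = ["observe", "limited control", "full control", "harvest", "extract", "maintain"]
RULES = [
    ("observe", lambda e: "Failed password" in e.detail or "EID=4625" in e.detail),
    ("limited control", lambda e: "Accepted password" in e.detail or "EID=4624" in e.detail),
    ("full control", lambda e: "USER=root" in e.detail or "EID=4672" in e.detail),
    ("harvest", lambda e: re.search(r"\b(tar czf|7z a|zip -r)\b", e.detail) is not None),
    ("extract", lambda e: e.source == "fw" and int(_field(e, "bytes_out") or 0) > 100_000_000
                          and not _field(e, "dst").startswith("10.")),
    ("maintain", lambda e: "EID=4698" in e.detail or "crontab" in e.detail),
]


def classify(events):
    """Tag every event with each lifecycle stage its behaviour matches."""
    return [(e, {s for s, rule in RULES if rule(e)}) for e in sorted(events)]


def behaviour_report(events, min_stages=3):
    """Per host, the distinct stages reached, in lifecycle order; a host that
    hits min_stages distinct stages is reported whatever tooling got it there."""
    seen = {}
    for e, stages in classify(events):
        seen.setdefault(e.host, set()).update(stages)
    return {h: [s for s in STAGES if s in st]
            for h, st in seen.items() if len(st) >= min_stages}


KNOWN_BAD_SHA256 = {"deadbeefdeadbeefdeadbeefdeadbeef"}  # constructed IoC feed


def ioc_hits(events):
    """Indicator matching for contrast: fires only on a hash already known."""
    hits = []
    for e in events:
        m = re.search(r"SHA256=([0-9a-f]+)", e.detail)
        if m and m.group(1) in KNOWN_BAD_SHA256:
            hits.append(e)
    return hits


def load_all():
    return parse_win_csv(WIN_CSV) + parse_syslog(AUTH_LOG) + parse_fw(FW_LOG)


if __name__ == "__main__":
    evts = load_all()
    print("IoC hits:", len(ioc_hits(evts)))  # 0: the dropper's hash is not in the feed
    for host, stages in behaviour_report(evts).items():
        print(host, "->", " > ".join(stages))
```

Run stand-alone, the indicator check finds nothing (the renamed dropper has a hash no feed has seen), while the behaviour report shows fs01 reaching observe, limited control, full control, harvest and extract, and WS12 reaching limited control, full control and maintain. The point of the asset map is the centralisation step: without joining the firewall's source IP back to the host name, the exfiltration would sit in its own silo and never be correlated with the logon and the archive command on fs01.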
Analyst A uses a CLI to grep through logs.
Analyst B uses a sandbox to examine malware.
Analyst C uses Wireshark to examine network traffic.
All of this is done in silos! We miss the bigger picture!
Throw the net wide - File Support
EMAIL & LOOSE FILES
Microsoft:
• EDB, STM, EWS (Microsoft Exchange)
• PST, OST (Microsoft Outlook storage files)
• MSG (Microsoft Outlook single mail files)
Lotus:
• NSF (Lotus Notes / Domino)
Other:
• DBX (Microsoft Outlook Express), MBOX, MBX
• EML, EMLX, BOX, SML
• Webmail - HTML scraped from browser cache
• Browser history, cache, bookmarks and downloads
Document Types:
• HTML, Plain text, RTF, PDF
• DOCX, DOC, DOT (Microsoft Word)
• XLSX, XLS, XLT (Microsoft Excel)
• PPTX, PPT, POT, PPS (Microsoft PowerPoint)
• WKS, XLR (Microsoft Works spreadsheets)
Image Types:
• PNG, JPEG, JP2, TIFF, GIF, BMP, PBM, PPM, PGM, RAW, WBMP, WMF, WMZ, EMF, EMZ
INCIDENT RESPONSE
Forensic Image Files:
• Nuix logical images
• EnCase images (E01, L01)
• AccessData (AD1)
• Linux DD files
• Mobile images (Cellebrite / XRY / Oxygen)
Log Files:
• Windows Event Logs (EVT/EVTX)
• Web logs (IIS, Apache)
• Firewall & FTP logs
• Logstash output
• CSV/TSV, syslog, setupAPI
Network Captures:
• PCAP packet parsing & TCP/UDP stream building
System Files:
• EXE/DLLs
• LNK, Prefetch & Jump List files
• Windows Registry hives, including decoding
File System Artefacts:
• $LogFile, $UsnJrnl, Object ID
• Apple property lists
• Carving from unallocated space & file slack
• Recycle Bin & Volume Shadow Copy
Fuzzy Hashing: ssdeep
MISCELLANEOUS
Structured Data:
• MS SQL (live; MDF/LDF files are text stripped)
• SQLite
Browser & Cloud Artifacts:
• IE, Safari, Chrome, Firefox
• Dropbox, AWS
Container Files:
• ZIP, RAR, LZH, LHA, ARC, TAR, GZ, BZ2, ISO
Virtual Machine Images:
• VDK, VMDK (virtual disk images)
• Parallels
Archive Systems:
• EMC EmailXtender (*.emx) / SourceOne
• Symantec 2007, 8, 9, 10
• HP EAS
DMS Systems:
• MS SharePoint
Unknown File Types:
• Unknown file types are text stripped
Summary
Technology is only part of the solution, but it can be better leveraged to allow for:
• Better understanding of the data environment at rest
• More real-time data sources to ensure comprehensive visibility
• Real-time data that focuses on behaviours, not just hunting known threat profiles
• Increased integration of analyst knowledge/experience to help bridge the skills gap
• A better platform for global collaborative response
FIND OUT MORE AT:
nuix.com
nuix.com/blog
twitter.com/nuix
facebook.com/nuixsoftware
linkedin.com/company/nuix
youtube.com/nuixsoftware