Archive | Security RSS feed for this section

Security content from Leo Nelson

Deconstructing The Cyber Kill Chain

Giora Engel on The Cyber Kill Chain:

If you must use the Chain model, zero in on No. 7. Focus on detecting ongoing attacks — attackers that have already breached your perimeter — before the damage is done. Instead of analyzing old malware, deploy a breach detection system that automatically detects and analyzes the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers, but the right analysis and context can flag them as malicious.

Source: Deconstructing The Cyber Kill Chain

Cyber Kill Chain

Lockheed Martin's Cyber Kill Chain

Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a
successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insucient for certain actors. A new class of threats, appropriately dubbed the Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. These adversaries accomplish their goals using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms. Network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Using a kill chain model to
describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and e ectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.

Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Computer Forensics 101

Tools

WinHex, FTK, EnCase and SMART

Basic Process

1. Device is imaged using a tool. The image created is a clone with an exact bit-for-bit copy of the source device

2. Device is searched to collect items of interest and to recover data as needed