cyber attack investigative tools and technologies
TRANSCRIPT
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
1/27
HTCIA Silicon Valley
7 May 2003
Cyber Attack Investigative
Tools and Technologies
Cyber Attack Investigative
Tools and TechnologiesKevin OShea
Technical Analysis GroupInstitute for Security Technology Studies at
Dartmouth College
Hanover, NH
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
2/27
For more information:
www.ists.dartmouth.edu
603-646-0700
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
3/27
ISTS is located at an academic
institution in Hanover NH
ISTS is located at an academic
institution in Hanover NH
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
4/27
ISTSs core purpose: research
and development
ISTSs core purpose: research
and development serve as a center for counterterrorism
technology research, development, testingand evaluation (RDT&E) with a particularfocus on cyber-security and protection oftelecommunications and critical information
infrastructure
serve as a national point of contact for
antiterrorism information sharing amongFederal, State and local preparednessagencies, as well as private and public
organizations
Senate Appropriations Committee Report on H.R. 4690, Department of Commerce, Justice, and State, the Judiciary and Related Agencies
Appropriations Bill, 2001 (U.S. Senate, September 8, 2000)
Department of Commerce, Justice, and State, the Judiciary and related agencies Appropriations Bill 2001 and the Congressional record
(House of Representatives, November, 1999)
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
5/27
Technical Analysis Group (TAG):
Mandate
Technical Analysis Group (TAG):
Mandate1. Produce strategic analytical reports in
critical areas not currently addressed byother national resources
2. Research and test a prototype national
contact database for cyber attackinvestigators
3. Complete the ISTSs mission to produce a
national research and development agendain the specific area of investigative toolsand technologies for cyber attack
investigators
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
6/27
DefinitionDefinition
Cyber Attacks: computer-to-
computer attack that underminesthe confidentiality, integrity, or
availability of a computer orinformation resident on it.
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
7/27
National Research &
Development Agenda for CyberAttack Investigative Tools andTechnologies
National Research &Development Agenda for CyberAttack Investigative Tools and
Technologies
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
8/27
Problem StatementProblem Statement
The tools and technologies
available to law enforcement arenot keeping pace with the
advances made by attackers Knowledge of and use of tools is
not homogenous across LEcommunities
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
9/27
2002 Law Enforcement
Needs Assessment
2002 Law Enforcement
Needs AssessmentObjective:
Identify the problemsand technological
impediments facing lawenforcement wheninvestigating andresponding to cyber attacks
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
10/27
Study FindingsStudy Findings
Preliminary Investigation and Data
Collection Data and Log Analysis
IP Tracing and Real-time Interception
Emerging Technologies RequiringResearch and Development
National Data and Information Sharing Law Enforcement Specific DevelopmentIssues
Training
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
11/27
Preliminary Investigation
and Data Collection
Preliminary Investigation
and Data Collection Collection of data from multiple
operating systems
Mapping network topology
Digital evidence recovery Capturing resident memory data
Analyzing excessively large mediastorage devices
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
12/27
Data and Log AnalysisData and Log Analysis
Log compilation
recognize and import logs across multipleplatforms
correct for errors in time stamping and
place events into an organized timeline
Log analysis and reporting
perform analysis on the logs
have the ability to be linked to otherservices, such as exploit signaturedatabases
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
13/27
IP Tracing and Real-time
Interception
IP Tracing and Real-time
Interception IP tracing
policy and other non-technologicalissues
Real-time interception of digitaldata
available technologies were reportedto be too complex to implement anduse
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
14/27
Emerging TechnologiesEmerging Technologies
Encryption
Wireless technologies
Steganography
Magnetic microscopy
Forensic data archiving
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
15/27
National Data and
Information Sharing
National Data and
Information Sharing Cyber attack profile database
Virus and worm signaturedatabase
Attack tool signature database Law enforcement cyber attack
contact database Legacy hardware and software
database
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
16/27
Law Enforcement Specific
Development Issues
Law Enforcement Specific
Development Issues Skill levels
Investigative support tools
Help files
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
17/27
TrainingTraining
Training is critical to successfully
investigate cyber attacks Training programs that fit law
enforcement (i.e. in service training
blocks) National initiatives should be
undertaken to:
Benchmark current training programs, identify gaps Create a national training strategy for cyber attack
investigators, prosecutors, and the judiciary
Benchmark distance learning solutions for LE use
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
18/27
Next StepsNext Steps
Follow on research:
Assess existing solutions
Perform gap analysis
Define gaps and initiate targetedresearch
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
19/27
Gap AnalysisGap Analysis
The Gap Analysis is the second step
towards a national R&D agenda for LEcyber attack investigative tools andtechnologies
Primary: Identify technology gaps where future R&D may
be initiated
Secondary: Establish internal knowledge base & tech
capabilities to produce LE tools
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
20/27
Submit a Tool Web SiteSubmit a Tool Web Site
www.ists.dartmouth.edu/TAG/sub_tool/register.htm
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
21/27
The Matrix
(knock, knock, Neo)
The Matrix
(knock, knock, Neo)
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
22/27
Gap AnalysisGap Analysis
Preliminary Policy Findings
The universe of cases involving acomputer (used in, at the scene of, orthe target of a crime) is increasing
exponentially Current laws have not kept pace with
technological advancements
specifically jurisdictional boundaries,rules of evidence, and forensic storage.
The probability of successfully
prosecuting a cyber attack crime is low
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
23/27
Preliminary Findings ContPreliminary Findings Cont
Software Development for LE
LE is not seen as a large market for highreturn ($$) specialized softwaredevelopment
LE specific development requirementsfor software (transparent architecture,courtroom support, etc.) conflict with
good business practices Tool use by LE not proportionate to
number and types of tools available
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
24/27
No One Can Be Told What the
Matrix Is
No One Can Be Told What the
Matrix Is
The following Needs are under-
represented in the Matrix : Help present complex computer crime
related case information to a judge andjury in court
Capability to detect IP spoofing
Search a network to retrieve logs
Captures RAM resident data
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
25/27
One Must Experience It for
Themselves.
One Must Experience It for
Themselves.
What the Matrix is telling us cont:
Provides LE with added capability tocircumvent encrypted data
Recover data deleted / wiped / or off ofdamaged drives, i.e. magneticmicroscopy
Database of virus / worm / cyber attacktools and code accessible to LE
Legacy hardware clearinghouse
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
26/27
Then what?Then what?
Frame the National R&D Agenda
Methodology
National decision maker / subject
matter expert level meeting toprioritize research areas identified inthe gap analysis
Working meeting with the resultingmaterial drafted into the ISTSNational R&D agenda
I f ti C ll tiI f ti C ll ti
-
8/3/2019 Cyber Attack Investigative Tools and Technologies
27/27
Information Collection
and Analysis
Information Collection
and Analysis
http://news.ists.dartmouth.edu/todaysnews.htmlhttp://news.ists.dartmouth.edu/todaysnews.html
National
Resource Mirrored by
the SANSInstitute
Over 2000subscribers