What a Bank ISO Should Know About Forensics – Indiana Bankers
TRANSCRIPT
Disclaimer: Mutual Risk Advisors is not endorsing or affiliated with any of the companies listed in the following slides.
Do your own due diligence & risk assessments on the products and links mentioned.
Owen LaChat
SVP & Managing Director – Mutual Risk Advisors, Inc.
VP & ISO – Mutual Bank, Inc. $1.4B Community Bank – 31 locations in IN & MI. Nasdaq: MFSF
Former: • Cyber Security Technical Team Leader • Information Systems Security Auditor • Detective
Where to Focus Resources?
o Policies & Procedures
o Risk Assessments
o Vendor Management
o Phishing
o System & Network Monitoring
o Logs/SIEM
o Incident Response/Forensics
Policies & Procedures
o Are the foundational pieces of a good information security program.
o Should outline and memorialize your expectations.
o Should be viewed, approved, and followed from the top down.
o Often either spend too much or not enough time developing and tuning.
Risk Assessments
o Is the person completing the risk assessments qualified to assess risk?
o Are they focusing on the largest risks and quantifying correctly?
o Do the mitigating controls actually mitigate?
Vendor Management
o Vendors can be a large risk to the environment.
o Do vendors follow your infosec policies/procedures when dealing with your data?
o Logs?
o Know your vendors, what they do, how they do it, their weaknesses, etc. Due diligence.
o Test your technical vendors regularly.
o “Trust, but verify.”
Phishing
o How many breaches occur.
o Fairly difficult to consistently kick in the front door of the network.
o It’s necessary to examine samples for intelligence from new attack methods.
o “But I have a spam filter and employees rarely report any phishing emails.”
Network Monitoring
o Know your network maps and routes.
o Internal/external sensors.
o Do I need IDS/IPS sensors on the inside and outside?
o External sensors – “That’s what a firewall is for..”
o 24/7 monitoring & internal oversight.
o What traffic is it missing?
o TLS/SSL?
o HTTP with an encrypted payload…
o Is TLS/SSL malware data extraction common?
o Geolocation.
o Full packet capture is a necessity.
Network Monitoring - Traffic Analysis
o Moloch
  o Full packet capture.
  o http://molo.ch/
o NetworkMiner
  o Network analysis tool & offline PCAP reassembly tool.
  o http://www.netresec.com/?page=Networkminer
o Wireshark
  o https://www.wireshark.org
Network Monitoring - IDS/IPS
o Security Onion
  o https://securityonion.net/
o Snort/Suricata
  o https://www.snort.org/ https://suricata-ids.org/
o OSSEC
  o http://ossec.github.io/downloads.html
o Bro
  o https://www.bro.org/
System Monitoring
o Know your vulnerabilities.
o Assess patch levels.
o Device inventories.
o Applications installed, version numbers, OS, running services, etc.
o Know where your deprecated appliances/software reside.
o Attacker mindset.
Logs/SIEM
o What’s being logged?
o Are you logging the right things and for enough time?
o Do you have a log collection/aggregation system?
o Are you capturing Windows Event Logs, Syslog, netflow, pcap, etc.?
o Automated alerting based on predefined thresholds.
o User gets locked out, VPNs, attempted software installs, RDP, accounts created/deleted, and many more.
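Threshold-based alerting of the kind the slide describes, as an added example that is not from the presentation: it watches for the lockout, RDP logon and account created/deleted events named above in a handful of constructed Windows Security log records. The Event IDs are the standard Windows ones (4740 lockout, 4720 created, 4726 deleted, 4624 logon with LogonType 10 = RDP); the flat key=value line format, the 10-minute window and the thresholds are assumptions made for the example.

```python
"""Sliding-window threshold alerts over Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule table: Event ID -> (alert label, events per user within WINDOW that trigger an alert).
# Thresholds are assumed values for the example, not a vendor default.
RULES = {
    "4740": ("account lockout", 1),
    "4720": ("account created", 1),
    "4726": ("account deleted", 1),
    "4624": ("RDP logon", 3),   # only counted when LogonType (type=) is 10
}
WINDOW = timedelta(minutes=10)

# Constructed sample records in an assumed flat "key=value" format; "user" is the target account.
SAMPLE_LOG = [
    "ts=2024-01-08T09:00:00 id=4624 user=jdoe src=10.0.5.21 type=2",
    "ts=2024-01-08T09:01:10 id=4625 user=jdoe src=10.0.5.21 type=2",
    "ts=2024-01-08T09:02:30 id=4740 user=jdoe src=10.0.5.21",
    "ts=2024-01-08T09:05:00 id=4624 user=svc_backup src=10.0.9.7 type=10",
    "ts=2024-01-08T09:06:00 id=4624 user=svc_backup src=10.0.9.8 type=10",
    "ts=2024-01-08T09:07:00 id=4624 user=svc_backup src=10.0.9.9 type=10",
    "ts=2024-01-08T09:30:00 id=4720 user=tmpadmin src=10.0.9.9",
    "ts=2024-01-08T09:31:00 id=4726 user=tmpadmin src=10.0.9.9",
]

def parse(line):
    """Split one 'k=v k=v ...' record into a dict and convert ts to a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def alerts(lines):
    """Return (label, user) pairs whose event count reached the rule threshold inside WINDOW."""
    seen = defaultdict(list)          # (event id, user) -> timestamps still inside the window
    out = []
    for ev in map(parse, lines):
        eid = ev["id"]
        if eid not in RULES:
            continue                      # not a monitored event (e.g. 4625 failed logon)
        if eid == "4624" and ev.get("type") != "10":
            continue                      # console/network logons are not RDP
        label, limit = RULES[eid]
        key = (eid, ev["user"])
        # Keep only timestamps within WINDOW of the current event, then add this one.
        seen[key] = [t for t in seen[key] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
        if len(seen[key]) >= limit and (label, ev["user"]) not in out:
            out.append((label, ev["user"]))
    return out

if __name__ == "__main__":
    for label, user in alerts(SAMPLE_LOG):
        print(f"ALERT: {label} for {user}")
```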
Log Solutions
o ELK (ElasticSearch, LogStash, Kibana)
  o https://www.elastic.co/webinars/introduction-elk-stack
o Solarwinds LEM
  o http://www.solarwinds.com/log-event-manager
o Splunk
  o https://www.splunk.com/
Incident Response/Forensics
o Who owns response activities?
o IT vs IS. Who’s in charge?
o New FFIEC guidance focusing more on IS activities.
o Large amount of control placed in IS for historically “IT” duties.
o In-house resources.
  o How often can you leverage?
  o Certifications
  o Training
o Outsourced – Forensic retainers.
Host Based Forensics (Media)
o Forensic Toolkit
  o http://www.accessdata.com
o EnCase Forensic
  o https://www.guidancesoftware.com/encase-forensic
o Internet Evidence Finder
  o https://www.magnetforensics.com/
o Hashcat
  o https://hashcat.net/hashcat/
Host Based Forensics (Imaging & Memory)
o RAM Capture Utilities
  o Magnet RAM Capture
    o https://www.magnetforensics.com/magnet-ief/
  o FTK Imager
    o http://www.accessdata.com
o RAM Parsing Utilities
  o Volatility
    o http://www.volatilityfoundation.org/
Tracking Network Anomalies
Phishing Attempt – Document w/ Macros
IDS Alert – EXE downloaded over HTTP
Full Packet Capture
Log System Alert
Host Based Forensic Event Confirmation
Questions?