WhataBankISOShouldKnowAboutForensics

DisclaimerMutualRiskAdvisorsisnotendorsingoraffiliatedwithanyofthecompanieslistedinthefollowingslides.

Doyourownduediligence&riskassessmentsontheproductsandlinksmentioned.

OwenLaChat

SVP&ManagingDirector– MutualRiskAdvisors,Inc.

VP&ISO– MutualBank,Inc.$1.4BCommunityBank– 31 locationsinIN&MI.Nasdaq:MFSF

Former:• CyberSecurityTechnicalTeamLeader• InformationSystemsSecurityAuditor• Detective

WheretoFocusResources?

o Policies&Procedureso RiskAssessmentso VendorManagemento Phishingo System&NetworkMonitoringo Logs/SIEMo IncidentResponse/Forensics

Policies&Procedures

oArethefoundationalpiecesofagoodinformationsecurityprogram.o Shouldoutlineandmemorializeyourexpectations.o Shouldbeviewed,approved,andfollowedfromthetopdown.oOfteneitherspendtoomuchornotenoughtimedevelopingandtuning.

RiskAssessments

o Isthepersoncompletingtheriskassessmentsqualifiedtoassessrisk?oAretheyfocusingonthelargestrisksandquantifyingcorrectly?oDothemitigatingcontrolsactuallymitigate?

VendorManagement

o Vendorscanbealargerisktotheenvironment.oDovendorsfollowyourinfosecpolicies/procedureswhendealingwithyourdata?

o Logs?o Knowyourvendors,whattheydo,howtheydoit,theirweaknesses,etc.Duediligence.

o Testyourtechnicalvendorsregularly.o “Trust,butverify.”

Phishing

oHowmanybreachesoccur.o Fairlydifficulttoconsistentlykickinthefrontdoorofthenetwork.o It’snecessarytoexaminesamplesforintelligencefromnewattackmethods.

o “ButIhaveaspamfilterandemployeesrarelyreportanyphishingemails.”

NetworkMonitoring

o Knowyournetworkmapsandroutes.o Internal/externalsensors.

o DoIneedIDS/IPSsensorsontheinsideandoutside?o Externalsensors– “That’swhatafirewallisfor..”

o 24/7monitoring&internaloversight.oWhattrafficisitmissing?

o TLS/SSL?o HTTPwithanencryptedpayload…o IsTLS/SSLmalwaredataextractioncommon?

o Geolocation.o Fullpacketcaptureisanecessity.

NetworkMonitoring- TrafficAnalysis

oMolocho Fullpacketcapture.ohttp://molo.ch/

oNetworkMineroNetworkanalysistool&offlinePCAPreassemblytool.ohttp://www.netresec.com/?page=Networkminer

oWiresharkohttps://www.wireshark.org

NetworkMonitoring- IDS/IPS

o SecurityOnionohttps://securityonion.net/

o Snort/Suricataohttps://www.snort.org/ https://suricata-ids.org/

oOSSECohttp://ossec.github.io/downloads.html

o Broohttps://www.bro.org/

SystemMonitoring

o Knowyourvulnerabilities.oAssesspatchlevels.oDeviceinventories.

o Applicationsinstalled,versionnumbers,OS,runningservices,etc.oKnowwhereyourdeprecatedappliances/softwarereside.oAttackermindset.

Logs/SIEM

oWhat’sbeinglogged?oAreyouloggingtherightthingsandforenoughtime?oDoyouhavealogcollection/aggregationsystem?oAreyoucapturingWindowsEventLogs,Syslog,netflow,pcap,etc.

oAutomatedalertingbasedonpredefinedthresholds.oUsergetslockedout,VPNs,attemptedsoftwareinstalls,RDP,accountscreated/deleted,andmanymore.

LogSolutions

o ELK(ElasticSearch,LogStash,Kibana)ohttps://www.elastic.co/webinars/introduction-elk-stack

o Solarwinds LEMohttp://www.solarwinds.com/log-event-manager

o Splunkohttps://www.splunk.com/

IncidentResponse/Forensics

oWhoownsresponseactivities?o ITvsIS.Who’sincharge?oNewFFIECguidancefocusingmoreonISactivities.o LargeamountofcontrolplacedinISforhistorically“IT”duties.

o In-houseresources.oHowoftencanyouleverage?oCertificationso Training

oOutsourced– Forensicretainers.

HostBasedForensics(Media)

o ForensicToolkitohttp://www.accessdata.com

o EnCase Forensicohttps://www.guidancesoftware.com/encase-forensic

o InternetEvidenceFinderohttps://www.magnetforensics.com/

oHashcatohttps://hashcat.net/hashcat/

HostBasedForensics(Imaging&Memory)

o RAMCaptureUtilitiesoMagnetRamCapture

o https://www.magnetforensics.com/magnet-ief/o FTKImager

o http://www.accessdata.com

o RAMParsingUtilitiesoVolatility

o http://www.volatilityfoundation.org/

TrackingNetworkAnomalies

PhishingAttempt– Documentw/Macros

IDSAlert– EXEdownloadedoverHTTP

FullPacketCapture

LogSystemAlert

HostBasedForensicEventConfirmation

Questions?

owen.lachat@mutualriskadvisors.com