FBI Cyber Investigations
Computer Crime Before and After the Attack
Cyber Investigations
• Computer Crimes
• Before you’re a Victim
• When You’re a Victim
Are you a victim?
• What type of victim are you?
• How do you know you’re a victim?
• How to protect the information
• Getting your system back up
• Who should you contact
• Who are the hackers/crackers
What type of Victim
• System hacked
  – Gain information
  – Gain bandwidth
  – Revenge (insider)
• Silent host
  – Capture additional sites
  – Cover tracks
How do you know you’re a victim?
• Logs show unauthorized access
  – Telnet
  – FTP
• Creation of new accounts
• Loss of computer resources
  – DoS (denial of service)
• New files and directories appear
• Information on the system made public
  – Grades, salaries, personnel information, credit card information
Protect the information
• Take the computer offline
• Determine the location of the attack
  – What information, if any, was taken
  – The identity of the attackers
  – Methods of intrusion used
Getting the system back online
• Replace the computer if possible
• Make a copy of system files
• Restore the backups from a trusted source
  – Backups may have back doors installed
• Install all upgrades and patches
Who should you contact
• Local law enforcement vs. the feds
  – Local law enforcement
    • Can better handle juveniles
    • Lower thresholds for prosecution
    • Minimal resources
    • Limited by boundaries
  – The feds
    • Unlimited resources
    • National and international coverage
    • No juvenile system
    • Minimum threshold for prosecution
When you make contact
• Do not make contact from the compromised system
• Have procedures in place to control the situation
• Select one individual to control and maintain evidence
• Maintain a log of costs and steps taken in the process
THREATS
Hacker/Cracker Criminal Profiles
• Majority are white males
• THIS is changing...
• 16-40! Most likely 16-26
• Interview: most will go as far as they THINK you know. Often ask for counsel.
• Very loyal to friends - to a point
Hacker/Cracker Criminal Profiles
• Ego maniacs
• Socially withdrawn
• Generally still don’t understand Law Enforcement
Are WE catching the really GOOD ones?
METHODS OF ATTACKS
• Dumpster diving
• Brute force hacking
• Social engineering
• Data scope programs
• Sniffer programs
• IP spoofing
• DDOS
“To Watch” Sites/Lists
• Sites:
  – antionline.com, wired.com, 2600.com, rootshell.com, csu.purdue.edu/coast/, etc.
• Newsgroups/Lists:
  – Bugtraq, NTbugtraq, Best of Security (BoS)
  – CERT.org
  – alt.security, comp.security.misc, etc.
• Tools (www.network-tools.com)
Before you’re a Victim
DEVELOP A PLAN!
Preparation
• Post warning banners:
  – Every system should display a banner
    • Display at every login – at every port accessed
      – FTP, Telnet
    • System is property of your organization
    • System is subject to monitoring
    • No expectation of privacy while using the system
  – Management and legal counsel should approve
  – DO NOT reveal system purpose/OS/etc.
Preparation
• Be Proactive to Prevent Incidents
  – Establish Security Policy
  – Monitor and Analyze Network Traffic
  – Assess Vulnerabilities (System Scans)
  – Configure Systems Wisely
    • Limit Services (FTP/telnet)
    • Patches
  – Establish Training for Employees
Preparation
• Establish Policy on Employee Privacy
  – Email: Owned by Corp. or Employee
  – Data Files
  – Encryption okay?
    • Keys
    • Disgruntled Employees
Preparation
• Establish Organizational Approach to Intrusions (2 ways)
  – Contain, Clean and Deny
    • STOP Intruder. Remove system from Net
    • Repair System and block access
    • IP Filtering, Firewalls, etc.
Preparation
• Establish Organizational Approach to Intrusions
  – Monitor and Gather Information
    • Fishbowl
    • Proceed with Caution
Preparation
• Policy for Peer Notification
  – DDOS
• Remote Computing
  – Telecommuters
    • Laptop Privacy (temps, contractors too)
  – Acceptable Use Policy (Sign Yearly)
  – Revoke Access when no longer required
  – Log Remote Access (Radius/Caller ID/Remote Callback)
Preparation
• Develop Management Support
• Develop an Incident Response Team
  – Assign Specific Duties
    • Call-duty and phone list
    • Legal Counsel
    • PR/Law Enforcement Liaison
• Assign a Person to be Responsible for the Incident
System Preparation
• System Backups
  – Original O/S
  – Log Files
  – Admin Files/Applications
  – Data
• When restoring systems, be careful not to re-introduce the problem
System Preparation
• Acquire and install some level of intrusion detection and audit capability.
  – Advanced Logging programs
  – TCP Wrappers, Tripwire, etc.
• Install and configure a firewall
• Monitor industry information regarding intrusions/hacker techniques
The Security Investment
• Recruit and hire security-capable staff
• Keep current on system vulnerabilities
• Ensure networked systems are maintained and patched
• Train administrators and users in security and protection measures
• Adequate password security
When you’re a Victim
What the FBI can do
• Combine technical skills and investigative experience
• National and global coverage
• Apply more traditional investigative techniques
• Long-term commitment of resources
• Integration of law enforcement and national security concerns
• Pattern analysis
• Can provide deterrent effect . . . even if hacker not prosecuted
The FBI won’t:
• Take over your systems
• Repair your systems
• Share proprietary information with competitors
• Provide investigation-related information to the media or your shareholders
When You’re a Victim
• Stop and Think -- REMAIN CALM
  – Take Notes (who, what, where, when, how and why)
  – Notify appropriate persons
    • Supervisor
    • Security Coordinator
    • Legal Counsel
    • Etc.
  – Enforce a Need-to-Know Policy
When You’re a Victim
• Communicate Wisely
  – Email/chat -- intruder may be listening
  – Use telephone/voicemail/fax/etc.
  – If email, use encryption or a secure system
• Remove system from Net
When You’re a Victim
• Make a Bit-by-Bit copy of the system
  – Use NEW media & VERIFY the backup!!
  – Initial and date the backup…time too
  – Secure in a locked, limited-access location
• Chain of Custody
• Collect other evidence in the same manner
  – Always preserve originals!
When You’re a Victim
• Best Evidence Rule
  – Original Drives
  – Bit-by-Bit Copy
    • Linux dd
    • Safeback
  – Copy of relevant files
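The bit-by-bit copy, the "VERIFY the backup" step and the initial-and-date step from the two slides above, as an added shell example that is not part of the FBI deck. The function names, the use of sha256sum for verification and the chain-of-custody log format are assumptions of this example; the original would normally be a block device (for instance a drive attached read-only) and the image goes on fresh media.

```shell
#!/bin/sh
# Added example, not from the FBI deck: image a drive with dd, verify the
# copy by hash, and write a dated chain-of-custody entry. Function names,
# the sha256sum choice and the log format are assumptions of this example.
set -e

# verify_image ORIGINAL IMAGE: succeed only if both hash identically.
# Also usable later to re-check an image before analysis or testimony.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# image_and_verify ORIGINAL IMAGE EXAMINER LOG
#   Copies ORIGINAL to IMAGE bit for bit, verifies the copy, and appends a
#   custody record (who, what, when, hashes) to LOG. Returns 1 on mismatch,
#   so a failed copy is never silently treated as evidence.
image_and_verify() {
    orig=$1; img=$2; examiner=$3; log=$4

    # The original is only read; all later analysis works from IMAGE.
    dd if="$orig" of="$img" bs=64k 2>/dev/null

    orig_hash=$(sha256sum "$orig" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # "Initial and date ... time too": UTC timestamp plus the examiner's
    # name, and the hashes that tie this image to the original drive.
    {
        printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'examiner=%s\n' "$examiner"
        printf 'original=%s\nimage=%s\n' "$orig" "$img"
        printf 'sha256_original=%s\nsha256_image=%s\n' "$orig_hash" "$img_hash"
    } >> "$log"

    if verify_image "$orig" "$img"; then
        printf 'verify=OK\n' >> "$log"
        chmod 0444 "$img"      # the evidence copy is never written again
    else
        printf 'verify=FAILED\n' >> "$log"
        return 1
    fi
}
```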
When You’re a Victim
• Begin analysis to determine what happened
  – Work from copy
  – Review system, firewall, router logs
  – Look for trojan system files
  – Look for new, suspicious users
  – Contact ISP for additional logs and possible filtering
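The "Tripwire, etc." item under System Preparation and the "look for trojan system files / new, suspicious users" steps above both come down to comparing a system against a trusted baseline. This added shell example (not from the FBI deck, and not Tripwire itself) records a hash manifest of a tree before an incident and later reports what was modified, added or removed; the function names and the manifest format are assumptions of this example, and the tree would normally be the mounted image being analyzed.

```shell
#!/bin/sh
# Added example, not from the FBI deck and not Tripwire itself: a minimal
# file-integrity baseline. take_baseline hashes every file under a trusted
# tree; check_baseline later lists files modified, added or removed, which
# is how a trojaned system binary or a new account appended to etc/passwd
# surfaces when an image is compared against a pre-incident baseline.
set -e

# take_baseline DIR MANIFEST: one "<sha256>  <path>" line per regular file,
# sorted so two manifests of the same tree are byte-identical.
take_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum ) > "$2"
}

# check_baseline DIR MANIFEST: print one line per difference between the
# tree as it is now and MANIFEST; return 0 if clean, 1 if anything changed.
# Paths containing whitespace are outside what this simple format handles.
check_baseline() {
    current=$(mktemp)
    take_baseline "$1" "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }     # baseline manifest
        { cur[$2] = $1 }                                # current state
        END {
            for (p in cur) {
                if (!(p in base))           print "ADDED    " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            }
            for (p in base) if (!(p in cur)) print "REMOVED  " p
        }' "$2" "$current" | sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```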
When You’re a Victim
• Start to determine cost of attack
  – Recovery costs
  – Lost business
  – Legal expenses
  – Salaries
  – Technical and Security Contractors
• Maintain incident log and chronology
When You’re a Victim
• Know When to Contact Law Enforcement
  – Intrusions, theft, espionage, child pornography, hate crimes, and threats
  – Dollar losses due to intrusions exceed $5K
• Law Enforcement Difficulties
  – keystroke monitoring and wire taps
  – legal restrictions (subpoenas/orders/warrants)
Final Thoughts
• 2001 CSI/FBI security survey revealed:
  – 91% of respondents had detected a security breach within the last year
  – 64% reported significant loss due to intrusion
• Any computer system is vulnerable
  – Through the Internet or by a local user
Contact Us
Federal Bureau of Investigation
Computer Crime Squad
Denver Division
(303) 629-7171 (24 Hours)
(303) 628-3267 (Direct)
[email protected]