SolarWinds-Enabled Hacks Widespread

December 14, 2020

Hostile actors associated with Russian cyber-security organizations used SolarWinds Orion technology to enable unauthorized long-running elevated rights access throughout the U.S. government and as many as hundreds of the Fortune 500 corporations. This access may have included the Office of the President of the United States.

There is no reason for me to copy the operational details here. There are some good write-ups in the REFERENCES section below.

I just wanted to add to their content with this abuse case:

These hostile actors are getting a lot of attention for data & secrets exfiltration. In global financial services enterprises, we move trillions of dollars a day. These hostile actors were able to acquire elevated rights credentials and move laterally for months. They had enough time to figure out the cash management, account management, portfolio management, and back room accounting processes as well as the chains of approvers required to authorize the maintenance of external target accounts and authorizations for the movement of funds/securities. If so motivated, it seems likely they could have moved large amounts of the financial assets for which we are responsible to target accounts of their choosing. If this did not happen, financial services organizations dodged a big one.

In that case, it was only ‘luck’ that protected the financial services industry. Luck is a terrible risk management tool/technique. This hack is a loud signal that our resistance to and detection of attacks needs to be a lot better than it is today. The FireEye and Krebs references below include the types of details that support changes that will help fill some of that gap.

REFERENCES:

“U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise.” By Brian Krebs, 14 Dec 2020.
https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

“Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.” By FireEye, 13 December 2020.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

“Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce.” By Ellen Nakashima and Craig Timberg, 13 Dec 2020.
https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html

“Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect,” By David E. Sanger, 13 Dec 2020.
https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html

“Suspected Russian hackers spied on U.S. Treasury emails – sources.” By Christopher Bing, 13 Dec 2020.
https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG

17 Dec 2020 Addition:
“Sunburst Backdoor: A Deeper Look Into The SolarWinds’ Supply Chain Malware.” By Sergei Shevchenko, 15 Dec 2020 https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html


New Technology and Service Options Do Not Trump Law and Regulations

May 16, 2017

A couple weeks ago I received a letter from Wells Fargo. After mentioning some brokerage account details there were a couple paragraphs of disclosure about $2.5 M in penalties for failing to effectively protect business-related electronic records.  Wells Fargo has been having a rough time lately.  But this situation is just so self-inflicted, and so likely to happen elsewhere as Financial Services organizations’ technology personnel attempt to demonstrate that they can “deliver more for less…” that I thought it might be worth sharing as a cautionary tale.

The disclosures outlined that the bank’s brokerage and independent wealth management businesses paid $1 million and another $1.5 million in fines & penalties because they failed to keep hundreds of millions of electronic documents in a “write once, read many” format — as required by the regulations under which they do business.

Federal securities laws and Financial Industry Regulatory Authority (FINRA) rules require that electronic storage media hosting certain business-related electronic records “preserve the records exclusively in a non-rewriteable and non-erasable format.” This type of storage media has a legacy of being referred to as WORM or “write once, read many” technology that prevents the alteration or destruction of the data they store. The SEC has stated that these requirements are an essential part of the investor protection function because a firm’s books and records are the “primary means of monitoring compliance with applicable securities laws, including anti-fraud provisions and financial responsibility standards.”  Requiring WORM technology is associated with maintaining the integrity of certain financial records.

Over the past decade, the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format. At the same time, in some financial services organizations “productivity” measures have resulted in large scale, internally-initiated customer fraud, again posing a threat to inadequately protected records.

My letter resulted from a set of FINRA actions announced late last December that imposed fines against 12 firms for a total of $14.4 million “for significant deficiencies relating to the preservation of broker-dealer and customer records in a format that prevents alteration.” In their December 21st press release FINRA said that they “found that at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in ‘write once, read many,’ or WORM, format.”

FINRA reported that each of these 12 firms had technology, procedural and supervisory deficiencies that affected millions, and in some cases, hundreds of millions, of records core to the firms’ brokerage businesses, spanning multiple systems and categories of records. FINRA also announced that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules.

Brad Bennett, FINRA’s Executive Vice President and Chief of Enforcement, said, “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.”

FINRA reported 99 related “books and records” cases in 2016, which resulted in $22.5 million in fines. That seems like real money…

Failure to effectively protect these types of regulated electronic records may result in reputational (impacting brand & sales) and financial (fines & penalties) harm. Keep that in mind as vendors and hype-sters attempt to sell us services that persist regulated data. New technology and service options do not supersede or replace established law and regulations under which our Financial Services companies operate.

REFERENCES:
“FINRA Fines 12 Firms a Total of $14.4 Million for Failing to Protect Records From Alteration.”
December 21, 2016
http://www.finra.org/newsroom/2016/finra-fines-12-firms-total-144-million-failing-protect-records-alteration

“Annual Eversheds Sutherland Analysis of FINRA Cases Shows Record-Breaking 2016.”
February 28, 2017
https://us.eversheds-sutherland.com/NewsCommentary/Press-Releases/197511/Annual-Eversheds-Sutherland-Analysis-of-FINRA-Cases-Shows-Record-Breaking-2016

“Is Compliance in FINRA’s Crosshairs?”
http://www.napa-net.org/news/technical-competence/regulatory-agencies/is-compliance-in-finras-crosshairs/

SEC Rule 17a-4 & 17a-3 of the Securities Exchange Act of 1934:
“SEC Rule 17a-4 & 17a-3 – Records to be made by and preserved by certain exchange members, brokers and dealers.” (vendor summary)
http://www.17a-4.com/regulations-summary/

“SEC Interpretation: Electronic Storage of Broker-Dealer Records.”
https://www.sec.gov/rules/interp/34-47806.htm

“(17a-3) Records to be Made by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-3

“(17a-4) Records to be Preserved by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-4


Protect Your USB

September 19, 2016

Physical and logical PC controls still matter.

Just one more reason to resist the shared madness of “bring your own device” and/or “anywhere/anytime/any-endpoint” in global Financial Services.  We hold trillions of dollars for our customers (under the guise of a broad and evolving range of relationships)!  To add value to those relationships, we turn that money into units that are inter-business (and Internet) friendly to enable complex webs of financial transactions and services.  The concentration of “cash” and its transformation into bits results in an attractive target for hostile parties of many types.  How could endpoint anarchy ever be a risk-appropriate behavior for any but a microscopically few roles within our ranks?  It seems like something we should expect to fail the “reasonable person” test.

I was just catching up on some of my random reading and bumped into this demonstration of Windows credential stealing with just 15 seconds of access to a PC’s USB port.

15 seconds of social engineering is not that hard to pull off, so all you have left are serious controls administering the use of your USB ports, physically destroying your USB ports (yes, that is a serious option), along with multi-layer physical & logical security to the location of the PC at any given time.

Take a look at the video below along with the supporting paper.  Then voice your professional opinion and conscience wherever appropriate to resist elevated risk endpoint behaviors.  And if your role permits, ensure that your Financial Services organization has the goals and resources to effectively deal with attacks like the ones enabled by this automated, USB enabled assault.

REFERENCES:

15 Second Password Hack, Mr Robot Style
Video:
https://www.hak5.org/episodes/season-21/hak5-2101-15-second-password-hack-mr-robot-style
Supporting Paper
https://www.hak5.org/blog/15-second-password-hack-mr-robot-style


Another Demonstration of How Mobile Phones & their Supporting Networks are Vulnerable to Abuse

April 17, 2016

Some continue to hype “bring your own device” (sometimes just BYOD) as near-term technology and business goal for global Financial Services enterprises.  At its most shrill, the argument hammers on the idea like ‘we all have a smart phone and it has become the center of our lives…‘  In this industry we are all responsible for protecting trillions of dollars of other people’s money as well as digital information about customers (individuals & companies), partners, and deals, all of which must remain highly secure, or the foundation of our business erodes.  That responsibility is wildly out of alignment with most BYOD realities.  In that context, this blog entry is an offering to help risk management teams educate their Financial Services organizations about some of the risks associated with using mobile phones for work activities.

Here is some content that may be useful in your security awareness campaign…

Financial Services executives “private” communications could be of high value to cyber criminals. So too could be your Finance staff, Help Desk, Reporting Admin, Database Admin, System Admin, and Network Admin communications. There are a lot of high value avenues into Financial Services organizations.

Under the title “Hacking Your Phone,” the 60-Minutes team have security professionals demonstrate the following in a 13 minute video:

  • Any attacker needs just their target’s phone number, to track the whereabouts, the text traffic, and the details of phone conversations initiated or received by their prey. Turning off your “location status” or other GPS technology does not inhibit this attack. It depends upon features in the SS7 (Signalling System #7) network that have been overly permissive and vulnerable to abuse for decades. These SS7 vulnerabilities appear to remain after all this time because of nation-state pressures to support “lawful interception.”
    They demonstrate their assertion in an experiment with U.S. Representative Ted Lieu, a congressman from California.
  • Attackers can own all or some of your phone when you attach to a hostile WiFi. Never trust “public” or “convenience” (for example “hotel”) WiFi. Attackers present look-alike WiFi (sometimes called “spoofing”) and then use human’s weakness for “trustworthy” names to suck targets in.
    They demonstrate this approach by stealing a target’s mobile phone number, account ID, and all the credit cards associated with that account, along with their email.
  • Attackers use social engineering to get their software installed on targeted devices. One outcome is that they can also monitor all your activity via your mobile phone’s camera and microphone — without any indication from the mobile device screen or LEDs, and the attacker’s software does not show up via any user interface even if you tried to find it.
    They demonstrate this approach with the 60 Minutes interviewer’s device.

Remember, not everyone employed throughout Financial Services enterprises understands the risks associated with performing business activities via mobile devices.  Use materials like this video to augment your risk awareness program.

REFERENCES:
“Hacking Your Phone.” aired on April 17, 2016
http://www.cbsnews.com/news/60-minutes-hacking-your-phone/

SS7, Signalling System #7 https://en.wikipedia.org/wiki/Signalling_System_No._7

Lawful interception. https://en.wikipedia.org/wiki/Lawful_interception


Predictable Techniques Succeed in Big Bank Theft

February 14, 2015

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says it has seen evidence of $300 million (or much more) stolen from more than 100 banks and other financial institutions in Russia, Japan, the United States, and at least 27 other nations.

The attack appears to have been initiated via a phishing campaign, followed by long-running surveillance malware, remote access trojans (low and slow), and finally exfiltration of large amounts of money — part via manipulation of bank accounting systems.  …Nothing new there, the story highlights the scale of cyber-crime successes.

The rest of the story will be outlined by Kaspersky on Monday.

Or you can watch a condensed version via YouTube.

This should also be a reminder that there are no security ‘ruby slippers.’  We need to keep rejecting vacuous vendor and pundit preaching about replacing our security perimeters with (pick your hot solution-of-the-moment) ‘the cloud,’ ‘an appliance,’ or some other replacement for common sense, intelligence, and hard work.  Optimizing a layered defense on top of active resistance to phishing (along with all other types of social engineering) and malware remains our primary path to risk-reasonable due diligence.  Announcements of cyber-thefts like the one mentioned above are reminders that there are still tough challenges for all of us in financial services security and risk management.


REFERENCES:
“Bank Hackers Steal Millions via Malware.”
By David E. Sanger and Nicole Perlroth, 02-14-2015
http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

Updated 02-16-2015:

Report from Kaspersky:
http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
and the full report at http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf (downloaded 02-16-2015 @ 1 PM CST)

Video: “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.”
https://www.youtube.com/watch?v=ez9LNudxRIU

For some context, see:

The Great Bank Heist, or Death by 1,000 Cuts?, By Brian Krebs, 02-15-2015
https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/


Will Governments Increase Their Involvement in Incident Response?

January 10, 2015

Time (and others) reported that NSA Director Admiral Michael Rogers told the International Conference on Cyber Security (ICCS) at Fordham University in New York:
“Sony is important to me because the entire world is watching how we as a nation are going to respond to [the attack on Sony].” “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.'”
The attacks against Sony had begun in September, he said, with a flurry of tightly focused phishing attacks against key individuals. This was then used to gain full access to the company’s servers and to steal data.
Rogers stated, “I remain very confident: this was North Korea.”

Some cyber security experts seem less sure that accurately described what happened.

Rogers also said that hacks against private companies may require economic sanctions.

How did terabytes of data get stolen from Sony’s private network? Did Sony invest enough in attack resistance, identification, & response? Should there be more objective criteria upon which to help frame decision-making on this topic?

Since November I have been hearing a lot of discussion about “Sony” and “The Sony Hack.”   Should we in Financial Services begin including NSA monitoring, forensic assistance, and consulting in our incident response planning?
How will the U.S. (along with other nations in this global business environment) decide which hacks against private companies deserve a governmental response, and which will not?  And what if your company has business in both the source and target countries of a given attack?  It seems like each of our organizations need to work through these issues before the day they become critically important — and a small herd of corporate officers on an incident response call are waiting for your direction.

What do you think?

REFERENCES:
“NSA Director on Sony Hack: ‘The Entire World is Watching’.”
http://time.com/3660757/nsa-michael-rogers-sony-hack/
By Sam Frizell, 01-08-2015

“FBI fingering Norks for Sony hack: The Truth – by the NSA’s spyboss.”
http://www.theregister.co.uk/2015/01/09/fbi_nsa_sony_pictures_north_korea/
By Iain Thomson, 01-09-2015

“Are We Asking the Right Questions in the Wake of the Sony Pictures Breach?”
http://www.wired.com/2015/01/right-questions-sony-pictures-breach/
By Paul Martini, 01-09-2015


WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses

February 18, 2010

WSJ, WP, and NYT Re-Tell ZeuS Infection for The Masses.

In a trio of stories today, the Wall Street Journal, the Washington Post, and the New York Times may have created some traction where corporate security staff have been struggling.  I am certain that many information security leaders in the financial services industry have fallen short in attempts to effectively describe the complexity of the attacks against our organization.  These three versions of the same story may have broken through…

Sure, from the perspective of an IT or information security professional they were a little off on some of the facts, and didn’t include some of what might seem like the most telling technical details, but they just might have gotten through.  For that they deserve some attention.  If you have not done so already, I strongly recommend passing the stories along to leaders in your organizations.  Or better — write your own summary of the source material from NetWitness and ship it as the cover letter to introduce the links.

The botnet discovered by NetWitness is not unique.  Cisco Systems documented the state of Zeus botnets in their 2009 Annual Security Report — mentioning that the Zeus Trojan infected 3.6 million computers worldwide by October 2009.

So what else will you find in the NetWitness report?

The Zeus code was delivered by obfuscated executables.  NetWitness wrote that “this particular malicious executable had less than a 10 percent detection rate among all antivirus products and the botnet communication was not identified by existing intrusion detection systems.” (page 3)

The overwhelming majority of compromised PCs were running Windows XP Professional SP2, with Windows XP Professional SP3, Windows XP Home Edition SP3, and Windows XP Home Edition SP2 (together amounting to more than 95% of all infected PCs). (page 5)

“The data we analyzed contain over 68,000 stolen credentials during a 4-week period.” (page 5)  The data included 75GB representing only a one-month snapshot from an attack that has lasted more than a year.

Not only were 68K username/password pairs stolen, NetWitness wrote that “the ZeuS Trojan allows for the theft of any file that is resident on an infected system, and a common target for this capability are encryption certificates used for access to banking, corporate VPN and other sensitive systems.  There were 1972 unique certificates files in the data set.” (page 6)  So, in nearly 2000 cases, the combination of a login credential and a certificate that identified the corresponding user’s PC were stolen.  Remember the “something you know plus something you have” requirement of entry-level strong authentication: this was a material loss for some number of targeted organizations.

They reported that the most recent activity seemed to have been directed at stealing credentials used with financial services organizations…  “The infected machines were simply scraping information when users communicated…” with the sites listed.  Web sites for most of the major global financial services organizations are listed as being specifically targeted by this attack, including, but not limited to: Citibank, HSBC, Suntrust, Bank of America, Wells Fargo, e-gold, US Bank, TD Canada Trust, National City, Citizens Bank, S3, WaMu, Wachovia, Chase, Barclays, Lloyds, Paypal, and many more.  (see pages 6-7 for the list)

“The attacks are continuing and corporate losses are still being compiled, said Tim Belcher, chief technology officer at Herndon, Virginia-based NetWitness Corp. ” (Jeff Bliss, Business Week)

A range of reporting supports the view that login credentials have material monetary value in the criminal underground, and, using this story as an example, criminals are using sophisticated techniques to steal users’ security phrases and corresponding answers as well.

This attack was based on a foundation of luring unsuspecting employees at targeted firms into downloading malicious applications from sites that are either controlled by the hackers or legitimate sites that have been compromised, or by coaxing the users into opening e-mail containing malicious attachments or links to the same (see my discussion of this topic earlier this month).

What can we do?  The usual measures…

  1. Set up users with least privilege on all platforms.
  2. Employ up-to-date AV with heuristics enabled on PCs and on email choke points, and on web proxies.
  3. Ensure that multiple layers of controls are enabled on network-edge web proxies.
  4. Confirm that application security considerations are baked into the full software development life-cycle.
  5. Write and enforce the use of
    1. Minimum security (configuration) standards,
    2. Aggressive vulnerability assessments,
    3. Ongoing configuration monitoring and
    4. Fine-grained configuration management.
  6. Configure enough event logging, and then
    1. Maintain effective event correlation & analysis,
    2. Alarming, and
    3. Multi-level reporting and
    4. Trending.
    5. May also need new categories of monitoring, correlation, alarming, and reporting — for example, excessive login attempts (failed and successful).
  7. Comprehensively protect “internal” identities (user name/password pairs, digital certificates, and anything else used to identify your user base).
  8. Resist the use of internal identities in uncontrolled environments where they are much more likely to be stolen.  This may take some planning and organized roll-out if you have this issue already.
  9. Integrate employee background checking and monitoring into HR processes.
  10. Consider investing in DLP technology.
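Item 6 above calls for enough event logging, plus correlation and alarming, to surface excessive login attempts, failed and successful. What follows is an added example, not code from this post or from the NetWitness report: a small Python correlator run over a handful of constructed login records. The log format (timestamp, user, source address, outcome), the source addresses and the thresholds are all assumptions made for the example. It flags two patterns keyed on the source address: many failures inside a short window, and successful logins for several different accounts from one source inside a window, which is what replay of a batch of stolen credentials looks like in authentication logs.

```python
"""Correlate login events and raise alarms on excessive attempts (failed and successful)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "timestamp user source outcome".
# These records are made up for the example; they are not from the NetWitness report.
SAMPLE_LOG = """\
2010-02-17T08:00:01 alice 10.1.2.3 FAIL
2010-02-17T08:00:04 alice 10.1.2.3 FAIL
2010-02-17T08:00:09 alice 10.1.2.3 FAIL
2010-02-17T08:00:15 alice 10.1.2.3 FAIL
2010-02-17T08:00:20 alice 10.1.2.3 FAIL
2010-02-17T08:00:31 alice 10.1.2.3 SUCCESS
2010-02-17T08:05:00 bob 192.0.2.44 SUCCESS
2010-02-17T08:05:30 carol 192.0.2.44 SUCCESS
2010-02-17T08:06:10 dave 192.0.2.44 SUCCESS
2010-02-17T09:30:00 erin 10.9.9.9 FAIL
2010-02-17T09:45:00 erin 10.9.9.9 SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window
FAIL_THRESHOLD = 5               # failures from one source inside the window
SUCCESS_THRESHOLD = 3            # distinct accounts logged in from one source inside the window


def parse_line(line):
    """Split one log line into (timestamp, user, source, outcome)."""
    ts, user, source, outcome = line.split()
    return datetime.fromisoformat(ts), user, source, outcome


def find_alerts(log_text, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
                success_threshold=SUCCESS_THRESHOLD):
    """Return a list of (kind, source, detail) alerts.

    Two rules, both keyed on the source address:
      * 'brute_force': at least fail_threshold FAIL events inside one window;
      * 'credential_replay': successful logins for at least success_threshold
        distinct users inside one window (a batch of stolen credentials being used).
    Each rule fires at most once per source so a long run does not flood the console.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    fails = defaultdict(deque)      # source -> timestamps of recent failures
    successes = defaultdict(deque)  # source -> (timestamp, user) of recent successes
    fired = set()
    alerts = []

    for ts, user, source, outcome in events:
        if outcome == "FAIL":
            q = fails[source]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold and ("brute_force", source) not in fired:
                fired.add(("brute_force", source))
                alerts.append(("brute_force", source,
                               f"{len(q)} failures within {window}"))
        elif outcome == "SUCCESS":
            q = successes[source]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop successes older than the window
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= success_threshold and ("credential_replay", source) not in fired:
                fired.add(("credential_replay", source))
                alerts.append(("credential_replay", source,
                               f"{len(users)} distinct accounts: {', '.join(sorted(users))}"))
    return alerts


if __name__ == "__main__":
    for kind, source, detail in find_alerts(SAMPLE_LOG):
        print(f"ALERT {kind:<17} source={source} {detail}")
```

Run against the sample, the first rule fires for 10.1.2.3 and the second for 192.0.2.44; erin's single failure followed by a success is left alone. In production the same two queues would be fed from the authentication log stream, and the thresholds tuned against a baseline of normal help-desk and shared-workstation traffic so that the alarms stay actionable.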

What did you think was the most important message of the NetWitness-based reporting?

–References–

“Broad New Hacking Attack Detected — Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running.” By Siobhan Gorman, Feb 18, 2010, http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html?mod=WSJ_hpp_LEFTTopStories
and then an excellent supporting illustration at:
http://online.wsj.com/media/wsj_HACKb100217.gif

“More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says.” http://www.washingtonpost.com/wp-dyn/content/article/2010/02/17/AR2010021705816.html, By Ellen Nakashima, Feb 18, 2010

“Malicious Software Infects Computers.” http://www.nytimes.com/2010/02/19/technology/19cyber.html, By John Markoff, Feb 18, 2010

The source report — “The ‘Kneber’ BotNet — A ZeuS Discovery and Analysis.” http://www.netwitness.com/nwwp10/20100216-febnw/NetWitness_wp_tkbn021610.pdf, Feb 17, 2010

“Cisco 2009 Annual Security Report.” http://cisco.com/en/US/prod/vpndevc/annual_security_report.html and the full report at: http://cisco.com/en/US/prod/collateral/vpndevc/cisco_2009_asr.pdf

“Newly Discovered Zeus Spinoff Botnet has Wide Impact.” http://www.scmagazineus.com/newly-discovered-zeus-spinoff-botnet-has-wide-impact/article/164059/, by Angela Moscaritolo, Feb 18, 2010

“Over 75,000 systems compromised in cyberattack.” http://www.computerworld.com.au/article/336726/over_75_000_systems_compromised_cyberattack/, By Jaikumar Vijayan, Feb 18, 2010

“Global Hackers Breached 2,400 Companies, Security Firm Says.” http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html, By Jeff Bliss, Feb 18, 2010


Ready For Employee Theft and Sabotage

November 21, 2009

Are You Ready For Employee Theft and Sabotage?

For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly-defined).  While some of these incidents are little more than inconvenient reminders that “people are our weakest link…” others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence).  We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.

This is not a new obligation.  Career criminals continue to expand their use of technology in the course of their illegal activities.  One component (there are many others) of the reasonable processes required for dealing with this situation is “computer forensics.”  This is also a key component of our tooling and processes dealing with new insider crime linked to the toxic economic environment.  Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.

If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit and Autopsy, download a current copy of BackTrack (or one of the many other forensic toolkit bootable CDs) and start training — the important issue is starting somewhere.  Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared.  They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer.  The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — even worse, a reporter from the Wall Street Journal.

There are a number of good books on this topic (search google or amazon).

There is a broad spectrum of activities that are included under the label of “computer forensics.”  In order to give you a hint at this range and complexity, a sampling of what they include (but are not limited to) appears below:

  • Respond to live incidents (The attack is ongoing).
  • Respond to recent incidents (hours or days old).
  • Respond to historical incidents (months old or longer).
  • Determine whether an attack/theft/sabotage/etc has actually occurred.
  • Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
  • Analyze volatile data and nonvolatile data.
  • Safely perform and document forensic duplications.
    Create a bitstream image of the evidence.
    Prepare for subsequent verification of the evidence using one-way hash functions.
    Understand hash and signature analysis.
  • Collect and analyze network-based evidence.
  • Identify and analyze print spool data.
  • Identify and analyze files of unknown origin.
  • Identify and document all start-up and shutdown activity.
  • Identify and document authentication and authorization activity.
  • Identify and document system and data access.
  • Reconstruct web browsing behaviors.
    Including recovery and analysis of cookies.
  • Document all e-mail activity.
  • Identify & document domain name ownership and the “real” source/destination of e-mails.
  • Identify and analyze system and application changes – invest special effort in privilege changes.
    This includes the Windows registry and event logs, as well as application residual files.
  • Identify and analyze data changes – with special attention to creation and destruction activities.
    Includes analysis of slack and unallocated space, and recovery of deleted files.
  • Identify and analyze errors and faults.
  • Perform keyword and email searches.
  • Build time-lines of user and application behaviors.
  • and lots, lots, more…
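The “forensic duplications” item above (create a bitstream image, then prepare to verify it with one-way hash functions) is the step on which the admissibility of everything else depends. Here is an added example of that workflow in Python; it is not code from this post or from The Sleuth Kit. It images a constructed evidence file byte for byte while hashing the stream, records the digest in a sha256sum-compatible manifest, verifies the image against the manifest, and then shows that a single altered byte makes verification fail. The file names and the random sample “disk” are assumptions made for the example.

```python
"""Forensic duplication check: bitstream-copy an evidence file, record its hash,
and verify the image later (including detecting a one-byte alteration)."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024          # stream in 1 MiB pieces so disk-sized inputs fit in memory
ALGORITHM = "sha256"         # one-way hash used for the integrity record


def hash_file(path, algorithm=ALGORITHM):
    """Hex digest of a file's full contents, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(source, image, algorithm=ALGORITHM):
    """Copy source to image byte for byte, hashing the bytes as they are read.

    Returning the hash of what was read (rather than hashing the image afterwards)
    lets the caller confirm that the copy matches the original medium.
    """
    h = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def write_manifest(image, digest, manifest_path):
    """Record the digest in sha256sum-compatible form: '<hex>  <basename>'."""
    with open(manifest_path, "w") as f:
        f.write(f"{digest}  {os.path.basename(image)}\n")


def verify_image(image, manifest_path):
    """Re-hash the image and compare with the recorded digest; True if unchanged."""
    with open(manifest_path) as f:
        recorded = f.readline().split()[0]
    return hmac.compare_digest(recorded, hash_file(image))


def run_demo():
    """Whole workflow on a constructed evidence file (random bytes, not real data).

    Returns (copy_matches_source, verified_before_tamper, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        source = os.path.join(tmpdir, "evidence.bin")
        image = os.path.join(tmpdir, "evidence.dd")
        manifest = image + ".sha256"
        with open(source, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 321))   # constructed sample "disk"

        acquired = bitstream_copy(source, image)
        copy_matches = acquired == hash_file(source)   # image reflects the source exactly
        write_manifest(image, acquired, manifest)
        ok_before = verify_image(image, manifest)

        # Simulate an alteration of the working copy: flip one byte in the middle.
        with open(image, "r+b") as f:
            f.seek(CHUNK)
            original = f.read(1)
            f.seek(CHUNK)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, manifest)
        return copy_matches, ok_before, ok_after


if __name__ == "__main__":
    print(run_demo())   # (True, True, False)
```

Two points of practice the demo compresses for brevity: the source would normally be a block device read through a write blocker, and the manifest would be stored separately from the image (and signed or logged with the chain-of-custody record) rather than sitting beside it, since a manifest that travels with the image can be altered together with it.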

If computer forensics are not something that you or your staff are well prepared to execute, I strongly recommend that you consider moving on an immediate plan to develop a minimum competency in this area starting today.

-Resources-

U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence.” Version 3. http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

“Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence”
http://www.cybercrime.gov/ssmanual/05ssma.html, and more broadly http://www.cybercrime.gov/ssmanual/index.html and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html, and finally,
http://www.cybercrime.gov/cclaws.html.

The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools).  They run on Windows and Unix/Linux systems.  They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.  The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK.  http://www.sleuthkit.org/

The Sleuth Kit: http://sourceforge.net/projects/sleuthkit/
Autopsy: http://sourceforge.net/projects/autopsy/
BackTrack: http://www.backtrack-linux.org/

A list of bootable CDs with The Sleuth Kit & Autopsy, as well as large collections of additional utilities designed to assist you in your forensic work: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy

“Computer Forensics Procedures and Methods.” By Dr. J. Philip Craiger, Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida.
http://ncfs.ucf.edu/craiger.forensics.methods.procedures.final.pdf

“Windows Forensic Analysis DVD Toolkit.” (Second Edition) By Harlan A. Carvey. Syngress, June 11, 2009.
http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=dp_ob_title_bk

“File System Forensic Analysis.” By Brian Carrier. Addison-Wesley Professional, March 27, 2005.
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=pd_sim_b_1

“Real Digital Forensics: Computer Security and Incident Response.” By Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Addison-Wesley Professional, October 3, 2005.
http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=pd_rhf_shvl_4

And a 2008 list of web resources on forensics: http://geschonneck.com/security/forensics/
