Digital Forensics and Incident Response in G Suite
Introduction
Megan Roddie
◦ Cyber Threat Research at IBM
◦ CFO of Mental Health Hackers
◦ M.S. in Digital Forensics
◦ M.S. in Information Security Engineering (est. 2021)
◦ GCFA, GCIH
◦ @megan_roddie
1 INTRODUCTION TO G SUITE
2 DON’T GET COMPROMISED
Don’t Wait. Secure it.
◦ First step: Don’t get compromised!
◦ There are many steps to take to prevent a compromise
◦ 2FA, 2FA, 2FA
https://blog.reconinfosec.com/securing-g-suite/
3 G SUITE DFIR VS. TRADITIONAL DFIR
Mapping G Suite Attacks to the Cyber Kill Chain
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
Incident types
“Traditional” DFIR
◦ Malware
◦ Phishing
◦ Denial of Service
◦ Web attacks (XSS, SQL Injection)
G Suite DFIR
◦ Phishing
◦ Information Leak
◦ Account Abuse
Attack vector
“Traditional” DFIR
◦ Variety of access methods
◦ Vulnerability exploitation
◦ Publicly accessible network resources
◦ Human threat
G Suite DFIR
◦ Smaller attack surface
◦ Social Engineering
◦ Phishing email
◦ Brute force
Environment
“Traditional” DFIR
◦ Multiple devices / device types (computers vs. servers vs. network devices)
◦ Core configuration settings might be centralized, but many settings are independent per system
G Suite DFIR
◦ Contained to a single platform
◦ Core configuration settings are centralized
Overview
“Traditional” DFIR
◦ Large attack surface
◦ Diversity of incident types
◦ Variety of sources of information
G Suite DFIR
◦ Limited attack surface
◦ Specific incident types
◦ Data is centralized
4 CASE SCENARIO
The Scenario
A company’s client list seems to have leaked to an outside entity.
They suspect that the list of customers might have been found via G Suite (files, emails, contacts) but do not know of a compromise.
Cyber Experts, LLC is contracted to find out whether a compromise exists.
Scenario Start
What we know
◦ There might be a compromise
What we need to find out
◦ All the things
What’s been done
◦ Nothing
Identify suspicious activity
◦ Login Audit Logs
Identify suspicious activity
◦ whois 43.241.236.23
◦ whois 52.129.23.26
◦ whois 64.18.221.42
◦ ...
https://blog.ecapuano.com/auditing-gsuite-login-activity/
https://blog.reconinfosec.com/auditing-gsuite-login-activity/
Containment
◦ Disable account
◦ Reset password
◦ Reset all login sessions
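The three containment steps above, as Admin SDK Directory API calls. This is an added example, not code from the talk: "Disable account" is users.update with suspended=true, "Reset password" is users.update with a new password and changePasswordAtNextLogin, and "Reset all login sessions" is users.signOut (the same thing the Admin console does under "Reset sign-in cookies"). The HTTP sender is injected so the sequence can be reviewed and tested offline; the fake_sender below is a stand-in and assumed for illustration, and in production you would pass a function that sends the request with an admin OAuth token carrying the admin.directory.user scope.

```python
"""Containment for a compromised G Suite account via the Directory API:
suspend, rotate the password, then drop every session.

Added example, not the talk's code. `send` is any callable
send(method, url, json_body) -> (http_status, json) that authenticates
as a super admin; the fake sender at the bottom is for offline review.
"""
import secrets
from urllib.parse import quote

DIRECTORY = "https://admin.googleapis.com/admin/directory/v1"


def containment_plan(user_email, new_password):
    """Ordered (method, url, json_body) triples.

    Suspend first so nothing the attacker does between steps succeeds;
    reset sign-in cookies last so the new credential is already in place
    when the existing sessions are invalidated.
    """
    user = f"{DIRECTORY}/users/{quote(user_email)}"
    return [
        # users.update: disable the account
        ("PUT", user, {"suspended": True}),
        # users.update: rotate the password and force a change on return
        ("PUT", user, {"password": new_password, "changePasswordAtNextLogin": True}),
        # users.signOut: invalidate all web and device sessions
        ("POST", f"{user}/signOut", None),
    ]


def contain(user_email, send, new_password=None):
    """Run the plan; stop at the first non-2xx so a half-applied state is visible."""
    new_password = new_password or secrets.token_urlsafe(24)  # never reuse a human-chosen value here
    done = []
    for method, url, body in containment_plan(user_email, new_password):
        status, _ = send(method, url, body)
        done.append((method, url, status))
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {url} returned {status}; completed so far: {done}")
    return done


def fake_sender(fail_on=None):
    """Offline stand-in for an authenticated HTTP client (assumed, for illustration).

    Records every call; returns 403 for URLs ending in `fail_on` to exercise
    the fail-fast path.
    """
    calls = []

    def send(method, url, body):
        calls.append((method, url, body))
        if fail_on and url.endswith(fail_on):
            return 403, {"error": "insufficient permissions"}
        return 200, {}

    send.calls = calls
    return send


if __name__ == "__main__":
    sender = fake_sender()
    for step in contain("alice@example.com", sender):
        print(step)
```

A password reset alone does not revoke OAuth grants or app passwords; those are handled in the persistence step later in the scenario (users.tokens.delete and users.asps.delete in the same API).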
![Page 22: Incident Response in Digital Forensics and...Introduction Megan Roddie Cyber Threat Research at IBM CFO of Mental Health Hackers M.S. in Digital Forensics M.S. in Information SecurityDon’t](https://reader033.fdocuments.us/reader033/viewer/2022050508/5f98f880f737c528f61640b0/html5/thumbnails/22.jpg)
How are we looking now?
What we know
◦ We know whose account was compromised
◦ We know when the account was compromised
◦ No other accounts indicate the same pattern of abnormal activity
What’s been done
◦ The known compromised account has been disabled and all active sessions have been reset
What we need to find out
◦ How did it happen?
◦ What was the account used for?
◦ Is there any persistence in place?
![Page 23: Incident Response in Digital Forensics and...Introduction Megan Roddie Cyber Threat Research at IBM CFO of Mental Health Hackers M.S. in Digital Forensics M.S. in Information SecurityDon’t](https://reader033.fdocuments.us/reader033/viewer/2022050508/5f98f880f737c528f61640b0/html5/thumbnails/23.jpg)
How did it happen?
Brute force?
No
So… Phishing?
What was the account used for?
Review All The Logs
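The log work in this scenario, as one added example that is not code from the talk: the "Identify suspicious activity" step (login audit log, then whois on the unfamiliar IPs), the "Brute force?" check, and "Review all the logs" for the account once it is known. It works on records in the shape the Reports API (admin/reports/v1 activities.list) returns for the login, drive and token applications; the records, accounts and IPs below are constructed (documentation ranges, not the IPs on the slide), and the helper _rec only exists to build them.

```python
"""Triage Reports API activity: flag logins from IPs an account never used
before, check for brute-force failure bursts, then build a timeline of
everything that account did after its first suspicious login.

Added example, not code from the talk. Records are constructed in the shape
returned by admin/reports/v1 activities.list; IPs are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(stamp):
    """Reports API timestamps are RFC 3339 with milliseconds and a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def flatten(rec):
    """One record -> app, actor, ip, time, set of event names, merged parameters."""
    params = {p["name"]: p.get("value", p.get("multiValue", p.get("boolValue")))
              for ev in rec["events"] for p in ev.get("parameters", [])}
    return {"app": rec["id"]["applicationName"], "actor": rec["actor"]["email"],
            "ip": rec.get("ipAddress"), "time": parse_time(rec["id"]["time"]),
            "names": {ev["name"] for ev in rec["events"]}, "params": params}


def login_rows(records):
    return sorted((flatten(r) for r in records if r["id"]["applicationName"] == "login"),
                  key=lambda r: r["time"])


def new_ip_logins(records, cutoff, baseline_days=30):
    """Successful logins at/after `cutoff` from an IP the actor did not use in the
    preceding `baseline_days`; one hit per (actor, ip), oldest first. These are
    the IPs to run through whois next."""
    rows, seen = login_rows(records), defaultdict(set)
    for r in rows:
        if cutoff - timedelta(days=baseline_days) <= r["time"] < cutoff and "login_success" in r["names"]:
            seen[r["actor"]].add(r["ip"])
    hits, reported = [], set()
    for r in rows:
        key = (r["actor"], r["ip"])
        if (r["time"] >= cutoff and "login_success" in r["names"]
                and r["ip"] not in seen[r["actor"]] and key not in reported):
            reported.add(key)
            hits.append({"actor": r["actor"], "ip": r["ip"], "time": r["time"],
                         "login_type": r["params"].get("login_type")})
    return hits


def failure_bursts(records, threshold=5, window_minutes=10):
    """Brute-force check: at least `threshold` login_failure events for one actor
    from one IP inside a sliding window of `window_minutes`."""
    failures = defaultdict(list)
    for r in login_rows(records):          # already time-sorted
        if "login_failure" in r["names"]:
            failures[(r["actor"], r["ip"])].append(r["time"])
    window, bursts = timedelta(minutes=window_minutes), []
    for (actor, ip), times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append({"actor": actor, "ip": ip, "start": times[i],
                               "count": sum(times[i] <= t <= times[i] + window for t in times)})
                break
    return bursts


# Events that move data out or widen access: read these first in a timeline
INTERESTING = {"download", "change_user_access", "change_document_visibility", "copy", "authorize"}


def timeline(records, actor, since):
    """Every event by `actor` at/after `since` across all applications, with a
    one-line detail and a flag for data-movement or access-widening events."""
    rows = sorted((flatten(r) for r in records if r["actor"]["email"] == actor), key=lambda r: r["time"])
    out = []
    for r in (x for x in rows if x["time"] >= since):
        p = r["params"]
        detail = p.get("doc_title") or p.get("app_name") or p.get("login_type") or ""
        if "change_user_access" in r["names"]:
            detail += f" -> {p.get('target_user')} ({p.get('new_value')})"
        if "authorize" in r["names"]:
            detail += f" scopes={p.get('scope')}"
        out.append({"time": r["time"], "app": r["app"], "event": ",".join(sorted(r["names"])),
                    "ip": r["ip"], "detail": detail, "flag": bool(r["names"] & INTERESTING)})
    return out


def _rec(app, time, actor, ip, name, **params):
    """Constructed record in activities.list shape (sample data only)."""
    plist = [{"name": k, ("multiValue" if isinstance(v, list) else "value"): v} for k, v in params.items()]
    return {"id": {"applicationName": app, "time": time}, "actor": {"email": actor},
            "ipAddress": ip, "events": [{"name": name, "parameters": plist}]}


SAMPLE = [  # constructed: alice's usual IP, then one login from a new IP followed by exfil-style activity
    _rec("login", "2020-02-20T08:01:10.000Z", "alice@example.com", "198.51.100.10", "login_success", login_type="google_password"),
    _rec("login", "2020-02-27T08:03:44.000Z", "alice@example.com", "198.51.100.10", "login_success", login_type="google_password"),
    _rec("login", "2020-03-03T21:17:02.000Z", "alice@example.com", "203.0.113.45", "login_success", login_type="google_password"),
    _rec("drive", "2020-03-03T21:20:31.000Z", "alice@example.com", "203.0.113.45", "download", doc_title="Customer List 2020", doc_type="spreadsheet"),
    _rec("drive", "2020-03-03T21:22:05.000Z", "alice@example.com", "203.0.113.45", "change_user_access", doc_title="Customer List 2020", target_user="mallory@example.net", old_value="none", new_value="can_view"),
    _rec("token", "2020-03-03T21:25:40.000Z", "alice@example.com", "203.0.113.45", "authorize", app_name="Mail Backup Helper", scope=["https://mail.google.com/"]),
    _rec("login", "2020-03-04T09:00:00.000Z", "alice@example.com", "198.51.100.10", "login_success", login_type="google_password"),
] + [  # constructed: a password-guessing burst against bob that never succeeds
    _rec("login", f"2020-03-05T02:1{i}:00.000Z", "bob@example.com", "192.0.2.77", "login_failure") for i in range(6)
]
CUTOFF = datetime(2020, 3, 1, tzinfo=timezone.utc)  # start of the review period
```

On the sample data new_ip_logins returns the single alice login from 203.0.113.45, with no failure burst against alice beforehand (the burst is against bob), which is the "Brute force? No" answer; the timeline for alice from that login then shows the download, the share to an outside address and a mail-scoped OAuth grant. Paging, the 180-day retention of login events and the per-application queries are left to the caller.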
Is there any persistence in place?
◦ App passwords
◦ Authorized API
◦ Add 2FA device
◦ Email forwarding
◦ Email filters
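A check for each persistence mechanism in the list above, as an added example that is not code from the talk. It takes the objects the Google APIs return for one user (app passwords from Directory users.asps.list, OAuth grants from users.tokens.list, Gmail users.settings.getAutoForwarding, forwardingAddresses.list and filters.list, and user_accounts events from the Reports API, which is where a newly enrolled 2SV device shows up) and returns findings. The responses below are constructed in the documented shapes; the victim domain example.com, the compromise time and the scope list used to call a grant "broad" are assumptions.

```python
"""Hunt persistence in a compromised G Suite account: app passwords,
authorized API (OAuth) access, 2SV/recovery changes, mail forwarding and
mail filters.

Added example, not the talk's code. Inputs are constructed in the response
shapes of users.asps.list, users.tokens.list, users.settings.getAutoForwarding,
users.settings.forwardingAddresses.list, users.settings.filters.list and
activities.list(applicationName=user_accounts).
"""
from datetime import datetime, timezone

BROAD_SCOPES = ("https://mail.google.com/", "gmail.readonly", "gmail.modify", "auth/drive")  # assumed list
HIDE_LABELS = {"TRASH", "SPAM"}
ACCOUNT_EVENTS = {"2sv_enroll", "2sv_disable", "recovery_email_edit", "recovery_phone_edit", "password_edit"}


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def hunt_persistence(user, since, asps, tokens, auto_forward, fwd_addrs, filters, account_events):
    """Return (category, detail) findings for `user`, whose compromise began at `since`."""
    domain = user.split("@", 1)[1].lower()
    found = []
    # App passwords bypass 2SV and survive a session reset; list all, date each
    for asp in asps.get("items", []):
        created = datetime.fromtimestamp(int(asp["creationTime"]) / 1000, tz=timezone.utc)
        tag = "created after compromise" if created >= since else "pre-existing, verify with user"
        found.append(("app_password", f"{asp['name']} ({tag}, {created:%Y-%m-%d})"))
    # OAuth grants survive a password reset; broad mail/drive scopes are the exfil path
    for tok in tokens.get("items", []):
        if any(s in scope for scope in tok.get("scopes", []) for s in BROAD_SCOPES):
            found.append(("oauth_token", f"{tok.get('displayText', tok['clientId'])} scopes={tok['scopes']}"))
    # Gmail auto-forwarding, and any forwarding address outside the victim's domain
    if auto_forward.get("enabled"):
        found.append(("auto_forward", auto_forward.get("emailAddress", "")))
    for addr in fwd_addrs.get("forwardingAddresses", []):
        if not addr["forwardingEmail"].lower().endswith("@" + domain):
            found.append(("forwarding_address", f"{addr['forwardingEmail']} ({addr.get('verificationStatus')})"))
    # Filters that forward mail or hide it from the inbox (cover for ongoing abuse)
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        hides = bool(HIDE_LABELS & set(action.get("addLabelIds", []))) or "INBOX" in action.get("removeLabelIds", [])
        if action.get("forward") or hides:
            found.append(("mail_filter", f"id={flt['id']} criteria={flt.get('criteria')} action={action}"))
    # user_accounts audit events after the compromise: new 2SV device, recovery channel, password
    for ev in account_events:
        names = {e["name"] for e in ev["events"]} & ACCOUNT_EVENTS
        if names and ev["actor"]["email"] == user and _ts(ev["id"]["time"]) >= since:
            found.append(("account_setting",
                          f"{','.join(sorted(names))} at {_ts(ev['id']['time']):%Y-%m-%dT%H:%MZ} from {ev.get('ipAddress')}"))
    return found


SINCE = datetime(2020, 3, 3, 21, 17, 2, tzinfo=timezone.utc)  # assumed: first login from the new IP
SAMPLE = dict(  # constructed responses for alice@example.com
    asps={"items": [{"codeId": 1, "name": "Outlook laptop", "creationTime": "1580515200000"},   # 2020-02-01
                    {"codeId": 2, "name": "IMAP", "creationTime": "1583272800000"}]},           # 2020-03-03 22:00Z
    tokens={"items": [{"clientId": "111.apps.googleusercontent.com", "displayText": "Mail Backup Helper",
                       "scopes": ["https://mail.google.com/"], "nativeApp": False},
                      {"clientId": "222.apps.googleusercontent.com", "displayText": "Calendar Widget",
                       "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "nativeApp": False}]},
    auto_forward={"enabled": True, "emailAddress": "archive@example.net", "disposition": "leaveInInbox"},
    fwd_addrs={"forwardingAddresses": [{"forwardingEmail": "archive@example.net", "verificationStatus": "accepted"}]},
    filters={"filter": [{"id": "filter-1", "criteria": {"from": "client@customer.example"},
                         "action": {"forward": "archive@example.net", "removeLabelIds": ["INBOX"]}},
                        {"id": "filter-2", "criteria": {"query": "invoice"}, "action": {"addLabelIds": ["Label_7"]}}]},
    account_events=[{"id": {"applicationName": "user_accounts", "time": "2020-02-10T10:00:00.000Z"},
                     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.10",
                     "events": [{"name": "password_edit"}]},
                    {"id": {"applicationName": "user_accounts", "time": "2020-03-03T21:30:00.000Z"},
                     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.45",
                     "events": [{"name": "2sv_enroll"}]}],
)
```

Every finding maps to a removal call in the same APIs (users.asps.delete, users.tokens.delete, users.settings.updateAutoForwarding, forwardingAddresses.delete, filters.delete); the 2SV device and recovery channels are reverted in the Admin console or by the user after the reset. Gmail settings calls need domain-wide delegation, and the user_accounts events are the only API-visible trace of a 2SV enrolment.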
Moral of the story...
5 FUTURE RESEARCH
Incident Response (IR)
◦ Automation via G Suite API
◦ Started but not my area of expertise
▫ Reach out if you want to collaborate
Digital Forensics (DF)
◦ File Metadata Analysis
◦ Recreate SANS Windows Time Rules for Google Drive
Questions?
Thank you!