Successful Strategies in Enterprise Intrusion Investigations

6
0000.PPT 08/28/2022 1 Successful Strategies in Enterprise Intrusion Investigations SANS WhatWorks in Forensics and Incident Response Summit 2008 Michael Cloppert Member Technical Staff Lockheed Martin Computer Incident Response Team

description

Successful Strategies in Enterprise Intrusion Investigations. SANS WhatWorks in Forensics and Incident Response Summit 2008. Michael Cloppert Member Technical Staff Lockheed Martin Computer Incident Response Team. Phase 2: Establish a presence. Establish a Presence. Compromise Systems. - PowerPoint PPT Presentation

Transcript of Successful Strategies in Enterprise Intrusion Investigations

Page 1: Successful Strategies in Enterprise Intrusion Investigations

0000.PPT 04/19/2023 1

Successful Strategies in Enterprise Intrusion Investigations

SANS WhatWorks in Forensics and Incident Response Summit 2008

Michael CloppertMember Technical StaffLockheed Martin Computer Incident Response Team

Page 2: Successful Strategies in Enterprise Intrusion Investigations

2

Phase 2: Establish a presence

CompromiseSystems

Establisha

Presence

Steal data

Page 3: Successful Strategies in Enterprise Intrusion Investigations

3

But how?

Page 4: Successful Strategies in Enterprise Intrusion Investigations

4

So what now?

Yeah, it’s broken.

We have a process!

Oh you mean this one?

NIST Special Publication 800-61:Computer Security Incident Handling Guide CMU-SEI-2004-TR-015Defining Incident Management Processes:

A Work In Progress

Page 5: Successful Strategies in Enterprise Intrusion Investigations

5

Get Intelligent

IncidentResponse

MalwareAnalysis

NetDefenders

DigitalForensics

Compromises

Behaviors,Activity

Sys

tem

Foot

prin

tS

uspi

ciou

sFi

les

Suspicious

DataFootprints,

BehaviorsPartnerships &

Collaboration

Integration of intelligence acquired through analysis and collaboration is key to successfully managing incidents

Page 6: Successful Strategies in Enterprise Intrusion Investigations

6

Contact

Michael Cloppert

[email protected]

mailto:[email protected]

Cover Page for 2009 Internal Investigations · 3 Practical Advice on Conducting a Successful Internal Investigation 4 Internal Investigations: Public Company Continuous Disclosure

Cover Page for 2009 Internal Investigations · 3 Practical Advice on Conducting a Successful Internal Investigation 4 Internal Investigations: Public Company Continuous Disclosure

Defending Against Network Intrusion (Firewalls, Intrusion Detection Systems) IS511.

Defending Against Network Intrusion (Firewalls, Intrusion Detection Systems) IS511.

Enhanced Solutions for Misuse Network Intrusion Detection ... · 2.3 Intrusion Detection (ID) 7 2.4 Intrusion Detection System (IDS) 8 2.5 Intrusion Detection Systems Classifications

Enhanced Solutions for Misuse Network Intrusion Detection ... · 2.3 Intrusion Detection (ID) 7 2.4 Intrusion Detection System (IDS) 8 2.5 Intrusion Detection Systems Classifications

8. Intrusion Detection Sensors - sandia.gov...8. Intrusion Detection Sensors The Twenty-Seventh International Training Course 8-1 8. Intrusion Detection Sensors Abstract. Intrusion

8. Intrusion Detection Sensors - sandia.gov...8. Intrusion Detection Sensors The Twenty-Seventh International Training Course 8-1 8. Intrusion Detection Sensors Abstract. Intrusion

Successful Fire Investigations From One Assistant Attorney General’s Perspective (Presented by: Mike Rollinger)

Successful Fire Investigations From One Assistant Attorney General’s Perspective (Presented by: Mike Rollinger)

Conducting Cyber Investigations - Hackers For Charity · Conducting Cyber Investigations ... the manner of delivery.The key to a successful investigation of a ... tems today are so

Conducting Cyber Investigations - Hackers For Charity · Conducting Cyber Investigations ... the manner of delivery.The key to a successful investigation of a ... tems today are so

Www.rti.org RTI International is a registered trademark and a trade name of Research Triangle Institute. A Real-Time VOC Sensor for Vapor Intrusion Investigations.

Www.rti.org RTI International is a registered trademark and a trade name of Research Triangle Institute. A Real-Time VOC Sensor for Vapor Intrusion Investigations.

2 Groundwater Investigations - WURcontent.alterra.wur.nl/Internet/webdocs/ilri-publicaties/publicaties/... · 2 Groundwater Investigations N.A. de Ridder'? 2.1 Introduction Successful

2 Groundwater Investigations - WURcontent.alterra.wur.nl/Internet/webdocs/ilri-publicaties/publicaties/... · 2 Groundwater Investigations N.A. de Ridder'? 2.1 Introduction Successful

Computer Intrusion Forensics Research Paper - …nathanbalon.com/projects/cis544/ForensicsResearchPaper.pdfComputer Intrusion Forensics Research Paper ... Intrusion detection systems

Computer Intrusion Forensics Research Paper - …nathanbalon.com/projects/cis544/ForensicsResearchPaper.pdfComputer Intrusion Forensics Research Paper ... Intrusion detection systems

The key factors of successful sustainable …unpan1.un.org/intradoc/groups/public/documents/unpan/...Key Factors of Successful Sustainable Development Several investigations were made

The key factors of successful sustainable …unpan1.un.org/intradoc/groups/public/documents/unpan/...Key Factors of Successful Sustainable Development Several investigations were made

Intrusion Detection - karanatsios.comkaranatsios.com/uploads/FH/Intrusion_Detection_Report_Zaefferer...Intrusion Detection Case Study Authors: ... detection tools is, ... “An intrusion

Intrusion Detection - karanatsios.comkaranatsios.com/uploads/FH/Intrusion_Detection_Report_Zaefferer...Intrusion Detection Case Study Authors: ... detection tools is, ... “An intrusion

Intrusion Investigation and Post-Intrusion Computer ... · PDF fileINTRUSION INVESTIGATION AND POST-INTRUSION ... detection, and response and ... Intrusion Investigation and Post-Intrusion

Intrusion Investigation and Post-Intrusion Computer ... · PDF fileINTRUSION INVESTIGATION AND POST-INTRUSION ... detection, and response and ... Intrusion Investigation and Post-Intrusion

DE F AKA ENCRYPTION EXPERT · Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations,

DE F AKA ENCRYPTION EXPERT · Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations,

Intrusion Detection • Principles • Models of Intrusion ...muratk/courses/dbsec12f_files/Intrusion... · • Models of Intrusion Detection • Architecture of an IDS ... insert

Intrusion Detection • Principles • Models of Intrusion ...muratk/courses/dbsec12f_files/Intrusion... · • Models of Intrusion Detection • Architecture of an IDS ... insert

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Detection Systems and Intrusion Prevention Systems

Intrusion Detection Systems and Intrusion Prevention Systems

Sampling and Analysis in Vapor Intrusion Investigationss3.amazonaws.com/ebcne-web-content/fileadmin/pres/5-22-07_Reze… · Sampling and Analysis in Vapor Intrusion Investigations

Sampling and Analysis in Vapor Intrusion Investigationss3.amazonaws.com/ebcne-web-content/fileadmin/pres/5-22-07_Reze… · Sampling and Analysis in Vapor Intrusion Investigations

Waiwhetu Artesian Aquifer Saltwater Intrusion Risk ... · Waiwhetu Artesian Aquifer Saltwater Intrusion Risk Management Wellington Regional Council Investigations Department Technical

Waiwhetu Artesian Aquifer Saltwater Intrusion Risk ... · Waiwhetu Artesian Aquifer Saltwater Intrusion Risk Management Wellington Regional Council Investigations Department Technical

Office of Special Investigations - Justice of Special Investigations ... expertise necessary for successful investigation of these complex cases, its efforts met mostly with failure.

Office of Special Investigations - Justice of Special Investigations ... expertise necessary for successful investigation of these complex cases, its efforts met mostly with failure.

Beyond ‘Check The Box’ - Black Hat Briefings€¦ · PRESENTED BY: © Mandiant Corporation. All rights reserved. Beyond ‘Check The Box’ Powering Intrusion Investigations Jim

Beyond ‘Check The Box’ - Black Hat Briefings€¦ · PRESENTED BY: © Mandiant Corporation. All rights reserved. Beyond ‘Check The Box’ Powering Intrusion Investigations Jim