Page 1:

CONFIDENTIAL – DO NOT REDISTRIBUTE – ©2017 NUIX

Cybersecurity – Prospects and challenges
Nuix - ITU Cyber Drill
Chisinau, Moldova - 21st November 2017


Page 2:

James Billingsley
Principal Solutions Consultant, Cybersecurity & investigations: Nuix

• Decade of experience in the field of Computer Forensics
• Worked as Senior Breach Investigation Consultant - Security Investigation & Assessment team, leading PCI Forensic Investigations for clients including Visa and MasterCard.
• A Certified Administrator - worked as senior eDiscovery Consultant supporting data collections and legal reviews as part of enterprise scale global investigations.
• A Certified Examiner - worked for a number of years as a senior Computer Forensics Investigator serving UK Police Forces and Government Agencies and providing expert witness in UK Courts, completing over 100 cases.
• Co-authored software tools focusing on Internet Browser Forensics - used globally by a number of law enforcement agencies, international corporations and as part of SANS training courses.
• Speaker at Industry events on behalf of Nuix in Forensic Investigations, Cyber Security, eDiscovery and Information Governance over the last 5 years in over 20 countries.


Page 3:

Prospects & Challenges

• Time taken to identify and respond to attack
  • Lack of comprehensive visibility
  • Lack of understanding of environment and data sources
  • Lack of real time data sources
• Skills gap
  • Complex technologies involved
  • Experience, education and development takes time
• Expanding threat landscape through increased technology adoption
  • Internet of Things (IoT)
• Continuing challenge to parse and centralise all intelligence sources

Page 4:

Prospects & Challenges

Time taken to identify and respond to attack

• Visibility is key
  • Data at rest
  • Data in motion
• Data at rest
  • Information Governance and risk assessment
• Data in motion
  • Real time data as events happen

Page 5:

Prospects & Challenges
Visibility of what is happening in real time is key

• Scanning for known threats is not enough
• What about the threats we haven’t yet classified?

Page 6:

Prospects & Challenges
Visibility of what is happening in real time is key

• We need to move to behavioral analysis and intervention

Page 7:

Prospects & Challenges

Regardless of motivation the end goal for attackers is often the same.
• Observe and understand target(s)
• Gain limited control of system
• Raise to full control of system
• Harvest sensitive data
• Extract sensitive data
• Maintain full control of system

The zero-day exploit, filenames, file locations and processes used to achieve these goals are not as important as the ACTIONS being carried out.

We don’t protect our banks only by looking for known criminals…
• We collect and secure valuables in a vault
• Install security systems to monitor and audit behaviours of any/all people interacting with the bank
• Allows for prevention and intervention in real time.

Page 8:

Prospects & Challenges
Skills gap

• Better programs and policies to facilitate intelligence sharing
• Improved use of technology to simplify complex analysis tasks
• Methods for integrating knowledge of experienced analysts to allow less skilled operators to target relevant findings more quickly
• Evolution of technology platforms to allow for easier access to project data and effective collaboration across investigation team on a global scale

Page 9:

Prospects & Challenges

Continuing challenge to parse and centralise all intelligence sources

• Collate all available data/intelligence sources

• Effectively parse data sources enabling meaningful analysis

• Better leverage technology to more efficiently correlate patterns and trends

• Feed intelligence back into the loop to ensure a growing intelligence database

Page 10:

Analyst A …uses a CLI… …to GREP through logs
Analyst B …uses a sandbox… …to examine malware
Analyst C …uses Wireshark… …to examine network traffic

All of this is done in silos!
We miss the bigger picture!

Page 11:

Throw the net wide - File Support

EMAIL & LOOSE FILES

Microsoft:
• EDB, STM, EWS (Microsoft Exchange)
• PST, OST (Microsoft Outlook storage files)
• MSG (Microsoft Outlook single mail files)
Lotus:
• NSF (Lotus Notes / Domino)
Other:
• MBOX, DBX, MBX (Microsoft Outlook Express)
• EML, EMLX, BOX, SML
• Webmail – HTML scraped from browser cache
• Browser history, cache, bookmarks, and downloads
Document Types:
• HTML, Plain text, RTF, PDF
• DOCX, DOC, DOT (Microsoft Word)
• XLSX, XLS, XLT (Microsoft Excel)
• PPTX, PPT, POT, PPS (Microsoft PowerPoint)
• WKS, XLR (Microsoft Works spreadsheets)
Image Types:
• PNG, JPEG, JP2, TIFF, GIF, BMP, PBM, PPM, PGM, RAW, WBMP, WMF, WMZ, EMF, EMZ

INCIDENT RESPONSE

Forensic Image Files:
• Nuix logical images
• EnCase Images (E01, L01)
• Access Data (AD1)
• Linux DD Files
• Mobile Images (Cellebrite / XRY / Oxygen)
Log Files:
• Windows Event Logs (EVT/EVTX)
• Web Logs (IIS, Apache)
• Firewall & FTP Logs
• Logstash Output
• CSV/TSV, syslog, setupAPI
Network Captures:
• PCAP packet parsing & TCP/UDP stream building
System Files:
• EXE/DLLs
• LNK, Prefetch & Jump List Files
• Windows Registry Hives inc. decoding
File System Artefacts:
• $LogFile, $UsnJrnl, Object ID
• Apple property lists
• Carving from unallocated & file slack
• Recycle Bin & Volume Shadow Copy
Fuzzy Hashing - SSDeep

MISCELLANEOUS

Structured Data:
• MS SQL (Live & MDF/LDF are text stripped)
• SQLite
Browser & Cloud Artifacts:
• IE, Safari, Chrome, Firefox
• Dropbox, AWS
Container Files:
• ZIP, RAR, LZH, LHA, ARC, TAR, GZ, BZ2, ISO
Virtual Machine Images:
• VDK, VMDK (Virtual Disk Images)
• Parallels
Archive Systems:
• EMC EmailXtender (*.emx)/SourceOne
• Symantec 2007, 8, 9, 10
• HP EAS
DMS Systems:
• MS SharePoint
Unknown File Types:
• Unknown file types are text stripped

Page 12:

Summary

Technology is only part of the solution but can be better leveraged to allow for:

• Better understanding of data environment at rest

• More real time data sources to ensure comprehensive visibility

• Real time data should focus on behaviours not just hunting known threat profiles

• Increased integration of analyst knowledge/experience to help bridge skills gap

• Better platform for global collaborative response

Page 13:

FIND OUT MORE AT:

www.nuix.com
nuix.com/blog
twitter.com/nuix
facebook.com/nuixsoftware
linkedin.com/company/nuix
youtube.com/nuixsoftware