TopPatch Forensics
It is widely known that large tech companies often save their top talent for their biggest clients, training new hires on small clients for practice.
However, we think differently.
TopPatch offers a former Counterintelligence Special Agent with the United States Army, assigned to the Army’s elite cyber counterintelligence unit at Fort Meade. There, he conducted numerous cyber-terrorism and cyber-espionage investigations for different federal agencies. He will lead the engagement.
What will TopPatch deliver?
Every incident is different. With little information, we can still provide a simple overview of some possible tactics, techniques, and procedures to assist in resolving issues and better positioning your network to defend against future occurrences.
Like any investigation, there are specific questions we must answer as effectively as possible: who, what, how, when, and why?
If you are the victim of a targeted attack, we will also answer:
- How the people responsible got into your network
- How they got into the computer
- Where the malware went on the computer and what it did.
How do you get a virus?
The internet has numerous threats. It is possible to get a virus simply by visiting a compromised website, even if no file is downloaded intentionally by the user.
However, in the case of an agency, business, or institution, it is best to at least consider the possibility that this is not just a random happening, but a targeted attack. Behind such attacks, there are generally three categories of suspects:
- State-Sponsored: These are individuals in the service of a foreign government.
- Cyber Criminals: These range from sophisticated, powerful organized crime syndicates to individuals just looking for a quick payoff.
- Hacker Groups or “Hacktivists”: Usually motivated by political or philosophical ideals and looking to make a point.
What is a ‘Phishing Scam’ and how can it affect you?
Phishing scams are targeted attacks that gather data. For example, email distribution lists containing private email addresses are common bait for a phishing scam. The scams are common and widely used by cyber criminals.
The Process:
- If a criminal gains access to your network and finds the email list, they can craft what is known as a ‘phishing email’: a fake email resembling a legitimate one from your organization.
- Using a process called “spoofing,” it is very simple to duplicate an official email to appear legitimate to the victim regardless of its true origin.
- This email typically contains:
- A request for credit card information
- A link which installs a key-logger on the victim’s computer enabling the criminal to record all activity occurring on the computer
- Other methods to acquire personal information from the victim
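A defender-side check for the spoofing indicators described above, as an added example that is not part of the original page: it parses a constructed sample message with Python's standard email module and flags a From domain that does not match the envelope sender, link text that shows a different URL than its real target, a lookalike host that embeds the organization's domain, and a request for card details. The organization domain example-corp.com, the sample message and the indicator rules are assumptions for illustration.

```python
"""Flag indicators of a spoofed phishing email (added example, not TopPatch code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the From header claims the organization's domain,
# but the envelope sender (Return-Path) and the link target do not match it.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Accounts Payable" <billing@example-corp.com>
To: employee@example-corp.com
Subject: Action required: confirm your card details
Content-Type: text/html

<html><body>
<p>Please confirm your credit card on file:</p>
<a href="http://example-corp.com.login-verify.example.org/update">https://example-corp.com/billing</a>
</body></html>
"""

ORG_DOMAIN = "example-corp.com"  # assumed organization domain

LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.IGNORECASE)


def domain_of(address):
    """Return the lowercase domain part of an email address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Return a list of human-readable spoofing/phishing indicators found in raw."""
    msg = message_from_string(raw)
    indicators = []
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    # Indicator 1: visible From claims our domain, envelope sender does not
    if from_domain == org_domain and return_domain and not belongs_to(return_domain, org_domain):
        indicators.append(f"return-path domain {return_domain} does not match From domain {from_domain}")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        target_host = urlparse(href).hostname or ""
        # Indicator 2: link text shows a URL on a different host than the real target
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown != target_host:
            indicators.append(f"link text {shown} hides target {target_host}")
        # Indicator 3: target host embeds our domain but is not actually under it
        if org_domain in target_host and not belongs_to(target_host, org_domain):
            indicators.append(f"lookalike host {target_host}")
    # Indicator 4: the message asks for card data
    if re.search(r"credit card", body, re.IGNORECASE):
        indicators.append("body requests credit card details")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", line)
```

Header checks like these are cheap to run at the mail gateway; they complement, rather than replace, SPF and DKIM verification, which the gateway performs on the envelope and signature rather than on the visible headers.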
“How do you know we have been hacked,” and “How do we fix it?”
These questions are difficult to answer without specific knowledge regarding certain aspects of your network and your current security software. That said, we will run through an ideal procedure for remediating the issue.
This process should take between two and four weeks and answers the question, “What?”
Remediation Procedure:
- Study logs of your intrusion detection software. From these, we would be able to assess critical information:
- When the incident occurred
- How many infected systems are present on the network
- What those systems are.
- Determine which computer or computers first showed signs of compromise
- Obtain a “Memory Snapshot” of the infected computers. A memory snapshot is a record that shows every process running on a specific computer at a specific time.
- Analyze the memory snapshot to see each individual binary in stark detail, including its “hashes.” A hash is like a file’s fingerprint; it can often be used to determine whether the file has been altered in any way. The analysis shows:
- Suspicious activity running on the computer at the time of the snapshot
- How the binary was installed
- Where the binary is located in the computer’s hard drive
- Whether there is any strange code present and whether it is attempting to contact another website or computer outside of your network.
If a suspicious process is discovered attempting contact with an outside source, the IP address can be tracked to its source.
How do we track down IP addresses?
There are several methods available to check the validity of an IP address, and many will give detailed information, including who registered it. Simultaneously, with your permission, we would send the binary to contacts of ours at various intelligence agencies.
Our contacts would check various private systems and databases unavailable to the public to determine:
- Information about the particular process or IP addresses involved including if the files are associated with any known entity.
If it is determined that the malware is just a common strain and no malicious intent against your particular organization is suspected, it is a simple matter to contact your anti-virus providers and request that they send you the latest update available. Once the update has been sent, simply push it out over the network and it should clean any and all infected computers.
If it is a new version of a known malware or a previously unknown variant, we would need to send the binary to the anti-virus provider and they should be able to provide a solution in a day or two.
How does malware get into a network?
- Malware can originate on a computer inside your network and spread internally.
- This can happen in many ways. For example, a “friend” gives an employee a flash drive or a CD of a particular band or a movie. Perhaps unbeknownst to the employee, it also contains malware. The employee decides to listen or watch it at work and the damage is done. Forensic analysis will tell us if this was the case. From there, you could discuss the event with the employee from whom the breach originated.
- Malware programs available for purchase
- There are thousands of people willing to purchase them and attempt to use them for illegal purposes. Most cost less than $100. However, with the proper people, equipment, and procedures, we can make great strides toward not only significantly reducing vulnerability, but also toward minimizing any damage that can be caused should they break through defenses.
You are the victim of a targeted attack. What is next?
Further action would need to be taken.
To refer to the above scenario, let’s say that one of the infected computers is your email server. We would acquire a forensic image of the server’s hard drive. An image is a complete copy of the hard drive. This process will not damage the original drive in any way, and precautions are taken to ensure that nothing is altered on the original drive.
Once the image has been acquired, the forensic analysis can begin.
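How the acquisition step above is verified in practice, as an added example that is not part of the original page: the source is read in fixed-size chunks and hashed while it is copied, the resulting image is re-read from disk and checked against the acquisition record, and the source is hashed again afterwards to show it was not altered. The in-memory byte string standing in for a drive, the temporary image file and the record layout are assumptions for illustration; a real acquisition reads the device through a write blocker.

```python
"""Acquire and verify a forensic image with hash checks (added example, not TopPatch code)."""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so a large drive never sits in memory at once

# Constructed stand-in for a drive: a byte string exposed as a read-only stream.
FAKE_DRIVE = b"MBR\x00" + bytes(range(256)) * 64 + b"mail-server-data"


def hash_stream(stream):
    """Return (size, sha256, md5) of everything readable from stream, in chunks."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        sha.update(block)
        md5.update(block)
        size += len(block)
    return size, sha.hexdigest(), md5.hexdigest()


def acquire_image(source, image_path):
    """Copy source to image_path while hashing what was read; return an acquisition record."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(image_path, "wb") as out:
        for block in iter(lambda: source.read(CHUNK), b""):
            out.write(block)
            sha.update(block)
            md5.update(block)
            size += len(block)
    return {"bytes": size, "sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def verify_image(image_path, record):
    """Re-read the image from disk and confirm it matches the acquisition record."""
    with open(image_path, "rb") as f:
        size, sha, md5 = hash_stream(f)
    return size == record["bytes"] and sha == record["sha256"] and md5 == record["md5"]


def demo():
    """Image the fake drive into a temp file, verify it, and show tampering is caught."""
    before = hash_stream(io.BytesIO(FAKE_DRIVE))
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        record = acquire_image(io.BytesIO(FAKE_DRIVE), path)
        verified = verify_image(path, record)
        # A single changed byte in the image must fail verification
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_ok = verify_image(path, record)
    finally:
        os.remove(path)
    after = hash_stream(io.BytesIO(FAKE_DRIVE))
    return {"verified": verified, "tamper_detected": not tampered_ok,
            "source_unchanged": before == after, "record": record}


if __name__ == "__main__":
    result = demo()
    print(result["record"])
    print("verified:", result["verified"], "tamper detected:", result["tamper_detected"])
```

The record (size plus two independent digests) is what gets written into the chain-of-custody notes; anyone who later works from the image can re-run verify_image and show the copy they analyzed is the one that was acquired.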
Unfortunately, computer forensics is a very involved process. It would not be feasible to summarize it here, nor could we give an approximation of the length of time needed to complete the investigation. It could take anywhere from a few days to a few weeks to, in some extreme cases, months.
In the meantime, it may be advisable to post a message on your website informing people that a security breach has occurred and to be vigilant against any potential phishing emails.
Upon completion of the analysis, TopPatch will tell you:
- How the people responsible got into your network
- How they got into the computer
- Where the malware went on the computer and what it did.