ECI: Anatomy of a Cyber Investigation Who Are

ECI: Anatomy of a Cyber Investigation Who Are the Actors Title 1 Who is Doing it? 70% of breaches involved External agents 48% of breaches involved Internal agents 11% of breaches involved Partner agents

Any breach can involve multiple individuals E.g. An employee of a subcontractors steals Credit Card numbers and delivers the Credit Card Numbers to an external 3rd party Title 2 Who is Doing it? External Agents (70% breaches, 98% of lost data) 24% Organized Criminal Group

21% Unaffiliated Person(s) 3%External Systems or Sites 5%Others (Former Employee, Partner, Competitor, Customer) 45% Unknown Title 3 Who is Doing it? Internal Agents (48% of Breaches, 3% of records) Demographics (90% Deliberate )

51% 12% Regular Employees / end user Finance / Accounting 12% System Admin 7%Upper management 8%Other ( Help desk, Software Dev, Auditor) 9%

Unknown Title 4 Who is Doing it? Partner Agent (11% of Breaches, 1% of records) 3rd party hijack Partner, Deliberate act of Partner Organization that outsource their IT management and support also outsource a

great deal of trust to these partners. poor governance, lax security, and too much trust is often the rule Verizon Data Breach Investigation Report (p. 19) Title 5 How Are They Doing it? Title

6 How did insiders do it? Inter-connected factors and events 48% of breaches included Misuse of privilege 40% of breaches were by Hackers 38% of breaches used of Malware 28% of breaches used Social Engineering 15% of breaches were Physical attacks A single attack can may combine multiple vulnerabilities. Title

7 How did Outsiders do it? Hackers methods Web Applications 54% Remote Access 34% Backdoors 23% Network file sharing 4% Others (physical access, Wireless Network, unk) Title

8 Top 5 Methods of Attack Webpage Access Un / Improperly Secured Access Trusted network connections Trojans / Malware / Spyware Employee Malfeasance Title 9

Top 5 Methods of Attack Web Pages Unsecured web pages access SQL Injection Improperly designed website Oops - errors Title

10 Top 5 Methods of Attack Un / Improperly Secured Access Abandoned / Unguarded computers. Computers with too many connections Brute Force Backdoors Title 11

Top 5 Methods of Attack Trusted network connections Sub contractor / Sister company or agency Title 12 Top 5 Methods of Attack Trojans / Malware / Spyware E-mail of a Trojan Social Engineering

Telephone Contact Email Contact Internet contact (Chat, IM, etc) Customized Malware (Largest attacks) Back doors Title 13 Top 5 Methods of Attack Employee Malfeasance

Abuse of system access Use of un-approved hardware / device Rogue networks Improperly handled data Title 14 Timelines facts How long To Compromise Data Most took days to months

31% took only Minutes Time to Discovery Most took weeks or months 5% took minutes Time to Containment Most took days to weeks *some even months Title 15 Some thoughts 98% came from servers (duh) 85% an not very difficult

61% Discovered by a 3rd party 86% had evidence in log files about attack Title 16