UMUC Cybercrime Investigation and Digital Forensics CSEC650
© UMUC 2011

Contents

Topic 1: Scenario (page 2)
    Scenario: Network Intrusion at Ninja Toys (page 2)
Topic 2: Module Introduction (page 4)
Topic 3: Analyzing a Computer Intrusion (page 5)
    Types of Intrusions (page 5)
Topic 4: Tools to Accomplish Incident Tracing (page 7)
    Intrusion Tracing Tools (page 7)
    Traceback Procedures (page 8)
Topic 5: Quarantining Techniques (page 9)
    Why Quarantining is Useful (page 9)
    Activity: To Quarantine or Not to Quarantine? (page 11)
    The Process of Reconstructing Computer Crimes (page 14)
Topic 6: Reconstruction Techniques (page 15)
    Activity—Reconstructing a Crime (page 15)
Topic 7: The Lessons-Learned Process (page 17)
    Lessons Learned (page 17)
    Activity (page 19)
Topic 8: Summary (page 22)
Glossary (page 23)



Topic 1: Scenario

Scenario: Network Intrusion at Ninja Toys

Recovery from Cyberattacks CSEC650—Module 10

Network Intrusion at Ninja Toys

Cyberata Systems is working closely with its client, Ninja Toys, to solve a case of network intrusion. The Ninja Toys network has been invaded by an attacker whose apparent intention is to create a large-scale industrial espionage event. The case is being handled by Helen Ramirez, the project leader at Cyberata Systems. Helen is in charge of helping Ninja Toys recover from the loss.

Scenario

The Company
Cyberata Systems is a medium-sized consulting firm that specializes in digital forensics and contingency planning. Three women who completed their graduate studies in cybersecurity formed Cyberata Systems. Elaine Payne is in charge of the business strategy, while Theresa Johnson and Helen Ramirez lead all client projects.

The Intrusion
Recently, a large-scale intrusion took place at Ninja Toys, one of Cyberata Systems' clients. This intrusion resulted in the theft of intellectual property, including research data on the toy market. John Robbins, the Chief Information Security Officer (CISO) at Ninja Toys, asks Cyberata Systems to look into the matter. Helen Ramirez, the project leader at Cyberata Systems, makes this case her top priority because Ninja Toys is one of her company's biggest clients. Helen arranges a meeting with John to share what she has found so far.

A transcript of the conversation between Helen and John is reproduced below.

Helen: Hi, John.
John: Hi, Helen. I hope you have some good news!
Helen: We're making progress with our investigation, John.
Helen: We have some leads, and we've found the cause of the intrusion.
John: Great! What was it?
Helen: It's clear that it was a flaw in the company's e-mail filtering process.
Helen: Our investigation shows that the El Jefe rootkit was installed on one of the company's main servers.

John: Who would want to infiltrate the company's systems and why?


Helen: Well, from our initial investigation, it appears the intruder is based in Mexico.
Helen: Personally, I think the motive might be industrial espionage.
John: Mexico, huh? Helen, do you know that one of our main competitors, El Rio Toys, has its headquarters in Mexico City?
Helen: Yes, I'm aware of that, and we'll look for links with El Rio Toys. I'll let you know as soon as we make more progress.
John: Great. Thanks, Helen.

The Repercussions
The intrusion at Ninja Toys affected all of its business activities for almost three weeks. Although the security team worked hard to recover from the security incident, the repercussions could be far-reaching, including bankruptcy for Ninja Toys.

The Learning
In light of this incident, the management of Ninja Toys now realizes the real danger of cybersecurity complacency. John Robbins approaches Cyberata Systems for advice on how to secure their IT infrastructure and information systems after recovering from the attack. In addition, John wants to make sure Ninja Toys has adequate recovery techniques. He asks Helen to develop a lessons-learned process so they will be better equipped to deal with cybersecurity incidents in the future.


Topic 2: Module Introduction

This module covers a range of topics related to recovery from cyberattacks. It begins with the common practices for analyzing computer network intrusions. These practices are essential knowledge for a digital forensic examiner. Then, the module covers tools used to trace network intrusions and discusses quarantining techniques that forensic investigators use to minimize the impact of suspicious network activity. The module then explores recovery techniques, covering a range of steps that organizations should undertake to restore systems. The module concludes with a discussion of how to recover from a cyberattack. Recovery includes reviewing what happened before, during, and after a cyberattack and identifying the lessons that can be learned. Carrying out these steps can promote cyberdefense and improve the efficiency and effectiveness of the forensic investigation.


Topic 3: Analyzing a Computer Intrusion

Types of Intrusions

Analyzing an intrusion can be a difficult process. First, an investigator must know that an intrusion has occurred or is occurring. Computer intrusions can range from simple hacking attacks to highly complex botnet invasions. Good digital forensic investigators remain objective and ensure that their analyses are 100 percent accurate. This is challenging because although digital forensics is a science, it can also be considered an art. Investigators must realize that different people may have different interpretations of their work.

Methods of Intrusion

Installation of Malware
Attackers can invade a network by installing malware, such as botnets, on the network. Malware installation has become more complex over time, as demonstrated by the proliferation of rootkit attacks. Rootkits are a good example of this phenomenon, and they are becoming more popular and harder to detect. Rootkits are complex programs that are installed without the user's knowledge.

Insecure Intrusion Detection System
An Intrusion Detection System (IDS) that is improperly configured, or missing altogether, allows an intruder to passively conduct probes and scans of a network to identify potential weak points, weak configurations, or other vulnerabilities.

Misconfigured Network Elements
Misconfigured network elements such as firewalls, routers, and switches are also potential attack vectors.

Installation of Hacker Tools
Attackers can install activity-monitoring elements, such as keystroke loggers and/or network sniffers, to monitor activity. These tools can be installed via spyware, rootkits, and other forms of malware, in addition to the more traditional ways of physically installing them on a computer or network connection.

Vulnerabilities in Software and Networks
When software contains vulnerabilities, the news quickly spreads in the hacker community. Similarly, having inadequate network security is like leaving your front door unlocked at night.

Physical Access to the Network
An attacker who has physical access to an organization's network becomes an insider threat. Any individual who has physical access to a network can establish numerous methods of intrusion.

Reconstructing Evidence
To effectively analyze a computer intrusion, the digital forensic investigator must reconstruct the available evidence. Working closely with the organization's CISO, network engineers, and network administrators facilitates the process. The steps for reconstructing evidence help the digital forensic investigator gather initial information requests. Reconstruction is a good start to investigating cyberattacks from intrusions.

Various people contribute to the process of reconstructing evidence as described below.

IDS Administrator: The IDS administrator provides intrusion detection logs to the cyberforensic investigator.
Firewall Administrator: The firewall administrator provides firewall logs to the cyberforensic investigator.
Network Administrator: The network administrator provides network event logs to the cyberforensic investigator.
CISO: The cyberforensic investigator asks the CISO for assistance.
Network Engineer: The cyberforensic investigator provides the network engineers with suggestions about installing network management tools and running queries.


Topic 4: Tools to Accomplish Incident Tracing

Intrusion Tracing Tools

In addition to reviewing internal logs from an organization's IDS, Intrusion Prevention Systems (IPS), firewalls, and routers, there are several useful intrusion tracing tools available to digital forensic investigators. Intrusion tracing tools are broadly divided into two categories: open-source tools and commercial tools.

Open-Source Tools

Wireshark
Wireshark is a network protocol analyzer that can run on various platforms.

Snort
Snort is a freeware tool that is capable of supporting Linux and Windows environments. Snort is a very popular IDS.

Fport
Fport is an open-source tool that allows the digital forensic investigator to search for open ports on the enterprise's network.

Attacker
Attacker is a TCP/UDP port listener.

Commercial Tools

Universal SIEM®

The Universal "Security Information Event Management" (SIEM®) system by Prelude Technologies is a comprehensive solution that aggregates and collects data from multiple sources to identify and track intrusions.

GFI's Web Monitor®

GFI's Web Monitor® provides Web traffic monitoring, including scanning for encrypted inbound traffic such as potential malware and rootkits.

SilentRunner®

SilentRunner® by AccessData monitors all network traffic, operating in "promiscuous" mode so that it remains undetected by malware. In promiscuous mode, the network interface controller passes all traffic it receives to the computer's central processing unit, rather than passing only those frames it is intended to receive. This product has a wide range of capabilities and is a useful asset in intrusion investigations.

Security Manager®

Security Manager® by Cisco Systems is a comprehensive product that unites various aspects of cybersecurity, including network intrusions. It can be used by digital forensic investigators as well as other information security professionals.


Topic 4: Tools to Accomplish Incident Tracing

Traceback Procedures

Traceback is the process of tracing the origin of a malicious attack using only technical means. In the event of a malicious attack, tracebacking can determine the specific network location of the individual or group responsible for the attack using the Internet Protocol (IP).

The Attack
Step 1: An attack begins with an originating host, which is anonymous and can be anywhere in the world, passing information through various hosts to reach a command-and-control server (C&C).
Step 2: The C&C might control a number of zombie hosts, called bots. Bots have malicious software implanted within them, most often without the user's knowledge or consent.
Step 3: Upon receiving a signal, these bots may attack one or more target computers, either to perform a Denial of Service attack or to modify or steal data.
Traveling between participating hosts, the packet stream may cross many network devices such as routers, switches, or Network Address Translation (NAT) devices.

The Traceback Process
Tracing the culprit is a difficult task. Tracebacking is actually illegal in many countries because tracing the perpetrator's activities often involves breaking or hacking into other users' systems. In the United States, only two organizations, both of them government agencies, have legal authority to perform a traceback.


Topic 5: Quarantining Techniques

Why Quarantining is Useful

John, the CISO of Ninja Toys, invites Helen to give a seminar on quarantining files to educate his employees. Helen has created a presentation that outlines the kind of files that should be quarantined. She also plans to distribute a handy guide for what a user should do when encountering a suspicious file.

A transcript of the seminar is reproduced below.

Helen: Hello, everyone, I'm Helen Ramirez, and I'm here to conduct this session on why quarantining is useful.
Helen: If you have any questions while I'm speaking, please stop me and ask them right away!
Helen: Let's start with the word "quarantine." When we quarantine sick people, we isolate them from others to stop the spread of disease.
Helen: Similarly, quarantining computer files suspected of containing a virus means putting them away to prevent their opening or execution.
Helen: If an attacker wants to infiltrate a computer network such as yours, he or she can do so by entering the inbound traffic in your network.
Person 1 from Audience: Helen, how can an attacker enter network traffic without being caught?
Helen: Well, they do that by sending malicious e-mails or attaching malicious files to an otherwise perfectly innocent e-mail message.
Person 2 from Audience: Excuse me, Helen. Doesn't a network have a technique to quarantine such infiltrations?
Helen: Yes, it does. In a network, inbound traffic, e-mail messages, and file attachments can be directed to a special quarantine server. In addition, users can be notified by e-mail that they have received a suspicious file.
Helen: The quarantine approach is an excellent way to keep suspicious e-mail and file attachments from entering your company's network.
Helen: Let's look at the types of files that should be quarantined for analysis.

Files That Should Be Quarantined
Files that should be quarantined include:

1. Suspicious File Attachments
   Quarantine suspected files and virus-infected files that cannot be patched with current sets of virus-definition remedies.


2. Undesired File Attachments
   Quarantine files like spam, spyware, or other files that may have a malicious purpose.

3. Files That Failed Cleaning
   After a failed cleaning, the user may decide either to delete the quarantined file or to restore it to its original function. It is recommended that users delete worms, Trojans, adware, and any other harmful files but keep the files needed for an application's function.

4. Unverified Files
   When unverified files are rescanned, they may very well appear to be clean; but in reality, they may still be positive for malicious code. There are several possible explanations for this situation:
   - In most cases, the message contains a virus, but the signature-based antimalicious-code engine has not yet received the signature. It typically takes 6.5–12 hours for some vendors to provide a new signature.
   - In other cases, the message contains a virus that has corrupted MIME headers. Often, antimalicious-code engines will not detect such code properly.
   - In rare instances, the message is a false positive, meaning that it is a legitimate e-mail that exhibits many characteristics of a malicious code.

Handy Guide to Quarantining
A quarantine option is available in antimalicious-code software that allows companies to keep a record of infected users, origin of the file, and analysis of its attributes. Users can deal with malicious files in the following ways:
1. Quarantine the object, thereby allowing the new threat to be scanned and processed later, using updated databases.
2. Delete the object.
3. Skip the object if you are absolutely sure it is not malicious.
4. Forward the object to an administrator for analysis, especially when it is not immediately evident what network traffic is legitimate and what may be malicious, as in the case of network intrusions, Denial of Service attacks, and Distributed Denial of Service attacks.


Topic 5: Quarantining Techniques

Activity: To Quarantine or Not to Quarantine?

Activity 1
For each type of attachment listed below that arrives in an e-mail at Ninja Toys, determine whether it is safe to enter the network or should be quarantined. Sort the files that are acceptable and safe into the E-Mail Server column. Sort the files that should be quarantined into the Quarantine Server column.

File Type Options (sort each into the E-Mail Server or the Quarantine Server column):
  meeting notes.doc
  FY12budget.xls
  Carnival.exe
  vendorcontract124.wpd
  MissUniverse.rar

Feedback: The files meeting notes.doc, FY12budget.xls, and vendorcontract124.wpd are considered safe because their file extensions are commonly used and exchanged via e-mail. The files Carnival.exe and MissUniverse.rar should be quarantined because those extensions indicate a compressed file, and the file names are irregular enough to be questionable.

Activity 2
For each e-mail shown below that arrives at Ninja Toys, determine whether it is acceptable or should be quarantined. Sort the e-mails that are acceptable and safe into the E-Mail Server column. Sort the e-mails that should be quarantined into the Quarantine Server column.

Sender's E-Mail Address (sort each into the E-Mail Server or the Quarantine Server column):
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]

Feedback: The e-mails from [email protected] and [email protected] appear safe because there is nothing suspicious about the user ID or domain from which they were sent.


The e-mails from [email protected], [email protected], and [email protected] should be quarantined because they are suspicious, based on the domains from which they were sent.

Activity 3
For each time sequence listed, determine which e-mails can pass through the e-mail server and which e-mails require quarantining. Choose all correct options.

Time Sequence 1: Date: 11/12

Sender              Time      Recipient           Quarantine/Pass
[email protected]   08:02:05  [email protected]   Quarantine
[email protected]   08:02:24  [email protected]   Quarantine
[email protected]   08:02:46  [email protected]   Quarantine
[email protected]   10:31:32  [email protected]   Quarantine
[email protected]   10:35:42  [email protected]   Quarantine

Correct Answer: Quarantine all e-mails.
Feedback: All of these e-mails should be quarantined because they are suspicious, based on the domains from which they were sent.

Time Sequence 2: Date: 11/14

Sender              Time      Recipient           Quarantine/Pass
[email protected]   12:15:11  [email protected]   Quarantine
[email protected]   12:25:57  [email protected]   Quarantine
[email protected]   12:36:01  [email protected]   Quarantine

Correct Answer: Quarantine all e-mails.
Feedback: All of these e-mails should be quarantined because they originate from a competitor organization.

Time Sequence 3: Date: 11/15

Sender              Time      Recipient           Quarantine/Pass
[email protected]   09:11:43  [email protected]   Pass
[email protected]   13:54:04  [email protected]   Pass
[email protected]   14:32:09  [email protected]   Pass

Correct Answer: Pass all e-mails.


Feedback: All of these e-mails should be allowed to pass through the e-mail server and be delivered to the recipient because the senders' e-mail addresses appear legitimate, most likely from current or potential customers.
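The routing rule the seminar describes (inbound mail and attachments directed to a quarantine server, the rest to the e-mail server) and the three activities above sort messages by attachment type and sender domain. The script below is an added worked example, not part of the UMUC module or of any Cyberata Systems or Ninja Toys tooling; the domain names, extension lists and sample messages are constructed placeholders. It goes slightly beyond the activity in two ways: a double extension such as invoice.pdf.exe is judged by its last component, and attachment types the policy cannot classify are quarantined too, following the handy guide's advice to forward uncertain objects to an administrator rather than guess.

```python
"""Mail-gateway quarantine triage.

Added worked example for the quarantine seminar and activities; it is not
part of the UMUC module. Domain names, file names and messages below are
constructed for illustration and do not refer to real organisations.
"""
import re
from dataclasses import dataclass, field

E_MAIL_SERVER = "E-Mail Server"
QUARANTINE_SERVER = "Quarantine Server"

# Attachment types the activity treats as routine business documents.
ROUTINE_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "wpd", "pdf", "txt"}
# Executables and archives: the activity routes these to the quarantine server.
QUARANTINE_EXTENSIONS = {"exe", "rar", "zip", "scr", "bat", "com", "js", "vbs"}

# Constructed domain policy (placeholders, not real domains).
COMPETITOR_DOMAINS = {"competitor-toys.example"}
SUSPICIOUS_DOMAINS = {"free-prizes.example", "mail-relay.example"}


@dataclass
class Message:
    sender: str
    recipient: str
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    destination: str   # E_MAIL_SERVER or QUARANTINE_SERVER
    reasons: list      # empty when the message passed cleanly


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' when it is not a single user@host."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return m.group(1).lower() if m else ""


def attachment_extension(filename: str) -> str:
    """Extension after the LAST dot, so 'invoice.pdf.exe' is judged as .exe."""
    base = filename.strip().rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage(msg: Message) -> Verdict:
    """Decide where the gateway delivers a message and record every reason."""
    reasons = []
    domain = sender_domain(msg.sender)
    if not domain:
        reasons.append("sender address is malformed")
    elif domain in COMPETITOR_DOMAINS:
        reasons.append(f"sender domain {domain} belongs to a competitor")
    elif domain in SUSPICIOUS_DOMAINS:
        reasons.append(f"sender domain {domain} is on the suspicious list")
    for name in msg.attachments:
        ext = attachment_extension(name)
        if ext in QUARANTINE_EXTENSIONS:
            reasons.append(f"attachment {name!r} is an executable or archive (.{ext})")
        elif ext not in ROUTINE_EXTENSIONS:
            # Unknown type: the handy guide says to forward such objects to an
            # administrator rather than guess, so they go to quarantine as well.
            reasons.append(f"attachment {name!r} has an unrecognised type {ext!r}")
    destination = QUARANTINE_SERVER if reasons else E_MAIL_SERVER
    return Verdict(destination, reasons)


def route(messages):
    """Group messages by destination, as the activity's two-column sort does."""
    buckets = {E_MAIL_SERVER: [], QUARANTINE_SERVER: []}
    for msg in messages:
        buckets[triage(msg).destination].append(msg)
    return buckets


# Constructed sample traffic mirroring the shape of the activity.
SAMPLE = [
    Message("alice@partner-vendor.example", "sales@ninjatoys.example", ["meeting notes.doc"]),
    Message("bob@partner-vendor.example", "finance@ninjatoys.example", ["FY12budget.xls"]),
    Message("promo@free-prizes.example", "sales@ninjatoys.example", ["Carnival.exe"]),
    Message("intern@competitor-toys.example", "webmaster@ninjatoys.example", []),
    Message("carol@customer.example", "sales@ninjatoys.example", ["invoice.pdf.exe"]),
    Message("no-at-sign-here", "sales@ninjatoys.example", []),
]

if __name__ == "__main__":
    for msg in SAMPLE:
        v = triage(msg)
        print(f"{v.destination:17} {msg.sender:32} {'; '.join(v.reasons) or 'no findings'}")
```

Every reason is kept rather than stopping at the first, because the quarantine record the handy guide mentions (origin of the file, analysis of its attributes) is only useful to the administrator if it explains why the message was held.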


Topic 6: Reconstruction Techniques

The Process of Reconstructing Computer Crimes

Reconstructing computer crimes is an extremely challenging task because the amount of evidence may be overwhelming. The process involves three categories of digital evidence: temporal, relational, and functional.

Temporal
In temporal analysis, the investigator uses timeline analysis to develop a logical chronology of what happened during the intrusion. An investigator can spot anomalies of user or system behavior, and certain patterns may also be identified. For visual purposes, statistical and graphical software tools may prove useful.

Relational
In relational analysis, the digital forensic investigator attempts to put all the pieces of evidence in a digital crime together to solve the case. The process usually involves an assessment of how various digital objects (for example, computers or malware) are connected to various parts of the investigation in an attempt to determine, for example, the physical location of computers involved in the attack.

Reference: King, G. L. Forensics plan guide. Computer forensics and incident response. Bethesda, MD: The SANS Institute. Retrieved from http://computer-forensics.sans.org/community/papers/gcfa/forensic-investigation-plan-cookbook_283.

Functional
Functional reconstruction involves considering the possibilities and impossibilities in a network to carry out a crime. In this process, the digital forensic investigator attempts to put as many pieces of the evidence pile into order as possible, according to the various events that occurred during the intrusion. The digital forensic investigator should use all available evidence and other information to complete this task. The digital forensic investigator also will likely try to re-perform the intruder's actions in a safe environment to see if the intrusion steps can be reconstructed. This activity may involve the use of company computers and software applications and can be quite useful because it will shed light on the attacker's modus operandi.


Topic 6: Reconstruction Techniques

Activity—Reconstructing a Crime

Here is a set of events that might have occurred during the intrusion at Ninja Toys. Of the nine events listed, only five actually happened. Analyze the events and reconstruct the correct sequence on the timeline. Identify the correct sequence of events.

Event No. 1, Time 7:02: An e-mail is received from a sender in Mexico, but it is quarantined.
Event No. 2, Time 8:08: An e-mail with a .rar file attachment, sent from [email protected], is received.
Event No. 3, Time 11:32: A second e-mail is received from a sender in Mexico, but it is quarantined.
Event No. 4, Time 11:35: A second e-mail with a .rar file attachment, sent from [email protected], is received.
Event No. 5, Time 12:15: An e-mail with a Carnival.exe attachment is sent to the sales department at Ninja Toys from [email protected]. The e-mail is delivered to the recipient.
Event No. 6, Time 12:36: The information security officer at Ninja Toys is reviewing today's e-mail logs and notices some suspicious activity.
Event No. 7, Time 13:25: An e-mail is sent to the Web master at Ninja Toys from [email protected]. The e-mail contains no attachments and is delivered to the recipient.
Event No. 8, Time 14:37: An e-mail is sent to the sales department at [email protected] from [email protected]. The e-mail is delivered to the recipient.
Event No. 9, Time 14:50: An e-mail with a Carnival.exe attachment is sent to the finance department from [email protected]. The e-mail is delivered to the recipient.


Correct Event Sequence: 2, 4, 5, 7, and 9
Feedback: E-mails containing attachments such as .rar files or .exe files may be malicious in nature. Also, Ninja Toys has a Mexico-based competitor called Rio Toys, so the e-mail originating from that company may be malicious.
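The temporal and relational analysis described on the previous page, applied to a mail event log shaped like this activity, as an added Python example that is not part of the UMUC module. The log records, sender domains and mailbox names are constructed, and the burst rule (two suspicious deliveries from one external domain within three hours) is an illustrative assumption. The script sorts out-of-order records into a chronology, keeps the delivered messages carrying .rar or .exe attachments, maps each external domain to the internal mailboxes it reached, and flags a domain whose suspicious deliveries cluster in time.

```python
"""Temporal and relational reconstruction of a mail event log.

Added worked example for the reconstruction topic and activity; it is not part
of the UMUC module. The log entries, sender domains and mailbox names are
constructed, and the burst rule (two suspicious deliveries from one domain
within three hours) is an illustrative assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Attachment types the activity feedback singles out as possibly malicious.
SUSPICIOUS_EXTENSIONS = {"exe", "rar"}

# Constructed log, deliberately out of order, as records pulled from several
# mail-server log files would be: (date, time, sender, recipient, attachment, delivered)
RAW_EVENTS = [
    ("2011-11-15", "14:50", "sales@competitor-toys.example", "finance@ninjatoys.example", "Carnival.exe", True),
    ("2011-11-15", "08:08", "promo@free-prizes.example", "sales@ninjatoys.example", "MissUniverse.rar", True),
    ("2011-11-15", "07:02", "news@unknown-sender.example", "sales@ninjatoys.example", None, False),
    ("2011-11-15", "12:15", "sales@competitor-toys.example", "sales@ninjatoys.example", "Carnival.exe", True),
    ("2011-11-15", "13:25", "sales@competitor-toys.example", "webmaster@ninjatoys.example", None, True),
    ("2011-11-15", "11:35", "promo@free-prizes.example", "sales@ninjatoys.example", "MissUniverse.rar", True),
]


def parse_events(raw):
    """Turn raw tuples into dicts with a real datetime so they can be ordered."""
    events = []
    for date, clock, sender, recipient, attachment, delivered in raw:
        events.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
            "sender": sender,
            "domain": sender.rsplit("@", 1)[-1].lower(),
            "recipient": recipient,
            "attachment": attachment,
            "delivered": delivered,
        })
    return events


def build_timeline(raw):
    """Temporal analysis: a chronology independent of the order the logs were collected in."""
    return sorted(parse_events(raw), key=lambda e: e["time"])


def has_suspicious_attachment(event):
    name = event["attachment"] or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SUSPICIOUS_EXTENSIONS


def delivered_suspicious(timeline):
    """Events that matter most for reconstruction: suspicious attachments the gateway let through."""
    return [e for e in timeline if e["delivered"] and has_suspicious_attachment(e)]


def relational_view(timeline):
    """Relational analysis: which external domains reached which internal mailboxes."""
    links = defaultdict(set)
    for e in timeline:
        if e["delivered"]:
            links[e["domain"]].add(e["recipient"])
    return {domain: sorted(boxes) for domain, boxes in links.items()}


def attachment_bursts(timeline, window=timedelta(hours=3)):
    """Domains that delivered two or more suspicious attachments within `window` of each other."""
    times_by_domain = defaultdict(list)
    for e in delivered_suspicious(timeline):
        times_by_domain[e["domain"]].append(e["time"])
    bursts = {}
    for domain, times in times_by_domain.items():
        times.sort()
        if any(later - earlier <= window for earlier, later in zip(times, times[1:])):
            bursts[domain] = len(times)
    return bursts


def render(timeline):
    """One line per event, in the form an investigator would paste into a report."""
    lines = []
    for e in timeline:
        flag = "SUSPICIOUS" if e["delivered"] and has_suspicious_attachment(e) else ""
        status = "delivered" if e["delivered"] else "quarantined"
        lines.append(f"{e['time']:%H:%M} {e['sender']:32} -> {e['recipient']:28} "
                     f"{e['attachment'] or '-':18} {status:11} {flag}")
    return lines


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    print("\n".join(render(tl)))
    print("domain -> mailboxes:", relational_view(tl))
    print("bursts:", attachment_bursts(tl))
```

With the constructed log, the competitor domain's two Carnival.exe deliveries fall 2 h 35 min apart and are reported as a burst, while the two .rar deliveries from the other domain are 3 h 27 min apart and are not; widening the window changes that, which is the kind of parameter an investigator should record alongside the timeline rather than leave implicit.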


Topic 7: The Lessons-Learned Process

Lessons Learned

E-mail text:
From: Helen Ramirez, Project Lead; Cyberata Systems
To: John Robbins, CISO; Ninja Toys
Attachment: Lessons Learned—Ninja Toys.pptx

Hi, John.

Having concluded my investigation, I have developed a lessons-learned report for you to review. We at Cyberata Systems realize that information is power; in fact, it is normally an organization's most valuable asset. Therefore, the learning derived from any type of cybersecurity incident or a digital forensics case such as yours is very important. I have attached a lessons-learned presentation, which I have divided into three main lessons. The team at Cyberata Systems hopes you find this information useful as we continue to strengthen the security process at Ninja Toys.

Regards,
Helen Ramirez
Cyberata Systems

Report Title: Lessons Learned—Ninja Toys
Report Sub-title: Information Is Power

Lesson 1
Carry out a thorough review of the incident. Asking specific questions is generally a good approach.
Who? Who were the individual(s) and/or group/organization that carried out the attack?
What? What was their target and why were they successful? What did Ninja Toys do to properly mitigate and investigate the attack?
Where? What parts of your network were used as the entry point, as the attack destination, and as the egress?
When? When did the attack begin, what time(s) did critical activities take place, and when did the attack end? Also, has a clear timeline analysis been prepared?
Why? What were the attacker's primary and secondary motive(s)?


Lesson 2

The team researching the incident should complete a self-analysis of their roles and of the tasks and activities that occurred during the attack. During the self-analysis, they should answer the following questions.

1. Was the organization's response timely?
2. Did key personnel communicate effectively during the attack?
3. Did all digital forensic investigators and other IT personnel clearly understand their roles?
4. Was a clear and effective command-and-control structure in place during the incident?

Lesson 3

The team should identify what they learned from the incident that will help them improve the digital forensic process in the future. Learning should be discussed and debated in a professional manner and documented by a facilitator, and relevant policies and procedures should be updated.


Activity

Based on the network intrusion at Ninja Toys, answer the following questions.

Question 1: In retrospect, how successful was the attack on Ninja Toys?
a. The attack was unsuccessful because it did not damage the enterprise.
b. The attack was somewhat successful because the company suffered only minor damage.
c. The attack was moderately successful because the rootkit was installed on the company's system.
d. The attack was very successful because it almost brought the company to bankruptcy.
Correct Answer: Option d
Feedback: The attack was very successful, based on the impact the installation of the rootkit had on the company. It almost brought the company to bankruptcy.

Question 2: Which of the following systems could have been an entry point for the attack?
a. Enterprise Resource Planning (ERP)
b. Firewall
c. Switch
d. E-mail server
Correct Answer: Option d
Feedback: This incident occurred because there were vulnerabilities in the company's e-mail server and specifically in the e-mail server's filtering processes.

Question 3: Is it likely that the attacker did some initial work specific to his target before launching his rootkit attack?
a. Yes
b. No
Correct Answer: Option a
Feedback: Most hackers perform some preliminary analysis, such as probing and scanning the network and searching for open ports, before they launch the attack. The preliminary analysis reveals information that serves as good intelligence for the hacker and increases the likelihood and impact of the attack.

Question 4: The actual physical identity of the attacker was not identified during the digital forensic investigation, but the investigator believes the attacker's modus operandi resembles industrial espionage. If the investigator were correct, what would be the attacker's most likely motive?
a. Bragging rights in the hacker community
b. Financial gain
c. Technical challenge
Correct Answer: Option b
Feedback: In the vast majority of industrial espionage cases, the major motive is financial gain.

Question 5: Ninja Toys hired a consulting firm, Cyberata Systems, which specializes in digital forensic investigations. Why were the investigators unable to specifically identify the group responsible for the attack, despite knowing that it originated in Mexico?
a. Traceback is illegal in the United States.
b. The hacker likely used a proxy server to carry out the attack.
c. Local law enforcement in Mexico was not involved in the case.
d. The hacker used his name as part of the rootkit's file name.
Correct Answers: Options a, b, and c
Feedback: Several factors contributed to the investigators' failure to identify the attacker:
1. Traceback is illegal in the United States.
2. The hacker likely used a proxy server to carry out the attack.
3. Local law enforcement in Mexico, where the attack originated, was not involved in the investigation.

Question 6: The El Jefe rootkit installation was a major accomplishment for the hacker. From a technical perspective, how would you rate this type of malware when compared with a computer virus?
a. Less complex
b. Equally complex
c. More complex
d. Unable to determine
Correct Answer: Option c
Feedback: As a general rule, rootkits are more complex than a computer virus.

Question 7: How would you rate the timeliness of Ninja Toys' response to the intrusion?
a. Very slow
b. Slow
c. Fast
d. Very fast
Correct Answer: Option c
Feedback: The company appears to have responded quickly to the intrusion.


Question 8: Did the digital forensic investigators have clearly defined roles in this investigation?
a. Yes
b. No
Correct Answer: Option a
Feedback: The roles of the digital forensic investigators appear to have been clearly defined, based on the results of the investigation and Ninja Toys' desire to continue working with the company.

Question 9: Did the company notify law enforcement?
a. Yes
b. No
Correct Answer: Option b
Feedback: In transnational digital investigations, it is often difficult to identify the proper law enforcement authorities. However, all companies that face these types of intrusions should consider contacting local law enforcement or the FBI if the damage from the attack is considered significant.

Question 10: Should a lessons-learned process result in updates to corporate policies and procedures?
a. Always
b. Sometimes
c. Never
Correct Answer: Option b
Feedback: It depends. If the participants feel the lessons learned were useful, it may be necessary to update existing policies or procedures.

Question 11: Is the lessons-learned exercise mandatory for every digital forensic investigation that an investigator conducts?
a. Yes
b. No
Correct Answer: Option b
Feedback: The lessons-learned exercise has many benefits and should at least be considered by the digital forensic investigator in consultation with the client or executive management team. However, the exercise is not mandatory.


Topic 8: Summary

We have come to the end of Module 10. The key concepts covered in this module are listed below.

A digital forensic investigator should begin by analyzing the type of intrusion. Intrusions range from installing malware to physically intruding into a company.

Intrusion tracing tools can analyze network protocols, determine open ports on a network, and monitor network traffic.

A malicious attack can be traced to its origin using tracebacking. Tracebacking is illegal in some countries including the United States because it often requires intruding into other networks to catch an attacker.

Quarantining a malicious file is a crucial step in impeding a network intrusion. Suspicious and unverified files should be quarantined to avoid the entry of malicious e-mails into the network.
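The quarantine step described above, shown as an added example that is not part of the UMUC module: an attachment whose extension is on a deny-list is moved out of the mail path into a quarantine directory, renamed to its SHA-256 digest, made read-only so it cannot be opened or executed, and recorded in a JSON sidecar for the investigator. The deny-list builds on the .rar and .exe types the module calls out; the remaining extensions, the directory layout and the function names are assumptions chosen for illustration.

```python
"""Quarantine of suspicious e-mail attachments.

Added example, not code from the UMUC module. The extension deny-list beyond
.rar/.exe, the directory layout and the record format are assumptions.
"""
import hashlib
import json
import os
import shutil
import stat
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# .rar and .exe come from the module's feedback; the rest is an assumed local policy.
SUSPICIOUS_EXTENSIONS = {".exe", ".rar", ".scr", ".js", ".vbs"}


def is_suspicious(filename: str) -> bool:
    """True when the final extension is on the deny-list (case-insensitive).

    Only the last suffix decides, so a double extension such as
    'invoice.pdf.exe' is still caught.
    """
    return Path(filename).suffix.lower() in SUSPICIOUS_EXTENSIONS


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large attachments do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_file(path, quarantine_dir, reason: str) -> dict:
    """Isolate `path` and return the provenance record written beside it.

    The file is renamed to its digest with a neutral extension, so nothing on
    the host associates it with an application, and chmod 0o400 removes both
    execute and write permission (owner read-only, for later analysis).
    """
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    original_path = str(src.resolve())
    digest = sha256_of(src)
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(src), str(dest))
    os.chmod(dest, stat.S_IRUSR)  # 0o400
    record = {
        "original_name": src.name,
        "original_path": original_path,
        "sha256": digest,
        "size": dest.stat().st_size,
        "reason": reason,
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
    }
    (qdir / f"{digest}.json").write_text(json.dumps(record, indent=2))
    return record


def process_attachment(path, quarantine_dir) -> Optional[dict]:
    """Quarantine the attachment if its name is suspicious, else release it.

    Returns the quarantine record, or None when the file was left in place.
    """
    p = Path(path)
    if not is_suspicious(p.name):
        return None
    return quarantine_file(p, quarantine_dir, reason=f"denied extension {p.suffix.lower()}")
```

The digest-based file name also gives the investigator a stable identifier to match against other evidence, and the sidecar preserves the original name and path, which the rename would otherwise lose. A real gateway would add content inspection to the extension check; the extension test alone is the module's own heuristic and is kept here for that reason.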

Reconstructing a crime is an effective way to solve network intrusion cases. The three steps in reconstructing a crime are functional, relational, and temporal.

After an attack, conduct a review of the incident. A self-analysis of roles and tasks carried out during an attack is also helpful. Lessons learned during the incident should be documented for future use.
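The temporal and relational reconstruction summarized above, worked through as an added example that is not part of the UMUC module: records from three constructed sources (a firewall writing epoch seconds, a host agent writing ISO-8601 with a trailing Z, and a mail gateway writing local time with a numeric offset) are normalized to UTC and ordered into one chronology, then reduced to who-acted-on-what relationships, and the start, end and span of activity are reported to answer the "When?" question from Lesson 1. All log lines, host names, addresses and function names are constructed for illustration.

```python
"""Temporal and relational reconstruction from heterogeneous logs.

Added example, not code from the UMUC module. Every log line, host, address
and domain below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: three sources, three timestamp conventions, deliberately
# supplied out of order so that the sort is doing real work.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("FW",   "1300111565 src=10.0.5.12 dst=198.51.100.7 dport=443 action=allow"),
    ("HOST", "2011-03-14T14:05:40Z host=ws-12 event=process_start image=catalog.exe"),
    ("MAIL", "2011-03-14 09:02:17 -0500 from=sales@riotoys.example to=ws-12 attach=catalog.exe"),
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(order=True)
class Event:
    ts: datetime   # always timezone-aware UTC, so ordering across sources is valid
    source: str
    actor: str
    target: str
    detail: str


def parse_timestamp(source: str, raw: str) -> datetime:
    """Normalize each source's own timestamp convention to aware UTC."""
    if source == "FW":      # epoch seconds
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    if source == "HOST":    # ISO-8601 with trailing Z
        return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)
    if source == "MAIL":    # local time with numeric offset
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    raise ValueError(f"unknown source {source!r}")


def parse_event(source: str, line: str) -> Event:
    """Split a record into timestamp and key=value fields, then map the fields
    of each source onto a common actor/target/detail shape."""
    first_kv = KV.search(line)
    if first_kv is None:
        raise ValueError(f"no key=value fields in {line!r}")
    ts = parse_timestamp(source, line[:first_kv.start()].strip())
    f = dict(KV.findall(line))
    if source == "FW":
        return Event(ts, source, f["src"], f["dst"], f"{f['action']} to port {f['dport']}")
    if source == "HOST":
        return Event(ts, source, f["host"], f["image"], f["event"])
    return Event(ts, source, f["from"], f["to"], f"attachment {f['attach']}")


def build_timeline(logs: List[Tuple[str, str]]) -> List[Event]:
    """Temporal analysis: one chronology across all sources."""
    return sorted(parse_event(src, line) for src, line in logs)


def relational_map(events: List[Event]) -> Dict[str, List[str]]:
    """Relational analysis: which actor touched which target, independent of time."""
    rel: Dict[str, set] = {}
    for e in events:
        rel.setdefault(e.actor, set()).add(e.target)
    return {actor: sorted(targets) for actor, targets in rel.items()}


def summarize(events: List[Event]) -> dict:
    """Start, end and span of observed activity, plus the order of sources."""
    return {
        "start": events[0].ts,
        "end": events[-1].ts,
        "span_seconds": int((events[-1].ts - events[0].ts).total_seconds()),
        "sources": [e.source for e in events],
    }


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(f"{e.ts.isoformat()}  {e.source:<4} {e.actor} -> {e.target}  ({e.detail})")
```

The design point is that every record is converted to an aware UTC datetime before anything is compared; a chronology assembled from raw strings silently misorders events when one source logs local time and another logs UTC. The relational map is kept separate from the timeline so that the same parsed events serve both the "When?" and the "Where?" questions.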


Glossary

Term Definition

Attacker Attacker is a TCP/UDP port listener.

Botnet A botnet is a group of robots or compromised computers running automatically. Often, the victims whose computers are part of the botnet are unaware of the invasion.

Command-and-Control Server A command-and-control server provides for command and control of other system components, such as other computers.

Fport Fport is an open-source tool that allows the digital forensic investigator to search for open ports on the enterprise's network.

Functional Reconstruction Functional reconstruction involves creating a timeline of an intrusion.

GFI's Web Monitor GFI's Web Monitor provides Web traffic monitoring, including scanning for encrypted inbound traffic such as potential malware and rootkits.

Intellectual Property Intellectual Property (IP) includes literary works, music, symbols, paintings, and commercial designs. Owners of intellectual property are given certain exclusive rights or intellectual property rights (IPR) under intellectual property law.

Keystroke Logger Keystroke loggers are intrusion tools that record keystrokes without the user's knowledge while the user is typing in chat and instant messaging windows, on Web sites, and in e-mail messages.

Malware Malware is a category of malicious software or code that is intended to be harmful to a computer or a network.

Network Sniffer A network sniffer allows a malicious user to capture network traffic and use the information for nefarious purposes.

Promiscuous Mode Promiscuous Mode is when a software program is running in a hidden manner such that the user is highly unlikely to realize that this program is actively functioning on their computer.

Quarantine Quarantining files suspected of containing a virus means isolating them to prevent their opening or execution.

Relational Analysis In relational analysis, the digital forensic investigator attempts to put the pieces of a digital crime together to solve the case.

Rootkit A rootkit is software or a set of tools that allows intruders to get administrative-level access to a targeted system and, at the same time, hides its presence to avoid detection by the targeted system's security controls.

Security Manager Security Manager by Cisco Systems links various aspects of cybersecurity, including network intrusions.

SilentRunner SilentRunner® by AccessData monitors all network traffic in "promiscuous" mode so that it remains undetected by malware.

Snort Snort is a freeware tool capable of supporting Linux and Windows.


Temporal Analysis In temporal analysis, the investigator uses the timeline analysis to develop a logical chronology of what happened during an intrusion.

Traceback Traceback is the term given to the process of tracing the origin of a malicious attack, using only technical means.

Wireshark Wireshark is a network-protocol analyzer that can run on various platforms.

Universal SIEM The Universal "Security Information Event Management" (SIEM) system by Prelude Technologies is a comprehensive solution that aggregates and collects data from multiple sources to identify and track intrusions.