https://xkcd.com/838/ Data Breaches This years study analyzed 524 - PowerPoint PPT Presentation

https://xkcd.com/838/


 Data Breaches This year’s study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. 
 The 2020 Cost of a Data Breach Report shows some consistency with past research, including the global total cost of a data breach, which averaged $3.86 million in the 2020 study, down about 1.5% from the 2019 study, but in line with previous years. The average time to identify and contain a data breach was 280 days in the 2020 study, nearly identical to the average of 279 days in 2019. - Larry Ponemon 
 https://securityintelligence.com/posts/whats-new-2020-cost-of-a- data-breach-report/

COVID-19 Impact on Data Breach Management 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time it takes to identify and contain a data breach. Additionally, 70% of respondents expect remote working could increase the cost of a data breach. Larry Ponemon 
 https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach- report/

from https://csrc.nist.gov/publications/detail/sp/800-86/final

Heisenberg’s Uncertainty Principle 
 for Forensic Analyses* Examining or collecting one part of the system will disturb other components. It is impossible to completely capture the entire system at any point in time. * - Farmer and Venema, Forensic Discovery, 
 http://www.porcupine.org/forensics/forensic-discovery/chapter1.html

Life expectancy of data* Registers, caches, device memory nanoseconds Main memory nanoseconds Network state, caches, queues milliseconds Running processes seconds Disk data minutes Backup media, CD-ROM, DVD, paper years+ * - Farmer and Venema, Forensic Discovery, 
 http://www.porcupine.org/forensics/forensic-discovery/chapter1.html

strace of Ubuntu date command % time seconds usecs/call calls errors syscall 0.000057 9 6 mmap 17.22 0.000053 13 4 openat 16.01 0.000041 10 4 mprotect 12.39 0.000035 5 6 close 10.57 10.57 0.000035 5 6 fstat 0.000029 7 4 brk 8.76 0.000022 22 1 munmap 6.65 0.00002 6 3 read 6.04 0.000015 15 1 write 4.53 0.000012 12 1 1 access 3.63 0.000006 6 1 lseek 1.81 0.000006 6 1 arch_prctl 1.81 0 0 0 1 execve ------ ----------- ----------- --------- --------- ------------ ---- 100 0.000331 39 1 total

“Attribution — determining the identity or location of an attacker or an attacker’s intermediary. In the case of cybersecurity, attribution is a particularly difficult problem as adversaries can mask their identity or even originate attacks from deceptive and unwitting locations (e.g. using a hospital’s network as a staging ground)” – adopted by World Economic Forum, 
 http://reports.weforum.org/cyber-resilience/attribution/#hide/fn-23

Who cares who dunnit? Public sector political impact • national security • retaliation accuracy 
 • Private sector brand damage (theirs or the alleged attacker's) • as an aid to determine what was the attacker's • purpose/targets legal action (retaliation) •

Sometimes it’s personal…

swamp: [~] $ whois 43.229.53.39 % IANA WHOIS server % for more information on IANA, visit http:// www.iana.org % This query returned 1 object refer: whois.apnic.net inetnum: 43.0.0.0 - 43.255.255.255 organisation: Administered by APNIC status: LEGACY . . . person: xxxx xxxxxxx xxxx address: 21 floor,29 Sha Tsui Road, Hong Kong country: CN phone: +852-65971019 e-mail: abuse63857@gmail.com nic-hdl: ZLH33-AP mnt-by: MAINT-HOTNETLIMITED-HK last-modified: 2015-05-07T13:33:30Z source: APNIC . . .

Cyber "False Flags" Misleading information aimed at defeating attribution • origin • identity • vulnerability/exploit used • target • attack vector

Attribution Hints • IP address - mostly unreliable (private sector, at least) • Code (compile times, reused code, strings, language, …) • Common C2 infrastructure • Propagation/Attack patterns • Message (language, strings, etc., but spoofable)

from http://reports.weforum.org/cyber-resilience/attribution/#hide/fn-23

Sony Hack Timeline (USA Today) • Nov 24: Sony hacked • Dec 1: FBI investigates; some suspect NK • Dec 3: NK denial • Dec 7: NK News calls it a "rightous deed", but denies • Dec 11: The Interview premieres in LA • Dec 16: GOP threatens 9-11 like attacks on theaters • Dec 17: Sony halts release • Dec 17: US O ffi cial says NK responsible for the hack • Dec 19: FBI confirms • Dec 22: NK experiences Internet outage for 10 hours, issues go on for days • Dec 25: The Interview is released • Dec 27: NK denies any involvement in the Sony hack; accuses US of disrupting their Internet

Some references • Guide for Cybersecurity Event Recovery 
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP .800-184.pdf • Guide to integrating forensic techniques into incident response 
 https://csrc.nist.gov/publications/detail/sp/800-86/final • 13th-annual Cost of Data Breach Study, Ponemon Institute https://www.ibm.com/security/data-breach? ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security &ccy=US&cm_mc_uid=40296825486315404837644&cm_mc _sid_50200000=68399651540483764501