
Taylor & Francis Online :: Attributing Cyber Attacks - Journal of Strategic Studies - V...

  • Three common assumptions
  • The second assumption is a binary view on attribution: for any given case, the problem can either be solved, or not be solved.[7][8] [Note 7: Former Secretary of Defense Leon Panetta famously said on the USS Intrepid, ‘the [DoD] has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.’ Leon Panetta, ‘Remarks on Cybersecurity to the Business Executives for National Security, New York City’, Washington DC: Department of Defense, 12 Oct. 2012.]
  • The third common assumption is that the attributive evidence is readily comprehensible, that the main challenge is finding the evidence itself, not analysing, enriching, and presenting it.[10] [Note 10: The most influential articles on intrusion analysis seem to assume that the evidence speaks for itself, as they do not focus on the problem of communicating results to a non-technical audience. The two most influential and useful contributions are the ‘Diamond Model’, see Sergio Caltagirone, Andrew Pendergast and Christopher Betz, The Diamond Model of Intrusion Analysis, ADA586960 (Hanover, MD: Center for Cyber Threat Intelligence and Threat Research 5 July 2013), as well as the ‘Kill Chain’ analysis, see Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Bethesda, MD: Lockheed Martin Corporation 2010).]
  • if evidence is inconspicuous and equivocal, how should it be marshalled and analysed? How should attribution as a whole be managed and communicated to third parties?
  • if attribution is not a binary affair but a matter of degree, what, then, is normal attribution and how is high-quality attribution different from low-quality attribution?
  • if attribution is not first and foremost a technical problem, what is it instead?
  • On an operational level, attribution is a nuanced process, not a simple problem.
  • The tactical goal is understanding the incident primarily in its technical aspects, the how. The operational goal is understanding the attack’s high-level architecture and the attacker’s profile — the what. The strategic goal is understanding who is responsible for the attack, assessing the attack’s rationale, significance, appropriate response — the who and why. Finally communication is also a goal on its own: communicating the outcome of a labour-intensive forensic investigation is part and parcel of the attribution process, and should not be treated as low priority. Indeed public attribution itself can have significant effects: offenders may abort an operation, change tactics, or react publicly to allegations, thus shaping the victim’s wider response
  • Detail is critical. But detail can also overwhelm.
  • In complex scenarios, only a small fraction of the attribution process will be visible to senior officials and politicians, and an even smaller fraction to the public.
  • First, releasing more details will bolster the credibility of both the messenger and the message.
  • A second reason favours release: publishing more details will improve attribution itself. When a case and its details are made public, the quality of attribution is likely to increase.
  • The third benefit of openness may be the most significant one. Making more details public enables better collective defences.

Windows 10 Forensics - AFENTIS FORENSICS

  • The start screen from Windows 8 is no longer there
  • The difference is rather than protecting the drive as a whole each file is now protected by BitLocker, so if a file is removed from the drive it will still carry the protection that was added to it during the BitLocker process.
  • Trusted platform module (TPM) is still not needed to use BitLocker
  • Signed driver enforcement
  • The new multi desktop
  • New sharing and security options for folders now include permissions, auditing and effective access as well as giving the user more control of how the folder is shared and who can view it.
  • Phone authentication could be through a number, NFC or built in alert/application.
  • When a file’s properties are opened it now shows a ‘Previous Versions’ tab which shows any older versions of this file along with the date it was last modified. This will help determine if the file has been edited and when it happened.
  • Microsoft is also including “next generation user credentials” which will allow single sign in everywhere.
  • Per application VPN is being added to W10.
  • There is now a folder called Home on the file explorer that allows the user to view favorites, frequent folders and recent files. This could help determine what the user has been opening from their files.
  • W10 will still use NTLM and LSASS, meaning the various password cracking tools that forensic investigators use, such as rainbow tables, will still work in the same way on W10.
  • TPM or software KSP attestation based authentication means there won’t be any secrets on the disk. This will allow the users to have hardware based authentication which will be more secure and quicker to use. This will only feature on machines that house a TPM chip which will store the keys. This type of authentication is secure as it has good resistance against attacks since it is based on hardware within the machine and harder to access.