3. New Zealand vs. Russian Cases Characteristics NZ Hacker Case Russian Hacker Case Type of attack Typical script kiddie intrusion scenario Online criminal automated auction scam Damages $400,000 $25 million Investigator time 417 hours 9 months Consequences Community service 3 & 4 years in Federal prison
Today's computing security environment demonstrates a pattern of escalation between hackers and targets. As information system defenses improve, hackers must improve their skills in order to continue to wage successful attacks. As hackers' skills improve, information system defenses improve in order to repulse these more effective attacks. This in turn challenges hackers to acquire even better skills and abilities in order to wage even more effective attacks, which then motivates organizations to improve their information system security further in order to survive these more devastating attacks, and so on, in a never-ending pattern of escalation.
Before I begin I have some acknowledgements. I’m convinced some habits never die, especially those disciplines you develop early in your working career—I began mine as a systems analyst and developed an abiding respect for the software engineering approach—so I began my research gathering requirements, spending quite a bit of time with the legal and forensic community of practitioners, the eventual user community, who patiently explained their challenges. This is my opportunity to say thank you publicly: Attfield Dittrich Fluckiger Huang Nelson Orton Phillips Pollitt Schroeder Simon Review from yesterday: Digital forensic expert challenge: Collecting and storing data in a manner bounded by legal constraints is only half the battle, it also must present that data credibly in court. Nothing I ever said in the classroom was as effective at emphasizing the differences between these two functions as setting up a mock courtroom experience for students. Example: mock courtroom at SU—taught skills but then had them testify.
How is this done? Attorneys establish foundation for the believability of the expert
Knowing that the tools we use as forensic analysts are subject to challenge for the soundness of their performance, NIST began the Computer Forensic Tool Testing Project (CFTT To….mission Scope….. The Gap….network devices—no bandwidth at the agency to go beyond the current mission. Disk/computer forensics is relatively new, while disk forensics is a more settled science.
Sommers, 2002 conference at U of Idaho where I had the pleasure to meet most of you, stated that he feared that the expectation would be that the same reliability we’ve placed on disk forensics, we will expect of network forensics.
Given that experts must speak competently about forensic data reliability—skill, process, devices Important to establish soundness of network data gathering devices But Manufacturers rarely provide conclusion information No demand Expense—what’s the payback? Proprietary design Further what manufacturers do provide is unreliable—RFC2544, Fluke Expect to change—harbingers--legal interest in network intrusions—count the belly buttons x hours x $100’s ---anecdote Ted Vosk
Nevertheless—no standard methodologies for testing these devices, no labs, evidence admitted anyway, first responders still responsible
Ultimate solution is to develop calibration standards, labs, etc. We start with verification testing—defined as verification of manufacturer’s specifications.
Knowing that the tools we use as forensic analysts are subject to challenge for the soundness of their performance, NIST began the Computer Forensic Tool Testing Project (CFTT To….mission Scope….. The Gap….network devices—no bandwidth at the agency to go beyond the current mission. Disk/computer forensics is relatively new, while disk forensics is a more settled science.
Given that experts must speak competently about forensic data reliability—skill, process, devices Important to establish soundness of network data gathering devices But Manufacturers rarely provide conclusion information No demand Expense—what’s the payback? Proprietary design Further what manufacturers do provide is unreliable—RFC2544, Fluke Expect to change—harbingers--legal interest in network intrusions—count the belly buttons x hours x $100’s ---anecdote Ted Vosk
Ultimate solution is to develop calibration standards, labs, etc. We start with verification testing—defined as verification of manufacturer’s specifications.
![Typical Network Incident Response ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)