Role of Forensic Triage In Cyber Security Trends 2021
1. National Faculty Development Program
Role Of Forensic Triage
In
Cyber Security Trends 2021
Amrit Chhetri,
DFIR Expert|AI & Cyber Security Researcher
Cyber Security Architect & CEI(RCS, Siliguri, West Bengal)
Certified Forensic Psychologist,
Associate Technical Editor(4N6)
Tech Speaker and Forensic Researcher( My Cyber Hubs & Merapps)
Member Of: DSCI( Individual) & Nasscom Community
2. About AMRIT CHHETRI
Me:
I’m Amrit Chhetri from Darjeeling, West Bengal, India. Currently, I am based in Siliguri with residence at 3A,
3rd Floor, Medicare Building, Lower Bhanu Nagar, Siliguri-734004, WB, India. I’m a CEI (Certified EC-Council
Instructor) with the following global certifications:
CSCU, CEH, CHFI, CTIA, CSA, ECSA from EC-Council
Certified Smart City Expert from King’s University, UK, and 100-plus other certifications
Since February 2020, I have been working as Associate Technical Editor, Digital Forensics Mentor and Research
Lead for the Digital Forensics Journal (D4N6)
Also, I’m a DFIR Analyst and Cyber Security and AI Researcher
Edge AI Certifications and Research Papers:
Udacity-Intel Edge AI IoT Developer Scholarship
I’ve presented 4-plus research papers in the fields of Forensics with AI, Big Data, IoT Security and Cyber
Security Architecture
Experiences and Projects:
18-plus years of experience, including 7 years in Cyber Security, Incident Response, VAPT and Digital Forensics
I was a J2EE Developer and BI System Architect/Designer of DSS for APL and Disney World
I have played the role of BI Evangelist and Pre-Sales Head for a BI System* from OST
I have worked as Business Intelligence Consultant for national and multi-national companies including
HSBC, APL, Disney, LG (India), Fidelity, BOR (currently ICICI) and Reliance Power. * Top 5 Indian
BI System (by NASSCOM)
3. Mr. AMRIT CHHETRI is a Cyber Security Analyst, Forensics Researcher and Digital Forensics Mentor.
He has presented workshops to organizations such as CII, AMITY University, Infosec Foundation and
Chandigarh University, and he also serves as Sr. Technical Editor of 4N6, India's leading forensics
journal. He teaches EC-Council’s certifications, Enterprise and End-User Cyber Security and
Machine Learning/Quantum Machine Learning courses at RCS, Siliguri, and he is a member of the AMITY
Research Group. He has served as a “Jury Member” for various online and offline events in Cyber Security,
Machine Learning and Digital Forensics – the Cyber Security and Digital Forensics eConference from
IASR, “Technological Innovation” from Salesian College, Siliguri, Digital Forensics CTF
Competitions (proposed) and State/National Level Cyber Security Challenges/Hackathons. Amrit
Chhetri is also a well-established Forensics, QML and Cyber Security technology reviewer, and some of
his reviews include the DSCI Annual Information Security Summit 2020 (AISS), Machine Learning in
Cyber Security research papers for ICRITO, 4N6 and 5 more.
Amrit Chhetri is an active member of different Cyber Security, Digital Forensics and Machine
Learning forums, organizations and groups – including KeyCybr (Nasik), NASSCOM Community (India)
and OpenMined (UK). He is known for his expertise in Cyber Security and Digital Forensics CTFs and
NextGen SOC technology stacks.
Amrit Chhetri loves spending quality time with intelligent GenX youngsters, male and female, over
coffee and country/jazz songs - mainly discussing innovations, trends, business scope and the future
of “Machine Learning” in Healthcare, Fashion, Cyber Security, Digital Marketing …..! He loves even
numbers and is lucky to have the same in his POI (Proof Of Identity), which is XXXX-XXXX-0176
Mr. Amrit Chhetri
4. Certificate Collage
of
AMRIT CHHETRI, SILIGURI, WEST BENGAL (Cyber Security, AIML, SOC & DFIR)
Panels of the collage (image not reproduced):
Cyber Security Certifications (of Amrit Chhetri)
AICTE-STTP Certifications: Community Engagements (AIML, Cyber Security & DFIR)
Instructor/Faculty Development Certifications (C-DAC, EC-Council)
Free Certifications (DFIR & CyberSec Companies)
Speaker Certificates (CII, 4N6, AMITY, THM, CU)
Committee Member
SOC Certifications [Splunk]
AI/ML/DL Certifications
Mentor Certificates
Cyber Security Researcher, Forensics Tech Editorial & Articles
Digital Forensics PR Engagement (Interviews)
5. 7 Highly Effective Best Practices of Cyber Security:
Enterprise or Business Users:
Adopt a SOC Maturity Model
Install a SIEM for Event Correlation & Analysis
Install XDR/EDR as the Endpoint Solution
Secure Accounts with 2-Factor Authentication
Apps Security with Biometric Security
Security Controls for Supply Chain Attacks
Masked Number in Identity Badge or Cards
Home Users/Public Services:
Strong Password Policy - Mobile/IoT, WiFi, Bluetooth Network, Phone
2-Layer (2-L) Malware Security
Use Social Networking Privacy Settings
Engage with Cyber Security Awareness Activities
Cyber Threat Hunting (CTH)/CTI to find connected People
Purchase Device & Cyber Insurance
DevOps: Clone Resources:
(git clone https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
6. Cyber Attacks generate Evidence in:
System Logs – Events and Logs
Networking Devices – Routers, Switches
Application Logs, Endpoint Device Logs ……..
Automated Endpoint Security & Forensic Triage collects, correlates and examines that evidence for:
Digital Forensics
Cyber Security | Cyber Resilience
Internal Research - DFIR, VAPT & InfoSec Products
Presenting –
Roles of Forensics Triage in Cyber
Enhancing Cyber Threat/Attack Mitigation with Forensic Triage
7. Agenda:
Cyber Security Trends 2021 Summary
Cyber Resilience-Digital Forensics Triage
Cyber Resilience-ML In Cyber Security
Cyber Resilience-TM, CTI & SOC
Cyber Security Trends 2021 Exploration
Next Gen Security Areas
Aligning with Cyber Security Trends 2021
8. Cyber Security Trends 2021 Summary: Home
Home Security Trends 2021:
Security Automation
IoT & Cloud Security
Apps Security & Passwordless Authentication
Automated Endpoint Security & SASE
SCADA & Hardware Security
Data Privacy Ethics
Cyber Crime As-A-Service (C2A2S) Security
Autonomous Systems & 5G Security
Malware & APT Security
Device and Cyber Insurance
Cyber Security Awareness
Digital Forensics Readiness & Intelligent IR
Advantages of Adopting Cyber Security Trends:
1. Improves Cyber Mental Health of Users
2. Protects during Data Loss (Software or Hardware Theft)
3. Improves Cyber Economics
4. Saves Personal Brand Reputation
5. Protection from Financial and Data Loss
9. Cyber Security Trends 2021 Summary: Enterprise
Enterprise Security Trends 2021:
Security Automation
IoT & IIoT Security
Automated Endpoint Security & SASE
Cloud & OT SOC
Apps Security & Passwordless Authentication
SCADA & Hardware Security
Data Privacy & Differential Privacy Measures
Cyber Crime As-A-Service (C2A2S) Security
Autonomous Systems & 5G Security
Next Generation SOC & NOC
Malware & APT Security
Purple Team & Security CTFs
ZTM and ZTNA
Digital Forensics Readiness & Intelligent IR
Device & Cyber Insurance
Advantages of Adopting Cyber Security Trends:
1. Enhances Cyber Resilience (Applications + Data + Business Processes)
2. Improves Cyber Economics
3. Saves Brand Reputation
4. Protection from Financial and Data Loss
5. Improves Cyber Mental Health
10. 1. Security Automation:
Reasons:
Increasing Attack Surface Areas and Vectors
Increasing Cost of Security Investment
Complying with Multiple & Complex Standards
Security Tools:
NextGen SOC & EDR/XDR
SIEM: IBM QRadar; SOAR: Exabeam
UEBA and Security Analytics: Splunk
Forensics Triage Automation: Cyber Triage
Builds Cyber Resilience against:
Zero-Day Attacks, APT (Advanced Persistent Threats) - APT12, APT15
Ransomware Attacks - WannaCry, Petya | Data Leaks, SQL/LDAP Injection, CSRF, XSS
Advantages/Benefits:
Automated Cyber Threat Detection & Mitigation
Automated Forensics Triage and Threat Alerts
More details (Reference): Security Trend Analysis 2021
11. 2. IoT & IIoT Security:
Reasons:
Very Large Number of IoT and IIoT Devices
Organization-Specific Protocols & Standards
Security Tools:
XDR
Security Analytics
Next Gen SOC
Builds Cyber Resilience against:
Ransomware and Sniffing
Zero-Day Attacks
APT (Advanced Persistent Threats) - APT12, IoT DDoS, Sniffing…
Session Hijacking..
Advantages/Benefits:
Automated Cyber Threat Detection & Mitigation
Automated Forensics Triage and Threat Alerts
More details (Reference): Security Trends Analysis 2021
12. 3. Automated Endpoint Security (XDR):
Reasons:
Hybrid Endpoint Devices
Compliance with BYOD Standards
Builds Cyber Resilience against:
Ransomware and Sniffing
Zero-Day Attacks
APT (Advanced Persistent Threats) - APT12, APT42
Malware
Advantages/Benefits:
Centralized Security Monitoring
Automated Forensics Triage and Threat Alerts
More details (Reference): Security Trend Analysis 2021
13. Reasons:
Need of Cyber Resilience of Mid-Size Companies
Connected Sensors and Devices
Security Tools
SIEM with SOAR & Endpoint Security: LogRhtythm SIEM
UEBA
Security Analytics
Retains Cyber Resilience from
Ransomware and Sniffing
Zero Day Attacks
APT(Advanced Persistent Threats)
Malware
Advantages/Benefits
Centralized Security Monitoring
Automated Forensics Triage and Threat Alerts
More details( Reference): Cyber Security Trends Analysis 2021
4. Cloud & OT SOC :
14. 5. Apps Security & Passwordless Authentication:
Reasons:
Fast-Growing Application-Level Attacks
Availability of API Security Frameworks - OWASP API Security Project
Vulnerability of Password-Based Security
Security Tools & Frameworks:
Apps Security: DevSecOps, OWASP SKF (Security Knowledge Framework)
Authenticators: Google Authenticator, Biometrics
Hardware Tokens:
Builds Cyber Resilience against:
Password Guessing and Injection
BOF (Buffer Overflow), SOF (Stack Overflow) and Fuzzing
Post-Header Attacks and Parameter Tampering
Advantages/Benefits:
Secure-By-Design Security Models
Privacy By Design
ZTM (Zero Trust Model) in Apps
17. 7. Data Privacy & Differential Privacy:
Reasons:
Need for PII Information Security
Growing Instances of PII Exchange
Hybrid and Complex Information Flows
Security Tools & Frameworks:
Indian Personal Data Protection Bill (2019; still a bill in 2021)
Australian Data Privacy Acts
Builds Cyber Resilience against:
Hardware Theft and Physical Damage
Supply Chain Attacks…..
Advantages/Benefits:
Plan a Hardware Security Project
Reduces Down-Time
8. Cyber Crime As-A-Service Security:
18. 9. Autonomous Systems & 5G Security:
Reasons:
Growing Number of Industry 4.0/5.0 Devices
Adoption of Drones in Business and Private Use
Unauthorized Access could lead to Physical Damage
Security Tools & Frameworks:
Indian Personal Data Protection Bill (2019; still a bill in 2021)
Australian Data Privacy Acts
Builds Cyber Resilience against:
Hardware Theft and Physical Damage
Supply Chain Attacks…..
Advantages/Benefits:
Plan a Hardware Security Project
Reduces Down-Time
19. 10. Next Generation SOC & NOC:
Reasons:
Advanced and Complex Attack Vectors
Fast-Growing Incident Logs
Need for Integration of TM (Threat Modeling), CTIA and
Security Tools & Frameworks:
Automated Threat Intelligence
Threat Modeling
Threat Mitigation
ZTA and OT Security
Builds Cyber Resilience against:
Hardware Theft and Physical Damage
Supply Chain Attacks…..
Advantages/Benefits:
Plan a Hardware Security Project
Reduces Down-Time
More details (Reference): Security Trends Analysis 2021
20. 11. Malware & APT Security:
Reasons:
Large Number of Malware Attacks
Fast-Growing Incident Logs
Need for Integration of TM (Threat Modeling), CTIA and
Security Tools & Frameworks:
Advanced Threat Protection
Intelligent SOC
APT Penetration Testing
Builds Cyber Resilience against:
Hardware Theft and Physical Damage
Supply Chain Attacks…..
Advantages/Benefits:
Initiate an APT Security Project
Reduces Down-Time
More details (Reference): Security Trends Analysis
21. 12. Purple Team & Security CTFs:
Reasons:
Need to Test the Security Controls designed by PenTesters
Enhance Security Posture by Drills/Practice
CTFs:
CTFd
Belkasoft and Magnet Forensics CTFs
Builds Cyber Resilience against:
Hardware Theft and Physical Damage
Supply Chain Attacks…..
Advantages/Benefits:
Plan a Hardware Security Project
Reduces Down-Time
More details (Reference): Cyber Security Trends Analysis 2021
22. 13. ZTM And ZTNA:
14. Digital Forensics Readiness & Intelligent IR:
15. Device & Cyber Insurance:
23. Cyber Resilience Tech-Camp: Real Cyber Incident – Malware Attack
(Tech-Camp agenda: Real Cyber Incident – Malware Attack • Security Operation Center • Threat Modeling • Threat Intelligence • Threat Hunting • Forensics Triage • OT Security)
24. SOC Team suspects Cridex Malware in a Memory Image collected for Forensics Triage
How to Mitigate – Incident Response, Analysis:
(Binary detected as Malicious by VirusTotal)
….. screenshot and live!
Quick Upskilling - Cyber Resilience for Automated Mitigation:
SOC – Architectures, Tools and ZTA/ZTNA
Forensics Triage – OS Forensics, Cyber Triage
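For the memory-image scenario above, the following is an added example, not code from this deck or from Cyber Triage/OS Forensics: a first-pass string-and-IOC sweep over a raw image, plus the hash the analyst would submit to VirusTotal instead of uploading a dump full of customer data. The image built by build_demo_image() and every IOC value are constructed for the demo and are not real Cridex indicators; the VirusTotal lookup itself (an API call) is not shown.

```python
"""First-pass triage of a raw memory image, before a full Volatility session.

Added example for the Cridex memory-image scenario; not code from the deck. It
carves printable strings from the image, matches them against an IOC list and
hashes the image so the team can query VirusTotal by hash (API call not shown).
build_demo_image() and every IOC below are constructed, not real Cridex indicators.
"""
import hashlib
import random
import re

MIN_LEN = 6
# printable ASCII runs of at least MIN_LEN bytes, the same idea as `strings -n 6`
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Hypothetical IOCs, grouped by type so the report says *what kind* of evidence fired.
IOCS = {
    "domain": {b"update-check.example.invalid"},
    "mutex": {b"Local\\Example_Mutex_1337"},
    "path": {b"C:\\Users\\Public\\KB00123.exe"},
}


def build_demo_image(seed: int = 7) -> bytes:
    """Constructed stand-in for a memory dump: random bytes with two planted
    artifacts (a mutex name and an HTTP request to a C2-like domain)."""
    rnd = random.Random(seed)
    filler = lambda n: bytes(rnd.randrange(256) for _ in range(n))
    return (filler(4096)
            + b"Local\\Example_Mutex_1337\x00" + filler(2048)
            + b"GET /gate.php HTTP/1.1\r\nHost: update-check.example.invalid\r\n"
            + filler(1024))


def carve_strings(image):
    """Yield (offset, string) for every printable run. `image` may be bytes or an
    mmap of the dump file, so multi-GB images need not be read into memory."""
    for m in STRING_RE.finditer(image):
        yield m.start(), m.group()


def triage_image(image, iocs=IOCS) -> dict:
    """Hash, IOC hits with offsets, and a priority driven by how many IOC *types*
    fired: two independent indicator types (mutex + domain) is a far stronger
    signal than many hits of a single type."""
    hits = []
    for offset, s in carve_strings(image):
        for category, values in iocs.items():
            for ioc in values:
                if ioc in s:
                    hits.append({"offset": offset, "category": category,
                                 "ioc": ioc.decode(), "string": s.decode()})
    categories = {h["category"] for h in hits}
    priority = "high" if len(categories) >= 2 else "medium" if hits else "low"
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "hits": hits, "priority": priority}


if __name__ == "__main__":
    rec = triage_image(build_demo_image())
    print(rec["priority"], rec["sha256"])
    for h in rec["hits"]:
        print(f"0x{h['offset']:08x} {h['category']:7} {h['string']}")
```

On a real dump, open the file with mmap and pass the mmap object; the regex scans it without loading the image into RAM. Treat a hit as a lead for the full Volatility pass (pslist, netscan, malfind), not as proof on its own: a string IOC only shows the bytes were somewhere in RAM, not which process owned them.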
25. Cyber Resilience Tech-Camp: Security Operation Center
(Tech-Camp agenda: Security Operation Center • Threat Modeling • Threat Intelligence • Threat Hunting • Forensics Triage • OT Security)
26. Cyber Resilience: SOC:
What is a SOC?
- "A Security Operation Center is an integrated unit of people, processes and technology that handles detection,
mitigation and monitoring systems to bring cyber resilience to an organization" - Amrit Chhetri
- “A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and
technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data
processing technology” - Wikipedia
How does a SOC work?
- Design and Implementation
- Logs and Events – Collection, Normalization and Actions
Image Courtesy: Cloud4c
Additional Resources:
1. OT SOC: https://www.tenable.com/solutions/it-ot
2. CVSS: https://www.first.org/cvss/specification-document
27. Cyber Resilience: SOC:
SOC Components and Architecture:
- Threat Intelligence Platform
- SIEM Platforms – SEM and SIM with Log Aggregators
- Network Monitoring Platforms
- Security Analytics
IT & OT SOC Concepts:
- OT SOC is the newer concept of applying standard SOC practice to Operational Technology systems
Image Courtesy: Google Images
Designing a SOC:
- Planning of SOC - DevOps, SecOps, RPA, Zero Day Architecture
- Requirement Analysis of SOC - IT and SOC, Designing of SOC
- Operating SOC, Applying Best Practices of SOC
Additional Resources:
1. Designing of SOC-1: https://www.ciscopress.com/articles/article.asp?p=2460771
2. Designing of SOC-2: https://www.splunk.com/en_us/form/how-to-design-your-soc-to-work-smarter-not-harder.html
28. Cyber Resilience: SOC:
SOC Tools:
- SIEM is the technology corner of the SOC’s People, Process and Technology triangle; a SIEM collects logs and events
from various sources and performs analysis
- Cyber Threat Intelligence Tools:
CTI tools are used to collect and publish cyber threat pulses, and they can be used to secure systems from advanced
malware attacks - APT, zero-day attacks. Best 5 CTI Tools
- Cyber Threat Modeling Tools:
CTM tools are used to map cyber threats, and they can be used in forensics triage, to enhance CTI and to understand
threats much better - APT, zero-day attacks. Best 5 CTM Tools
- IRT Tools:
IRT tools support Incident Response in mitigating impact during cyber attacks. Best 5 IRT Tools
- Digital Forensics:
Digital forensics in SOC operations is used by forensics experts working with the IRT to analyze and examine
artifacts/evidence further during incident response. Best 5 Forensics Tools
Additional Resources:
1. SOAR Tools: https://www.trustradius.com/security-orchestration-automation-and-response-soar
29. Cyber Resilience: SOC:
Best Practices of Security Operation Center:
Best Practices of SOC – Implementation:
- Adopt 100% visibility into data, infrastructure and business processes
- Focus on Cyber Resilience - business alignment with Cyber Security
- Apply DevOps - DevSecOps and SecDevOps
- Build capability against advanced threats - Ransomware, APT,
- Integrate CTI and CTM into the SIEM and SOAR of the SOC
- Adopt the best SOC type for the organization – MSP or
- Keep Industry 5.0 systems in consideration
- Build upskilling and an internal research center for IoT SOC
Additional Resources:
1. Best Practices of SOC-1: https://www.devo.com/blog/best-practices-for-security-operations-center-success/
2. Best Practices of SOC-2 (SANS): https://www.sans.org/media/analyst-program/common-practices-security-operations-centers-results-2019-soc-survey-39060.pdf
31. Cyber Threat Modeling:
Cyber Threat Modeling:
Cyber Threat Modeling is a structured process that identifies potential security threats and vulnerabilities,
quantifies the impact of those threats and prioritizes techniques to mitigate attacks and to protect IT systems.
"Threat modeling works to identify, communicate, and understand threats and mitigations within the context of
protecting something of value." – OWASP. To map the scope of Edge AI in security testing and control design,
threat modeling allows all possible cyber threats to be covered in the pre-engagement phase.
Adopting Cyber Threat Modeling:
Perform a Cyber Risk Assessment
Evaluate Threat Modeling frameworks and tools such as the Microsoft Threat Modeling Tool
Start with basic modeling
MITRE ATT&CK - Threat Modeling for Threat Intelligence and Cyber Security:
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world
observations. It is used as the foundation of cyber threat modeling in the private, public and government sectors,
by cyber threat analysts and researchers, to build cyber resilience.
Common Use Cases (Categories):
Detections and Analytics
Threat Intelligence
Adversary Emulation and Red Teaming
Assessment and Security Engineering
Cyber Threat Modeling Tools: ATT&CK Navigator
Description:
A tool to help navigate, annotate, and visualize ATT&CK for Cyber Security exercises.
Website: https://mitre-attack.github.io/attack-navigator/enterprise/
33. Cyber Resilience: CTI:
Cyber Threat Intelligence:
Cyber Threat Intelligence (CTI) is information about threats and threat actors that helps in mitigating cyber
incidents and malicious events in the IT ecosystem. It is performed under the ICO (Intent, Capability and Opportunity)
triad to derive IOCs (Indicators Of Compromise). Some common techniques of Cyber Threat Intelligence are:
OSINT, HUMINT, SOCIAL ENGINEERING
Cyber Threat Intelligence Tools:
AlienVault USM, IBM X-Force Exchange
ThreatConnect, ELK (Kibana Dashboard)
Splunk Enterprise
Objective of CTI:
Cyber Security Analysts can adopt CTI in IT security exercises, powered/supported by Machine Learning, for:
1. Improved Cyber Incident Detection
2. Enhanced and Automated Incident Prevention
3. Automation of Security Operations and Remediation Activities
4. Improved Risk Management
5. Understanding the Attack Equations:
Attack = Motive + Method + Vulnerability
Risk = Probability * Potential (Risk is directly proportional to Probability)
CTI Use Cases/Functions:
1. Alarms, Events and Alerts
2. Incident Response and Malware Analysis
3. Investigation and Mitigation
4. Fusion Analysis and Cyber Threat Collaboration
37. Cyber Resilience: Digital Forensics Triage (I):
• Digital Forensics:
The discipline of general forensics that deals with investigating electronic-device-related crimes and
incidents. It also covers investigation of cyber crimes on smart and intelligent platforms such as
IoT/IIoT, ChatBots, Robotic Process Automation (RPA), Edge Computing, Machine Learning and Edge AI.
• Sub-Fields of Digital Forensics:
• OS Forensics, Network Forensics, IoT Forensics, AI Forensics, Wireless Forensics, Database Forensics,
• Mobile Forensics, E-mail Forensics, Memory Forensics, Drone Forensics, SCADA Forensics etc.
• AI Forensics, Drone Forensics, IoT/OT Forensics - the latest requirements
• Forensics Triage:
“Forensic Triage, also known as Digital Forensic Triage, is the process by which a forensics and incident
response team/tool collects, assembles, analyzes, and prioritizes digital evidence from a crime or during an
investigation" - Digital Forensics Researcher
• Forensics Triage Automation:
The process of automating forensics triage using
• Forensics Triage Automation Tools, Robotic Process Automation (RPA) Scripts
• Security Orchestration, Automation and Response (SOAR)
38. Cyber Resilience: Digital Forensics Triage (II):
• Levels of Forensics Triage:
• Live Forensics Triage, Postmortem Forensics Triage
• Levels of Forensics Triage (by depth of examination):
• Live Forensics Triage
• Survey/Triage Forensic Inspection
• Preliminary Forensic Examination
• In-Depth Forensic Examination
• Incident Response Remediation
• Forensics Triage Steps:
• Live Data Collection: collection of security-related information from systems (business systems,
security controls...)
• Collected Data Analysis: analysis of evidence using tools and scripts
• Incident Response Report: in automated forensics triage it is generated and saved
automatically
• Remediation Actions: actions to remediate/remove incidents
• Forensics Methodology – Recap:
• Procedures and methods of investigating cyber incidents or cyber crimes
• Phases:
• Seizure - marking to get artifacts and evidence; Acquisition - imaging evidence, 65B form (Section 65B
certificate, Indian Evidence Act)
• Analysis - examination of acquired evidence; Reporting - forensics report, expert witness, eye witness
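The four triage steps above, and the SOC slide's "collection, normalization and actions" pipeline, as an added example in Python (not the deck's code): three constructed evidence sources are normalized to one schema, correlated against an IOC list and against each other, and turned into a prioritized report that tells the IR handler which host to contain first. Every log line, hash, address and the ASSETS host mapping is constructed for the demo.

```python
"""Automated forensic-triage pass over the evidence sources this deck lists (system/auth
logs, network devices, endpoint/EDR telemetry), following the four triage steps:
live data collection -> analysis -> report -> remediation input.
Added example, not the deck's code. Log lines, IOC values, host names and the ASSETS
mapping are constructed for the demo (documentation IP ranges, made-up hashes)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

BAD_HASH = "1f" * 32             # constructed SHA-256 of a "known-bad" binary
OTHER_HASH = "ab" * 32           # constructed hash of a benign binary
BAD_IP = "198.51.100.9"          # constructed C2 address
IOCS = {"ip": {BAD_IP}, "sha256": {BAD_HASH}}
ASSETS = {"10.0.0.21": "web01", "10.0.0.30": "hr-pc03"}   # IP -> hostname (from CMDB)

AUTH_LOG = """\
2021-03-14T09:58:02Z host=web01 src=203.0.113.7 user=admin result=FAIL
2021-03-14T09:58:09Z host=web01 src=203.0.113.7 user=admin result=FAIL
2021-03-14T09:58:15Z host=web01 src=203.0.113.7 user=admin result=FAIL
2021-03-14T09:58:21Z host=web01 src=203.0.113.7 user=admin result=OK
2021-03-14T10:02:11Z host=db01 src=10.0.0.5 user=svc_backup result=OK
"""
FIREWALL_LOG = """\
2021-03-14T10:01:40Z ACCEPT src=10.0.0.21 dst=198.51.100.9 dport=443
2021-03-14T10:01:45Z DENY src=10.0.0.30 dst=10.0.0.2 dport=445
"""
EDR_LOG = f"""\
2021-03-14T10:00:30Z host=web01 event=process_start image=C:\\Windows\\Temp\\KB00123.exe sha256={BAD_HASH}
2021-03-14T10:01:39Z host=web01 event=process_start image=C:\\Windows\\System32\\cmd.exe sha256={OTHER_HASH}
"""
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def collect(raw, source):
    """Step 1, collection/normalization: every line becomes a dict with common field
    names; IP-keyed firewall events get a `host` so they join with host-keyed events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = {"ts": parse_ts(ts), "source": source, "raw": line}
        if source == "firewall":
            ev["action"], rest = rest.split(" ", 1)
        ev.update(KV_RE.findall(rest))
        if "host" not in ev and ev.get("src") in ASSETS:
            ev["host"] = ASSETS[ev["src"]]
        events.append(ev)
    return events


def analyze(events, iocs=IOCS):
    """Step 2, analysis: per-host correlation. Returns host -> [(score, evidence)]."""
    findings, by_host = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev.get("host", "unknown")].append(ev)
    for host, evs in by_host.items():
        # rule 1: direct IOC matches (destination IP, binary hash)
        for ev in evs:
            if ev.get("dst") in iocs["ip"]:
                findings[host].append((40, f"outbound connection to known-bad IP {ev['dst']}"))
            if ev.get("sha256") in iocs["sha256"]:
                findings[host].append((50, f"known-bad binary executed: {ev['image']}"))
        # rule 2: >= 3 failed logons then a success, same source and user, within 5 minutes
        fails = defaultdict(list)
        for ev in (e for e in evs if e["source"] == "auth"):
            key = (ev["src"], ev["user"])
            if ev["result"] == "FAIL":
                fails[key].append(ev["ts"])
            elif ev["result"] == "OK":
                recent = [t for t in fails[key] if (ev["ts"] - t).total_seconds() <= 300]
                if len(recent) >= 3:
                    findings[host].append((30, f"{len(recent)} failed logons then success "
                                               f"for {ev['user']} from {ev['src']}"))
        # rule 3: known-bad execution followed within 10 minutes by traffic to a known-bad IP
        bad_exec = [e["ts"] for e in evs if e.get("sha256") in iocs["sha256"]]
        c2 = [e["ts"] for e in evs if e.get("dst") in iocs["ip"]]
        if any(0 <= (c - b).total_seconds() <= 600 for b in bad_exec for c in c2):
            findings[host].append((60, "known-bad binary followed by C2-like traffic: isolate host"))
    return findings


def report(findings):
    """Step 3, report: one row per host, scored and ordered so the IR handler sees the
    host to contain first; the top row is the remediation input (step 4)."""
    rows = []
    for host, items in findings.items():
        score = min(100, sum(s for s, _ in items))
        rows.append({"host": host, "score": score,
                     "priority": "P1" if score >= 100 else "P2" if score >= 50 else "P3",
                     "evidence": [text for _, text in items]})
    return sorted(rows, key=lambda r: -r["score"])


def run_triage():
    events = (collect(AUTH_LOG, "auth") + collect(FIREWALL_LOG, "firewall")
              + collect(EDR_LOG, "edr"))
    return report(analyze(events))
```

The scoring is deliberately simple; the point is the structure. Normalization is what lets a firewall event (keyed by IP) join an EDR event (keyed by hostname), and rule 3 only fires because both sources land in the same per-host timeline. In production the same shape lives in a SOAR playbook, with the IOC sets fed from the threat-intelligence platform instead of a constant.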
39. Cyber Resilience: Digital Forensics Triage (III):
• Forensics Triage - In Enterprise:
• Digital Forensics - core component of the IRT (Incident Response Team) of the SOC
• Forensics Triage -
• Main practice in regular incident remediation exercises
• Needed in Digital Forensics Readiness or Forensics Preparedness
• Further Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/importance-of-forensic-readiness
• Forensics Triage - In Public:
• Enhancing efficiency and accuracy of investigations
• Easy timeline analysis
• Increasing efficiency and reducing cost, real-time evidence collection
• Easy and effective analysis, maximizing evidence collection
• Forensics Triage - Stakeholders:
• CIO/CTO - Forensics Practice Head in Cyber Resilience Management
• SOC Manager - manages the IRT; Incident Response Handlers - handle incidents
• Forensic Investigators & Forensic Examiners
• Best Practices of Forensics Readiness:
• Adoption of modern security strategies and architectures - Zero Trust Security
• Security Automation - SOAR with automated forensics - Forensic Readiness Checklist
• Internal capacity-building initiatives
• Initiative for SCADA and OT Forensics and Incident Response
40. Cyber Resilience Tech-Camp: OT Forensics
(Tech-Camp agenda: Security Operation Center • Threat Modeling • Threat Intelligence • Threat Hunting • Forensics Triage • OT Security)
41. OT Forensics and Forensics Triage
Cyber Resilience: OT Security
• OT Definition:
• "Operational technology (OT) is hardware and software that detects or causes a change,
through the direct monitoring and/or control of industrial equipment, assets, processes and
events." – Wikipedia
• More precisely, OT is the hardware and software system designed to monitor and/or control
industrial equipment (IIoT, SCADA, IACS) for smooth operations
• Use Cases of Operational Technology:
• Monitoring and Control
• Airplane, Drone and IIoT Maintenance
• Energy Supply Networks
• Remote Job Execution
• Oil Drilling
• Forensics Triage of OT:
• OT Forensics includes OT technology, devices and GUI/Remote Terminal Unit
devices such as
• Supervisory Control and Data Acquisition (SCADA)
• DCS (Distributed Control Systems)
• Computer Numerical Control (CNC)
• Building Automation Systems (BAS)
• IACS (Industrial Automation and Control Systems)
• Phases of OT Forensics Triage: (slightly different from traditional forensics triage)
• Forensics Triage, Collection,
• Analysis, Actions
42. Cyber Resilience: TM, CTI & SOC :
Security Operation Center
Threat Modeling
Threat Intelligence
Threat Hunting
Forensics Triage
OT Security ( Intelligent SOC Architecture)
43. Cyber Security Trends 2021 Exploration:
Forensics Triage and Security Tools and Labs ……….
44. Aligning with Cyber Security Trends 2021:
Next Generation Up-Skilling:
Knowing Cyber Hygiene Responsibility - Users
ISEA/MeitY Cyber Hygiene Pledge
Read & Apply Cyber Security Advisories
Know Data Privacy Ethics
Cyber Technology Upskilling
Next Generation Cyber Security Awareness for Users
Participation in Cyber Security and DFIR CTFs
Cyber Mental Health Wellness & Cyber Psychology
CQ and TQ of Assessment & Skills Tuning
Cyber Security QUIZ
Playing Cyber Security and DFIR CTFs
Upskilling in Latest Techs - AI, IoT & OT
Cyber Security Engagements - Rules and Encouragements
CI (Critical Infrastructure) Vulnerability Disclosures and Boosting the Digital Economy
Cyber Security Events and Conferences
Next Generation Security Controls:
Intelligent Cyber Security Controls
46. Next Gen Security Areas and Research Scope:
Next Generation Security Areas:
BCI (Brain-Computer Interface) Systems Security,
Robotic System Security,
Cryptographic Trust Management,
Blockchain SWARM Security
Security Challenges:
Lack of deployed cryptographic algorithms that withstand quantum computing
Ocean of hidden information in the Dark Web
Lack of OT Security standards, frameworks and tools
Lack of adequate security for AIML systems
47. AI for Security: Research Labs:
Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - on Linux):
1. Install Ubuntu 20.04 LTS
2. Install Pre-requisites
3. Install OpenVINO Tools for Linux
4. Installation Steps
GitHub Project URL:
5. Model Conversion
Intel OpenVINO (Preparing Edge AI for Cyber Security Labs - on Windows):
1. Install Windows 10 (64-bit)
2. Install Pre-requisites
3. Get and install Intel OpenVINO Tools 2020
4. Model Conversion (Short Video with Audio)
Labs Testing Demos:
1. Number Plate Detection – Physical Security
Malware Analysis using Edge AI: Steps and Research Scope
1. Prepare Datasets
2. Make Edge AI Environment Ready – OpenVINO, NVIDIA SDK
3. Run Model Optimizer and Model Converter
4. Deploy on Edge Device in Lab Env. – FPGA, Intel Neural Compute Stick
5. Install on selected Computer – to analyze and protect from Malware
AI for Security - Offensive vs. Defensive:
Offensive Side of AI/Attacks by AI: * AI Voice Attack * Information Gathering * Social Engineering …
Defensive Side of AI: * PenTesting * Malware Analysis * Automation * Threat Monitoring (Darktrace)
Edge AI Model Learning Techniques:
1. Supervised 2. Unsupervised 3. Semi-Supervised 4. Reinforcement 5. Deep Reinforcement Learning
Machine Learning Frameworks for Cyber Security:
1. On-Premise:
1. TensorFlow 2. Keras 3. PyTorch 4. Core ML
2. Machine Learning as a Service (MLaaS):
Amazon AWS Machine Learning
Google Machine Learning
Azure Machine Learning
Kaggle Machine Learning
Components of Edge AI for Cyber Security:
1. Models
2. Edge AI Platforms
1. TensorFlow, TensorFlow Lite
2. OpenVINO Toolkit
3. Intel VTune Amplifier
3. Datasets/Pipes/Video Streams – Data Lake
48. Penetration Testing using AIML:
AI for AI: Securing AI Systems:
1. Standard Practice - Information Gathering
2. Vulnerability Assessment - Nessus
3. System Exploitation - Maintaining Access
* Static Analysis of IR (OpenVINO .xml and .bin)
* Dynamic Code Analysis of AI Model - Eclipse Debugger, Code Review Platforms
4. Encrypted AI Models
5. DevOps for Cyber Security Practices
Designing AI-Powered Security Controls:
1. Know the Security Goals well
2. Include Solutions in Trends:
1. SOC/NOC 2. Sandboxing 3. NGFW (with AI)
3. Adopt Standard Practices:
1. Secure By Design 2. Multi-Layer Secure Design
4. Initiate Internal Research – Edge AI for Cyber Security
AI Penetration Testing Tools:
1. MIT AI2: Cyber Attack Prediction, useful in Cyber Threat Modeling, CTI
2. DeepExploit: Information Gathering, Exploitation, Post-Exploitation, etc.
(Website: https://github.com/13o-bbr-bbq/machine_learning_security/wiki#deep-exploit)
3. DeepCode: AI-based Code Analysis (acquired by Snyk in 2020, now Snyk Code)
(https://www.deepcode.ai/)
Purchase vs. Build - Penetration Testing Tools:
* Purchase: Expensive but ready-to-use
* In-House Development: Lengthier but effective for Modern Cyber Attacks
Edge AI Model Learning Techniques:
1. Supervised 2. Unsupervised 3. Semi-Supervised 4. Reinforcement 5. Deep Reinforcement Learning
Key Considerations:
1. All Systems Considerations - Data, UI, Network
2. Security by Design or Security Automation Practice
3. Appropriate Security Frameworks for AIML Solutions
* DSCI CAF for Security Assessment
* NIST SP 800-160 (Systems Security Engineering) for Machine Learning Models
* Security Guidelines/Frameworks - from SEBI, TRAI, CERT-In
* Cyber Threat Modeling and Cyber Threat Intelligence
4. Standards for Penetration Testing Reports
5. Pre-PenTesting Security Assessment (or Audit)
6. Security Assessment Tools:
1. Nessus 2. Open-AudIT 3. Nsauditor and more
7. Evaluation of:
1. Cloud vs. On-Premises Solutions – Edge AI
2. Machine Learning as a Service with Edge AI
49. Impacts of QML (Quantum Machine Learning):
Security Analytics and GenX System Synchronization:
1. AI-Based Solution/Product:
* Cloud-Based Machine Learning
* Microservice-compatible Security System Design
* Open-ended Architecture for AI
2. Standard Frameworks - NIST Systems Security Engineering
Impact of Quantum Machine Learning:
* Enhanced Classical AI-Based Cyber Security Assessment, Testing and Security Controls
* Adding Quantum Computation to Cyber Security Analytics
* Enhancement of TensorFlow Extended (TFX) Large-Scale Solutions
* Projected TensorFlow Embedded with QML in Sandboxing
QML in AI-Based Security:
* API & GUI Testing, Sandboxing, CTIA
* Malware Detection
QML APIs/Platforms:
* TensorFlow Quantum
* PennyLane
Model, Edge & Algorithm Evaluation:
* Quantum CNN – Anomaly Detection
* Blockchain SWARM Intelligence – for its own Security
* Edge Computing and Edge in Security Design
50. Use Case of Edge AI in Cyber Security:
Upskilling for Edge AI in Cyber Security:
* Engage with the AIML Community – GitHub, Facebook, etc.
* Acquire Global Security Certifications
* Register for Online Courses from Universities – Cyber Security …
* Engage with Vendor-Specific Initiatives - Webinars, Courses, Challenges
* Refer to Great Books in Cyber Security
* Prepare for the extremes
* NIST SP 800-160
* Embedded AI for Cyber Security
* Organize Challenges on the “Edge AI for Cyber Resilience” Theme
Malware Analysis using Edge AI - Resources:
1. Books: Mastering Machine Learning for Penetration Testing, Chiheb Chebbi * Gray Hat Python
2. Vendor Courses: * Intel Data Center to Edge AI – from Intel Academy
* AI Foundation from Nasscom - https://skillup.online/courses/course-v1:NASSCOM+FOUNDAI100+2019/about
3. Research Papers:
Deep Reinforcement Learning: https://arxiv.org/pdf/1602.01783.pdf
AI-Based Anti-Virus: BlackBerry Cylance:
* Next-Gen Anti-Virus with built-in EDR, powered by on-device (Edge) AI
* Core functions run by the Edge, at the Edge
* Website: https://www.cylance.com/en-us/index.html
AI-Assisted Scanning: VirusTotal:
* Online multi-engine scanning service (not a single anti-virus) with AI-based engines among its verdicts
* Detects by File, Hashes and URL
AI-Based Enterprise DNA Security: Darktrace:
* Self-Learning Cyber AI that protects the Enterprise DNA through AUTONOMOUS RESPONSE
* AXA IT’s Network Security by Darktrace
Intelligent UEBA (User and Entity Behavior Analytics): Exabeam Analytics
* Intelligent Security System with Video Analytics
Physical Security: Artificial Intelligence Based Human Efface Detection (ABHED):
* The Criminal Registration & Identification System
* Developed for LEAs and Police Offices in India
51. Top Trends Security Labs: 4 Minutes each
1. Security Automation : Forensics Triage With Cyber Triage
2. IOT & Cloud Security :
3. Automated Endpoint Security & SASE
4. Apps Security & Passwordless Authentication
5. Ransomware Security
6. Data Privacy in Darknet
7. Logs and Vulnerability Assessment: Using Splunk and Nessus
7 Labs, 4 Minutes Each = 28 Minutes
Cyber Security Trends 2021 - Labs:
52. 1. Security Automation: 3 Minutes
Threat Detection: Automated TTP Gathering:
Scenario: Security researchers notified a zero-day attack from infected domain(s)
SOC Analysts have to collect TTP details automatically to brief all stakeholders
Security Solution: ThreatConnect, creating a Threat Pulse for the domain or domains
Security Script Security: Version Management of Security Tools:
Scenario: SOC Team has been asked to follow secure management for the code base
SOC Security Analysts decided to use DevSecOps – Version Control Systems
Security Solution: DevSecOps, managing the code base using GitHub
(Amrit Chhetri’s Repository for FDP: https://github.com/amritchhetrib78/CyberSecurityTrends2021-FDP.git)
53. 2. IOT & Cloud Security :
Penetration Testing of Directory Listing: OWASP DirBuster:
Scenario: Files and folders related to business plans are often leaked or published in the media from cloud systems (PaaS)
Blue Team decided to secure all servers against directory listing
Security Solution: Directory Listing Penetration Testing, using OWASP DirBuster
http://192.168.171.1/DVWA
Directory Listing Security Controls:
Secure Domain from Footprinting and Fingerprinting
Protect using Web Application Firewall(WAF)
Deploy HIPS/HIDS – Host-Based Intrusion Prevention/Detection Systems: Snort, Suricata
Recommend or enhance SOC towards Next Generation Intelligent SOC
Threat Detection
54. 3. Automated Endpoint Security & SASE:
Securing Endpoint Devices from Ransomware and APT: XDR/EDR Evaluation
Scenario: The endpoint systems (servers) running Windows Server 2016 are often attacked by ransomware
CISO decided to secure them using an Integrated Endpoint Security Solution:
Automated Detection and Prevention ( NGAV, UBA)
Incident Response Automation (Automated Investigation and Mitigation)
Security Solution: Deploying Extended Detection & Response (XDR), selecting a product by evaluating candidates through Security Software Evaluation Methods. Names considered:
Taegis XDR: https://www.secureworks.com/products/taegis/xdr
Cynet XDR: https://signup.cynet.com/signup/index.html#signup
55. 4. Apps Security & Passwordless Authentication:
2-Factor Authentication: Gmail Security with Google Authenticator
Scenario: Forensic triage of the browser indicates access to Gmail in your absence
Manual forensic triage of Firefox history and analysis using OS Forensics triage
Security: 2-Factor Authentication | Gmail Settings: Enable 2-Factor Authentication
2-Factor Code: Install Google Authenticator, scan the QR code, get the OTP from Authenticator
2-Factor Authentication: Netacad with Google Authenticator (URL: https://www.netacad.com/)
Scenario: Forensic triage of the browser indicates access to the Netacad portal at odd hours
Manual Forensic Triage of Firefox History and Analysis using OS Forensics Triage
Security: 2-Factor Authentication | Account Settings: Enable 2-Factor Authentication
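Both 2FA labs above (Gmail and Netacad) end with a six-digit code from Google Authenticator, which is TOTP (RFC 6238) over the shared secret scanned from the QR code. The Python below is an added example, not part of the presentation, showing how that code is derived and how a server-side check should tolerate clock drift; the base32 secret used at the bottom is a constructed value, not a real account key.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator defaults: SHA-1, 6 digits, 30-second steps."""
    return hotp(secret, for_time // period, digits)


def decode_base32_secret(text: str) -> bytes:
    """The secret printed beside the QR code is unpadded base32, often shown in groups of four;
    strip spaces and restore the '=' padding before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps to tolerate
    clock drift, and compare in constant time so a partially correct code does not leak via timing."""
    step = now // period
    return any(hmac.compare_digest(code, hotp(secret, step + k))
               for k in range(-window, window + 1))


if __name__ == "__main__":
    import time
    # Constructed secret (the widely used documentation example), not a real account's key.
    key = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    print("current code:", totp(key, int(time.time())))
```

The RFC 6238 test vectors (secret "12345678901234567890", time 59 giving 94287082) can be used to confirm the implementation before trusting it with a real secret.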
56. 5. Ransomware Security:
Automated Ransomware Security: Next Generation SOC:
Scenario: CIO of a security firm managing power grids asked the Security Architect and SOC Team to prepare “Ransomware and APT Security Controls” implementation details with a summary of the top requirements: ZTA, Threat Hunting, CTIA and XDR
Security Solution: Advanced Threat Protection (ATP) and Ransomware/APT Incident Response
Ransomware Incident Response( Mid-Size Organization):
Automated Threat Detection and Mitigation.
IR Team and Ransomware Decryptor
Decryptor from Kaspersky: https://noransom.kaspersky.com/
Online Decryptor: https://www.emsisoft.com/ransomware-decryption-tools/
Ransomware Assessment :
https://www.fireeye.com/mandiant/ransomware-defense-assessment.html
https://github.com/cisagov/cset/releases/tag/v10.3.0.0
Ransomware Security:
System Patch Management ,Intelligent Backup Mechanisms
Recommend or enhance SOC towards Next Generation Intelligent SOC
LogRhythm SIEM with CloudAI (Mist Net) – detected IOT/OT Malware and stopped Lateral Movement
Next Generation Business or End User Security Awareness
57. 9. Malware & APT Security:
Malware Security: Malware Protection with Windows Defender & GlassWire Firewall
Scenario: File integrity was modified by malware
Manual forensic triage of memory forensics and analysis using OS Forensics triage
Analyzing Memory Image( of Windows 10 ) using Volatility:
Image Info: volatility -f Memory-Image.mem imageinfo
Running Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pslist
Parent and Child Processes: volatility -f Memory-Image.mem --profile=Win2016x64_14393 pstree
Process Scan (pool-tag scan that also finds hidden or exited processes; for network connections on this profile use netscan): volatility -f Memory-Image.mem --profile=Win2016x64_14393 psscan
Command Lines: volatility -f Memory-Image.mem --profile=Win2016x64_14393 cmdline
Dumping Process: volatility -f Memory-Image.mem --profile=Win2016x64_14393 procdump -p 1640 --dump-dir .
Generating Hash and Checking(Virus Total):
Security : Next Generation Anti-Virus and Firewall
Mini SOC with Open Source Tools – Home or Mid-Size Organization
Intelligent SOC with Automated Threat Hunting, CTI and Threat Modeling for Enterprises
58. RDP Cache Forensics:
Scenario (online):
Examination of the RDP cache file (BIN), C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache, generated by RDP connections
Acquisition → Analysis → Detection → Malware Check
Analysis of RDP Cache
Extracting caches from the BIN file: python bmc-tools.py -s Cache0001.bin -d ./BitMapsCache
Analyze the text visible in the recovered tiles to identify access to the Microsoft Store and further malpractice…
Attacker Access Pattern Analysis:
Last Access Time: Behavioral Pattern Analysis– Which Apps and Intentions
Examples: Logins and Logouts, Browsers used …
59. Forensic Triage-Memory Memory Data:
Collecting Evidences:
Checking working of Forensics Triage Tools – OS Forensics, Cyber Triage,
Collect Incident Details from Memory through Forensics Triage
Forensics Triage with Volatility:
Get Volatility from https://www.volatilityfoundation.org/
Evidence for Analysis:
Live Image: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Memory Image Analysis- Using Volatility
Image Info: volatility -f cridex.vmem imageinfo
Running Process: volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
Parent and Child Process: volatility -f cridex.vmem --profile=WinXPSP2x86 pstree
Hiding Process Analysis: volatility -f cridex.vmem --profile=WinXPSP2x86 psxview
Connections: volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
Command Lines: volatility -f cridex.vmem --profile=WinXPSP2x86 cmdline
Dumping Process: volatility -f cridex.vmem --profile=WinXPSP2x86 procdump -p 1640 --dump-dir .
Generating Hash of extracted Malicious File: Create Hash of exported Malware/suspected file and verify its
malicious nature using Virus Total
Virus Total Scan
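In both Volatility walkthroughs above (the Windows 2016 image and the cridex sample) the pslist/pstree step is where the analyst looks for a core Windows process whose parent is wrong. The Python below is an added example, not part of the presentation or of Volatility, that parses pslist output and applies that expected-parent check; the sample output, its offsets, PIDs and timestamps are constructed.

```python
# Expected parent of core Windows processes on Vista/2008 and later. On Windows XP (the cridex
# sample) services.exe and lsass.exe are children of winlogon.exe, so the table differs there.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed pslist output in the Volatility 2 column layout (not from a real image).
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------
0xffffe00001234040 System                    4      0    112      614 ------      0 2021-03-01 08:00:01 UTC+0000
0xffffe00002345080 smss.exe                272      4      2       53 ------      0 2021-03-01 08:00:01 UTC+0000
0xffffe00002456080 wininit.exe             420    340      1       80      0      0 2021-03-01 08:00:02 UTC+0000
0xffffe00002567080 services.exe            504    420      6      260      0      0 2021-03-01 08:00:02 UTC+0000
0xffffe00002678080 lsass.exe               512    420      9      720      0      0 2021-03-01 08:00:02 UTC+0000
0xffffe00002789080 svchost.exe             632    504     12      480      0      0 2021-03-01 08:00:03 UTC+0000
0xffffe0000289a080 explorer.exe           2088   2040     40     1320      1      0 2021-03-01 08:05:10 UTC+0000
0xffffe000029ab080 svchost.exe            1640   2088      3       90      1      0 2021-03-01 09:41:37 UTC+0000
"""


def parse_pslist(text: str) -> dict:
    """Map PID -> (name, PPID) from `pslist` output; header, separator and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs


def suspicious_parents(procs: dict) -> list:
    """Return (pid, name, ppid, actual_parent, expected_parent) for each core process with the wrong parent."""
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        actual = procs.get(ppid, ("<not running>", None))[0]  # PPID absent: parent already exited
        if actual.lower() != expected:
            findings.append((pid, name, ppid, actual, expected))
    return findings


if __name__ == "__main__":
    for finding in suspicious_parents(parse_pslist(SAMPLE_PSLIST)):
        print("PID %d %s: parent PID %d is %s, expected %s" % finding)
```

The flagged PID is the one an analyst would then dump with procdump and hash for a VirusTotal lookup, as the slides describe.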
60. Windows Application Cache Analysis:
Browser Cache Analysis(Chrome):
Location: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache
Purpose: created to improve performance; a source of file access details
Cache Analysis Tools :
Nirsoft Video Cache View:
https://www.nirsoft.net/utils/video_cache_view.html#DownloadLinks
Analyzing RDP Caches:
Get https://github.com/ANSSI-FR/bmc-tools/ and extract
Acquire or get Cache0001.bin and run
python bmc-tools.py -s Cache0001.bin -d ./BitMapsCache
61. What You Bag In:
Labs on Forensics Triage
Malware Analysis – Memory Forensics & Reverse Engineering
List of Cyber Security Tools
Forensics Case Management Tools:
Autopsy Forensics Tool: https://www.autopsy.com/download/
OS Forensics : https://downloads.passmark.com/osforensics/downloads/osf.exe
Forensics Imagers(Memory Imagers) :
Belkasoft RAM Capture: https://belkasoft.com/ram-capturer
Magnet RAM Capture : https://www.magnetforensics.com/resources/magnet-ram-capture/
Mandiant RedLine : https://www.fireeye.com/services/freeware/redline.html
FTK Imager : https://accessdata.com/product-download/ftk-imager-version-4-5
Dumpit : https://github.com/chrisjd20/compiled_windows_memory_acquisition
System Cache Analysis Tools:
Belkasoft R : https://belkasoft.com/get?product=bra
Bitscout : https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-
63. THANK YOU ALL
I’m thankful to the Computer Science Department of Sharda University for
inviting me to present this session.
My special thanks to Prof. Avinash for arranging this opportunity!