DIGITAL FORENSICS CONSORTIUM CYBERHUNTING COMPETITIONS
Focusing on the Critical Skills and Innovative Approach to Effectively Characterize the Digital Environment
Nevin Taylor
DFC ‐ President/CEO
The President identified cybersecurity as one of the most serious economic and national security challenges we face … but one that we as a government or as a country are not adequately prepared to counter.
• Executive Branch directed to work closely with all key players
• to ensure an organized and unified response to future cyber incidents
• strengthen public/private partnerships to ensure U.S. security and prosperity
• invest in the cutting-edge research to meet the digital challenges of our time
• awareness & digital literacy to build the digital workforce of the 21st century
CITIZEN SOLVERS ‐ Presidential initiative encouraging agencies to increase their ability to promote and harness innovation using policy tools such as prizes and challenges to drive innovation
DoD
• Foreign cyber threat
• Guidance to secure national security systems
• Furnishing DHS with intelligence to enhance network protection
• Defending the Nation from a cyber attack
• Defend & secure military systems and networks
• Offensive and defensive cyber capabilities
• Integrating into Operational Plans
DHS
• Protect civilian governmental network
• Increase cyber security capabilities
• Protect critical infrastructure
• Enhance national resilience & response
• Coordinates response to significant incidents
FBI
• Investigate, prevent, and respond to cyber events
• Criminal or counterintelligence‐related inside the US
• Domestic counterintelligence
INDUSTRY
CHALLENGES: US Digital Forensics Challenge / Digital Forensics Crime Scene Challenge / Cyber Patriot / Cyber Olympics / National Collegiate Cyber Defense Competition / Cyber Security Challenge UK
• Component 1: National Cybersecurity Awareness Lead: Department of Homeland Security
• Component 2: Formal Cybersecurity Education Leads: Department of Education, National Science Foundation
• Component 3: Cybersecurity Workforce Leads: Department of Homeland Security, Office of Personnel Management, Department of Defense, Department of Labor
NATIONAL INITIATIVE for CYBERSECURITY EDUCATION
• Security Provision
• Systems Requirements Planning • Info Assurance Compliance • Software Assurance/Security/Eng • Systems Security Architecture • Test and Evaluation • Technology R&D • System Development
• Analyze
• Threat Analysis • Exploitation Analysis Targets • All Source Intelligence
• Collect and Operate
• Collection Operations
• Cyber Operations Planning
• Cyber Operations
• Operate & Maintain
• System Administration • Network Services • Systems Security Analysis • Cust Service & Tech Support • Data Administration • Knowledge Management
• Protect and Defend
• Vulnerability Assessment and Management • Incident Response • Computer Network Def Analysis • Computer Network Defense Infrastructure Support
• Oversight & Development
• Legal • Advice and Advocacy • Education and Training • Strategic Planning and Policy Development • Info Systems Security Ops • Security Program Mgt • Chief Info Security Officer
FRAMEWORK
And 32 Competencies
• Investigate
• Investigation • Digital Forensics
DIGITAL FORENSICS is KEY
What is Digital Forensics?
Digital Forensics is the application of science for an investigative or legal purpose involving the processing, discovery and interpretation of electronic data
Traditionally, Digital Forensics was a law enforcement discipline
Today, nearly all major corporations and law firms deploy critical Digital Forensics capabilities to safeguard their mobile phones, laptops, desktops, tablets, GPS devices, networks and vehicles
Digital Forensics is a Cyberhunter discipline that is in high demand and low supply in today’s digital marketplace
Crimes are Categorized in Three Areas
Cyber is leveraged in all of them
‐ Person and property
‐ Bullying ‐ Surveillance
‐ Fraud
‐ Auctions Sites ‐ Online Stores ‐ Wire Fraud ‐ Credit Card ‐ Identity Theft ‐ Intellectual Property ‐ National Secrets
‐ Counter Intelligence
‐ Terrorism ‐ Espionage
18,000 US Law Enforcement agencies
• 400< accredited forensics labs
• 50 have accredited digital forensics labs
• Less than 1,000 Digital Forensics Examiners
‐ The Foreign Intelligence Community, Law Enforcement and Private Sector use the same software, hardware, and use the Internet.
Foreign Intelligence Analysis / Law Enforcement Intelligence Analysis / Cyber Intelligence Analysis
TTP’s/MO’s is Digital Forensics Intelligence
CHARACTERIZING THE INFORMATION ENVIRONMENT
• Who?
• What?
• When?
• How?
• Where?
• Why?
WHO IS affected / vulnerable in the Digital World?
‐ Victim
‐ Aware
‐ Unaware
‐ Witness
‐ Direct
‐ Indirect
‐ Subject
‐ Attribution
‐ Collaborate
‐ Motive
‐ Intent
‐ Characterization
Digital Forensics Identifies the Digital Artifacts Wherever they go
Who are the victims… DF allows capturing the Subject by collecting info from Witnesses
WHAT happened?
INCIDENT MANAGEMENT
Digital Forensics Examiners determine
• How they got in?
• What the intruder affected? Customers, Partners, Employee personal info, Financials, Research
• Did they change anything?
• Are they still in the network?
Determine your loss
Correct problems
Damage Assessment
Lessons learned
Improve Process
Action: Probe; Scan; Flood; Authenticate; Bypass; Spoof; Read; Copy; Steal; Modify; Delete
Target: Account; Process; Data; Component; Computer; Network; Internetwork
Event
Unauthorized Result: Increased Access; Disclosure of Information; Corruption of Information; Denial of Service; Theft of Resources
Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage
Attack
Vulnerability: Design; Implementation; Configuration
Tool: Physical Attack; Information Exchange; User Command; Script or Program; Autonomous Agent; Toolkit; Distributed Tool; Data Tap
Attackers: Hackers; Spies; Terrorists; Corporate Raiders; Professional Criminals; Vandals; Voyeurs
TTP to characterize Incident
WHEN did compromise occur ‐ identify impact
• Scope and Impact
• Extent of victims and losses
• How long they’ve been in there
• Risk Management
• Cost Benefit Analysis
• Mitigate Impact
• Accept Risk
• Eliminate Source
• Isolate / Enclaves
WHEN DID THE BREACH OCCUR
Mechanics of HOW the victim was exploited
TACTICS / TOOLS / PROCEDURES
WHERE are the subjects/witnesses/victims located?
Where the attack originated dictates:
• Location of Evidence
• Devices that have been impacted
• Jurisdiction
• Law in effect and recourse
• Available courses of legal action
• Agencies Involved
ATTRIBUTION
WHY identifies motive
DF INTELLIGENCE CHARACTERIZE
• WHO: They are ‐ Attribution
• WHAT: are their Objective
• WHEN: Long Term Consequences
• HOW: Mechanics and TTPs
• WHERE: Jurisdiction
• WHY: Identifies Course of Action
• Heightened Awareness
• Enhanced Security
• Diplomatic Action
• Economic Sanctions
• Law Enforcement Investigation
• Counter Intel Ops
• Military Action
‐ The Tactics Tools & Procedures (TTP’s) used by the trusted insider and the outsider are the same because the platforms attacked are the same
‐ By characterizing the information environment we begin to understand the dynamics, reliance, and expectations that we can reasonably place upon it:
National Security ‐ DoD/IC
Public Safety ‐ LE
Private Sector ‐ Economic Security
Digital Forensics Intelligence
Digital Forensics is key to National, Economic Security as well as Public Safety
STRATEGIC ADVISOR BOARD / DIGITAL CRIME SCENE CHALLENGE / DIGITAL FORENSICS INTELLIGENCE / US DIGITAL FORENSICS CHALLENGE
DIGITAL FORENSICS CONSORTIUM
VISION
Develop a Digital Forensics workforce to mitigate the threat to public safety, national and economic security
MISSION
Create Digital Forensics Cyberhunters one exercise at a time
CHALLENGE SPACE
• AFA Cyber Patriot – National Youth Cyber Defense Competition
• National Collegiate Cyber Defense Competition
• Cyber Olympics – International online ethical hacking, computer network defense competition
• Polytechnic Institute of New York University (NYU‐Poly) Cyber Security Awareness Week (CSAW) High School Forensics Contest
• Cyber Security Challenge UK – a series of national competitions, learning programs and networking initiatives to identify and inspire EU citizens residing in UK
JIM CHRISTY ‐ Special Agent (Ret), DFC – Vice President, SAB Chair, COO and Co‐Founder
MARK POLLITT, PhD ‐ FBI (Ret), Principal Investigator, Advanced Cybersecurity (ACE)
RICH MARSHALL ‐ CEO, Secure Exchange Technology Innovation
MICHAEL ZUCKERMAN ‐ Professor of Journalism, George Washington University
BERNIE SKOCH ‐ Cyber Patriot Commissioner, Air Force Association
PHIL SMITH ‐ Vice President, Government Solutions Trustware
HAL ARATA ‐ Director Cyber Center of Excellence, Riverside Research
MICHAEL DUDZIK ‐ Brig Gen (Ret), CEO/President, IQM Research Institute
NEVIN TAYLOR ‐ Technologist, Strat Ldr, DFC – President, SAB Mbr, CEO and Co‐Founder
MARK RASCH, ESQ ‐ Principal, RASCH Technologies and Cyberlaw
GREG WHITE, PhD ‐ Director, Center for Infrastructure Assurance and Security, Assoc Prof Computer Science, University of Texas, San Antonio
ERNEST McDUFFIE, PhD ‐ Former: Lead for the National Initiative for Cybersecurity Ed, National Institute of Standards and Technology
US Digital Forensics Challenge
- Develop hands-on and critical thinking skills
- Apply teamwork and time management skills
- Demonstrate knowledge & skillset in DF
- Confirm a participant’s skills and competencies
Prepares participants to meet the DHS’s National Initiative for Cybersecurity Careers & Studies (NICCS) - Knowledge, Skills, and Abilities (KSA’s)
• National Recognition
• Scholarships, Internships
• Hardware/Software
• Plaques/coins
• Connect Teams to Sponsors & Partners
Why Participate in the US Digital Forensics
WHO: Individual or teams up to 5 from the US or International
WHAT: An international Cyberhunting competition focusing on digital forensics. US Digital Forensics Challenge is based on 25 plus scenario-based, progressive level digital forensic exercises
WHEN: Distributed 1 April 2015. Submissions due 1 March 2016
WHERE: Work on the Challenge Exercises at Home, School, or Office
WHY: Visibility to Digital Forensics Cyberhunting discipline
- Address Digital Forensics professionals shortage
- Build relationships in the Digital Forensics Community
- Develop new tools, techniques, and methodologies
- Connect best and brightest talent with industry partners
HOW: Online registration - only $50/Team. Download Challenges and submit your solutions online as you complete them
DIGITAL FORENSICS CHALLENGE
To Raise Awareness and Create Excitement about STEM
Created a non-profit 501(c)(3) Corporation to run STEM competitions world-wide to encourage kids to consider an education and career in digital forensics or cybersecurity
US Digital Forensics Challenge
25 online exercises
Digital Crime Scene Challenge
Hands-on Crime Scene Processing
Taken to conferences or events
Collaborative relationship with other well‐established Cyber Defense Competitions; great synergistic partnerships
DIGITAL CRIME SCENE CHALLENGE for Conferences & Schools
• Hands on experience for teams of 1-5 participants
• 15 min to process & complete with points awarded for: digital evidence found, identifying key device, finding vital information
• Excite Teams on Digital Forensics & Cyber Security
• Educational for Students, Teachers, Parents, Law Enforcement, Legislators, Business and Government Leaders (no experience or equipment necessary)
• Immediate Feedback through Experiential Learning
2015 US Digital Forensics Challenge
Answer to the US Digital Forensics Challenge