Private and Confidential: Conducting Efficient Insider Threat Investigations using KAPE (Kroll, a division of Duff & Phelps, September 2020) - PDF document

Uploaded by delcy (@delcy) on 2021-08-12, 345 views. Document ID: 862638




Presentation Transcript

Private and Confidential, September 2020
Conducting Efficient Insider Threat Investigations using KAPE
Kroll, a division of Duff & Phelps - @krollwire

Notes:
▪ Session is being recorded. You'll receive access to the recording in a couple of days
▪ Ask questions via chat
▪ We'll try to answer as many questions as possible

Upcoming KAPE Intensive Training and Certification

SCHEDULE | INSTRUCTORS
September 30, 2020, 10:00 a.m. – 7:00 p.m. (EST) | Eric Zimmerman, Mari DeGrazia, Sean Straw, Scott Zuberbuehler
October 8, 2020, 8:00 am – 5:00 pm (BST) | Paul Wells, James Thoburn

▪ Virtual live sessions
▪ Max 25 students
bit.ly/kape2020

About Tony & Aaron
• Senior Vice Presidents at Kroll
• Former in-house experience leading insider threat investigations

Overview
• Insider Threat Investigations
• Collection Efficiency
• Analysis Efficiency
• KAPE Case Studies

Which incidents have significantly affected your organization in the last year?
[Chart: survey results; source: Kroll Global Fraud and Risk Report, 2019-20]
17% of Kroll IR cases related to unauthorized access (Kroll internal data as of August 2020)

Insider Threat Investigations | Why Does This Matter?
• What is insider threat – intentional/unintentional
• Based on management, policies, etc.
• Plethora of scenarios – this affects everyone, etc.
• Time is of the essence
• Exigent circumstances – departing employees (NDAs, non-competes, etc.), leaving the country, etc.
• ROI = Time = more investigations

Collection Efficiency: KAPE

Collection Efficiency | Overview
• KAPE targets key forensic artifacts required for analysis and runs in a matter of minutes
• Can be used for remote and/or automated collections
• Can be shared on a USB for single-click collections for non-technical users
• Can send to various destinations, including SFTP, S3, etc.

Collection Efficiency | !BasicTargets

Target | File Contents
Event Logs | Windows Event Logs
Evidence of Execution | Prefetch, RecentFileCache, Amcache, Syscache
File System | $MFT, $LogFile, $UsnJrnl:$J, $Secure:$SDS, $Boot, $Tops:$T
LnkFilesAndJumpLists | User Jumplist directories; User Office Recent .LNK files; User Recent and Desktop .LNK files; Restore Point (XP) .LNK files
PowerShell Console | ConsoleHost_history.txt
RecycleBinMetadata | Contents (including deleted files) of User Recycle Bin folders
RegistryHives | User (including UsrClass.dat) and system Registry hives and transaction logs
ScheduledTasks | SchedLgU.txt and scheduled task files
SRUM | Contents of Windows\System32\sru folder
ThumbCache | User thumbcache_*.db files
USBDevicesLogs | Setupapi.log and Setupapi.dev.log
WindowsIndexSearch | Windows.edb

Collection Efficiency | Build a KAPE Package
[Figure: folder listings] Default KAPE Files & Folders (~150 MB) vs. Files & Folders Needed for Triage Collection (10 MB)

Collection Efficiency | _kape.cli

--tsource C: --tdest .\%m --target !BasicCollection --vhdx %m

Argument | Value | Description
--tsource | C: | Use C:\ as the collection source
--tdest | .\%m | Write output to a subfolder named by hostname in the directory where KAPE is run
--target | !BasicCollection | Use the !BasicCollection set of Targets
--vhdx | %m | Write output into a VHDX file named by the hostname

Collection Efficiency | Running KAPE
[Screenshot: KAPE running the collection]

Collection Efficiency | Storage/Transfer Options
• Local drive (USB)
• Network share
• Transfer to SFTP, S3, Azure, etc.

Analysis Efficiency: KAPE

Analysis Efficiency

What are Modules?
• The actual "processing" of the artifacts you collected
• Grouped in Categories

Can be Tailored
• What works for someone may not work for you
• Special Programs/Scripts can be utilized

Creating a Module
• Benefits of KAPE:
  – Open Sourced
  – Well Documented
  – Modules written in YAML
  – Frequently Updated by Community
  – Internally Created do not need to be shared
  – Select the Result format for your needs
  – Automation and Speed
  – Small Storage Footprint
• Creating the Internal Toolkit:
  – Proprietary based Investigations
  – Create Case Specific Modules
    » Run certain processes for certain investigations
  – If it's Command Line, you can run it

Case Studies: KAPE
• Intellectual Property Theft
• Exceeding Authorized Authority
• Custom Targets

Case Study – Intellectual Property Theft
• A senior engineer recently left the company and created his own business with a competing product offering.
• You are requested to determine if evidence exists that the engineer took data leading up to their departure.
• Artifacts of Interest:
  – USB Devices
  – File/Folder Access
  – Program Execution

Case Study – Intellectual Property Theft – USB Devices
Module: Registry\RECmd
Module: Event Logs

Case Study – Intellectual Property Theft – File/Folder Access
Module: File-Folder Access\Shellbags

Case Study – Intellectual Property Theft – Program Execution
Module: Registry\UserAssist

Case Study – Exceeding Authorized Access
• Alert received for IT employee emailing sensitive data outside of the company.
• You are requested to determine what the materials are and where they came from.
• Artifacts of Interest:
  – LNK Files
  – $MFT

Case Study – Exceeding Authorized Access – File/Folder Access
Module: FileFolderAccess\LECmd

Case Study – Exceeding Authorized Access – File/Folder Access
Module: FileSystem\MFTECmd_$MFT

Case Study – Custom Target/Modules
• Corporate Proprietary Investigation – Not an IR Event
• Geographically separated – No Travel permitted
• User may have stored IP in folders throughout the OS Structure – Files had a unique file extension
• Needed to be as forensically sound as possible – KAPE created .zip file + password protection

Case Study – Custom Target/Modules – What We Did
• Created a unique Target that would look for the specific file extension
• Created a unique Module for fast processing of specific artifacts
• Remoted into the machine when the user had the machine on the network
• Initiated the KAPE Target to pull the artifacts
• Ran the KAPE Module to process the artifacts needed, which included a nice file listing
• On the machine for less than 10 minutes
• Processing of the Targeted artifacts took even less than that
• Customer was provided preliminary reports within 8 hours of our involvement

Case Study – Custom Target/Modules – Quick Wins
• Insider Threat allegation was substantiated very quickly
• Amount of dwell time was minimal – customer was not even prepared for returned results
• No Expenses – Saved thousands of dollars alone on no expenses needed
• Internally proved the tool could be leveraged for more than just IR – Tailoring to specific files relevant to the matter
• Tailoring the tool saved countless hours on the target system – User never knew we were there

Questions

For More KAPE: Intensive Training and Certification
Schedule and instructors as on the earlier training slide (September 30, 2020 (EST) and October 8, 2020 (BST)).
▪ Virtual live sessions
▪ Max 25 students
bit.ly/kape2020

For more information about our global locations and services, please visit: www.kroll.com

About Kroll
Kroll is the leading global provider of risk solutions. For more than 45 years, Kroll has helped clients make confident risk management decisions about people, assets, operations and security through a wide range of investigations, cyber security, due diligence and compliance, physical and operational security, and data and information management services. For more information, visit www.kroll.com.

About Duff & Phelps
Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance, investigations, disputes, cyber security, compliance and regulatory matters, and other governance-related issues. We work with clients across diverse sectors, mitigating risk to assets, operations and people. With Kroll, a division of Duff & Phelps since 2018, our firm has nearly 3,500 professionals in 28 countries around the world. For more information, visit
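The Custom Target/Modules case study describes a Target written to find files by a unique extension but does not show one; the following is an added example of such a KAPE Target file (.tkape), not Kroll's own. The `.propx` extension, the Author and the Id GUID are placeholders, and the last entry assumes the stock `FileSystem.tkape` from the KapeFiles repository is present so the `$MFT` is collected alongside the files for the file listing step.

```yaml
# Added example of a custom KAPE Target (.tkape); not Kroll's own file.
# Placeholders to replace: '.propx' (the case-specific extension), Author,
# and Id (KAPE expects a unique GUID per target; generate a fresh one).
Description: Case-specific proprietary files by extension, plus $MFT for a file listing
Author: Example Investigator
Version: 1.0
Id: 00000000-0000-4000-8000-000000000001
RecreateDirectories: true
Targets:
    -
        # %user% expands to every profile under C:\Users; Recursive walks all
        # subfolders, covering IP scattered through Documents, Desktop,
        # Downloads, cloud-sync folders, etc.
        Name: Proprietary files in user profiles
        Category: Documents
        Path: C:\Users\%user%\
        FileMask: '*.propx'
        Recursive: true
        Comment: "Original paths and timestamps are preserved in the collection"
    -
        # Shared location outside profiles where files may also have been stored
        Name: Proprietary files in ProgramData
        Category: Documents
        Path: C:\ProgramData\
        FileMask: '*.propx'
        Recursive: true
        Comment: ""
    -
        # Compound entry: pulls the stock FileSystem target ($MFT, $LogFile, $J, ...)
        # so the module stage can build the full file listing (e.g. MFTECmd).
        # Assumes FileSystem.tkape from KapeFiles is in KAPE's Targets folder.
        Name: FileSystem
        Category: Compound
        Path: FileSystem.tkape
```

Save it as, for example, `ProprietaryFiles.tkape` under KAPE's Targets folder and reference it as `--target ProprietaryFiles` in `_kape.cli`, in place of `!BasicCollection` shown earlier in the slides.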