Using Security Intelligence in Corporations
Nikola Protrka* and Grga Jovanovski
University of Police College, UK
Submission: June 28, 2018;Published: July 13, 2018
*Corresponding author: Nikola Protrka, University of Police College, Senior Lecturer, Court Expert for IT, UK, Email: email@example.com
How to cite this article: Nikola P, Grga Jovanovski. Using Security Intelligence in Corporations. J Forensic Sci & Criminal Inves 2018; 9(5): 555775. DOI:10.19080/JFSCI.2018.09.555775.
This paper explains security intelligence and how corporations use it to maintain the security of their information systems through the analysis of malicious content. The best-known threats to corporate information systems and the departments that fight them are described, as are the tools for collecting data for analysis. The most common publicly available analysis services are covered alongside commercial brand-name tools. Dynamic and static analysis are distinguished and explained, together with security incident awareness.
Keywords: Security Intelligence; Malicious Content; Analysis; Threats; Cybercrime.
Collecting security intelligence is one of the most important parts of corporate information security. To protect against attackers, a corporation needs to collect information about the attackers and tools they use for attacks.
Without security intelligence, the corporation is effectively blind to possible attacks, or even to advanced persistent threats that are already on its network. Security intelligence gives insight into what is happening in the information system and whether an attack is under way. Once the information security team has collected enough information about the tools and malware the attackers use, it can carry out malware analysis to learn even more about the attacker. “The purpose of malicious software analysis is to provide you with the information you need to respond to a network incursion. Your goals will be to find out what happened and make sure you found all the infected machines and files.” To protect the corporation from malicious threats, the malicious content arriving over the different communication channels, such as e-mail and the Internet, must be analyzed within the corporation.
Malicious content analysis can be divided into dynamic analysis and static analysis. Dynamic analysis means launching the malicious file and tracking its behavior on the system: monitoring which Internet connections the malicious file opens, which processes it starts, and what those processes do. Static analysis does not launch the malicious file; instead its content is examined. Advanced static analysis uses a disassembler, which makes the instructions of the malicious program visible. For static and dynamic analysis a corporation can use its own internal lab, ready-made tools that are available free of charge, or solutions from other information security companies.
Intelligence Gathering Tools
Corporations must continuously monitor the security of their information system. To be able to do that, they must collect data about the system and analyze it. The quality of security intelligence depends on the tools that the corporation uses. These tools can cost up to a couple of hundred thousand dollars, but their price does not guarantee total security. It only guarantees that the information security team will get accurate and timely information about the security of the information system.
Splunk is one of the main tools for data collection. It can collect different types of information from different types of devices; every device that generates logs can be tracked with Splunk. Beyond collecting logs, the main strength of Splunk is the ability to analyze raw information, visualize it in graphs, and send alerts when a defined change occurs in the system. Because of these abilities, Splunk is used in information security. A typical use of Splunk in corporate security is monitoring e-mail and network traffic. With Splunk it is possible to track every e-mail that leaves or enters the corporate information system. Once monitoring is established, criteria that trigger an alert can be set. One such criterion is an e-mail carrying the corporate domain as sender that was not sent from the corporate e-mail server; this means someone is pretending to be part of the corporation to obtain information or compromise the system. Once the information security team receives an alert on such an e-mail, it can warn the employee who received it that the message is not legitimate but malicious.
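The sender-domain alert described above, as an added example that is not part of the original paper: a Python check over constructed mail-relay log lines that flags any message claiming the corporate domain as sender while being delivered from a host outside the corporate mail relays (the domain, the relay address range and the log line format are assumptions made for this example).

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions for this example: the corporate domain and the address range of
# the hosts that are allowed to originate mail for it.
CORPORATE_DOMAIN = "example-corp.test"
CORPORATE_MAIL_RELAYS = [ip_network("10.10.5.0/24")]

# Constructed log lines in a simplified mail-relay shape: time, sender,
# recipient, delivering client IP. The third line is the spoofing case.
SAMPLE_MAIL_LOG = """\
2018-06-01T08:01:12 from=<ceo@example-corp.test> to=<clerk@example-corp.test> client=10.10.5.21
2018-06-01T08:03:40 from=<news@vendor.test> to=<clerk@example-corp.test> client=203.0.113.7
2018-06-01T08:05:09 from=<ceo@example-corp.test> to=<finance@example-corp.test> client=198.51.100.44
2018-06-01T08:07:55 from=<helpdesk@example-corp.test> to=<all@example-corp.test> client=10.10.5.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> client=(?P<ip>\S+)$"
)

def parse_mail_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def is_corporate_relay(ip_text):
    """True if the delivering client belongs to the corporate mail relays."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field is never trusted
    return any(ip in net for net in CORPORATE_MAIL_RELAYS)

def find_spoofed_senders(text, domain=CORPORATE_DOMAIN):
    """Return the events whose sender claims the corporate domain but whose
    delivering client is not one of the corporate mail relays."""
    alerts = []
    for ev in parse_mail_log(text):
        sender_domain = ev["sender"].rpartition("@")[2].lower()
        if sender_domain == domain and not is_corporate_relay(ev["ip"]):
            alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for ev in find_spoofed_senders(SAMPLE_MAIL_LOG):
        print(f"ALERT {ev['ts']}: {ev['sender']} -> {ev['rcpt']} via {ev['ip']}")
```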
In the financial industry, Splunk is most useful for tracking database access. Banks' databases are a key part of their business, as they hold information on customers, accounts, and cards. The database sends a log entry to Splunk every time someone logs in or tries to log in. The log contains the username, which database was accessed, with which user rights, and at what time. Every employee who wants to access the database must obtain approval, and approval requires a justified business reason. Once granted, the approval is stored in a location Splunk can read. Splunk compares the information it receives from the database with the list of everyone who currently holds an approval; if a user accesses the database without approval, the information security team is alerted and can investigate what has happened. As important as it is to collect information, it is equally important not to collect too much of it. If the information security team receives a large volume of information, it will not be able to react promptly because processing it takes too long. Splunk information must be summarized and timely; only after a possible incident is detected is a greater amount of information surrounding that incident analyzed.
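The approval correlation described above, as an added example in Python rather than a Splunk search (not code from the paper): constructed database login events are compared against a constructed approval list with validity windows, and every login attempt without a currently valid approval is returned for the security team. The log format and the approval record layout are assumptions.

```python
from datetime import datetime

# Constructed approval list: (username, database, valid_from, valid_to).
# In the paper's setup this list lives where Splunk can read it; here it is inline.
APPROVALS = [
    ("jdoe", "cards", "2018-06-01T00:00:00", "2018-06-30T23:59:59"),
    ("asmith", "customers", "2018-06-10T00:00:00", "2018-06-12T23:59:59"),
]

# Constructed database audit log: time user db role result.
# bwayne has no approval, asmith has none for "cards", and asmith's
# "customers" approval has expired by 15 June.
SAMPLE_DB_LOG = """\
2018-06-11T09:15:02 user=jdoe db=cards role=readonly result=success
2018-06-11T09:20:45 user=asmith db=customers role=readwrite result=success
2018-06-11T09:31:10 user=bwayne db=accounts role=admin result=success
2018-06-11T09:33:27 user=asmith db=cards role=readonly result=failure
2018-06-15T10:02:00 user=asmith db=customers role=readonly result=success
"""

def parse_db_log(text):
    """Parse key=value audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ev = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def has_approval(user, db, ts, approvals=APPROVALS):
    """True if an approval for this user and database covers the login time."""
    t = datetime.fromisoformat(ts)
    for a_user, a_db, start, end in approvals:
        if a_user == user and a_db == db and \
                datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return True
    return False

def unapproved_access(text, approvals=APPROVALS):
    """Return (ts, user, db, role, result) for every login attempt without a
    currently valid approval. Failed attempts are kept on purpose: an
    unapproved user probing the database is itself worth investigating."""
    return [
        (ev["ts"], ev["user"], ev["db"], ev["role"], ev["result"])
        for ev in parse_db_log(text)
        if not has_approval(ev["user"], ev["db"], ev["ts"], approvals)
    ]
```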
IBM QRadar is a SIEM system. SIEM systems are solutions that collect security intelligence from different devices and analyze it for anomalies. If they detect an anomaly in the system's operation, they inform the security team and provide all available information about the event. IBM QRadar is a solution for large corporations that have a large volume of logs. It collects logs from various devices such as network devices, computers, servers, security cameras, and applications. QRadar compares the logs against a baseline, and by doing so it can detect security anomalies, changes in device behavior, and events that could endanger the system. These events are analyzed and presented to the information security team in a simple form with the essential information aggregated.
QRadar is also used to analyze the security level of a device. It analyses the current security patch status of devices and provides insight into what a particular device or application is vulnerable to.
Maltego is a platform for working with OSINT. OSINT refers to all unclassified information and includes everything that is freely available on the web; it is distinct from closed-source intelligence or confidential information. Common OSINT resources include social networks, forums, business websites, blogs, videos, and news. Connecting data with a person in Maltego is shown in the picture below (Figure 1). Maltego visualizes the relationships between different pieces of information: people, social networks, corporations, organizations, websites, DNS names, documents, and files. For corporate purposes Maltego can be used after malware analysis. Information such as domains and IP addresses can be linked through the Maltego platform to locations and to people who have some connection with the domain, which allows the investigation into the purpose and cause of the attack to progress rapidly. Since Maltego is used in defense against malware, the corporation can also analyze itself to see which information about it is available and whether anything sensitive is part of the publicly available information. It may then ask the person who disclosed that information to remove it, or request its removal by legal means.
Malware Analysis Laboratory
A malware analysis laboratory enables the security team to launch malicious software in a secure environment in order to understand what it does and what it takes to protect against the threat posed by a malicious program. If done well, the lab can be a powerful tool for quickly understanding and defending against new threats or unknown actors. If a corporation decides to analyze samples in its own laboratory, that laboratory needs to be prepared for conducting the analysis. It is important that the laboratory is separated from corporate computers and networks, and that access is allowed only to information security personnel. Such a lab has several elements.
The core of the lab is its virtual computers. Several virtual computers with different operating systems need to be prepared and installed, such as Windows XP, Windows 7, Windows 8, and Windows 10. If a corporation uses Apple computers, it also needs a few computers running the Mac OS operating system, so that samples which attack Apple computers can be analyzed; the same goes for the Linux operating system. Some malicious programs behave differently on different operating systems, so several versions need to be installed. In addition, another virtual computer must be prepared to serve for static analysis. To be able to return to the original, uninfected state, snapshots should be used: the snapshot is taken after the tools are installed, so the previous state can be restored when an analysis is finished. So that other corporate computers are not infected, the network segment containing the analysis computers must be separated from the corporate network, and ideally the analysis computers get a separate Internet connection of their own.
Tools for Dynamic Analysis
After installing virtual computers for dynamic analysis, several tools need to be installed.
a. Process Monitor
Alongside these tools, some basic programs need to be installed, such as Internet browsers, document tools, and unzipping tools. The malicious file does not have to be in .exe format; it can be inside a document or be a .jar file, so the tools that can open and run such files must be installed.
Tools for Static Analysis
The computer configured for static analysis should have the programs listed below. All of these tools analyze the code without starting the sample, but for safety it is still best to run them on a virtual machine.
b. PE studio
d. PE view
f. Resource Hacker
As on the dynamic analysis computers, it is useful to install the basic programs as well.
Publicly Available Tools for Malware Analysis
Several malware analysis tools are available over the Internet. Some are free of charge, while most are paid solutions. The best-known tools are VxStream Hybrid Analysis from Payload Security, VirusTotal from Google, and Malwr, which is based on the Cuckoo Sandbox platform. In most cases, analysis with the publicly available tools is sufficient, as they provide enough information to determine what kind of malicious code it is and what protective measures should be taken. The one case in which uploading to publicly available tools is not recommended is when there is a suspicion that the malicious content is targeted at the corporation and may contain information sensitive to its business. Each of these free tools has a paid version that provides additional features: VirusTotal offers downloading of samples analyzed on the platform only in its paid version, while Hybrid Analysis offers this in its free version. For this paper, VirusTotal and VxStream Hybrid Analysis will be used. Malwr will not be used because it has been unreliable lately and does not reveal enough information about samples.
VirusTotal is a platform launched in 2004 and bought by Google in 2012. It can analyze computer files and Android applications. The file is scanned with a series of antivirus engines, and for each engine the platform reports whether the file is malicious and under what name it is categorized. In addition, it provides detailed information about the file type and its contents. Locky will be analyzed on this platform. Locky is ransomware that encrypts files on both internal and external drives and demands a certain amount of money to decrypt them; after payment, it sends a key to decrypt the files. After the file is uploaded, the first display contains: the file type as an icon, the number of antivirus engines detecting the file as malicious, the SHA-256 hash of the file, the file name and size, the date and time of the last analysis, and the number of users who rated the file malicious (Figure 2). Using the SHA-256 hash, it is possible to find out whether the sample was uploaded to another analysis platform. The 55/65 label states that the sample is known to most antivirus engines, so if the sample were launched there is a good chance that an antivirus would stop it from running on the computer.
Figure 3 shows several antivirus engines that have or have not detected the sample as malicious. TrendMicro and ViRobot successfully detected the sample as Locky, while the Kingsoft and Total Defense engines reported the sample as clean. This knowledge is very useful for ascertaining whether the current corporate antivirus is able to defend the corporation against this threat. Under the Details tab there is information about the file. The most interesting part of the basic analysis is the list of names under which this sample has appeared (Figure 4); all of these files have the same SHA-256 hash. Interestingly, the sample has circulated with extensions such as .safe and .dr, yet it is still an .exe type file. It can be concluded that with the .safe extension the attacker tried to hide the actual file extension and replaced it with one that does not look malicious. VirusTotal also displays the compile time in the details, but in most cases it is incorrect, because the compile time can be changed when the code is written.
The compile time of this sample is 02.03.2013, but it is certainly incorrect because this sample first appeared in 2010. The last tab shows user comments. Most of the comments give the name of the malicious code and help with the basic analysis when the type cannot otherwise be determined. If the sample was also uploaded to Hybrid Analysis, a Payload Security comment appears with the type of malicious code, additional information, and a link to the Hybrid Analysis page where that same sample was analyzed; such a comment is shown in Figure 5. In conclusion, VirusTotal is a very reliable and fast tool for basic file analysis and for quickly determining whether a file is malicious. It is useful for checking the effectiveness of the corporate antivirus and for quick analysis where the only information needed is whether the sample is malicious. If a deeper analysis is needed, Hybrid Analysis and manual dynamic and static analysis are used.
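The checks that the VirusTotal paragraphs above perform by hand, as an added Python example that is not from the paper: it reads a constructed report in the shape of a VirusTotal API v3 file object (the field names follow the real v3 schema; the hash, engine names, verdicts, file names and dates are invented for this example) and derives the detection ratio, the verdict of the corporation's own antivirus engine, the names whose extension hides that the file is a Windows executable, and whether the claimed compile time postdates the sample's first submission.

```python
import json
import os

# Constructed, abbreviated report in the shape of a VirusTotal API v3 "files"
# object. Hash, verdicts, names and dates are invented for this example; only
# the field names follow the real v3 schema.
SAMPLE_REPORT = json.loads("""{
 "data": {"type": "file", "id": "PLACEHOLDER_SHA256", "attributes": {
   "type_description": "Win32 EXE",
   "names": ["invoice.exe", "invoice.safe", "sample.dr"],
   "creation_date": 1362182400,
   "first_submission_date": 1291161600,
   "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 2,
                           "harmless": 0, "timeout": 0},
   "last_analysis_results": {
     "TrendMicro": {"category": "malicious", "result": "Ransom_LOCKY.A"},
     "ViRobot": {"category": "malicious", "result": "Trojan.Win32.Locky"},
     "EngineC": {"category": "malicious", "result": "Generic.Malware"},
     "Kingsoft": {"category": "undetected", "result": null},
     "TotalDefense": {"category": "undetected", "result": null}}}}}
""")

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

def detection_ratio(report):
    """(detected, engines that gave a verdict): the figure behind a 55/65 label."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detected = stats["malicious"] + stats.get("suspicious", 0)
    total = detected + stats.get("undetected", 0) + stats.get("harmless", 0)
    return detected, total

def corporate_av_verdict(report, engine):
    """Category reported by the corporation's own engine; None if it did not scan."""
    res = report["data"]["attributes"]["last_analysis_results"].get(engine)
    return None if res is None else res["category"]

def disguised_names(report):
    """Names under which a Windows executable circulated with a non-executable extension."""
    attrs = report["data"]["attributes"]
    if "EXE" not in attrs.get("type_description", ""):
        return []
    return [n for n in attrs.get("names", [])
            if os.path.splitext(n)[1].lower() not in EXECUTABLE_EXTS]

def compile_time_suspicious(report):
    """True when the PE timestamp claims a build after the sample was first seen."""
    attrs = report["data"]["attributes"]
    return attrs["creation_date"] > attrs["first_submission_date"]

def triage(report, corporate_engine):
    """Summary a security team would want from the report in one call."""
    det, total = detection_ratio(report)
    return {"ratio": f"{det}/{total}",
            "corporate_av": corporate_av_verdict(report, corporate_engine),
            "disguised_names": disguised_names(report),
            "compile_time_suspicious": compile_time_suspicious(report)}
```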