Cybercrime Investigation Body Of Knowledge

The 1st CIBOK Workshop (Study Group)

Objective: For members, and for non-members invited by members, to understand and learn from each other by working through the subject matter topics with reference to the content of CIBOK.

Title How to recognize cyber risk as a top management issue? How to organize the team to combat those risks?
Content Time has passed since cyber risk was recognized as a management-level risk, yet many enterprises are still struggling with how to deal with those risks. In this session, learn how to close the gap between top management and practical cyber security operations.
Target Audience Board members (CEO, CFO, CRO, CISO, etc.), coordinators of ISACs, or government bureaus in charge of security governance across industries
Agenda
  1. Management Level of Risks
    • What is the “management level of risk” for a private company?
    • History of surrounding risks that impact management
    • Global Risk Landscape 2018
    • Impact caused by Cyber Incident
    • Gaps between investors' expectations and board members'
  2. Cyber Risk Management
    • Scope of Risk Management
    • “Silo” across operations as well as gap from board members
    • Integrated Risk Management
    • Cyber Security Management Guideline 2.0 (by IPA*1)
    • Hybrid type of risk management organization
  3. Tips for the risk management
    • Differentiate threat, risk factor and risk (risk scenario)
    • Characteristic of cybercrime and its scope
    • Impact of Cybercrime
    • 5 layers of security risk
    • Cyber Defense Kill Chain Model
    • Reactive to proactive (Threat Hunting)
    • Strategic Management Life Cycle (PDCA+OODA)
    • Risk Management Model based on “TO-BE” approach
  4. Organize the team to face cyber risks
  5. Role for the board members

*1 : IPA : Information-technology Promotion Agency, Japan

Reference CIBOK Chapter 8-10

Title Basic understanding of “risk management”
Content As a fundamental knowledge area for cyber risk management, this session gives the opportunity to start by understanding the risk management framework from existing internationally standardized models.
Target Audience Members of the risk management team or CSIRT of a private company.
Agenda
  1. Understanding the basic risk management framework
    • Basic Process of Risk Management
      • Risk Identification
      • Risk Analysis
      • Risk Evaluation
      • Risk Response (Plan)
      • Risk Monitoring
  2. Understanding the existing risk management frameworks
    • ISO 31000, ISO 22301
    • COBIT 5, Risk IT
    • COSO ERM (Enterprise Risk Management) 2017 edition
Reference CIBOK Chapter 10, ISO 31000, COSO ERM, COBIT 5, Risk IT

Title Basic Understanding of Cyber Security Management
Content For those who have just started security management, the course gives a structured approach to grasp the existing security management frameworks quickly and effectively.
Target Audience Beginner-level members of the risk management team or CSIRT of a private company
Agenda
  1. Basic Framework for Security Management
    • ISO 27000
      • ISO 27001
      • ISO 27002
      • ISO 27005
    • NIST SP 800 Series
      • NIST SP 800-53
      • NIST SP 800-30
      • NIST SP 800-37
      • NIST SP 800-61
      • NIST SP 800-161
      • NIST SP 800-171
    • GDPR
  2. Important view-point for effective security management
    1. What is the resolution of a cybercrime case?
    2. Threat, Risk factor and Risk (Scenario)
    3. Risk viewpoint over cyberspace
    4. 5-layered model of cyber security
    5. Defense kill chain and best practices
    6. PDCA+OODA model
    7. Risk Appetite, ALARP
    8. How to manage KPIs for the Risk Management / CSIRT team?
Reference CIBOK Chapter 4, 8 and 10, ISO 27000, NIST SP 800 Series

Title Practical cyber risk management for the next generation
Content For those who have already studied basic risk management and security management, this session brings in best-practice experiences so that the audience can take away the learning and apply it to their ongoing security management.
Target Audience Managers or members of the Risk Management / CSIRT team in a private company
Agenda
  1. How to build up the organization?
    • What does success look like for the team (risk management / CSIRT)?
    • Business Strategy and risk management
    • Risk Structure (bringing in multiple subject matter domain areas)
    • Governance Type vs Category Type
    • Organization Chart of Hybrid Model
    • Understand the existing framework and make a choice
    • Customize the framework
    • Identification of the Risks
    • Analysis and Evaluation of the Risks
    • Risk Communication
  2. 4 steps to enhance cyber resilience
    1. Base Line enhancement
      • Security Solutions (cover the surface)
      • Digital Asset Management
      • Vulnerability Management
      • Training and Education
    2. Enhance the capability against Cybercrime
      • Understand the proper “resolution” of cybercrime
      • How to collaborate with law enforcement?
      • Improve the core capability of “CSIRT”
    3. Dynamic Risk Analytics
      • Triggers for dynamic risk analysis
      • OODA (Observe, Orient, Decide and Act)
    4. Information Sharing and Collaboration
      • What is meant by “info-sharing”?
      • Info-sharing models (US/Japan)
      • Importance of threat “intelligence”
Reference CIBOK Chapter 8-10, ISO 27000, NIST SP 800 Series

Title Resolution Model of Cybercrime
Content Only very few cybercrimes have been properly resolved. The session builds a common understanding of resolution (when can you say a case is solved?) and of the common approaches, processes and procedures for supporting public-private collaborative resolution of cybercrime.
Target Audience Those responsible for cybercrime investigation (in both the public and private sectors) or risk management, as well as government bureau coordinators in charge of security.
Agenda
  1. Understanding what “cybercrime” is
    • Impact caused by cybercrime
    • Characteristics of cybercrime that make investigation more complicated
    • Category of cybercrime
      • Technology as a tool of crime
      • Technology as a target of crime
      • Technology as a destruction of crime
    • Who are the cyber criminals?
      • Labor division / CaaS (Crime as a Service)
      • Virtual Currency, Dark Web to support criminals
    • What is cybercrime investigation?
      • What is the impact to the victim?
      • Understand the “stage” of the crime
      • Scope of cybercrime
  2. Understand the resolution model
    • Gap between law enforcement and the victimized private company
    • Collaborative investigation is mandatory
      • Trigger of the cybercrime
      • Report to law enforcement
      • Scoping of the investigation
      • Grasp the whole picture
      • Preserve the “evidence”
      • Support by “intelligence” and its development
    • Procedures for the victimized company
      • Technical remediation
      • Communication
      • Residual Risk Analysis
      • Learning and Improvement
Reference CIBOK Chapter 1 - 10

Title Usage of “threat intelligence” and how to develop it
Content Most people say “threat intelligence” is important; however, its definition is still unclear and it is not effectively developed or used. In this session, attendees can grasp the high-level domain knowledge required for dealing with threat intelligence.
Target Audience Those in both the public and private sectors who need intelligence (e.g. for risk analysis and evaluation, in-depth crime investigation, or even cyber defense)
Agenda
  1. Basic Common Sense
  2. Cyber Security Framework as the basic domain knowledge
  3. Crime Scene Indicators
  4. Source and its collection
  5. Data Analytic framework
  6. Data Quality
  7. Case Studies
  8. Build up the infrastructure for data aggregation and analytics
  9. Data Aggregation
  10. Data Analysis
  11. Practice for insight
  12. Future Direction
  13. Review
Reference CIBOK Chapter 3 - 7

Title Practical collection and investigation of evidence triggered at or by open sources (OSINT)
Content Practical hands-on training to understand how to conduct research using Open Source Intelligence (OSINT).
Target Audience Those in both the public and private sectors who need intelligence (e.g. for risk analysis and evaluation, in-depth crime investigation, or even cyber defense)
Agenda
  1. Basic Common Sense
  2. Borrow the power of “community”
  3. Theme and Activities for Cyber Patrol
  4. External Source of Evidence
  5. Queries to figure out hidden information
  6. Search Engine for private information
  7. How to investigate an account on a social network?
  8. Case Study
  9. Patrol for Phishing Scams
  10. OSINT Tools Platform
  11. Review
Reference CIBOK Chapter 3 - 7

Title What is “Cybercrime” and “Cybercrime Investigation”?
Content For beginners or entry-level people in charge of cybercrime investigation in both the public and private sectors, the session identifies the required domain knowledge in a structured approach, along with the basic knowledge that will be needed for in-depth training in the near future.
Target Audience Beginners and students who aim to become a “cybercrime investigator” in either the public or private sector.
Agenda
  1. What is the “cybercrime”?
    • Definition of Crime and Cybercrime
    • Category of Cybercrime
  2. What is “Cybercrime Investigation”?
    • How did it begin?
    • Who is the victim?
    • Who did it?
    • Flow of investigation
    • Arrest and Prosecution
Reference CIBOK Chapter 1 - 8

Title What is the required domain knowledge to build up and manage an organization against cybercrime?
Content If you are just trying to build up an organization to combat cybercrime (or need to enhance an existing one), this session provides the holistic picture of what you need to learn and the experience needed for better organizational management.
Target Audience Board members of private enterprises (CEO, CFO, CRO and CISO), heads of risk management or CSIRT, top-level management of the public sector, etc.
Agenda
  1. Strategy and Governance
    • Vision, Mission and Strategy
    • Strategic Objective and Balanced Score Card (BSC)
    • How to cascade the top-level objective down to organizations and individuals
    • Risk Communication
  2. Required Domain knowledge of Management
    • Organization Planning
    • Budget Management
    • Human Resource
    • Performance Management
    • People Management
    • Tool Management
  3. (Cybercrime Investigation) Execution Framework
    • Structure of Cyber Security Solution
    • “Silo” and “Overlap” - RACI
    • OODA loop for incident handling
  4. Workshop
    • Develop the vision, mission and strategy
    • Develop the Critical Success Factor
    • Cascade down to security requirement and develop the security KPI (or KRI)
Reference CIBOK Chapter 10

Title Understanding the next generation security management, PDCA+OODA model
Content Cyber risk has become dynamic rather than static. To face dynamic risk, you can learn how to adopt the PDCA + OODA model in your organization by understanding its essence.
Target Audience Board members of private companies (CRO, CISO), heads of Risk Management or CSIRT, as well as top management of the public sector
Agenda
The 4 steps to enhance your cyber resilience
  1. Base Line enhancement
    • Security Solutions (cover the surface)
    • Digital Asset Management
    • Vulnerability Management
    • Training and Education
  2. Enhance the capability against Cybercrime
    • Understand the proper “resolution” of cybercrime
    • How to collaborate with law enforcement?
    • Improve the core capability of “CSIRT”
  3. Dynamic Risk Analytics
    • Triggers for dynamic risk analysis
    • OODA (Observe, Orient, Decide and Act)
  4. Information Sharing and Collaboration
    • What is meant by “info-sharing”?
    • Info-sharing models (US/Japan)
    • Importance of threat “intelligence”
Reference CIBOK Chapter 1-10