Industry Insight

2012: A forensic perspective

Over the past year there has been an increasing number of high-profile incidents, ranging from cyber espionage and data breaches to data theft and targeted malware attacks, in which companies from across the globe have been forced to call in teams of digital forensic investigators; increasingly, the reason is to investigate a cyber attack.

In my role, I have investigated some of the biggest cyber security incidents of 2012, and it is true that, as more cases have come to light where a company has been breached, general awareness is on the rise. However, questions remain about whether organisations are gaining the forensic insight into attacks that would allow them to spot those attacks, respond promptly and effectively, and learn from them.

One step forward, two steps back

In the years that I have been a forensic investigator, I have worked on cases ranging from corporate fraud, criminal investigations and data leakage to HR-related issues, but over the past year my team and I have been called upon to investigate more cyber attacks. Incidents arise when a company discovers that it has been breached; this could be because it has been infected by malware or a botnet, or because it suspects that it is the victim of data theft, and that is when we are called in.

The first priority is to stop the intrusion; these organisations are haemorrhaging money every minute that goes by, so first and foremost we have to get them back up and running. Then the reconnaissance starts: we recover all information that will help us to solve the case, which tends to be hard drives, log files and anything that could have been connected to the network at the time of the incident, even discarded machinery that is sitting in a cupboard somewhere. We analyse the data, find patterns and work to resolve the case as quickly as possible.

However, what has made these cases so complex is that, more often than not, cyber attacks are going unnoticed for days, weeks, months and even years. Nearly as troubling, it is rarely the breached organisation that discovers it has been compromised; it is usually a customer, partner, supplier or even a law enforcement agency that eventually notices something is awry and brings it to the victim's attention.

As a result, most digital forensic investigations are done weeks, months or even years after the event, and unfortunately this is something that did not really change in 2012. Incidents tend to arise when someone realises at a much later date that something has happened: an anomaly is spotted as much as 3 years down the line, and you have to go through the evidence retrospectively.

Some sectors are getting better at spotting issues as they happen, such as the heavily regulated financial sector, but unfortunately noticing irregularities years down the line is symptomatic of the industry as a whole. When you consider that criminals can extract data in a matter of hours or days, and at worst in a span of only minutes, this is a gap that must be closed.

Applying an inquisitive eye

What is causing this latency between incident and response is that many organisations simply do not have enough visibility into their own environment; they may be using tools like SIEM, antivirus and firewalls, but with as many as 400 alerts coming in per day, it is nearly impossible to differentiate between threats that require immediate and urgent action and those that do not.

To compound the issue, a more sinister and troubling threat has been emerging over the past year, and that is the threat from within. Recent cases such as the Swiss Intelligence Agency data breach have shown us that the most dangerous threats are internal, and that no amount of firewalls, SIEMs and antivirus can protect corporations from espionage by trusted members of staff.

In the case of the Swiss Intelligence Agency breach, the perpetrator was not detected at any point by the agency's own security systems; no anomalies were spotted despite the terabytes of downloads and millions of printed pages of classified material taken from inside the building. It was only discovered when the culprit attempted to open a bank account and a Swiss bank flagged his behaviour as suspicious. When you consider the potential ramifications of an incident like this, and the sensitivity of the information that was stolen, had this gone undetected for 3 years the consequences could have been huge.

In order for organisations to take back control, and make sure they are identifying attempts on their data in a reasonable time frame, they need to take a forensic approach to their environment. Understand what 'normal' looks like, and recognise an anomaly when you see it. Do not rely solely on traditional security software; look for ways that you can analyse threats and automate responses, trust your instincts, and if something looks suspicious do not ignore it. In 2013 we are only going to see an increase in cyber espionage and data theft against organisations by internal members of staff, so hopefully organisations will learn from what we have seen in 2012 and be in a better place to protect themselves this year.
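The "understand what normal looks like, then recognise the anomaly" approach the paragraph recommends, as an added illustration that is not part of the original article: each user's daily outbound data volume is scored against that user's own history using a robust median/MAD baseline, so a single bulk download of the kind described above stands out even when ordinary traffic is noisy, and the flagged days are ordered so triage starts with the most extreme one. The records are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (day, user, bytes_out); not real data.
RECORDS = [
    ("2012-11-01", "alice", 120_000_000), ("2012-11-01", "bob", 50_000_000),
    ("2012-11-02", "alice", 95_000_000),  ("2012-11-02", "bob", 52_000_000),
    ("2012-11-03", "alice", 130_000_000), ("2012-11-03", "bob", 48_000_000),
    ("2012-11-04", "alice", 110_000_000), ("2012-11-04", "bob", 51_000_000),
    ("2012-11-05", "alice", 140_000_000), ("2012-11-05", "bob", 49_000_000),
    ("2012-11-06", "alice", 100_000_000), ("2012-11-06", "bob", 50_000_000),
    # One 20 GB day: the kind of bulk download the article describes.
    ("2012-11-07", "alice", 20_000_000_000), ("2012-11-07", "bob", 53_000_000),
]


def baseline(values):
    """Robust 'normal' for one user: median and median absolute deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def robust_z(value, med, mad):
    """Modified z-score; 0.6745 scales the MAD to a standard-deviation estimate."""
    if mad == 0:  # flat history: any change at all is unprecedented
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def find_anomalies(records, threshold=3.5, min_history=5):
    """Score each day against the user's prior days only (no peeking ahead).

    Returns (day, user, bytes, z) for flagged days, most extreme first, so
    an analyst facing hundreds of alerts knows which one to open first.
    """
    history = defaultdict(list)
    flagged = []
    for day, user, volume in sorted(records):
        prior = history[user]
        if len(prior) >= min_history:
            med, mad = baseline(prior)
            z = robust_z(volume, med, mad)
            if abs(z) >= threshold:
                flagged.append((day, user, volume, round(z, 1)))
        prior.append(volume)
    return sorted(flagged, key=lambda f: -abs(f[3]))


if __name__ == "__main__":
    for day, user, volume, z in find_anomalies(RECORDS):
        print(f"{day} {user}: {volume:,} bytes out (z={z})")
```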

Maqsood Ahmed, Principal Security Consultant (EMEA & APAC) at Guidance Software
