January 10, 2013 4:25 PM
2012: A forensic perspective
In my role, I have investigated some of the biggest cyber security incidents of 2012, and it is true that as more cases have come to light where a company has been breached, general awareness is on the rise. However, questions remain about whether organisations are gaining the forensic insight into attacks that allows them to spot those attacks, respond promptly and effectively, and learn from them.
One step forward, two steps back
In the years that I have been a forensic investigator, I have worked on cases ranging from corporate fraud and criminal investigations to data leakage and HR-related issues, but over the past year my team and I have been called upon to investigate more cyber attacks. Incidents arise whereby a company discovers that it has been breached; this could be because it has been infected by malware or a botnet, or because it suspects that it is the victim of data theft, and that’s when we are called in.
The first priority is to stop the intrusion; these organisations are haemorrhaging money every minute that goes by, so first and foremost we have to get them back up and running. Then the reconnaissance starts: we recover all information that will help us to solve the case, which tends to be hard drives, log files and anything that could have been connected to the network at the time of the incident, even discarded machinery that’s sitting in a cupboard somewhere. We analyse the data, find patterns and work to resolve the case as quickly as possible.
However, what has made these cases so complex is that, more often than not, cyber attacks are going unnoticed for days, weeks, months and even years. Nearly as troubling, it’s rarely the breached organisation that discovers that it’s been compromised; rather, it’s usually a customer, partner, supplier or even a law enforcement agency that eventually notices something is awry and brings it to the victim’s attention.
As a result, most digital forensic investigations are done weeks, months or even years after the event, and unfortunately this is something that didn’t really change in 2012. Incidents tend to arise whereby someone realises at a much later date that something has happened; an anomaly will be spotted as much as 3 years down the line, and you have to go through the evidence retrospectively.
There are some sectors that are getting better at spotting issues as they happen, such as the heavily regulated financial sector, but unfortunately, noticing irregularities years down the line is symptomatic of the industry as a whole. When you consider that criminals can extract data in a matter of hours or days, and at worst in a span of only minutes, this is a gap that must be closed.
Applying an inquisitive eye
What’s causing this latency between incident and response is that many organisations simply do not have enough visibility into their own environment; they may be using tools like SIEM, antivirus and firewalls, but with as many as 400 alerts coming in per day, it’s nigh on impossible to differentiate between threats that require immediate and urgent action and those that do not.
To compound the issue, there is a more sinister and troubling threat that has been emerging over the past year, and that’s the threat from within. Recent cases such as the Swiss Intelligence Agency data breach have shown us that the most dangerous threats are internal, and no amount of firewalls, SIEMs and antivirus can protect corporations from espionage committed by trusted members of staff.
In the case of the Swiss Intelligence Agency breach, the perpetrator wasn’t detected at any point by the agency’s own security systems; no anomalies were spotted despite the terabytes of downloads and millions of printed pages of classified material taken from inside the building. It was only discovered when the culprit attempted to open a bank account and a Swiss bank flagged his behaviour as suspicious. When you consider the potential ramifications of an incident like this, and the sensitivity of the information that was stolen, had this gone undetected for 3 years, the consequences could have been huge.
In order for organisations to take back control, and make sure they are identifying attempts on their data in a reasonable time frame, they need to take a forensic approach to their environment. Understand what ‘normal’ looks like, and recognise an anomaly when you see it. Do not rely solely on traditional security software; look for ways that you can analyse threats and automate responses, trust your instincts, and if something looks suspicious, do not ignore it. In 2013, we are only going to see an increase in cyber espionage and data theft against organisations by internal members of staff, so hopefully organisations will learn from what we’ve seen in 2012 and be in a better place to protect themselves this year.
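As an added illustration of the “understand what ‘normal’ looks like” advice above (example code written for this page, not from the author or Guidance Software), the Python sketch below builds a per-user baseline of daily data volume from constructed records and flags a departure of the kind the Swiss case describes, where terabytes left the building unnoticed. The log fields, the 3-sigma threshold and the 4x minimum ratio are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, user, megabytes moved off the network) over a
# 5-day baseline window. All values are invented for illustration.
BASELINE_LOG = [
    (1, "alice", 40), (2, "alice", 55), (3, "alice", 38), (4, "alice", 60), (5, "alice", 45),
    (1, "bob", 120), (2, "bob", 100), (3, "bob", 135), (4, "bob", 110), (5, "bob", 125),
    (1, "carol", 5), (2, "carol", 8), (3, "carol", 6), (4, "carol", 4), (5, "carol", 7),
]

# Constructed observations for the day under review: bob's volume jumps,
# and "dave" has never appeared in the baseline at all.
TODAY_LOG = [(6, "alice", 52), (6, "bob", 4200), (6, "carol", 6), (6, "dave", 900)]


def build_baseline(records):
    """Per-user (mean, population std dev) of daily volume: what 'normal' looks like."""
    per_user = defaultdict(list)
    for _, user, mb in records:
        per_user[user].append(mb)
    return {user: (mean(vals), pstdev(vals)) for user, vals in per_user.items()}


def find_anomalies(baseline, observations, z_threshold=3.0, min_ratio=4.0):
    """Flag users whose volume departs from their own history, or who have none.

    A user is flagged when the z-score against their baseline exceeds
    z_threshold AND the volume is at least min_ratio times their mean; the
    ratio guard stops a tiny, very steady baseline from tripping on noise.
    Returns a list of (user, reason, megabytes) tuples for analyst review.
    """
    flagged = []
    for _, user, mb in observations:
        if user not in baseline:
            flagged.append((user, "no history", mb))
            continue
        avg, sd = baseline[user]
        if sd == 0:
            z = 0.0 if mb == avg else float("inf")
        else:
            z = (mb - avg) / sd
        if z >= z_threshold and mb >= avg * min_ratio:
            flagged.append((user, f"{mb / avg:.0f}x baseline", mb))
    return flagged


if __name__ == "__main__":
    for user, reason, mb in find_anomalies(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(f"REVIEW {user}: {mb} MB ({reason})")
```

In practice the baseline would be rebuilt from a rolling window of SIEM or DLP records rather than a fixed list, and the flagged tuples would feed the small queue of alerts that actually warrant an analyst’s attention.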
Maqsood Ahmed, Principal Security Consultant (EMEA & APAC) at Guidance Software