12/24/2014 10:00 AM
Craig Carpenter
Commentary

Why Digital Forensics In Incident Response Matters More Now

By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.

In the 1991 movie Backdraft, Robert De Niro plays the part of Donald ‘Shadow’ Rimgale, a fire department detective investigating a series of arsons in Chicago. As a former firefighter himself, De Niro’s character works closely with firefighters to piece together events based on the available evidence, both physical and circumstantial, and relies on his years of experience as both a firefighter and arson investigator.

Today’s practice of incident response (IR) is very similar to De Niro’s Backdraft character: equal parts firefighter (containing and remediating a breach as quickly as possible while minimizing damage) and investigator (figuring out what exactly happened, how, from where, and why). Security analysts must first and foremost get things under control, stopping harmful or unauthorized activity as soon as it is discovered. But while a fact-based understanding of exactly what happened is important, without a root cause analysis, similar breaches can and often do simply reoccur. And though the threat vectors and tools (think keyboards, computer monitors, and sophisticated software instead of flames, hoses, and fire-retardant jackets) are very different, the use cases for incident response and firefighting are actually quite similar.

Physical vs. digital forensics
Modern forensics is generally practiced in two places: law enforcement and corporate security/IT departments. While physical forensics (fingerprints, bullet trajectories, DNA testing, etc.) is often relevant with law enforcement, it is typically not a major factor in corporate security departments. However, its virtual sibling digital forensics is incredibly important to both constituencies.

With law enforcement, digital forensics has become more commonplace as more crime moves online, and increasingly relevant even with “offline crime” to help corroborate physical evidence and support key elements of a prosecution, like a criminal’s intent, location, or state of mind. Being able to definitively prove that someone did (or failed to do) something is the key goal, with process integrity (e.g. chain of custody) paramount.

In corporate security departments, digital forensics seeks to answer somewhat different questions than where the malware came from and how it got here. What’s more relevant is determining where the bad guys went, what they did, and what they took after they hacked into the network in the first place. The goal is to understand the details of what happened -- when, how, and why -- to prevent a similar intrusion in the future. (The “who” question is typically less important beyond identifying what type of actor/activity was likely involved, e.g. eastern European crime syndicate vs. state-sponsored espionage.)

Endpoint challenges
But whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult -- especially at the endpoint. Challenges in either case include accessibility of systems and data on them (e.g. cellphones), latency when pulling data from a system remotely, erroneously tipping off a user that their system is being accessed, myriad formats and devices, languages, and synthesizing data from multiple sources -- to name just a few. This is where corporate security departments enjoy the benefits of decades of laborious work by law enforcement and vendors that supply them with tools: no matter how challenging a scenario may be, law enforcement has seen and handled it before, often with a higher degree of difficulty.

The criticality of rock-solid forensic tool sets becomes even more important when looking at the velocity, volume, and variety of data corporate security departments must sift through on a daily basis. Most large security teams see thousands or tens of thousands of alerts every day. Whether proactively hunting for threats on endpoints, validating alerts from a next-gen firewall, integrating threat intelligence, or correlating log data, network traffic, and endpoint artifacts in a SIEM, forensics is everywhere in today’s IR.

You don’t have to be a fan of Robert De Niro movies to understand how important forensics is to arson investigations... and IR. Just like De Niro’s character in Backdraft, today’s IR practitioner must rely on proven forensics tools in order to nab the bad guy.

Craig joined AccessData as Chief Marketing Officer in 2013. With the company split in November 2014, he was promoted to President and COO of the newly formed cybersecurity company, Resolution1 Security. Prior to joining AccessData, Craig was VP of Marketing and Business ... View Full Bio
Comments
JasonSachowski (User Rank: Author), 12/29/2014 | 9:02:03 AM
Re: Why Digital Forensics In Incident Response Matter More Now
While I agree that proven forensic tools are essential, we cannot rely on technology to catch the bad guy. Let's not forget that in order to make these forensic tools work, knowledgeable people and established processes are equally important.
Broadway0474 (User Rank: Apprentice), 12/28/2014 | 11:54:46 PM
Re: Knowledge base for attacks
DrT, that is a great point about building a "knowledge base" of past attacks. It's a lesson perhaps transferable from other catastrophe types, like say hurricanes. Experts there study past hurricanes, not that one is replicable --- but more to learn how wind speeds and wave heights affect businesses, communities, etc. in the hopes of applying relatable lessons when the next hurricane comes. Agree it's similar?
Dr.T (User Rank: Ninja), 12/26/2014 | 9:35:32 AM
Re: Being Pro-active with Forensics
I agree on the IP address also. IP addresses can easily be spoofed; neither source nor destination IPs are reliable. Not even a MAC address can really be used to identify the source of a message.
Dr.T (User Rank: Ninja), 12/26/2014 | 9:33:53 AM
Re: Being Pro-active with Forensics
Agree, being proactive and doing the required work and analyzing the threats. It needs to be taken to the next level, removing vulnerabilities in the environment.
Dr.T (User Rank: Ninja), 12/26/2014 | 9:21:52 AM
Knowledge base for attacks
I agree there has to be a knowledge base built for the attacks in the enterprise. This would not only help to understand and prevent similar types of attacks, but it would also give us an idea of the trend around where we are being exploited and what our vulnerabilities are. The enterprise cannot really continue to fight attacks that would be very expensive in the long run; we need to understand our vulnerabilities and close them before they are exploited.
PZav (User Rank: Author), 12/24/2014 | 1:11:55 PM
Being Pro-active with Forensics
The more I learn about the forensics work we do at RiskIQ, the more I see the value. In our case, our forensics team uses data collected from our detection technology, which scans large sections of the public web. Our forensics teams analyze threats as they appear online. The benefit is that a potentially innocuous-looking infection may be tied to a more expansive and sophisticated attack infrastructure.

The reality is that many prominent threat actors share resources, and just because one attack may appear to have originated from IPs tied to prior attacks does not mean that infrastructure is owned by the same group. It could be infrastructure rented out for multiple uses. It helps us understand what our customers might be up against.