Analysis: The challenges and opportunities of investigating a breach.
For many, the word ‘forensics’ will probably conjure up images of crime dramas like CSI, yellow tape and chalk outlines.
Within cyber security, however, the practice of ‘network forensics’ is becoming increasingly important as organisations try to respond to and prevent breaches.
There are several reasons an organisation can benefit from network forensics capabilities. Larry Zulch, the CEO of Savvius, says that the discipline is growing both in importance and in how widely it is used.
"You’d be hard put to find a large organisation that doesn’t have some form of network forensics," he says.
The applications go beyond the ‘finding the criminal’ that is the goal of criminal forensics.
"Network forensics is a way of making false positive elimination more efficient, but it’s also useful in security breach investigations," he says.
Rich Barger, Chief Intelligence Officer at ThreatConnect, says that network forensics means "analysing previously gathered network traffic to identify evidence or data points to aid in a broader investigation after an incident."
These investigations, which can take place well after the actual incident, aim to work out what vulnerability was exploited in the attack.
Simon Crosby, CTO and co-founder at Bromium, says that without understanding how a breach took place, companies cannot work out how to address the flaws in their defences.
So what does a successful network forensics approach look like? Chris Cassell, IA Consultant at Becrypt, identifies five key steps that organisations need to take.
The first is gathering human intelligence, clarifying basic factors such as the time and date of the breach and which machines are affected.
The next step is planning, Cassell says, which includes prioritising the areas where the organisation can get the most evidence. It also means allocating resources and skillsets to conduct the investigation.
The next steps are to obtain and analyse the data, documenting and keeping clear records of everything you do, and to compile the information into a workable timeline of events.
"At the end of the investigation your report needs to be understandable and contain only defensible data," Cassell says, explaining the final step. "The report will need to explain findings that make sense to non-technical people."
He adds that this must be a factual and impartial report.
There are some major obstacles to network forensics, not least the difficulty in putting together enough data.
Unfortunately, hackers do their best to obstruct the forensics process. Attackers are skilled at removing the metadata around when they attack, leaving no trace of their activity on the compromised host.
Countering this means keeping a keen eye on what is going in and out of the network; as Zulch says, "packets don't lie". Organisations need an overview of the data travelling across the network boundary, captured independently of the hosts an attacker can tamper with.
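One way to put Cassell's steps and Zulch's "packets don't lie" into practice, as an added example that is not code from the article or from any of the vendors quoted: a small Python script that takes the inputs from the human-intelligence step (the reported breach window and the affected machines), records a SHA-256 of the flow export before analysis begins so that the final report rests on defensible data, and then builds the timeline from the network's own metadata rather than from host logs the attacker may have cleaned. The flow records, the 10.0.0.0/8 internal address range and the transfer-size threshold are constructed assumptions for illustration.

```python
"""Build a defensible timeline from captured network flow records.

Added example, not from the article. Assumes flow records exported as
comma-separated lines: timestamp,src,dst,dst_port,bytes (constructed).
"""
import hashlib
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample flow export; not real capture data.
FLOW_RECORDS = """\
2024-03-04T09:58:12Z,10.0.5.23,10.0.1.10,445,18240
2024-03-04T10:01:07Z,10.0.5.23,203.0.113.45,443,912
2024-03-04T10:01:09Z,10.0.5.23,203.0.113.45,443,5248133
2024-03-04T10:03:30Z,10.0.7.8,10.0.1.10,445,1400
2024-03-04T10:15:44Z,10.0.5.23,10.0.1.12,3389,67210
2024-03-04T11:30:00Z,10.0.9.2,10.0.1.10,80,320
"""

# Assumption: the organisation's own address space is 10.0.0.0/8.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Assumption: a single flow this large is worth calling out in the report.
LARGE_TRANSFER_BYTES = 1024 * 1024


def evidence_hash(raw: bytes) -> str:
    """SHA-256 of the evidence exactly as obtained, recorded before any analysis
    so the report can show the data was not altered during the investigation."""
    return hashlib.sha256(raw).hexdigest()


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text: str) -> list:
    """Turn the raw export into flow dicts; unparseable lines raise rather than
    being silently dropped, since a gap in the evidence must be documented."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split(",")
        flows.append({"time": parse_time(ts), "src": src, "dst": dst,
                      "dst_port": int(port), "bytes": int(size)})
    return flows


def is_internal(addr: str) -> bool:
    """True if the address lies inside the organisation's own ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_timeline(flows: list, affected_hosts: set, window_start: str, window_end: str) -> list:
    """Keep flows that touch an affected host inside the breach window, in time
    order, annotated with the facts an analyst would highlight."""
    start, end = parse_time(window_start), parse_time(window_end)
    events = []
    for f in flows:
        if not (start <= f["time"] <= end):
            continue
        if f["src"] not in affected_hosts and f["dst"] not in affected_hosts:
            continue
        notes = []
        if not is_internal(f["dst"]):
            notes.append("external destination")
        if f["bytes"] >= LARGE_TRANSFER_BYTES:
            notes.append("large transfer")
        events.append({**f, "notes": notes})
    events.sort(key=lambda e: e["time"])
    return events


def summarize(timeline: list) -> dict:
    """Figures for the plain-language report; every number traces back to a flow."""
    external = [e for e in timeline if "external destination" in e["notes"]]
    return {
        "events": len(timeline),
        "first_seen": timeline[0]["time"].isoformat() if timeline else None,
        "last_seen": timeline[-1]["time"].isoformat() if timeline else None,
        "external_bytes": sum(e["bytes"] for e in external),
        "external_peers": sorted({e["dst"] for e in external}),
    }


if __name__ == "__main__":
    raw = FLOW_RECORDS.encode()
    print("evidence sha256:", evidence_hash(raw))
    # Inputs from the human-intelligence step (constructed for the example).
    timeline = build_timeline(parse_flows(FLOW_RECORDS), {"10.0.5.23"},
                              "2024-03-04T09:55:00Z", "2024-03-04T10:30:00Z")
    for e in timeline:
        print(e["time"].isoformat(), e["src"], "->", e["dst"], e["dst_port"],
              e["bytes"], "bytes", "; ".join(e["notes"]))
    print(summarize(timeline))
```

The hash is taken from the raw bytes before parsing, so the report can state which exact export the timeline was derived from; the summary deliberately contains only counts, times and addresses that can be pointed back to individual flows, which is what makes it defensible in front of a non-technical audience.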
His company Savvius taps network traffic and creates forensic information around the alerts, building a detailed bank of information that can be deployed during a breach investigation.
Stuart Clarke, CTO, Cyber Solutions at Nuix, says that not knowing what an organisation's critical data is and where it lives can be another obstacle.
He cites a recent survey of security executives, sponsored by Nuix, which found that 31 percent of organisations could not say where critical value data was on the enterprise network, who had access to it or what people did with it after they accessed it.
"The key is for organisations to identify their critical data and finding out where it is stored," says Clarke.
This means reviewing an organisation’s business processes and network architecture, which may reveal that critical value data is being stored in unexpected places such as emails, file shares and staff members’ computers.
"The final important factor is to determine who has — and who should have — access to the critical value data," says Clarke. "Companies can then secure their networks by adding targeted, cost-effective security controls, including encryption, access controls and retention rules (defence in depth)."
Other obstacles include the lack of the necessary expertise. Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic, says that many organisations don’t have the time to be proactive and look for attacks.
He says that many "just don’t have the skills to keep their tools sharpened and expertise current on what to look for".
Another obstacle is fragmentation within an organisation.
"Oftentimes Digital Forensics and Incident Response (DFIR) practitioners are required to work with other security teams or even other departments who might not be familiar with their processes," Barger of ThreatConnect says. "And as such, those teams aren't always willing to give them access to information that they need to conduct an investigation or post-breach cleanup."
The important thing is that organisations don't simply assume everything will fall into place during an investigation: a coherent plan is needed to ensure that network forensics is as broad-ranging and accurate, and hence as useful, as possible.