
2012: A forensic perspective


Organisations need to take back control and make sure they are identifying attempts on their data within a reasonable time frame.

Over the past year there has been an increasing number of high-profile incidents, ranging from cyber espionage and data breaches to data theft and targeted malware attacks, in which companies across the globe have been forced to call in teams of digital forensic investigators. Increasingly, the reason they are called in is to investigate a cyber attack.

In my role, I have investigated some of the biggest cyber security incidents of 2012, and it is true that as more cases have come to light where a company has been breached, general awareness is on the rise. However, questions remain about whether organisations are gaining the forensic insight into attacks that would allow them to spot those attacks, respond promptly and effectively, and learn from them.

One step forward, two steps back

In the years that I have been a forensic investigator, I have worked on cases ranging from corporate fraud, criminal investigations and data leakage to HR-related issues, but over the past year my team and I have been called upon to investigate more cyber attacks. Incidents arise whereby a company discovers that it has been breached: it may have been infected by malware, enrolled in a botnet, or suspect that it is the victim of data theft. That is when we are called in.

The first priority is to stop the intrusion; these organisations are haemorrhaging money every minute that goes by, so first and foremost we have to get them back up and running. Restoring service and preserving evidence pull in opposite directions, so affected systems should be imaged, and volatile data captured, before anything is rebuilt. Then the evidence collection starts: we recover everything that will help us to solve the case, which tends to be hard drives, log files and anything that could have been connected to the network at the time of the incident, even discarded machinery sitting in a cupboard somewhere. We analyse the data, find patterns and work to resolve the case as quickly as possible.

However, what has made these cases so complex is that, more often than not, cyber attacks go unnoticed for days, weeks, months and even years. Nearly as troubling, it is rarely the breached organisation that discovers it has been compromised; it is usually a customer, partner, supplier or even a law enforcement agency that eventually notices something is awry and brings it to the victim's attention.

As a result, most digital forensic investigations are done weeks, months or even years after the event, and unfortunately this is something that did not really change in 2012. Typically someone realises at a much later date that something has happened; an anomaly may be spotted as much as three years down the line, and the evidence has to be worked through retrospectively.

Some sectors are getting better at spotting issues as they happen, such as the heavily regulated financial sector, but unfortunately noticing irregularities years down the line is symptomatic of the industry as a whole. When you consider that criminals can extract data in a matter of days or hours, and at worst in a span of only minutes, this is a gap that must be closed.

Applying an inquisitive eye

What causes this latency between incident and response is that many organisations simply do not have enough visibility into their own environment. They may be using tools such as SIEM, antivirus and firewalls, but with as many as 400 alerts coming in per day it is near impossible to differentiate between the threats that require immediate, urgent action and those that do not.

To compound the issue, a more sinister and troubling threat has been emerging over the past year: the threat from within. Recent cases such as the Swiss Intelligence Agency data breach have shown that the most dangerous threats can be internal, and that no amount of firewalls, SIEMs and antivirus can protect an organisation from espionage carried out by trusted members of staff.

In the case of the Swiss Intelligence Agency breach, the perpetrator was not detected at any point by the agency's own security systems; no anomalies were spotted despite the terabytes of downloads and the millions of printed pages of classified material taken from inside the building. It was only discovered when the culprit attempted to open a bank account and a Swiss bank flagged his behaviour as suspicious. When you consider the potential ramifications of an incident like this and the sensitivity of the information that was stolen, had the theft gone unnoticed for three years, as incidents so often do, the consequences could have been huge.

In order for organisations to take back control, and to make sure they are identifying attempts on their data within a reasonable time frame, they need to take a forensic approach to their own environment. Understand what 'normal' looks like, and recognise an anomaly when you see it. Do not rely solely on traditional security software; look for ways to analyse threats and automate responses, trust your instincts, and if something looks suspicious do not ignore it. In 2013 we are only going to see an increase in cyber espionage and data theft against organisations by internal members of staff, so hopefully organisations will learn from what we saw in 2012 and be in a better place to protect themselves this year.
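The advice to understand what 'normal' looks like and recognise an anomaly, reduced to working code as an added example (this is not code from the article or from Guidance Software): it reads a constructed per-user log of daily outbound data volume, scores each new day against that user's own history with a median/MAD test, and ranks the findings so the largest departure from normal is seen first rather than buried among hundreds of alerts. The log format, the figures, the thresholds, the minimum history length and the 1% fallback for flat histories are all assumptions made for the illustration.

```python
"""Baseline-and-anomaly check over per-user outbound data volumes.

Added example: this is not code from the article or from Guidance
Software. The log format, the numbers and the thresholds are all
constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed sample log, one record per user per day: "<date> <user> <bytes_out>".
# bob's last day models a bulk download of the kind the article describes;
# carol's history is perfectly flat to exercise the MAD == 0 path.
SAMPLE_LOG = """\
2012-11-01 alice 120000000
2012-11-02 alice 95000000
2012-11-03 alice 130000000
2012-11-04 alice 110000000
2012-11-05 alice 105000000
2012-11-06 alice 125000000
2012-11-07 alice 118000000
2012-11-01 bob 20000000
2012-11-02 bob 22000000
2012-11-03 bob 19000000
2012-11-04 bob 21000000
2012-11-05 bob 23000000
2012-11-06 bob 20500000
2012-11-07 bob 4800000000
2012-11-01 carol 5000000
2012-11-02 carol 5000000
2012-11-03 carol 5000000
2012-11-04 carol 5000000
2012-11-05 carol 5000000
2012-11-06 carol 5050000
"""

MIN_HISTORY = 5        # days of history needed before a user's baseline is trusted (assumption)
SCORE_THRESHOLD = 6.0  # robust z-score above which a day is flagged (assumption)


def parse_log(text):
    """Parse the constructed log into {user: [(date, bytes_out), ...]}, oldest first."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, nbytes = line.split()
        per_user[user].append((date, int(nbytes)))
    for rows in per_user.values():
        rows.sort()  # ISO dates sort chronologically as strings
    return dict(per_user)


def robust_score(value, history):
    """How far `value` sits above the history's median, in MAD units.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one earlier spike does not inflate the
    baseline and mask later ones. 1.4826 scales MAD to a standard
    deviation for normally distributed data.
    """
    med = statistics.median(history)
    mad = statistics.median([abs(h - med) for h in history])
    if mad > 0:
        scale = 1.4826 * mad
    else:
        # A perfectly flat history has MAD 0; fall back to 1% of the median
        # (assumption) so byte-level jitter is not reported as an anomaly.
        scale = max(1.0, 0.01 * med)
    return (value - med) / scale


def find_anomalies(per_user):
    """Compare each day with the same user's earlier days; return flagged days, worst first."""
    findings = []
    for user, rows in per_user.items():
        history = []
        for date, nbytes in rows:
            if len(history) >= MIN_HISTORY:
                score = robust_score(nbytes, history)
                if score > SCORE_THRESHOLD:
                    baseline = statistics.median(history)
                    findings.append({
                        "user": user,
                        "date": date,
                        "bytes_out": nbytes,
                        "baseline_bytes": baseline,
                        "ratio": nbytes / baseline,
                        "score": score,
                    })
            history.append(nbytes)
    # Triage: the largest departures from a user's own normal go to the top.
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['date']} {f['user']}: {f['bytes_out']:,} bytes out, "
              f"{f['ratio']:.0f}x the user's median of {f['baseline_bytes']:,.0f}")
```

Run as a script it reports only bob's final day, roughly 230 times his median. Each user is compared with their own history rather than with a fleet-wide average, because a quiet user moving a few gigabytes is far more telling than a backup server doing the same. The caveat is that a volume test only catches spikes: a patient insider who keeps each day inside their normal band will not trip it, which is why this kind of baseline is one signal to combine with others rather than a detector on its own.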

Maqsood Ahmed, Principal Security Consultant (EMEA & APAC) at Guidance Software
