Sit down with a forensic investigator for an hour and you're sure to hear some interesting stories.
Like the time a digital investigation was initiated after a university student in Western Canada, who was using his school's internet connection to distribute child pornography, left a thumb drive containing illicit material in a public computer. The perpetrator was, incidentally, nabbed by police after stopping by the school's IT department asking if anyone had turned in the missing device.
Or, there was the time a forensicator – what digital investigators often call themselves – had to dig into a deceased employee's computer to determine if anything work related caused the person to take their own life.
The field of computer forensics is still a relatively new discipline, and is constantly evolving. A combination of law and computer science, the field is defined as the practice of gathering and examining data from computer systems, networks and wireless devices in a way that, if necessary, will hold up as evidence in a court, according to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cybersecurity Division at the U.S. Department of Homeland Security.
Historically driven by human relations and legal issues, in cases like the examples above, digital investigations are now increasingly being launched following data breaches and suspected computer intrusions, experts say. With the frequency and sophistication of today's cyberattacks, computer forensics has become an integral aspect of information security incident response plans, especially for those in government and the technology and defense industries.
A new reality
“Digital forensics in IT security is necessary to provide a new component called threat intelligence,” says Rob Lee (right), faculty lead for digital forensics at the SANS Institute, a leading source for information security training.
“Digital forensics in IT security is necessary to provide a new component called threat intelligence.”
– Rob Lee, faculty lead for digital forensics at the SANS Institute
Lee, a forensicator for more than 15 years who has worked for the special investigations branch of the U.S. Air Force Office and as a contractor for the National Security Agency and CIA, says digital investigations can provide critical information about the tools, techniques and procedures leveraged by adversaries. Given today's flourishing threat landscape, where advanced persistent threats (APTs), financially-motivated cybercrime and hacktivism are rampant, the necessity of integrating forensics into incident response plans is becoming “a new reality,” he says.
Most organizations have already deployed a host of layered security defenses that are helping to keep intrusions at bay, experts say. Still, recent compromises of government agencies, security firms and international corporations show that no defense is foolproof, and determined adversaries can usually make their way in, says Dave Merkel, CTO of Mandiant, a firm that specializes in cyber incident response and computer forensics.
“Even with a great security staff and a high budget, the likelihood that you can be compromised is high,” says Merkel (left), who has been a digital investigator for a decade and a half. “Every organization we see can be breached.”
And that's precisely the reason why many forward-thinking organizations, which are looking for better ways to fight back, have bolstered their forensic capabilities.
Forensic investigations are a central part of the federal cybersecurity strategy, according to an analyst at US-CERT, the agency tasked with responding to and defending against cyberattacks targeted at the executive branch of government. US-CERT currently has seven full-time staffers to analyze federal government hard drives in response to evidence of intrusions, and the team is growing rapidly, having doubled in the past 18 months.
Cybersecurity investigations are a different breed of forensics than traditional human relations and legal cases, experts say. While any digital investigation necessitates forensic best practices, such as maintaining a so-called chain of custody (see sidebar), the goal of a cyber incident response-driven inquiry is not necessarily to catch a criminal and get a successful prosecution, says SANS' Lee. The main purpose is, rather, to determine the extent of a compromise and fully eradicate adversaries from all their hiding places within the network. In addition, such investigations are meant to determine how an intruder gained access to enterprise systems, where they went, what they were after and whether any data was taken.
The US-CERT analyst, who asked not to be named, says forensic examinations begin as a reactive information security activity, but often turn into a proactive investment. Within the agency, such examinations often yield information about how a piece of malware operates and how an attack was carried out. This information is fed back to the network analysis team, which can come up with ways to better detect similar threats in the future. This information is also shared, when appropriate, with the public.
Staying ahead of threats
Besides the government, every company within the defense indusial base is currently using forensics to better its security posture, Lee says. Such organizations, along with commercial technology firms, have historically faced some of the most frequent and advanced attacks. They consequently began using forensic threat intelligence to their benefit several years ago.
“...digital forensics is becoming extremely useful in commercial and government organizations.”
– Rob Lee, faculty lead for digital forensics at the SANS Institute
“The only way to stay ahead of [today's threats] is to have a team that will help you generate additional threat intelligence,” Lee says. “That's where digital forensics is becoming extremely useful in commercial and government organizations.”
Many other companies are behind the curve, however, according to a report released in March by McAfee and Science Applications International Corp., a scientific, engineering and technology applications company. The “Underground Economies” report, based on a survey of more than 1,000 senior IT decision-makers, reveals that just a quarter of organizations conduct a forensic analysis after sustaining a data breach.
Further, just half of organizations take any steps at all to remediate and protect systems following breaches or attempted intrusions, according to the report. More than half of organizations have, at some point, decided to forego the investigation of a security incident due to the cost.
“This lack of investigation means that potential vectors of attack are not shored up and future penetration is possible or the threat persists,” the report states. “Insiders are not identified, and incongruities are not investigated to identify a larger threat.”
Even so, some firms that were less aggressively targeted in years past, such as those in the energy sector, are now starting to consider the benefits of integrating forensics into their plans, Mandiant's Merkel says.
A common pattern
While each digital probe is different, they generally follow a common pattern, according to investigators. For public- and private-sector organizations with advanced capabilities, the investigation is usually prompted after the security team discovers a compromise on some part of the network. At this point, the organization will have some knowledge about the incident, including an idea of where an intruder is on the network and, possibly, an offending IP address.
Through the examination of an infected machine, a forensic team can start to build an intelligence profile of the adversaries. As part of the investigation, malware is often passed to specialists in reverse engineering who can take it apart and determine how it is loaded, where it exists and the mechanism keeping it active. This threat intelligence is then fed back to security operation centers and used to scan for additional compromised machines.
Investigations play out a little differently at less-resourced firms. Often, these victim organizations don't even know they have been breached and only find out through an external party, such as a technology firm, law enforcement body or government entity, says Mandiant's Merkel.
Most large and midsize businesses have some incident response capabilities, he adds. Few, though, have experience dealing with aggressive, targeted attackers. If not, the organization may choose to bring in a third-party computer forensic company to aid incident response activities. In such cases, the contracted investigators will likely deploy technologies that increase the ability to observe what's going on.
Hunting for adversaries
Regardless of whether the company has the capabilities in-house or has contracted a third-party, the next step is to go “hunting” for adversaries, Lee says. This involves examining the network for anomalies and using the information gathered to know what to look for.
“We have had situations where the company knows they were dealing with one kind of threat – an APT problem – and we do an investigation and find out that, indeed, they do,” Merkel says. “But, they also have a credit card breach we find by virtue of doing the investigation.”
For this reason, it makes sense to scope out the extent of a compromise before reacting to it, experts say. If just one infected system is cleaned at a time, hackers can react by moving laterally through the network to retain their foothold. Instead, all infected systems should be taken down simultaneously, at which time the security team can improve its organization's level of protection by deploying additional network defenses, creating blocks for the offending IP addresses, forcing users to change all their passwords and providing user education.
“It's a continual process,” Lee says. “It's like weeding a garden. You never win. You try to get the weeds out before they become an issue.”
A chain of custody refers to the process for ensuring evidence has not been mishandled or tampered with, and will hold up in a court of law. Most digital investigations do not go to trial, but each one should be treated as if it were, says Joseph Shaw (right), incident response analyst for a large health insurance company and senior threat investigator for MetaNet, a managed security event monitoring and incident response handling firm.
The best way to ensure evidence will hold up in court is to:
“In my opinion, every organization should have at least one trained individual to handle an incident to the point where they can competently handle evidence without fear of compromising the data,” Shaw says. – Angela Moscaritolo