[BreachExchange] Post-breach forensics: Building the trail of evidence

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 17 20:39:14 EDT 2016


http://www.scmagazineuk.com/post-breach-forensics-building-the-trail-of-evidence/article/493072/

It's said that, at the scene of a crime, every contact leaves a trace.
However, in the world of cyber-crime, tracing the equivalent of the 'smoking
gun' can be a big challenge and, in the event of a security incident,
answering the question "who accessed our IT systems and what did they do?"
is tough. Moreover, what happens when an incident stems from those with
the highest privilege rights or the very person who is supposed to be
watching the network for attacks? Many companies still face considerable
challenges during a forensic investigation simply because they don't have a
structured audit trail of evidence that can be accessed quickly and which
would be watertight in a legal proceeding.

In either case, whether the incident is the result of insider activity,
human error or an external breach, if you don't have all the information
you need, you might miss a crucial piece of evidence, which makes getting to
the truth more time-consuming and costly. So how can organisations get to
the root cause of an incident most effectively?

Challenges of forensics investigations

In any investigation where time is of the essence, it is much easier, more
accurate and usually cheaper to conduct forensics immediately rather than
after weeks or months have passed. The starting point for this is typically
examining the logs. Once a breach has happened, you're reliant on logs
generated by network devices and applications to determine the initial
cause and piece together exactly what happened. However, this can be like
finding a needle in a haystack and sifting through reams of information can
take days.

The way in which data is collected and presented can also present hurdles,
and it is not only the speed of an investigation that suffers.
The integrity of the log data itself may also be called into question in a
legal process if it has been changed from its original format. Logs need to
meet the legal standard for evidence (stored in a tamper-proof manner), and
any that have been changed or have not been securely stored may not be
accepted as evidence in a court of law.

Even for organisations that have implemented proper log collection and
management, crucial information can be missing that would enable
organisations to reconstruct the details of a breach and unveil the root
cause of the problem. Forensics investigation is especially important in
incidents where privileged accounts are affected as those accounts have the
key to the kingdom.

Building the trail of evidence is now a significant issue for organisations,
as cyber-attackers are increasingly hijacking insider accounts to gain
privileged access to IT assets. By targeting system administrators and
other 'super users' who have very high or even unrestricted access rights
on operating systems, databases and application layers, they gain the power
to destroy, manipulate or steal the company's sensitive information, such
as financial or CRM data, personnel records or credit card numbers.

Removing the blindspot

Pinpointing exactly what happened, and by whom, in a forensic investigation
can therefore be hindered on several fronts. Issues with speed of response, as
well as the scope, quality and integrity of evidential information, can
prevent investigators, whether they are internal professionals or external
agencies, from getting to the root cause and the responsible person.

New approaches to user monitoring and behavioural analytics are enabling
firms to analyse all user activity, including malicious events, throughout
IT systems. This allows enterprises to track and visualise user activity in
real time to understand what is really happening on the network. If there
has been an unexpected shutdown, data leakage or database manipulation,
the circumstances of the event are readily available in audit trails, so the
cause of the incident can be quickly identified. These recorded,
tamper-proof audit trails can be played back like a movie, recreating all
actions of the user. The audit trails are invaluable for both real-time and
post-breach investigations, and also enable automatic user behaviour
analytics.

Companies can be hit with hacks, denial of service, fraud attempts or the
theft of sensitive data. An audit trail of user actions that is
time-stamped, encrypted and signed not only provides critical evidence in the
case of legal proceedings but also gives you the assurance that you can
pinpoint the cause of an incident beyond what is tracked through log data.
When it is complemented with behavioural analytics, organisations can
reduce the time and cost of forensics investigations and, at
the same time, proactively respond to the latest threats in real time.
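As an added illustration of the tamper-proof, time-stamped and signed audit trail the article describes (not code from the article or from any product it mentions), the following Python sketch hash-chains each recorded user action to its predecessor and signs it with an HMAC, so that verification pinpoints the first entry that was rewritten or removed. The signing key and the sample actions are constructed for the demonstration.

```python
"""Tamper-evident audit trail: each record is time-stamped, hash-chained to its
predecessor and HMAC-signed, so an after-the-fact edit or deletion is detected.
Added illustration only; the key and sample actions below are constructed."""
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment it would live in an HSM or on a
# separate log server that the monitored administrators cannot reach.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # chain anchor for the very first record

# Constructed sample of privileged-user actions: (timestamp, user, action).
SAMPLE = [
    ("2016-05-17T20:00:00+00:00", "dba1", "export customers table"),
    ("2016-05-17T20:01:00+00:00", "dba1", "alter payroll table"),
    ("2016-05-17T20:02:00+00:00", "sysadmin", "shutdown database host"),
]


def _digest(prev_hash: str, body: dict) -> str:
    """Hash of the previous hash plus a canonical JSON encoding of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(trail: list, user: str, action: str, ts: str) -> dict:
    """Append one chained, signed entry describing a privileged-user action."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = {"ts": ts, "user": user, "action": action, "prev": prev_hash}
    record["hash"] = _digest(prev_hash, record)
    record["sig"] = hmac.new(SIGNING_KEY, record["hash"].encode(), "sha256").hexdigest()
    trail.append(record)
    return record


def verify_trail(trail: list) -> tuple:
    """Return (ok, index): index is the first broken entry, or -1 when intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(trail):
        body = {k: rec[k] for k in ("ts", "user", "action", "prev")}
        expected_sig = hmac.new(SIGNING_KEY, rec["hash"].encode(), "sha256").hexdigest()
        if (rec["prev"] != prev_hash or _digest(prev_hash, body) != rec["hash"]
                or not hmac.compare_digest(rec["sig"], expected_sig)):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def demo() -> tuple:
    """Intact trail verifies; a rewritten entry and a deleted entry are caught."""
    trail = []
    for ts, user, action in SAMPLE:
        append_record(trail, user, action, ts)
    intact_ok, _ = verify_trail(trail)
    edited = [dict(r) for r in trail]
    edited[1]["action"] = "read-only query"  # insider rewrites what entry 1 recorded
    _, edited_at = verify_trail(edited)
    _, trimmed_at = verify_trail(trail[1:])  # first entry removed entirely
    return intact_ok, edited_at, trimmed_at
```

Encrypting the stored records is left out here; the chain and signature are what make an alteration detectable, and the verification key must be held somewhere the audited users cannot write.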