Chasing hackers and hacktivists

Powered by SC Magazine
 


Ever-evolving strategies and technologies are just some of the issues facing today's cybercrime investigator, reports Deb Radcliff.

An email snagged by the FireEye inline sandbox was destined for an employee working on a sensitive R&D project. The message contained detailed information about the employee and past projects he had worked on with another colleague, from whom the mail purported to come.

“The email was convincing enough to make even the most discriminating employee click the link,” says Mark Leary, CISO of TASC, a professional services company servicing US intelligence, defense and other agencies of high interest to foreign governments, terrorists and hacktivists. “When we investigated further, we realised the spear phisher got the information over LinkedIn.”

While nothing got through to the employee and no harm was done, what keeps Leary up at night is knowing that adversaries intent on espionage against his government clients are always out there – in large numbers. These attackers are funded and organised, and often are beyond the reach of the law while continually advancing their intrusion and evasion technologies.

“What we're looking at is the blurring of cybercrime, cyberespionage and cyberwarfare,” says Ronald Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab at the University of Toronto. “These activities have exploded, and criminals still have relative impunity from investigations because so many of these attacks are launched from outside the country.”

The majority of the latest cyberthreats are highly automated programs looking for low-hanging fruit on which to install botware and trojans, says David Koretz, president and CEO of Mykonos. The good news, he adds, is that law enforcement and service providers are getting proficient at investigating this type of attack.

However, more advanced threats, like those observed in the Mykonos deception traps used to protect websites, are much harder to investigate, particularly in cases of state-sponsored cyberterrorism and sophisticated organised crime.

Koretz is referring to so-called APTs (advanced persistent threats), which, over periods of time, manage to get inside systems and remain hidden to siphon money and valuable financial data and intellectual property.

Chris Novak, managing principal for the investigative response unit at Verizon Business, says that while the term “APT” is being overused by victim organisations, today's attacks are more often seeking intellectual property to sell to well-financed buyers.

“We had one case where a phone was actually brought into a store for repair before that model had even been released on the market,” says Novak. “This was reported to the phone manufacturer and when we investigated, the network activity led to a contractor's PC.”

While there have been a growing number of arrests and prosecutions in cases of international cybercrime, there's still a need for more global cooperation, says Richard Bejtlich, CSO of Mandiant and VP of the network intelligence firm's Computer Incident Response Team.

The volume of evidence produced by so many different types of crime, along with the growing number of attack surfaces from which evidence must be gathered, is causing backlogs in investigations and highlighting the need for new standardised tools to support new forms of investigation.

For example, Jim Christy, retired special agent and director of Future Exploration for the Department of Defense Cybercrime Center, points to mobile phones, e-readers, iPads/notebooks, smartphones and backup media devices – all of which have different operating systems, and versions that call for specialised evidence recovery tools.

While there are solutions available for different phones and storage devices, standardisation of how these platforms collect and store data for imaging and searching would greatly help investigators, Christy says.

Then there's investigating in the cloud. For example, how does one search someone's mail when they keep it in the Gmail or Yahoo cloud, asks Duncan Monkhouse, international president for the High Tech Crime Investigative Association.

“The cloud cases are there,” says Monkhouse. “How the evidence is gathered, verified and used to prove culpability are all different in the cloud.”  

He describes one case that involved DropBox, Microsoft instant messenger, Gmail and Yahoo accounts all in the cloud. After initial imaging of the suspect's computer memory, investigators searched through the browser history to find these accounts and their login names and passwords.

Then they used another mobile application to download the contents of these web accounts to a folder on an evidentiary backup disk and copied that to another disk for searching. This folder was imaged to create a working copy for analysis.

So regardless of the medium in which the data is stored, the initial steps of evidence gathering – preserving and imaging the evidence – still apply, says Kimberly Peretti, director of PricewaterhouseCoopers' forensic technologies practice and former prosecutor for the US Department of Justice.
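The cloud case above ends with account contents downloaded to an evidentiary disk, copied, and imaged for analysis. The step that makes those copies usable as evidence is the one the article only names: preserving the collected set so that any later working copy can be shown to match it. The following is an added example, not code from the article or from any of the firms it quotes. It writes a SHA-256 manifest over a collected folder, produces a working copy, and verifies the copy against the manifest, flagging modified, missing or extra files. The directory names, file names and file contents are constructed for the demonstration; in practice the manifest hash would be recorded in the case notes alongside the disk's own image hash.

```python
"""Evidence preservation: hash manifest plus verified working copy.

Added illustrative example (not from the article). Models the last step of the
cloud-evidence workflow described above: contents pulled from web accounts land
in an evidentiary folder, a hash manifest is written for that folder, and every
working copy handed to analysts is verified against the manifest before use.
The directory layout and sample files below are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large mailbox exports never load whole into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map every file under evidence_dir (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(evidence_dir).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(evidence_dir: Path, manifest_path: Path) -> str:
    """Write the manifest as sorted JSON and return the hash of the manifest
    file itself; recording that one value seals the whole set of files."""
    manifest = build_manifest(evidence_dir)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(manifest_path)


def make_working_copy(evidence_dir: Path, working_dir: Path) -> None:
    shutil.copytree(evidence_dir, working_dir)


def verify_copy(copy_dir: Path, manifest_path: Path) -> list:
    """Return a list of discrepancies; an empty list means the copy matches."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(copy_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Run the workflow on constructed data; returns (clean_problems, tampered_problems)."""
    root = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    try:
        evidence = root / "acct-export"
        (evidence / "gmail").mkdir(parents=True)
        (evidence / "dropbox").mkdir()
        # Constructed sample content standing in for downloaded account data.
        (evidence / "gmail" / "inbox.mbox").write_bytes(
            b"From alice@example.test\nSubject: test\n\nhello\n")
        (evidence / "dropbox" / "notes.txt").write_bytes(b"project notes\n")

        manifest = root / "acct-export.manifest.json"  # kept outside the evidence tree
        write_manifest(evidence, manifest)

        # Working copy 1: untouched, so it verifies clean.
        work1 = root / "work1"
        make_working_copy(evidence, work1)
        clean = verify_copy(work1, manifest)

        # Working copy 2: an analyst edits a file and drops a scratch file; both are flagged.
        work2 = root / "work2"
        make_working_copy(evidence, work2)
        (work2 / "dropbox" / "notes.txt").write_bytes(b"project notes (edited)\n")
        (work2 / "scratch.txt").write_bytes(b"analyst scratch\n")
        tampered = verify_copy(work2, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy:", clean or "OK")
    print("tampered copy:", tampered)
```

The manifest is kept outside the folder it describes so that writing it does not change the set it seals, and the working copy is verified on every hand-off rather than once, since the point of a working copy is that analysts will alter it.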

“Investigations are becoming more difficult, but there are also new sources of information and evidence trails left behind,” says Peretti, who calls this time period the “era of cybercrime.”

For example, at least one new type of threat – hacktivism – is actually leaving evidence trails that are leading to arrests and prosecutions. Collectives, such as Anonymous and LulzSec, post data they've taken from government, commerce and gaming sites, and when they talk about their exploits on blogs and Twitter, they're leaving clues behind that can be followed and linked together, Peretti says.

As new bad actors and attack surfaces enter the cybercrime scene, there has also emerged a demand for skills that exceeds supply. Mandiant's case-load is growing significantly every year, which is causing backlogs of two weeks to two months, even though the company says it is continuously training and hiring.

The US Department of Defense Cybercrime Center is also experiencing exponential growth of investigations – as well as volume of data to be processed, says Christy.

To develop new talent and tools, Christy's agency sponsors an annual “Digital Forensics Challenge,” which drew participation from more than 920 teams this year who presented at the DoD's annual Cybercrime Conference in January.

“In today's investigations, almost every case has a cyber element,” Christy says. “For that, we're going to need an educated workforce – and more tools.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

