In the face of an existing threat to information resources and customer confidence, the justification for outsourcing to a specialist can be vital – a breach has occurred and the risk must be contained before additional damage can occur. But clearly quantifying IT risk after an attack can be a daunting process.
Partnering with an experienced forensics team can give an organization a unique perspective on where breaches are taking place and how they are occurring, as well as insight into how the organization should be secured and where it should focus IT security spending going forward. Furthermore, the threat to the future security posture of the organization can't be dismissed. By directing budget toward baseline security assessments, organizations can maximize their security investment.
With complex cyber attacks striking across a wide range of industries, just knowing an attack has occurred is no longer enough - organizations need to know where it happened, how it happened and why it happened. Aside from organizational drivers for a secure environment, many industries face regulatory requirements that mandate a security strategy. For instance, adoption of forensic analysis has been rapid in the financial services industry, where the sensitive nature of customer data mandates the strongest security technology available. Programs such as Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program illustrate this growing trend.
What do these organizations know that others may not? How is forensics helping them avoid further exposure and how can it help you?
The Investigation: A Network Post-Mortem
Forensic analysis can be best thought of as a network post-mortem. Much like law enforcement forensic investigators who arrive at crime scenes to gather evidence, network forensics investigators conduct a third-party examination of security breaches to "solve the case."
The on-site component of a thorough forensics investigation should focus on three key phases:
- A discovery process focused on understanding the application and network infrastructure, as well as the organization's flow of business information;
- Interviews with key personnel to collect the facts of the case from the customer's perspective and identify suitable sources of forensics data; and,
- Data collection intended to gather critical sources of forensic evidence to support the investigation, followed by comprehensive analysis.
The investigation should establish a timeline of the attack that effectively reconstructs the attacker's steps and sheds light on the extent of the breach, the tools and methods employed, as well as the source of the attack. Aside from identifying the scope and source of a suspected security breach, the investigation should also tie together bits of evidence left behind by the attacker to establish a footprint that can be used to assist in prosecution or in litigation support.
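The timeline described above only holds together if evidence from different systems is first normalised onto a single clock. The following is an added example (not from the original article): it parses constructed log fragments from a web server, a syslog host and a firewall, converts each timestamp to UTC, interleaves them into one timeline and derives two facts an investigator reports early, the dwell time between first and last observed activity and the external addresses involved. The hostnames, addresses, paths, the UTC-5 local zone and the case year supplied for syslog (which omits it) are all assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

UTC = timezone.utc
# Assumptions for this example: the web server and syslog host write local
# time (UTC-5), and syslog omits the year, so the analyst supplies the case year.
LOCAL_TZ = timezone(timedelta(hours=-5))
CASE_YEAR = 2004


class Event(NamedTuple):
    ts: datetime   # normalised to UTC so different sources interleave correctly
    source: str    # which evidence source the record came from
    actor: str     # originating address as logged
    detail: str


# Constructed sample evidence (hosts, addresses and paths are made up).
ACCESS_LOG = """\
10.9.8.7 - - [12/Mar/2004:02:14:07 -0500] "GET /admin/login.php?user=admin'-- HTTP/1.1" 200 512
10.9.8.7 - - [12/Mar/2004:02:14:22 -0500] "POST /admin/upload.php HTTP/1.1" 200 88
"""
SYSLOG = """\
Mar 12 02:15:01 web01 sshd[4021]: Accepted password for www-data from 10.9.8.7 port 51022 ssh2
"""
FIREWALL_LOG = """\
2004-03-12T07:13:40Z ALLOW 10.9.8.7:51001 -> 192.0.2.10:80
2004-03-12T07:16:30Z ALLOW 192.0.2.10:44120 -> 10.9.8.7:4444
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SYSLOG_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$')
FW_RE = re.compile(r'^(\S+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$')


def parse_access(line: str) -> Optional[Event]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status = m.groups()
    # The access log carries its own offset; %z parses "-0500".
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)
    return Event(ts, "web01/access_log", ip, f"{request} -> {status}")


def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, prog, msg = m.groups()
    # Classic syslog has no year and no zone: both are analyst-supplied assumptions.
    naive = datetime.strptime(f"{CASE_YEAR} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=LOCAL_TZ).astimezone(UTC)
    src = re.search(r"from (\S+) port", msg)
    actor = src.group(1) if src else host
    return Event(ts, f"{host}/syslog", actor, f"{prog}: {msg}")


def parse_firewall(line: str) -> Optional[Event]:
    m = FW_RE.match(line)
    if not m:
        return None
    stamp, action, src, sport, dst, dport = m.groups()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return Event(ts, "fw01", src, f"{action} {src}:{sport} -> {dst}:{dport}")


def build_timeline(access: str, syslog: str, firewall: str) -> list[Event]:
    """Parse every source, drop unparseable lines, and order by UTC time."""
    events = []
    for text, parser in ((access, parse_access), (syslog, parse_syslog), (firewall, parse_firewall)):
        for line in text.splitlines():
            ev = parser(line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def dwell_seconds(timeline: list[Event]) -> int:
    """Elapsed time from first to last recorded activity in the timeline."""
    return int((timeline[-1].ts - timeline[0].ts).total_seconds()) if timeline else 0


def external_actors(timeline: list[Event], internal_prefix: str) -> list[str]:
    """Addresses in the timeline that are not the victim's own."""
    return sorted({e.actor for e in timeline if not e.actor.startswith(internal_prefix)})


if __name__ == "__main__":
    tl = build_timeline(ACCESS_LOG, SYSLOG, FIREWALL_LOG)
    for e in tl:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.source:18} {e.actor:12} {e.detail}")
    print(f"dwell: {dwell_seconds(tl)}s  external actors: {external_actors(tl, '192.0.2.')}")
```

Run stand-alone, the firewall's inbound connection sorts before the web server's login attempt, the file upload and the SSH login, and the final outbound connection to port 4444 on the same external address closes the sequence. Read in local time, the web and firewall records would appear five hours apart; the zone and missing-year assumptions should be recorded in the case notes, because they are exactly the kind of detail challenged in litigation.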
The Pillars of Security: Making Sure the Foundation is in Place
An experienced forensics team will be able to advise organizations on common patterns of attack and links between various breach sources. Most often, the team will highlight four common exposures as the root cause: insufficient monitoring, weak application-level security, weak network security and poor patch management. Further, viewing security assessments as pillars of the security house, forensic investigations often reveal that a breach has occurred because one of the pillars is missing and the organization hasn't effectively applied proactive and reactive vulnerability assessments.
The best thing an organization can do to protect itself is to implement a best-of-breed security strategy that incorporates a baseline security assessment. This assessment should inform the design of the security architecture and be supported by an in-house security policy governing the management, daily activities and procedures of the organization. By combining in-house tools with ongoing policy compliance checks and penetration testing, organizations are better positioned to avoid attack or to support the forensic investigation once an attack occurs.
Helping the Forensics Team Help You
There are two critical mistakes an organization can make after an attack that can compromise a successful forensic investigation.
First is not maintaining the quality of the scene for investigators. Making any changes to the network prior to the investigation will slow the work of the forensics team, as they must sift through what's been changed or search for data that's been erased to find the attacker's footprint. Just as criminal investigators do, IT and security personnel should help the forensics team 'seal off' portions of the network under attack to preserve evidence.
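One concrete way for in-house staff to 'seal off' evidence while waiting for the team is to fingerprint what was collected at the moment of collection, so that any later change, accidental or otherwise, is provable. The following is an added example, not from the original article: it records a SHA-256 manifest for a set of evidence files and verifies it later, flagging files that were modified or removed. The file names, contents, collector identity and case identifier are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read evidence in 1 MiB pieces so large images don't need to fit in memory


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Seal a set of collected files: who collected them, when, and their hashes."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": [
            {"path": str(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} for every sealed item."""
    results = {}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif sha256_file(p) != item["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


def demo():
    """Constructed scenario: seal two log files, then detect a later 'clean-up'."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        access = d / "access_log"
        access.write_text('10.9.8.7 - - [12/Mar/2004:02:14:07 -0500] "GET /admin/login.php HTTP/1.1" 200 512\n')
        auth = d / "auth.log"
        auth.write_text("Mar 12 02:15:01 web01 sshd[4021]: Accepted password for www-data from 10.9.8.7 port 51022 ssh2\n")

        manifest = build_manifest([access, auth], collector="oncall@example", case_id="CASE-0001")
        manifest_path = d / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        before = verify_manifest(json.loads(manifest_path.read_text()))
        # An administrator truncates the auth log before the team arrives.
        auth.write_text("")
        after = verify_manifest(json.loads(manifest_path.read_text()))
        # Report by file name so the result is independent of the temporary directory.
        return ({Path(k).name: v for k, v in before.items()},
                {Path(k).name: v for k, v in after.items()})


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("on re-check:  ", after)
```

The manifest should be written to media the attacker (and the clean-up crew) cannot reach, and its own hash read out to a second person or signed, otherwise an attacker with access to the box can simply re-seal the altered files. The re-check after truncation returns `modified` for the auth log and `ok` for the untouched access log, which is the property that lets the forensics team trust what it is handed.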
Second is not ensuring a quick response. While this sometimes cannot be avoided, such as when a breach isn't discovered until after the fact, organizations can mitigate it by being set up to respond rapidly to incidents. This means having the proper logging and alert notification facilities in place before they are needed. Proactively selecting an experienced forensics team before a breach ever occurs will also speed response time, especially in urgent situations when time can't be wasted searching for experts who might be available.
Selecting a trusted partner to respond during the vulnerable moments after a breach can not only give an organization a valuable perspective on how it should be secured, but, more importantly, it can give peace of mind.
A. Bryan Sartin is Director of Technology for Ubizen