Crime scene

Piers Ford peers into the murky world of post-incident IT forensics – where response time is everything if you want to catch the perpetrator. But will companies admit their breaches in time – and is the Middle East really prepared to handle the consequences of an attack?

By Piers Ford. Published February 14, 2009


Your cyber walls are under siege. Hackers, malware, viruses and Trojan horses are constantly chipping away at them in search of cracks that will allow them access to your prize digital assets.

And if that isn't enough, there are probably people already inside your organisation who are compromising the security of those assets through fraud or data theft.


This might sound like scaremongering, but the truth is that nobody is immune from digital crime today. With estimates of the global cost of computer crime ranging from US$10 billion all the way up to $200 billion, protecting corporate systems and data against the constant threat of attack is a major headache for every CIO.

But however much effort goes into the creation of preventive security policies and investment in firewalls and anti-virus tools, too many IT managers are reluctant to face up to the inevitable.

The cyber walls will be breached at some point. And even if they aren't, the systems might be under fire internally. What plans do you have in place to preserve the scene of the crime when the worst happens? In most cases, it would appear, very few.

"The Middle East has seen an increase in hacker activity as organised criminals continue to target financial institutions and merchants who handle credit card data," says Steve Anson, a director who manages the Dubai office of computer forensics and incident response consultancy Forward Discovery.

"With the global economic downturn, we also anticipate that threats from the inside of organisations will increase as layoffs and downsizings leave employees and former employees disgruntled and financially challenged," he continues.

"The truth of the matter is that in today's environment, if you detect one compromised computer on your network, there are probably more. Many organisations are lulled into a false sense of security due to their use of firewalls, intrusion prevention systems and anti-virus software," adds Anson.

Anson says that useful as these systems are, most of them are signature based and do not protect against unique variants of malware that are used to infiltrate a network.

"A large number of incidents are identified by unusual activity that is observed by users or system administrators, so that training of these individuals is especially important," he adds.

"The best course of action is to treat each incident with care and to always assume the worst. That way, when the worst happens, your response will be timely and appropriate."

The trouble is that many CIOs are reluctant to assume the worst, making it very difficult for forensic IT specialists when they are called in to investigate a suspected crime. Anson says the best time to respond to an incident is "before it happens".

"What I mean by this is that security incidents leave behind a trail of clues for digital forensic investigators to discover. With proper planning, your organisation can help ensure that these clues leave a much clearer trail, allowing for a more rapid and effective response," he continues.

"By performing forensic readiness assessments and planning before an incident, organisations can ensure that their networks are logging and recording the evidence that will later be necessary to detect exactly what occurred after an incident. If the incident was never recorded due to poorly configured auditing or access control then the chances of a successful investigation can be greatly impacted."

How to preserve the scene

Forewarned is forearmed and at the very least, CIOs should have a predefined response plan in place. Ideally, a system should be untouched from the moment a crime is suspected to the arrival of the digital forensic expert, advises Steve Anson, director of Forward Discovery's Dubai office.

But if this is not practical, it should at least be isolated from the others on the network. Many pieces of malware sit only in RAM, so even turning the system off can lead to the destruction of vital evidence.

"It is important to involve properly trained forensic examiners in the incident response as soon as possible," he says. "Many system administrators feel compelled to conduct their own internal investigation. Without proper training, such activity can destroy the very evidence that it seeks to discover."

Anson explains that proper techniques must be used to ensure that the evidence is not destroyed by the acts of the unskilled or untrained investigator.

Since log files, time stamps, and other automatically generated data are impacted by system and user activity, these are particularly vulnerable to destruction through the acts of well-intentioned users or administrators. By accessing files, for example, the last accessed times for these files are changed and evidence correlating them temporally to the incident can be lost.

"Even the simple act of delay can destroy evidence," he adds. "Most log files are scheduled to overwrite in a first-in-first-out fashion. The longer the delay between an incident and its investigation, the greater the chance that vital clues will be overwritten either by automatic systems (like log rotation) or the actions of other users.

"It is important to begin the process of evidence preservation as soon as practical after the discovery of an incident. This again points to the requirement to have a predefined incident response team and plan in place before an incident. This will ensure that the appropriate steps can be taken without undue delay."
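The two points Anson makes above, that simply opening a file alters its last-accessed time and that delay lets log rotation overwrite evidence, both argue for capturing file metadata and content hashes the moment an incident is suspected. The script below is an added illustration written for this article, not a Forward Discovery tool: it records each file's timestamps before it reads a single byte, reads with O_NOATIME where the platform offers it so the hashing step does not itself disturb the access time, and writes a manifest that can later show which files changed. The directory layout and log contents in the demo are constructed for the example.

```python
"""Forensic-readiness snapshot (added example, hypothetical tool).

Record stat() metadata and SHA-256 hashes for every file under a
directory so that later handling, or log rotation, cannot silently
erase what the system looked like when the incident was first noticed.
"""
import hashlib
import json
import os
import stat
import tempfile
import time
from pathlib import Path


def _open_without_touching_atime(path):
    """Open read-only, asking the kernel not to update the last-accessed
    time. O_NOATIME exists on Linux only and needs file ownership or
    CAP_FOWNER; elsewhere, or on permission failure, fall back to a
    plain open (the atime was already recorded by the caller)."""
    flags = os.O_RDONLY
    noatime = getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, flags | noatime)
    except PermissionError:
        fd = os.open(path, flags)
    return os.fdopen(fd, "rb")


def snapshot_file(path):
    """Capture metadata FIRST, then hash the content.

    Order matters: hashing reads the file, and on many filesystems a
    read updates atime, so the timestamps are recorded before any read.
    """
    p = Path(path)
    st = p.lstat()                     # lstat: do not follow symlinks
    record = {
        "path": str(p),
        "size": st.st_size,
        "inode": st.st_ino,
        "mode": stat.filemode(st.st_mode),
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
    }
    if stat.S_ISREG(st.st_mode):       # hash regular files only
        digest = hashlib.sha256()
        with _open_without_touching_atime(p) as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        record["sha256"] = digest.hexdigest()
    return record


def snapshot_tree(root):
    """Walk a directory tree and build an evidence manifest."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            entries.append(snapshot_file(os.path.join(dirpath, name)))
    return {"collected_at": time.time(), "root": str(root), "entries": entries}


def write_manifest(manifest, out_path):
    """Persist the manifest and return the SHA-256 of the written bytes,
    which is what you note in the custody record for the manifest itself."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(manifest):
    """Re-hash every file in the manifest; return the paths whose content
    no longer matches what was captured at collection time."""
    changed = []
    for entry in manifest["entries"]:
        if "sha256" not in entry:
            continue
        current = snapshot_file(entry["path"])
        if current.get("sha256") != entry["sha256"]:
            changed.append(entry["path"])
    return changed


if __name__ == "__main__":
    # Constructed demo: a throwaway directory with a made-up log file.
    demo_dir = tempfile.mkdtemp(prefix="evidence-")
    log_path = os.path.join(demo_dir, "auth.log")
    with open(log_path, "wb") as fh:
        fh.write(b"Jan 01 00:00:01 host sshd: Failed password for root\n")
    manifest = snapshot_tree(demo_dir)
    manifest_hash = write_manifest(manifest, os.path.join(demo_dir, "manifest.json"))
    print("manifest sha256:", manifest_hash)
    print("unchanged files:", verify_against_manifest(manifest) == [])
```

Point the script at a copy or a read-only mounted image rather than the live system where possible; on a live host, run it before anyone else opens files on the box, since the recorded atime values are only meaningful if the snapshot is the first read after the incident.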
