Sun 15 Feb 2009 04:00 AM

Crime scene

Piers Ford peers into the murky world of post-incident IT forensics – where response time is everything if you want to catch the perpetrator. But will companies admit their breaches in time – and is the Middle East really prepared to handle the consequences of an attack?

Your cyber walls are under siege. Hackers, malware, viruses and Trojan horses are constantly chipping away at them in search of cracks that will allow them access to your prize digital assets.

And if that isn't enough, there are probably people already inside your organisation who are compromising the security of those assets through fraud or data theft.

This might sound like scare mongering but the truth is that nobody is immune from digital crime today. With estimates of the global cost of computer crime ranging from US$10 billion all the way up to $200 billion, protecting corporate systems and data against the constant threat of attack is a major headache for every CIO.

But however much effort goes into the creation of preventive security policies and investment in firewalls and anti-virus tools, too many IT managers are reluctant to face up to the inevitable.

The cyber walls will be breached at some point. And even if they aren't, the systems might be under fire internally. What plans do you have in place to preserve the scene of the crime when the worst happens? In most cases, it would appear, very few.

"The Middle East has seen an increase in hacker activity as organised criminals continue to target financial institutions and merchants who handle credit card data," says Steve Anson, a director who manages the Dubai office of computer forensics and incident response consultancy Forward Discovery.

"With the global economic downturn, we also anticipate that threats from the inside of organisations will increase as layoffs and downsizings leave employees and former employees disgruntled and financially challenged," he continues.

"The truth of the matter is that in today's environment, if you detect one compromised computer on your network, there are probably more. Many organisations are lulled into a false sense of security due to their use of firewalls, intrusion prevention systems and anti-virus software," adds Anson.

Anson says that useful as these systems are, most of them are signature based and do not protect against unique variants of malware that are used to infiltrate a network.

"A large number of incidents are identified by unusual activity that is observed by users or system administrators, so that training of these individuals is especially important," he adds.

"The best course of action is to treat each incident with care and to always assume the worst. That way, when the worst happens, your response will be timely and appropriate."

The trouble is that many CIOs are reluctant to assume the worst, making it very difficult for forensic IT specialists when they are called in to investigate a suspected crime. Anson says the best time to respond to an incident is "before it happens".

"What I mean by this is that security incidents leave behind a trail of clues for digital forensic investigators to discover. With proper planning, your organisation can help ensure that these clues leave a much clearer trail, allowing for a more rapid and effective response," he continues.

"By performing forensic readiness assessments and planning before an incident, organisations can ensure that their networks are logging and recording the evidence that will later be necessary to detect exactly what occurred after an incident. If the incident was never recorded due to poorly configured auditing or access control then the chances of a successful investigation can be greatly impacted."

How to preserve the scene

Forewarned is forearmed and at the very least, CIOs should have a predefined response plan in place. Ideally, a system should be untouched from the moment a crime is suspected to the arrival of the digital forensic expert, advises Steve Anson, director of Forward Discovery's Dubai office.

But if this is not practical, it should at least be isolated from the others on the network. Many pieces of malware sit only in RAM, so even turning the system off can lead to the destruction of vital evidence.

"It is important to involve properly trained forensic examiners in the incident response as soon as possible," he says. "Many system administrators feel compelled to conduct their own internal investigation. Without proper training, such activity can destroy the very evidence that it seeks to discover."

Anson explains that proper techniques must be used to ensure that the evidence is not destroyed by the acts of the unskilled or untrained investigator.

Since log files, time stamps, and other automatically generated data are impacted by system and user activity, these are particularly vulnerable to destruction through the acts of well-intentioned users or administrators. By accessing files, for example, the last accessed times for these files are changed and evidence correlating them temporally to the incident can be lost.

"Even the simple act of delay can destroy evidence," he adds. "Most log files are scheduled to overwrite in a first-in-first-out fashion. The longer the delay between an incident and its investigation, the greater the chance that vital clues will be overwritten either by automatic systems (like log rotation) or the actions of other users.

"It is important to begin the process of evidence preservation as soon as practical after the discovery of an incident. This again points to the requirement to have a predefined incident response team and plan in place before an incident. This will ensure that the appropriate steps can be taken without undue delay."

But what if you haven't responded in advance? Simon Janes is operations director at the Computer Forensic Alliance, a UK organisation which has done some work in the Middle East. He confirms that digital crime is increasingly common in the region.

"The long and the short of it is that no matter where you are, you're a global company these days," he says. "And any information that you have - whether it's a customer database or financial documents - has an intrinsic value to somebody. And no matter how they attempt to compromise it, there will be some evidence on a computer, a network or a device; and that rich vein of evidence must be preserved."

This is the equivalent of bagging the smoking gun. The compromised computer - whether it's a corporate server or the CEO's desktop - is the scene of the crime, and any modifications will hold the clues.

Similarly, a machine used by the criminal to access corporate data will contain traces of files that have been opened. Something as fundamental as Word creates temporary files which constitute a raft of evidence for forensic investigators.

"But every time that computer is turned on, the evidence becomes weaker. It should be locked in a cupboard and a professional called in," says Janes. "Don't wait for the laptop to leave the business! We see this time and again: '$5000 is missing and we suspect X but we haven't stopped him from taking his laptop home every evening.'"

"When actually conducting an investigation, almost any piece of information can be a potential clue," agrees Anson. "Seemingly legitimate access to files or systems may actually be unauthorised use of a compromised account to steal sensitive data. Date and time stamps from files can provide critical information regarding the timing of the incident and the files and systems impacted by the incident."

"Since each incident is unique, there is no fixed template for conducting a digital forensic examination. The investigative ability of the examiner is just as important as his or her technical skills," he continues.

The advent of the bit copy - a comprehensive image of everything on the hard drive - has made it easier for forensic detectives to analyse changes and establish a chain of evidence by securing the original and working on an exact copy. Successful prosecutions will almost certainly require evidence that the evidence itself has not been tampered with!
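The two preservation points made above, that the original must be secured and only an exact copy worked on, and that file timestamps change as soon as anyone touches the files, can be shown in a few lines. The following is an added example, not code from the article or from any of the firms quoted in it: it records a file's MAC times before reading it, takes a raw bit-for-bit copy of a constructed "suspect disk", hashes original and image with SHA-256 to prove they match, and later re-verifies the image so that any alteration of the working copy is detected. The file names, the SHA-256 choice and the sample disk contents are all assumptions of this example.

```python
"""Added example: raw evidence imaging with hash verification and a
metadata snapshot. Not the article's code; all names and data are
constructed for illustration."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read/write in 1 MiB chunks so large images stream


def sha256_file(path: str) -> str:
    """Hash a file in chunks; the digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_metadata(path: str) -> dict:
    """Capture size and atime/mtime/ctime BEFORE the file is opened,
    because opening it may itself update the access time."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def image_evidence(source: str, image: str) -> dict:
    """Bit copy: stream raw bytes from source to image without
    interpreting any filesystem, then hash both sides. Returns a
    chain-of-custody record the investigator keeps with the image."""
    meta = snapshot_metadata(source)          # record first, touch second
    source_hash = sha256_file(source)         # fingerprint of the original
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = sha256_file(image)
    return {
        "source": source,
        "image": image,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,   # copy is exact
        "source_metadata": meta,
    }


def verify_image(image: str, record: dict) -> bool:
    """Re-hash the working copy and compare with the recorded digest;
    False means the copy no longer matches what was acquired."""
    return sha256_file(image) == record["image_sha256"]


def demo() -> tuple:
    """Run the workflow on a constructed disk and show that tampering
    with the working copy is caught. Returns (verified_at_acquisition,
    verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_disk.raw")      # hypothetical name
        img = os.path.join(tmp, "suspect_disk_copy.raw")  # hypothetical name
        # Constructed sample "disk": a deterministic byte pattern plus a
        # recognisable string an examiner might later search for.
        with open(src, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 16 + b"deleted_invoice.docx")
        record = image_evidence(src, img)
        ok_before = verify_image(img, record)
        # Simulate someone altering the working copy: byte 10 is 0x07 in
        # the pattern above, so writing "X" is guaranteed to change it.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        ok_after = verify_image(img, record)
        return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

In practice the original drive would be read through a hardware write blocker and the acquisition hash recorded on paper alongside the image; the point the code makes is the order of operations: snapshot metadata, hash, copy, hash again, and re-verify every time the copy is handled.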

But taking a bit copy once a target machine has been identified should simply be one of a series of procedures according to Dominic Storey, technical director at enterprise threat management system vendor Sourcefire.

The company has developed a range of tools to protect and monitor systems in real time and deal with the fallout when defences are breached. Various hardware media, software and networks are all analysed so that every eventuality can be dealt with.

"One of our tools is Real Time User Awareness (RUA) technology," he says. "Computer crime is committed by people, so why should securing your systems just tell you about the machine, and not the people using it? This technology identifies who is using the machine and what's travelling across the wire so that if they are committing fraud, it can capture that information in packets.

"Two months ago, I visited several customers in the UAE and it was clear that a huge backdrop of IT is being implemented to support the phenomenal growth in the region. That all needs protecting. All the businesses and banks need to protect their uplinks and downlinks. And CIOs are beginning to take it responsibly rather than taking the line of 'what will be, will be'," concludes Storey.

The view from the outside

Digital criminals get away with their crimes because forensic analysis is not an exact science and they are often able to keep one step ahead of the detectives, even where there is a trail of evidence to follow.

That's the bad news, according to Petko Petkov, information security consultant and founder of think tank Gnucitizen, which aims to advance public understanding of offensive and defensive information security technologies.

Petkov agrees that where the attacker's equipment has been confiscated and secured, forensic analysis can be effective. The trouble is that few CIOs or system administrators are forensic experts themselves, which means that practically everything they are likely to do in response to a suspected crime (in the absence of a response plan) - shut down the system or the network - will probably destroy the evidence.

"Another factor that you need to consider is that not that many companies will be interested in forensics for a few reasons," he says.

"First of all, companies rarely report security incidents in order to save themselves public humiliation. Second, companies often do not report security incidents because they don't know that they have been compromised. Those who do detect the compromise may not report to their superiors for fear of losing their jobs."

Petkov says education is the best way for organisations to improve their digital security, rather than spending the bulk of their security budgets on preventive products which do not take into account the more obscure ways in which security can be compromised.

"The more educated people are, the smaller the chances for someone to make the most fatal mistake for the organizations they are working for," he says. "And this is the reason why we concentrate our efforts on educating people through our briefings and by following on security issues with our blog."