Wednesday, April 02, 2008

Detection, Response, and Forensics Article in CSO

I wrote an article for CSO Online titled Computer Incident Detection, Response, and Forensics. It's online now, and it should appear in the next print edition as well. From the beginning of the article:

2008 is a special year for the digital security community. Twenty years have passed since the Morris Worm brought computer security to the attention of the wider public, followed by the formation of the Computer Emergency Team/Coordination Center (CERT/CC) to help organizations detect, prevent and respond to security incidents. Ten years have passed since members of the L0pht security research group told Congress they could disable the Internet in 30 minutes. Five years have passed since the SQL Slammer worm, which was the high point of automated, mindless malware. The Internet, and digital security, have certainly changed during this period.

The only constant, however, is exploitation. For the last twenty years intruders have made unauthorized access to corporate, educational, government, and military systems a routine occurrence. During the last ten years structured threats have shifted their focus from targets of opportunity (any exposed and/or vulnerable asset) to targets of interest (specific high-value assets). The last five years have shown that no one is safe, with attackers exploiting client-side vulnerabilities to construct massive botnets while pillaging servers via business logic flaws.

Read more here.


H. Carvey said...

Excellent article! I fully agree with most of your points, particularly regarding incident response and forensics, albeit for reasons different than those presented in the article.

Case in point...customer calls with regards to an intrusion, and reports that one system in particular was found sending traffic off of the infrastructure, to an IP address out "on the Internet". Prior to calling for assistance, the system was disconnected from the network and rebooted. No volatile data was preserved, nor was any actual network traffic captured.

The customer's question was, "What was the system sending out?"

Anonymous said...

With regard to the data center comment...I share your idealogical view on this, many data centers run VMs for that reason. Redundancy and some type of quasi-security to mention a few reasons. Push the reset button and drive on - few care about prosecution – it costs them time and money. I like the idea of forensic examination of virtual machines and their “file systems” in this case.

The strategy of “pulling the plug” is not a discredited process in the “forensic” community. With regard to intrusion cases and the like, yes, you would be correct in my opinion – “memory” is where it's at. With regard to “every day” child pornography cases, no, you would not be correct in my opinion. Unfortunately, attorneys and the like take these (your) words literally and like to through them in the face of the average gum shoe forensic investigator. Though what you say may be considered the “best practice” when performing digital forensic investigations (in many cases), your sentiments have been echoed throughout some forensic communities without regard to case specifics. I point this out simply because there needs to be a bit more responsibility with regard to broad brush classifications within this field, like the statement within the article. Many interpret this to mean that pulling the plug is not acceptable and should not, could not and never shall be utilized in forensic related investigations, all without distinction.

For many years, security professionals and vendors, such as Technology Pathways (ProDiscover) and Guidance Software (EnCase) have been saying the same thing with regard to live preview and capture of information - not a particularly new view. Forensic imaging should never have been referred to as a "bit for bit copy" since it was never an accurate depiction of the situation - technically speaking. This was a term devised due to the "dumbing" down of the matter at hand for juries and specifically judges. This was done in an effort to assist them with comprehension, while being used as a sales term to gain confidence with law enforcement. Juries now demand perfection in these cases and settle for little less - regardless of the insurmountable evidence otherwise presented.

Forensics has become a term that must be used rather carefully in todays digital climate. If we are not specific with our wording and we don't soon accept that judges, prosecutors, district attorneys and the like - not to mention juries - are NOT tech savvy, forensics will be in serious trouble. Those in the justice system are only seeing the beginning of what could very well be end of "forensics" as we have been taught – good, bad or indifferent.

The point I am attempting to make here is simply this. You, I and others within this field need to educate those needing educated with regard to terminology, ideology and accepted practices with a concentration on the “prize” or goal – not necessarily the methodology. Most areas within the security field are still considered “black magic” and “Voodoo” by the average “joe” and need to be addressed accordingly.

With great respect and regards,

MC. Taylor