The Sandbox
Understanding CyberForensics

Cisco recently released their “Cisco 2Q11 Global Threat Report” which provided data on the breaches and risks occurring across the world. For me, it reinforced the mantra that companies are suffering and putting themselves at risk because “they don’t know what they don’t know.”

Cisco states that advanced persistent threats (APTs) played a key role in many breaches. APTs are generally rootkit-enabled*, exhibit no visible symptoms of infection, and often employ escalation of privilege and other forms of exploit to traverse the compromised network. Malware used in this type of attack can bypass signature detection and other standard forms of security protection. As a result, APTs are seldom passively discovered; instead, active and ongoing analysis of in-house security data sources and traffic analysis is required.

In other words, standard security software may not be much help for detection. One must assume the organization has already been infiltrated at some point, and make continuous checks and forensic procedures part of daily security hygiene.

Gavin Reid, manager of the Computer Security Incident Response Team (CSIRT) at Cisco, says “an organization’s ability to detect and respond to APTs can improve when well-understood computer security incident response capabilities are deployed.”

Some of these capabilities include:

- The capacity to produce, collect, and query logs—the more the better, but at least the important ones—from a security perspective (e.g., host logs, proxies, and authentication and attribution logs).
- Some form of deep packet inspection that covers all the important “choke points” on your network.
- The ability to quickly query network connections or flows across all network choke points.
- Ongoing data analysis that can help you baseline what is normal for your enterprise, an important first step in readily identifying new or previously unseen incidents.
- Development of trust-based relationships with other organizations to share intelligence on events. For instance, join an organization like the Forum of Incident Response Teams, which helps facilitate this type of information sharing.
- Some degree of malware analysis (in-house or outside).
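The first, third and fourth capabilities above (collect and query logs, query flows across choke points, baseline what is normal) can be demonstrated with a small script. The following is an added example, not code from the original post or from Cisco: it builds a baseline from a window of host authentication logs and flow records, then flags events in a later window that the baseline never saw. The log lines, host names, addresses and the one-line flow format are all constructed for the demo; the regular expressions, the `volume_factor` threshold and the finding names are assumptions of this example, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data). Auth lines imitate an OpenSSH
# "Accepted" message; flow lines are a simplified one-record-per-line export
# from a network choke point. Both formats are assumptions of this example.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

BASELINE_AUTH = [  # a known-good window: routine key-based admin logins
    "2011-08-01T08:02:11 web01 sshd[2201]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2",
    "2011-08-01T09:15:40 db01 sshd[3310]: Accepted publickey for dba from 10.0.5.21 port 51100 ssh2",
    "2011-08-02T08:05:02 web01 sshd[2290]: Accepted publickey for deploy from 10.0.5.20 port 51090 ssh2",
]
BASELINE_FLOWS = [  # web tier talks to the database and to one web destination
    "2011-08-01T08:10:00 flow src=10.0.1.10 dst=10.0.2.5 dport=5432 bytes=20480",
    "2011-08-01T12:00:00 flow src=10.0.1.10 dst=93.184.216.34 dport=443 bytes=51200",
    "2011-08-02T08:12:00 flow src=10.0.1.10 dst=10.0.2.5 dport=5432 bytes=22000",
]
NEW_AUTH = [  # the window under review: one routine login, one unusual one
    "2011-08-03T02:41:09 db01 sshd[4410]: Accepted password for dba from 10.0.1.10 port 40211 ssh2",
    "2011-08-03T08:03:15 web01 sshd[4420]: Accepted publickey for deploy from 10.0.5.20 port 51200 ssh2",
]
NEW_FLOWS = [  # the database host sends 700 MB to a destination never seen before
    "2011-08-03T02:50:00 flow src=10.0.2.5 dst=198.51.100.7 dport=443 bytes=734003200",
    "2011-08-03T08:12:00 flow src=10.0.1.10 dst=10.0.2.5 dport=5432 bytes=21000",
]


def parse(lines, pattern):
    """Yield the named groups of every line that matches; silently skip the rest."""
    for line in lines:
        m = pattern.match(line)
        if m:
            yield m.groupdict()


def build_baseline(auth_lines, flow_lines):
    """Summarise a known-good window: observed login paths, auth methods and
    network destinations, plus the largest single flow per source address."""
    base = {
        "login_paths": set(),              # (user, host, src)
        "auth_methods": defaultdict(set),  # (user, host) -> {method, ...}
        "destinations": set(),             # (src, dst, dport)
        "max_bytes": defaultdict(int),     # src -> largest flow seen
    }
    for a in parse(auth_lines, AUTH_RE):
        base["login_paths"].add((a["user"], a["host"], a["src"]))
        base["auth_methods"][(a["user"], a["host"])].add(a["method"])
    for f in parse(flow_lines, FLOW_RE):
        base["destinations"].add((f["src"], f["dst"], f["dport"]))
        base["max_bytes"][f["src"]] = max(base["max_bytes"][f["src"]], int(f["bytes"]))
    return base


def find_anomalies(base, auth_lines, flow_lines, volume_factor=10):
    """Return (kind, detail) pairs for events the baseline never saw.
    Each finding is a lead for an analyst, not a verdict: a new login path
    may be a new administrator, or it may be lateral movement."""
    findings = []
    for a in parse(auth_lines, AUTH_RE):
        path = (a["user"], a["host"], a["src"])
        if path not in base["login_paths"]:
            findings.append(("new-login-path", f"{a['user']}@{a['host']} from {a['src']}"))
        known = base["auth_methods"].get((a["user"], a["host"]), set())
        if known and a["method"] not in known:
            findings.append(("new-auth-method",
                             f"{a['user']}@{a['host']} used {a['method']}, baseline {sorted(known)}"))
    # A source with no baseline flows is judged against the largest flow of any source.
    global_max = max(base["max_bytes"].values(), default=0)
    for f in parse(flow_lines, FLOW_RE):
        key = (f["src"], f["dst"], f["dport"])
        if key not in base["destinations"]:
            findings.append(("new-destination", f"{f['src']} -> {f['dst']}:{f['dport']}"))
        limit = base["max_bytes"].get(f["src"], global_max) * volume_factor
        if int(f["bytes"]) > limit:
            findings.append(("volume-outlier", f"{f['src']} sent {f['bytes']} bytes, limit {limit}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_AUTH, BASELINE_FLOWS)
    for kind, detail in find_anomalies(baseline, NEW_AUTH, NEW_FLOWS):
        print(f"{kind:16} {detail}")
```

Run against the constructed data, the routine web-server login and database query produce nothing, while the 02:41 password login to the database host from the web server and the 700 MB transfer to an unseen address each surface as findings. The point is the one the list makes: none of these events trips a signature, and they are only visible because the logs and flows were collected, retained across choke points and compared with a baseline of what is normal.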

On a final note, Reid adds, “If you have something of interest and you’re not seeing APT attacks in your organization, it is probably not that they are not occurring or that you’re safe. It’s more likely that you may need to rethink your detection capabilities.”

Make an effort to “know what you don’t know.”

*A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The real problem is an attacker being able to install a rootkit on a computer because he was able to obtain root-level access, either by exploiting a known vulnerability or, more likely, by obtaining a password (either by cracking the encryption, or through social engineering tactics).
