Cyberattack CSI: Forensics investigations should start with pre-attack analysis

Tom Rowley Security Strategist, Savvius

Enterprise security teams have historically spent a lot of time, human resources, and money on developing strong defenses such as firewalls and deploying equipment and software like intrusion detection systems (IDS) to monitor the security of their networks. In fact, most enterprises have built an impressive level of expertise when it comes to configuring and monitoring these tools.

Nevertheless, as we all know, breach detection and prevention technologies are not foolproof. Given attackers' success in penetrating standard corporate defenses, enterprise teams are looking beyond these well-known technologies and incorporating better tools and training that deal specifically with incident response once attacks have been discovered.

Better tools are needed. But which ones?

So, what are the key attributes of these "better tools" security teams need to enhance post-breach forensic investigations? Probably the most important one is the ability to capture an accurate and complete record of what happened in the attack. This means that the system needs to save not only a history of the network activity that occurred the moment an attack was detected, but also the network data from a few minutes before the attack, enabling security teams to get a better view of how it unfolded.

Consider this example: Every enterprise is constantly besieged with port scans, which are remote attempts to detect and penetrate open server ports. Most of the time, these ports don’t have any vulnerabilities and the security appliances just shrug off the thousands of scans from international sites that occur every minute.

A specifically tailored scan, buried among all the others, detects a known vulnerability in a web server. A couple of minutes after the vulnerable web server has been found, the attackers use a known exploit to penetrate that server. With a little bit of digging, the attackers find some information they want to retrieve and crack, such as encrypted password files. They begin to exfiltrate that data back to their attack server, at which point the IDS finally detects the outbound data and signals an alert.

Once you're attacked, it's too late

As you can see, many security appliances begin capturing and saving network and packet data only at the point when the alert has been triggered. But a well-designed forensics investigation (FI) tool will have been continuously buffering the network traffic for some period before any alert took place. Then, the device is capturing not only a record of the data being accessed by the attackers (which is certainly valuable), but a complete history of everything that led up to the attack as well.

When the FI tool is able to save and recall packets from several minutes before the IDS’s belated alert, the security team can reconstruct the attackers’ approach, their reconnaissance, and how the actual exploitation played out. This ultimately enables the team to patch the web server’s vulnerability to stop the same attack from happening again.

Without those precious minutes of network traffic preceding the alert, the security team may know which passwords were compromised but not how the attackers actually cracked the server.
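As an added illustration (not code from the article or from Savvius), the following Python sketch models the rolling pre-alert buffer described above: flow records are retained for a bounded window, and when the IDS fires, the minutes preceding the alert are frozen for the investigation and compared with what an alert-triggered capture alone would have kept. The timeline, addresses and labels are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    ts: float    # seconds since capture start (constructed timeline)
    src: str
    dst: str
    dport: int
    note: str    # label used only for this illustration

class PreAttackBuffer:
    """Keeps the most recent `retention_s` seconds of traffic, evicting older
    records as new ones arrive, so the minutes before 'now' are always held."""
    def __init__(self, retention_s: float):
        self.retention_s = retention_s
        self._buf: deque[FlowRecord] = deque()

    def record(self, rec: FlowRecord) -> None:
        self._buf.append(rec)
        cutoff = rec.ts - self.retention_s
        while self._buf and self._buf[0].ts < cutoff:   # age out old records
            self._buf.popleft()

    def snapshot(self, alert_ts: float, lookback_s: float) -> list[FlowRecord]:
        """Freeze records in [alert_ts - lookback_s, alert_ts] for the investigation."""
        start = alert_ts - lookback_s
        return [r for r in self._buf if start <= r.ts <= alert_ts]

def alert_only_capture(records, alert_ts):
    """What a device that only starts saving at the alert would have kept."""
    return [r for r in records if r.ts >= alert_ts]

# Constructed timeline mirroring the article's scenario (not real data).
TIMELINE = [
    FlowRecord(0.0,   "198.51.100.7", "10.0.0.5",     80,  "tailored scan of web server"),
    FlowRecord(1.0,   "198.51.100.7", "10.0.0.5",     443, "scan continues"),
    FlowRecord(130.0, "198.51.100.7", "10.0.0.5",     80,  "exploit against known flaw"),
    FlowRecord(185.0, "10.0.0.5",     "10.0.0.20",    445, "encrypted password file read"),
    FlowRecord(240.0, "10.0.0.5",     "198.51.100.7", 443, "outbound exfiltration"),
]
ALERT_TS = 240.0  # IDS fires only on the outbound transfer

def investigate(retention_s: float = 600.0, lookback_s: float = 300.0):
    """Replay the timeline into the buffer; return (pre-attack view, alert-only view)."""
    buf = PreAttackBuffer(retention_s)
    for rec in TIMELINE:
        buf.record(rec)
    return buf.snapshot(ALERT_TS, lookback_s), alert_only_capture(TIMELINE, ALERT_TS)
```

Shrinking `retention_s` below the time between scan and alert shows the trade-off the article is making: the scan and exploit records age out of the buffer before the IDS ever fires.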

There is reason for optimism. In any well-constructed and maintained enterprise security system, one or more of the installed monitoring appliances is likely to trigger when it encounters certain attacker behavior. The attacker is going to misuse the network or access restricted data, and these unusual actions will likely be discovered.

However, it is more than likely that the IDS will not be triggered by the early actions of attackers; they may be able to access the compromised system for some period of time before being detected. The median time to detect an attack is 86 days, or nearly three full months, according to a recent Trustwave security report. Another study by The Ponemon Institute added that the median time required to resolve these attacks is 46 days.

Leaning on the log is key

The ability to save and recover network and log data for minutes, days, or weeks prior to a particular incident can be critical in unraveling an attack and discovering what damage was done, while preventing the same or similar vulnerabilities in the future. With attacks becoming more frequent and more sophisticated, it’s obvious that the incident response process has a lot of room for improvement.

How is your organization improving on detection and resolution of attacks? Share your strategy and thinking on improving on these fronts.