SANS Digital Forensics and Incident Response Blog

Case Leads: DFIR Lessons from Sandy; The Advanced Persistent Intruder; The Secure Breach; Windows 8 Forensics; South Carolina Tax Info Protected by "TWO FIREWALLS"

The general public is getting a lesson in incident response from the post-Hurricane Sandy storm damage in the Northeastern United States. Your Case Leads blogger is working on incident responses related to the storm. Many non-technical professionals have had a chance to witness the challenges of DFIR, and some are starting to ask very intelligent questions: How resistant are IT systems to intentional cyber attacks? Could attackers do more damage than a natural disaster? We have stories this week that approach the question this way: Do we need a strategic shift in how we respond to incidents? Listen to the interview with Conrad Constantine for his take on a new approach to incident response.

Before the storm coverage saturated the news, there was a flurry of news stories following Secretary of Defense Leon Panetta's statements on how poorly prepared the nation's critical infrastructure is against cyber attacks. And, after Hurricane Sandy, Homeland Security Secretary Janet Napolitano said, "If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities." A more fundamental question: Do we need an entirely different strategic approach to both incident response and information security? Is the new normal a threat surface where attackers are persistently in our networks with a cocktail of attacks? If so, then the non-technical manager's response to cyber attacks should not be to "fix the hole" and install "stronger firewalls." In the new normal, DFIR professionals must protect information assets while under "live fire." Maybe we should recognize that the new normal is what could be called the Advanced Persistent Intruder. More about this in our Good Reads/Good Listens section this week.

In our tools section, forensic tool vendors are starting to announce support for Windows 8, and we have another interesting toolkit for the Windows platform. It will be interesting to see how long it will take for the vendors to offer forensic tools for Windows RT, the new, special version of Windows for Surface tablets.

Good Reads/Good Listens:

  • The New Normal? Cyber War Rooms: Why IT Needs New Expertise To Combat Today's Cyberattacks
  • The New Normal? Breach prevention is dead. Long live the 'secure breach'
  • The Traditional Approach: What to Do If You Have a Security Breach in Your Data Center
  • Companies Should Think About Hacking Back Legally, Attorney Says. Fighting back against cyber criminals can be risky, but there are legal ways to do it, says Hacker Halted speaker.
  • Conrad Constantine of Alien Vault talks about a new approach to incident response on CyberJungle Radio. His segment begins at about the 19-minute mark. You may download the file directly — great for listening on many smartphones. Or, you may go to the listening options page on the site and browse for other ways to hear the show. Disclosure: This blogger is the host of CyberJungle Radio.
  • Ben Rothke writes this review of Digital Forensics for Handheld Devices: "... author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court. One of the reasons many computer crime cases fail to be prosecuted is that the evidence was not properly handled and could therefore not be admitted into court." Amen. Read more in this SlashDot posting.
  • Forensic Analysis of Windows 7 Jump Lists: The Jump List feature presents "...the user with links to recently accessed files grouped on a per application basis. The records maintained by the feature have the potential to provide the forensic computing examiner with a rich source of evidence during examinations of computers running the Microsoft Windows 7 Operating System. This paper explores the type and level of information recorded by the Jump List feature, the structure of those records and the user actions which result in them being updated."

News Items:

  • Panetta Sounds Alarm on Cyber-War Threat: Defense Secretary Leon Panetta issued what he said is a "clarion call" ... for Americans to wake up to the growing threat posed by cyber war.
  • Janet Napolitano warns of cyberattack on utilities: A debilitating cyberattack on power plants or water systems could produce the same sort of rampant outages and widespread disruptions caused by Hurricane Sandy, Homeland Security Secretary Janet Napolitano warned...
  • South Carolina Tax Info Breach: Government officials are amazed, since their network had "two firewalls."
  • Hiring InfoSec Pros: Do We Need To Throw Out The Rules?
  • This week was Halloween. SonicWall put a fun infosec quiz online. It does have a main focus on firewalls (no shock), but it is still worth checking out: InfoSec Zombie Apocalypse

Coming Events:

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk show on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard and a member of the High Tech Crime Investigators Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor.