Community: Featured Paper


SANS Top 7 New IR/Forensic Trends In 2008

In early August 2008, the Department of Justice indicted a group of hackers on charges of breaching networks and compromising sensitive data and credit/debit card numbers of stores owned by TJX, Barnes & Noble, OfficeMax, Forever 21, Boston Market, BJ's Wholesale Club, The Sports Authority, and DSW.

These companies are not the only victims of cyber-crime. Earlier this year, Verizon Cybertrust released a data breach report that confirms it. The most startling finding is the timeline: in the majority of cases the compromise itself was quick, while the victim's discovery and mitigation of the crime were lethargic.

  • From the criminals' initial access until data compromise? Usually hours.
  • From data compromise until discovery by the company? Typically months.
  • From discovery until incident mitigation? In most cases, weeks.

Would proper network security controls have helped? Perhaps. However, 78% of the breaches analyzed would still have occurred even if every system had been 100% patched the moment each patch became available.

Defending against compromise through sound security policies and procedures remains important. However, one area that clearly needs improvement is incident identification and mitigation. Companies do not have weeks or months to discover and resolve incidents. Incident response and forensic techniques have to improve.

As a result, we asked industry experts attending the IR/Forensic Summit to submit forensic and incident response trends, both good and bad, that they have directly observed over the past several years. These trends might help improve our capability to discover and solve crime. The resulting discussion identified these seven trends.

  1. Data Breach Investigations Escalating - Attackers are increasingly adept at identifying and exploiting vulnerabilities such as SQL injection. Once in, attackers use new and sophisticated malware to maintain their presence and exfiltrate critical data. Both the attack and the malware evade perimeter and host defense tools such as firewalls, intrusion prevention/detection systems, and anti-virus products. The simplicity and effectiveness of these attacks allow for a full infrastructure compromise, resulting in the loss of Personally Identifiable Information (PII) and credit/debit card account data.

  2. IR/Forensic Preparedness Low - In recent years, the addition and expansion of legal and regulatory compliance requirements have exposed how unprepared many organizations are for computer security incidents and data breaches. Organizations have been very reluctant to view external sources as real threats to critical data repositories. Recent advances in technology and techniques continue to move incident response and the forensic analysis of incidents forward. However, the responsibility to respond remains on the shoulders of relatively untrained first responders. As a result, market demand for qualified incident response personnel is high, making it very difficult to recruit and retain these individuals. Companies must now invest significant time in training their own personnel.

  3. Clear Need for Forensic Qualifications - The private investigator (PI) license requirements of some states have made digital forensic examiners apprehensive about performing eDiscovery or forensics in those states. The ambiguity of the PI licensing requirements also forces digital forensic examiners, and the organizations that hire them, to consult lawyers, at high cost and with added complexity for doing business. State legislators are seeking a way to verify the qualifications of digital forensic professionals; this will likely result in several national-level certifications being recognized, a marked improvement over the initial plan of requiring a PI license.

  4. eDiscovery Rising - The 2006 eDiscovery amendments to the Federal Rules of Civil Procedure created, almost overnight, a $1 billion industry and a new subsector of forensic products and services aimed at it. The computer forensic industry has entered heavily into the eDiscovery landscape for litigation. With significant potential penalties for non-compliance, the focus has been on the timeliness of document and email collection for litigation purposes. Digital forensics has emerged as a viable option in eDiscovery due to the defensibility of the process, the authenticity of the collected evidence, and lower cost than traditional methods.

  5. Too Much Data to Forensicate - Ever-expanding file system sizes have forced investigators to rely increasingly on ephemeral information about the state of a system. Additionally, investigators have focused on gathering only selected pieces of the file system to save acquisition and analysis time and reduce costs. There has been a price to pay for this transition, however: piecing together a complex series of technical activity becomes much more difficult without full drive images.

  6. Mobile Device Forensics - The need for robust forensics capture and analysis tools for cell phones, iPods, and PDAs increased greatly during the past two years. An increasing number of investigations are dependent on data stored in these devices that often have different formats and means of access than the traditional computer hard-drive-centric techniques used by most investigators. The need is driving some investigators to create homegrown tools for such analysis, while others have simply avoided this potentially very useful source of case information.

  7. Volatile Data Collection and Analysis Critical to Cases - Gone are the days of "rip the power cord from the back of the computer." There has been remarkable progress in memory forensics over the last few years. Volatile memory collection and analysis have dramatically augmented digital investigations and helped address many new challenges, such as encryption (whose keys are present only in RAM while the system runs) and the recovery of key evidence that might exist for only seconds on a computer.
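One concrete reason memory collection helps with encryption is that a running system keeps its cryptographic keys in RAM, and most AES implementations store not just the key but the full expanded key schedule beside it. The following is an added example, not code from the SANS paper or its contributors: it scans a memory image for AES-128 keys by testing, at every offset, whether the 160 bytes following a 16-byte candidate are that candidate's own FIPS-197 key schedule (the approach used by key-finding tools such as aeskeyfind). The 4 KiB "memory image", its seed, the planting offset 1000 and the use of the FIPS-197 Appendix A test key are all constructed for this demonstration.

```python
"""Locate AES-128 keys in a raw memory image by key-schedule recognition.

Added example, not from the SANS paper. The image below is constructed:
seeded pseudo-random filler with one expanded AES-128 key schedule planted in it.
"""
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Compute the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = 0x63
        for r in range(5):                # s ^= rotl(inv, r) for r in 0..4
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_word(prev, first, i):
    """Schedule word i from word i-1 (prev) and word i-4 (first)."""
    t = list(prev)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(f ^ x for f, x in zip(first, t))


def expand_key(key):
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(image):
    """Return [(offset, key_hex)] for every 16-byte run whose following 160
    bytes equal its own AES-128 key schedule. A cheap check on the first
    expanded word rejects almost every offset before a full expansion."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_key(cand) == image[off:off + 176]:
            hits.append((off, cand.hex()))
    return hits


# Constructed sample "memory image": 4 KiB of seeded pseudo-random filler with
# the FIPS-197 Appendix A test key's full schedule planted at offset 1000.
PLANTED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANT_OFFSET = 1000
_rng = random.Random(2008)
_filler = bytearray(_rng.getrandbits(8) for _ in range(4096))
_filler[PLANT_OFFSET:PLANT_OFFSET + 176] = expand_key(PLANTED_KEY)
MEMORY_IMAGE = bytes(_filler)

if __name__ == "__main__":
    for offset, key_hex in find_aes128_keys(MEMORY_IMAGE):
        print(f"AES-128 key schedule at offset {offset}: key {key_hex}")
```

The scan works because the key schedule is highly structured: a random 176-byte window almost never satisfies the expansion relation, so a match is strong evidence of a live key rather than a coincidence. The caveats are the ones a practitioner would expect: only a contiguous AES-128 encryption schedule is recognized here (AES-256 has a longer schedule, and some libraries keep a separate decryption schedule or a non-contiguous layout), and this key material exists only while the machine is powered, which is exactly the evidence lost when the cord is pulled.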

The Experts Who Helped Create The SANS Top 7 New IR/Forensic Trends In 2008

  • Jim Butterworth (Guidance Software)
  • Harlan Carvey (IBM ISS)
  • Art Ehuan (Forward Discovery)
  • Rob Lee (Mandiant)
  • Monty McDougal (Raytheon)
  • Bret Padres (Stroz Friedberg LLC)
  • Jeffrey Palatt (IBM ISS)
  • Ed Skoudis (Intelguardians)
  • Aaron Walters (Volatile Systems)