Forensics Trends for 2013

External Attacks, Data Loss are Top Concerns

By , January 2, 2013.

Forensics expert Rob Lee says it's not new types of attacks that concern him. It's the old ones that continue to impact organizations. How can organizations learn from past incidents and respond in 2013?


The bulk of the cases he investigates are external breaches, not insider cases, says Lee, a seasoned forensics professional and curriculum lead and author for digital forensic and incident response training at the SANS Institute. When analyzing the incidents and reporting back to technical teams or executives, he's often faced with the question, "How do we stop this?"

"Even though we're learning more about what the capabilities are of the hackers and adversaries, we have not done a decent job of being able to truly implement solutions that will slow them down ... and even stop the initial infiltration," he says in an interview with Information Security Media Group [transcript below].

Moving forward, organizations need to address the breach at the point of data exfiltration.

"That ends up being a much louder and significant event on a host and a network and much easier to detect as a result," Lee explains.

The main trend heading into 2013 will be for enterprises to formulate effective breach responses to tactics that continue to overwhelm them. And to get to that point, organizations need to embrace the power of big data, which has been difficult for some entities because of the sheer amount of information gathered within an enterprise.

"But as we're moving forward, we're starting to see some solutions creep forward that will give us that visualization and give us the capabilities to identify these anomalies as they're ongoing," Lee says.

In an interview about the process, skills and tools needed in a forensics investigation, Lee discusses:

  • Typical investigations he conducts;
  • Attack trends and what we can learn from them;
  • Most important skills for forensics pros to master.

Lee is an entrepreneur and consultant in the Washington, D.C., area, specializing in information security, incident response and digital forensics. He also is the curriculum lead and author for digital forensic and incident response training at the SANS Institute, a computer security training, certification and research organization. He has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response.

Typical Forensics Cases

TOM FIELD: We've talked about forensics a number of times in the past. What do you find to be the types of forensics cases that you're typically seeing these days?

ROB LEE: I'm typically involved in a lot of information security data breach-style cases where there's some sort of intellectual property that's stolen. There are a lot of different forensics cases that are out there, but that's the kind I'm personally seeing, where some people might be doing intellectual property theft, insider threat-type things, but there seems to be a huge need right now, especially on the data breach investigation side.

In-Demand Skills

FIELD: Let's talk about the skills. What do you find to be the forensic skills that most commonly get called upon to use in these cases that you're involved in?

LEE: One of the key skills that I have found that's particularly useful for investigators is not only to have firm knowledge in digital forensics and as it applies to the operating system, but have a firm knowledge of what adversaries are potentially capable of accomplishing within your enterprise environments. How do they breach a system? How do they gain domain admin? Where do they go? How do they move from system to system? Finally, how do they collect the information from the organization in order to exfiltrate it from your network? Knowing key hacking skills tells you pretty much what to look for on the network.

In the same vein though, having a really firm understanding of how domain environments work, where enterprise environments are laid out in an organization, also ends up being very helpful. I have spent many hours over the past year really trying to educate myself on typical things that probably a domain system administrator finds easy work, but for me it's all brand new.

Inside an Investigation
