Memory-Resident Malware Creating Forensics Challenges
Verizon's Novak Analyzes How the Changing Threat Landscape Changes Breach Detection
Because attackers are now using memory-resident malware and tools that leave no trace on the disk, forensics experts must take a different approach to their investigations, says Christopher Novak, director of Verizon's global investigative response unit.
Organizations relying heavily on disk-based forensics may fail to detect breaches, he warns in part two of an interview with Information Security Media Group. "The reality of it is they might have had a very serious breach but it's all memory-resident," he says. "A lot of incident response firms out there rely heavily on taking forensic disk images."
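The point Novak makes above, that a disk image can be clean while the compromise lives entirely in memory, is easiest to see in a live-response step that looks at what a running process has mapped rather than at what is on disk. The following is an added illustration, not code from the interview, from Verizon or from ISMG: it parses Linux `/proc/<pid>/maps` text and flags executable regions that no file on disk accounts for (anonymous mappings, mappings whose backing file was deleted after loading, and writable-plus-executable regions). The sample maps text is constructed, and the `example-daemon` path and the deleted `/tmp/dropped.so` entry are invented for the demonstration.

```python
"""Live-memory triage: executable regions with no file on disk behind them.

A forensic disk image cannot contain a code region that was mapped
anonymously at runtime or whose backing file was unlinked after loading,
which is exactly the memory-resident case the interview describes. Reading
/proc/<pid>/maps on a running Linux host is one lightweight way to spot it.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed sample (not captured from a real host); paths are invented.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1835 /usr/bin/example-daemon
00651000-00652000 rw-p 00051000 08:01 1835 /usr/bin/example-daemon
00c3e000-00c5f000 rw-p 00000000 00:00 0 [heap]
7f2a10000000-7f2a101b5000 r-xp 00000000 08:01 2211 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a10400000-7f2a10412000 r-xp 00000000 08:01 9040 /tmp/dropped.so (deleted)
7f2a10600000-7f2a10621000 rwxp 00000000 00:00 0
7ffd5c2c0000-7ffd5c2e1000 rw-p 00000000 00:00 0 [stack]
7ffd5c3f0000-7ffd5c3f2000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # empty string for an anonymous mapping

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format text into Region records; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(
            Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        )
    return regions


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Executable regions a disk image would not explain.

    Flags: anonymous executable memory (no path at all), executable mappings
    whose file was deleted after being mapped, and writable+executable
    regions, which normal loaders rarely produce. Kernel pseudo-mappings
    such as [vdso] carry a bracketed name and are therefore not "anonymous".
    """
    hits = []
    for r in regions:
        if "x" not in r.perms:
            continue
        anonymous = r.path == ""
        deleted = r.path.endswith("(deleted)")
        writable_exec = "w" in r.perms
        if anonymous or deleted or writable_exec:
            hits.append(r)
    return hits


def scan_live_process(pid: int) -> List[Region]:
    """Apply the same check to a running process on a Linux host (needs read
    access to /proc/<pid>/maps; returns [] if the process or file is unavailable)."""
    try:
        with open(f"/proc/{pid}/maps", "r", encoding="utf-8") as fh:
            return suspicious_regions(parse_maps(fh.read()))
    except OSError:
        return []


def describe(hits: List[Region]) -> List[str]:
    """Human-readable triage lines for an incident handler's notes."""
    return [
        f"{r.start:016x}-{r.end:016x} {r.perms} {r.size:#x} bytes "
        f"{r.path or '<anonymous>'}"
        for r in hits
    ]


if __name__ == "__main__":
    for line in describe(suspicious_regions(parse_maps(SAMPLE_MAPS))):
        print(line)
    if os.path.isdir("/proc"):
        for line in describe(scan_live_process(os.getpid())):
            print("self:", line)
```

Run against the constructed sample, the check reports two regions: the code mapped from a since-deleted file and the anonymous writable-plus-executable region. Neither would appear in a disk image of the host, which is the gap Novak describes; a memory capture or a live process walk like this one is what closes it.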
Just as cybercriminals are relying more on automation and collaboration, so too must organizations defending against attacks become more sophisticated in their breach detection and prevention efforts and work with others on threat information sharing, Novak stresses.
"The whole landscape has changed both for the attacker and the defender, and people sometimes wish they could go back to the old days where breaches just meant simple things like website defacement," he says.
Rather than relying on a mainly manual process, as was common in early data breaches, today's threat actors use sophisticated automation to enable them to compromise hundreds of victims at a time, Novak says.
"They just need to point their scanning tools and exploit kits at a range of IP addresses, and if they find 400 vulnerable IPs, the exploit kit will self-install and start exfiltrating data," he says.
"The reality of it is that a lot of the work that threat actors have to do today is coming up with the tools, coming up with the techniques to discover new victims, and then making sure they have a repository to accept all the exfiltrated data," Novak adds.
In this interview, Novak addresses:
- The evolution in the threat landscape since Verizon's Data Breach Investigations Report began;
- The challenges today and the need for new defense methods;
- Bringing balance to the attacker-defender equation.
In part one of this interview, Novak addresses the need to ramp up security for operational technology.
Novak is the co-founder and director of the investigative response unit for Verizon Enterprise Services. With more than 12 years of experience in the field, Novak has assisted corporations, government agencies and attorneys with computer forensics, fraud investigations and computer security incident response matters. He has been certified in various jurisdictions as an expert witness and has testified in both civil litigation and criminal prosecutions. Novak has been an adviser on dozens of high-profile cases around the globe.