Youâ€™ve Been Hacked: Now What?
Forensic Analysis Helps Solve the Crime
In the event of a data break-in, forensic analysis -- the use of scientific techniques to investigate crimes -- is needed for various tasks, including:
- investigating crimes and inappropriate behavior,
- reconstructing computer security incidents,
- troubleshooting operational problems,
- supporting due diligence for audit record maintenance
- recovering from accidental system damage.
Without such a capability, an organization will have difficulty determining what events have occurred within its systems and networks, i.e. exposures of protected, sensitive data. Also, handling evidence in a forensically sound manner puts decision makers in a position to take the necessary actions. According to guidance published in 2006 by the National Institute of Standards and Technology (NIST), incorporating forensic considerations into the information system life cycle can lead to more efficient and effective handling of many incidents. Forensic considerations must be clearly addressed in company policies. At a high level, these policies should allow authorized personnel to monitor systems and networks and perform investigations for legitimate reasons under appropriate circumstances. The guidance has been well received, especially among security staff and system administrators who were fairly new to forensics, says Karen Scarfone, a NIST computer scientist. These people have commented that the guide was particularly helpful in better understanding the forensics process, such as the need to document the actions they perform. NIST has also received requests to provide additional information on mobile device forensics (for example, cell phone forensics), Scarfone says, and her group has produced a separate publication covering this topic (SP 800-101). In line with the NIST guidance, companies should create and maintain procedures for performing forensic tasks. The guidelines should include general methodologies for investigating an incident using forensic techniques, and step-by-step procedures should explain how to perform routine tasks.
Among the suggestions: Create a forensic toolkit for data collection, examination, and analysis. It should contain various tools to collect and examine volatile and non-volatile data and to perform quick reviews of data as well as in-depth analysis. The toolkit should allow its applications to be run quickly and efficiently from removable media (e.g., floppy disk, CD) or a forensic workstation.
Perform forensics using a consistent process. NIST guidelines suggest a four-phase forensics process: collection, examination, analysis, and reporting.
Be proactive in collecting useful data. Configuring auditing on operating systems, implementing centralized logging, performing regular system backups, and using security monitoring controls can all generate sources of data for future forensic efforts.
Be aware of the range of possible data sources. Analysts should be able to survey a physical area and recognize possible sources of data. They should also think of possible data sources located elsewhere within an organization and outside the organization.
Consider all possible application data sources. Application events might be recorded by many different data sources. They also might be used through multiple mechanisms, such as client programs installed on a system and Web-based client interfaces. In such situations, analysts should identify all application components, decide which are most likely to be of interest, find the location of each component of interest and then acquire the data.
Perform data collection using a standard process. The recommended steps are identifying sources of data, developing a plan to acquire the data, acquiring the data, and verifying the integrity of the data. The plan should prioritize the data sources, establishing the order in which the data should be acquired, based on the likely value of the data, the volatility of the data, and the amount of effort required.
Use a methodical approach to studying the data. The foundation of forensics is using a methodical approach in analyzing the available data so that analysts can either draw appropriate conclusions based on the available data, or determine that no conclusion can yet be drawn. If evidence might be needed for legal or internal disciplinary actions, analysts should carefully document the findings and the steps that were taken.
Bring together data from various sources. The analyst should review the results of the examination and analysis of individual data sources, such as data files, operating systems, and network traffic, and determine how the information fits together, to perform a detailed analysis of application-related events and event reconstruction. In the final phase, reporting, reviews of current and recent forensic actions can help identify policy shortcomings, procedural errors, and other issues that might need to be remedied, as well as ensuring that the organization stays current with trends in technology and changes in law. For more information, check out: Pub. 800-86 Guide to Integrating Forensic Techniques into Incident Response August 2006 http://csrc.nist.gov/publications/nistpubs/index.htm
Forensic Exercises Tabletop exercises that focus on how forensic tools and techniques can be used in various scenarios provide an inexpensive and effective way of building and maintaining skills and identifying problems with guidelines, procedures, and policies. The exercise participants review a brief scenario and are then asked several questions related to the scenario servers. For example...
Scenario 1: On a Saturday afternoon, external users start having problems accessing your institutionâ€™s public Web sites. Over the next hour, the problem worsens to the point where nearly every attempt to access any of the Web site fails. Networking staff responds to automatically generated alerts from an Internet border router and determines that much of the institutionâ€™s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both of the institutionâ€™s public Domain Name System (DNS).Questions: How would the forensic activity change if the DDoS attack appeared to be coming from a network in a different state? In a different country? How would the forensic activity change if the DDoS attack appeared to be coming from a business partnerâ€™s network?
Scenario 2: Over the course of a week, the number of phone calls coming into the institutionâ€™s help line for online bill presentment and payment increases by 400 percent. Most callers complain of having to resubmit payment information multiple times, and many canâ€™t complete their payment.Questions: The problems could have a non-technical cause, such as a lack of clear instructions for new users. How should the technical and non-technical aspects of the investigation be coordinated and balanced? How might privacy considerations affect the use of forensic tools and techniques? How would forensic tools and techniques be used if application developers were confident that an operational problem was causing the issues?