DCN November 2016 | Page 19

security prevention approaches or attempting to catch the perpetrator ‘in-theact’ like modern Intrusion Detection Systems (IDS) attempt to do, teams are now turning to strategies that can find an attacker already embedded in the network, and ejecting the bad actor before he can do serious damage. This is sometimes referred to as ‘post-breach forensics’, and it is becoming an increasingly important aspect of the incident response workflow. The fundamental problem with the existing tools that attempt to catch an assault on-thefly is the speed with which modern networks operate. In today’s gigabit networks, high volumes of network traffic (in the form of data packets) pass through the detection systems in microseconds. With such limited time available to analyse the contents of those packets, the complexity of pattern detection that these devices can feasibly employ is severely limited to just the most basic templates. In addition, many attacks would only be evident if a specific sequence of events is observed, requiring the detection systems to maintain ‘state’ information, sometimes for many minutes, days or even weeks. Even modern ‘stateful’ firewalls don’t have that kind of long term visibility. The answer seems to lie in a new breed of automated post-breach forensics tools, which do not have the same constraints. If a record of all the activities in each of the domains of the computing environments – the memory, the system and application logs of each host, and the network traffic – is maintained, then much more sophisticated pattern matching and behaviour detection systems can be deployed. Some of these data sets, like memory dumps or system logs, are readily available today, although not all enterprises have them enabled. Long term collection and storage of application logs and, in particular network traffic, require more specialised tools. With such large amounts of critical data flowing over a network every day, attempting to store every packet for forensics purposes just doesn’t make sense; it would take up too much costly storage space. That is, unless, it can be carefully constrained by using a dedicated network forensics appliance.
 Indicators of compromise A security team with access to this information has the freedom to conduct a wide variety of analyses and investigations directly on the packet data that they suspect may have led to a breach. They can automatically detect signs of intrusion, called ‘indicators of compromise’ and use these techniques to reconstruct the attack’s initial point of penetration. Other times, the attacker will be detected by his actions inside the network. There are also tools which may provide evidence that the attacker is transferring or exfiltrating the stolen data to an external site. In each case, it is the ability to apply more extensive automated tools across large amounts of historical data that enables the embedded attacker to be discovered. Collectively, these techniques are becoming referred to as ‘Security Analytics’, and they employ many of the proven data science techniques that have been successful in many other areas. From a business standpoint, the ability of automated post-breach forensics to find and expel an attacker before they have done serious damage is very compelling. Although evidence indicates that attackers are successfully gaining footholds in corporate networks, that, by itself, is not destructive. They haven’t stolen or damaged anything yet. And, frequently, the first wave of an assault is in a non-critical system or ancillary department, giving the attacker the ability to conduct a more detailed reconnaissance from this new vantage point inside the network. Patiently and methodically, the attacker will explore the corporation’s hosts to find what assets they contain and what additional hosts can be compromised in order to more broadly expand his position in the network. It’s only when a critical asset such as credit card information, patient records or password files has been found and exploited that the intrusion becomes threatening. In the case of large data files like patient records, the attacker may still have to stay in the targeted system for an extended period while the data is stealthily exfiltrated without triggering an alarm system. During all this time, which may extend over days, weeks or months, there are still opportunities for the security analytics tools that automate postbreach forensics to intercept the attacker before he can abscond with the valuable information.

Skilled investigators have been able to sift through the records of a breached system and determine what has happened for some time. But now, the ability to store vast amounts of historical data married with automated security analytics techniques is making this post-breach forensics capability available to SMBs and large enterprise corporate security teams alike. This emerging capability is a clear and important means to regain the upper hand against attackers. 19