security
prevention approaches or attempting to catch the perpetrator ‘in the act’ as modern Intrusion Detection Systems (IDS) attempt to do, teams are now turning to strategies that can find an attacker already embedded in the network and eject the bad actor before he can do serious damage. This is sometimes referred to as ‘post-breach forensics’, and it is becoming an increasingly important aspect of the incident response workflow. The fundamental problem with the existing tools that attempt to catch an assault on the fly is the speed at which modern networks operate. In today’s gigabit networks, high volumes of network traffic (in the form of data packets) pass through the detection systems in microseconds. With so little time available to analyse the contents of those packets, the complexity of pattern detection that these devices can feasibly employ is severely limited, to just the most basic templates. In addition, many attacks would only be evident if a specific sequence of events is observed, requiring the detection systems to maintain ‘state’ information, sometimes for many minutes, days or even weeks. Even modern ‘stateful’ firewalls don’t have that kind of long-term visibility.
The answer seems to lie in a new breed of automated post-breach forensics tools, which do not have the same constraints. If a record of all the activities in each of the domains of the computing environment – the memory, the system and application logs of each host, and the network traffic – is maintained, then much more sophisticated pattern matching and behaviour detection systems can be deployed. Some of these data sets, like memory dumps or system logs, are readily available today, although not all enterprises have them enabled. Long-term collection and storage of application logs and, in particular, network traffic require more specialised tools. With such large amounts of critical data flowing over a network every day, attempting to store every packet for forensics purposes just doesn’t make sense; it would take up too much costly storage space. That is, unless it can be carefully constrained by using a dedicated network forensics appliance.
Indicators of compromise
A security team with access to this information has the freedom to conduct a wide variety of analyses and investigations directly on the packet data that they suspect may have led to a breach. They can automatically detect signs of intrusion, called ‘indicators of compromise’, and use these techniques to reconstruct the attack’s initial point of penetration. At other times, the attacker will be detected by his actions inside the network. There are also tools which may provide evidence that the attacker is transferring or exfiltrating the stolen data to an external site. In each case, it is the ability to apply more extensive automated tools across large amounts of historical data that enables the embedded attacker to be discovered. Collectively, these techniques are coming to be referred to as ‘Security Analytics’, and they employ many of the proven data science techniques that have been successful in many other areas.
From a business standpoint, the ability of automated post-breach forensics to find and expel an attacker before they have done serious damage is very compelling. Although evidence indicates that attackers are successfully gaining footholds in corporate networks, that, by itself, is not destructive. They haven’t stolen or damaged anything yet. And, frequently, the first wave of an assault is in a non-critical system or ancillary department, giving the attacker the ability to conduct a more detailed reconnaissance from this new vantage point inside the network. Patiently and methodically, the attacker will explore the corporation’s hosts to find what assets they contain and what additional hosts can be compromised in order to more broadly expand his position in the network. It’s only when a critical asset such as credit card information, patient records or password files has been found and exploited that the intrusion becomes threatening.
In the case of large data files like patient records, the attacker may still have to stay in the targeted system for an extended period while the data is stealthily exfiltrated without triggering an alarm system. During all this time, which may extend over days, weeks or months, there are still opportunities for the security analytics tools that automate post-breach forensics to intercept the attacker before he can abscond with the valuable information. Skilled investigators have been able to sift through the records of a breached system and determine what has happened for some time. But now, the ability to store vast amounts of historical data, married with automated security analytics techniques, is making this post-breach forensics capability available to SMBs and large enterprise corporate security teams alike. This emerging capability is a clear and important means to regain the upper hand against attackers.
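As an added illustration (not code from the article or any product it describes), the Python below shows the kind of long-lived, sequence-aware detection the text says an inline IDS cannot afford: it walks a stored history of flow records, keeps per-host state across days, and raises an alert only when a host first touches several internal hosts (reconnaissance from a foothold) and later pushes a large transfer to an external address (exfiltration). The flow records, addresses, thresholds and windows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out). Not real data.
FLOWS = [
    ("2024-03-01T09:00:00", "10.0.5.17", "10.0.5.20", 445, 1_200),
    ("2024-03-01T09:02:00", "10.0.5.17", "10.0.5.21", 445, 900),
    ("2024-03-02T11:15:00", "10.0.5.17", "10.0.5.22", 3389, 4_000),
    ("2024-03-03T14:40:00", "10.0.5.17", "10.0.5.23", 445, 1_100),
    ("2024-03-04T02:10:00", "10.0.5.17", "10.0.5.24", 22, 800),
    ("2024-03-09T03:30:00", "10.0.5.17", "203.0.113.9", 443, 750_000_000),
    # A backup host sends a large transfer too, but never probed internal hosts first.
    ("2024-03-05T10:00:00", "10.0.5.40", "203.0.113.50", 443, 900_000_000),
]


def is_internal(ip: str) -> bool:
    # Assumed address plan: the 10.0.0.0/8 range is the corporate network.
    return ip.startswith("10.")


def detect_recon_then_exfil(flows, recon_hosts=4, recon_window=timedelta(days=7),
                            exfil_bytes=500_000_000, exfil_window=timedelta(days=30)):
    """Flag sources that contacted at least `recon_hosts` distinct internal hosts within
    `recon_window`, and afterwards sent at least `exfil_bytes` to an external address
    within `exfil_window` of the first reconnaissance event. State lives per source
    host across the whole stored history, not per packet in flight."""
    state = defaultdict(lambda: {"targets": {}, "recon_started": None})
    alerts = []
    for ts_str, src, dst, _port, nbytes in sorted(flows):
        ts = datetime.fromisoformat(ts_str)
        s = state[src]
        if is_internal(dst):
            # Forget internal contacts older than the window, then record this one.
            s["targets"] = {h: t for h, t in s["targets"].items() if ts - t <= recon_window}
            s["targets"][dst] = ts
            if s["recon_started"] is None and len(s["targets"]) >= recon_hosts:
                s["recon_started"] = min(s["targets"].values())
        elif (s["recon_started"] is not None and nbytes >= exfil_bytes
              and ts - s["recon_started"] <= exfil_window):
            alerts.append({"src": src, "external": dst, "bytes": nbytes,
                           "recon_started": s["recon_started"].isoformat(),
                           "exfil_at": ts_str})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_then_exfil(FLOWS):
        print(alert)
```

The backup host's large transfer is deliberately not flagged: without the preceding reconnaissance stage it is just a big upload, which is exactly the distinction a packet-at-a-time detector cannot make.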
19