Breach Forensics - Preventing The Worse From Happening

By Author: eccuni
Total Articles: 211
Comment this article

In every incident response after a breach, the aftermath is indeed challenging in uncovering the crime, but from there the challenge becomes tougher. Whenever cyber criminals clear the digital vault, the only thing they have to do is to get away clean – that is very simple to most criminals in the cyber-underground society.

However, there are still a few things an incident handling team can do to prevent the worse thing from ever happening after data breaches and still track the footprints that were left behind.

There have been many data breaches that happened to different sectors in industry and even if the some evidences point out to a certain origin of the attack, it is not enough to initiate an arrest or point out the involvement. Sometimes these crooks use and control botnets to cover their tracks after the dark deed has been completed. Soon security experts will have ...
... to play a catch-up game with these crooks.

However, not all evidences are deliberately erased by the crooks and it happens a lot in many cyber crimes. Network admins would try to assess the depth and severity of the breaches and sometimes their access could accidentally or perhaps deliberately destroy some evidences that would quickly resolve the situation. You can compare it to an innocent bystander who could complicate the police investigation by accidentally stepping on the evidence. Sometimes the network administrator could have failed to recover the evidence that will determine how, when and where the attack happened. It is important for experts to properly collect and also maintain the evidences because the evidences are the only key in revealing not only the means of the attack and who is behind it but also reveal the scope of damage in the system.

According to experts, incident handling teams must undergo the right incident handling training to acquire the right skills in performing analysis on malware attacks or data breaches. Moreover, they must know how to determine a threat of a malware to a system by analyzing it in a sandboxed environment, thus it is possible for them to determine ex-filtrations methods of a certain malware and aid their efforts in remediation. Since, malware are dynamic and can communicate on many hosts, the results of the analysis can be of help to create an excellent block list. This block list will be used to limit the amount of exposure of some applications and also detect malware ex-filtration. This is one of the best solutions on detecting any exiting data.

In the event that the infected systems have been finally identified, the network administrators must turn off those systems and map them in a specific way so that they can picture out how the structure has been modified. Then the infected system must be replaced with a cleaner and more secure structure. If the attacker has breached the database and is retrieving important data remotely, then administrators have to cut the connection of that server or database temporarily. By analyzing the network traffic, experts could pinpoint the domains, addresses or any ex-filtration points that are used to retrieve information. These addresses and domains must be added to the existing firewall so that the compromised system will prevented in making any outbound connection to these ex-filtration point. With this, it is possible to limit the loss of data and determine how the breach happened and also how to rectify it.

Analyzing the log is also important in breach investigation; however, log systems must not be in the default system so that evidences will not be overwritten and preserved. Thus it is important to set a proper retention policy and implement log aggregation or right management in any security event. But logs have a limit and that is because they only provide intelligence on how the systems generate them.

Log data is definitely one of the places an attacker will leave his or her mark. It is very obvious and any smart administrator would check the log data first because most of the time, the log data is the first place where attackers would try to hide his or her tracks first. An attacker may delete or perhaps modify log entries, entries that would indicate the breach on the system.

Important data will provide leads on the breach's source, the construction of malware, ex-filtration point of data and the identification as well as the nature of the compromised data.

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer trainings in penetration testing.

More information about EC-Council is available at www.eccouncil.org.