By George Aquila, Associate Product Marketing Manager
Recently we featured an excellent guest post by Richard Stiennon, who illuminated the need for accelerating response times against attackers who will increasingly be moving down the kill chain with greater speed. This week we drill down on the practice of incident response, into the realm of cyber forensics, to address how analytics tools help put the pieces back together when an adversary successfully executes an attack.
The recent breach of the Office of Personnel Management (OPM) and its ongoing saga of escalating damage assessments has called attention to the need for effective incident response, especially when a large data exfiltration has occurred. While many organizations put great effort into prevention and detection, there is a lot of uncertainty when it comes to responding to incidents after the fact. In the past year, we have seen both Fortune 500 companies and US government agencies struggle to determine the precise size and scope of their breaches following an attack. To prepare for the worst and be able to reconstruct the details of a breach after it occurs, you need more than just incident response; you need cyber forensics.
Investigating the Crime Scene
Cyber forensics looks a lot like criminal forensics. It is the practice of searching through a network that has been compromised to determine the extent of an intruder’s presence and the damage done. In other words, it is the investigation of the scene of the crime. You need to determine what has been taken and what might still be compromised. Unfortunately, determining either of the two with 100% certainty is difficult.
Data is the key in this process. From ensuring that intruders are no longer in your network to determining how they entered in the first place, you need evidence in order to reconstruct the events of a breach. This kind of evidence can present itself in a variety of forms, including network-focused transaction logs, email records, or even malware programs left behind on a system.
Storing the Clues
Recent breaches have shown that, even in government agencies like the OPM, organizations store log data for relatively short amounts of time, in some cases for as little as 60 days. In an age where the average detection time for a breach can be upwards of 200 days, such short retention intervals are clearly not enough, and they hamper investigative efforts. Organizations must be able to store relevant data far enough back that the scope and duration of a breach can be fully mapped.
A scalable data analytics platform like Sqrrl Enterprise makes it possible to store massive quantities of endpoint and netflow logs, email records, HR information, and various other data sources. The flexibility of databases like Apache Accumulo allows raw data of any variety to be securely stored for later use in outlier detection and predictive analytics. A viable standard for retention is a minimum of a year's worth of data, so that what was happening on the network at any point during that time can be reconstructed.
Analyzing the Results
Making sense of the evidence in an investigation is a challenge in its own right, even with the right data. This process involves determining what information was exfiltrated and, often more importantly, what systems might still be affected. Analytics platforms make this easier by leveraging advanced data science techniques and implementing approaches like a linked data model to create powerful context-based visualizations of a network. With the right data and effective analytics tools, security analysts can easily revisit the conditions under which a breach might have occurred, and pinpoint anomalous activity with outlier detection techniques. After finding the original entry point, an analyst can inspect every subsequently related data point and follow the trail through the network to any entities that might still be compromised.
Figure: A network visualization on Sqrrl. Nodes represent various entities and edges represent relationships.
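As an added illustration (this is not Sqrrl's code and does not come from the original post), the Python sketch below shows the mechanics the paragraph above describes on a handful of constructed log records: events are loaded into a linked-data graph of entities (hosts and accounts) and relationships (logons and flows), the trail is followed forward in time from a known entry point to every entity it may have reached, and a robust outlier check over flow sizes flags unusually large transfers leaving those entities. Entity names, timestamps and byte counts are made up for the example, and the modified z-score cutoff of 3.5 is a conventional choice, not a value from the post.

```python
"""Reconstructing the trail of a breach from retained log records (example code)."""
from collections import defaultdict, deque
from statistics import median

# Constructed sample records (not real data). Each tuple is
# (ISO timestamp, event kind, source entity, target entity, bytes transferred).
#   "logon": account `source` authenticated to host `target`
#   "flow":  host `source` sent `bytes` to host `target`
EVENTS = [
    ("2015-03-20T10:00:00", "flow",  "hr-03",      "ws-12",       2_000),        # before the window
    ("2015-04-01T02:10:00", "logon", "svc_backup", "ws-12",       0),
    ("2015-04-01T02:15:00", "flow",  "ws-12",      "db-01",       1_200),
    ("2015-04-02T23:40:00", "logon", "svc_backup", "db-01",       0),
    ("2015-04-03T01:05:00", "flow",  "db-01",      "ws-12",       640_000_000),
    ("2015-04-03T01:30:00", "flow",  "ws-12",      "203.0.113.7", 650_000_000),
    ("2015-04-03T09:00:00", "flow",  "hr-03",      "db-01",       5_000),
    ("2015-04-04T10:00:00", "flow",  "fin-02",     "mail-01",     3_000),        # unrelated activity
]


def build_graph(events):
    """Linked-data view of the logs: entity -> [(timestamp, neighbour, kind, bytes)].

    Edges are stored in both directions because lateral movement can be seen
    from either end of a logon or a connection.
    """
    graph = defaultdict(list)
    for ts, kind, src, dst, nbytes in events:
        graph[src].append((ts, dst, kind, nbytes))
        graph[dst].append((ts, src, kind, nbytes))
    return graph


def trace_from_entry(graph, entry, since):
    """Follow the trail from `entry` to every entity it could have reached.

    Returns {entity: earliest time it was touched on the trail}. An edge is only
    followed if it occurred after the entity it leaves was itself touched, so
    activity that predates the compromise does not pull unrelated systems in.
    """
    reached = {entry: since}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for ts, neighbour, _kind, _nbytes in graph[node]:
            if ts < reached[node]:
                continue  # happened before this node was on the trail
            if neighbour not in reached or ts < reached[neighbour]:
                reached[neighbour] = ts  # earliest-arrival style relaxation
                queue.append(neighbour)
    return reached


def flag_large_transfers(events, reached, threshold=3.5):
    """Outlier check over flow sizes, limited to flows leaving entities on the trail.

    Uses the modified z-score (0.6745 * (x - median) / MAD), which is robust to the
    very outliers it is meant to find; flows scoring above `threshold` are returned
    as (timestamp, source, target, bytes).
    """
    sizes = [e[4] for e in events if e[1] == "flow"]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1  # avoid division by zero
    flagged = []
    for ts, kind, src, dst, nbytes in events:
        if kind != "flow" or src not in reached or ts < reached[src]:
            continue
        if 0.6745 * (nbytes - med) / mad > threshold:
            flagged.append((ts, src, dst, nbytes))
    return flagged


if __name__ == "__main__":
    # The analyst already knows ws-12 was the first foothold, from 2015-04-01 onward.
    trail = trace_from_entry(build_graph(EVENTS), "ws-12", "2015-04-01T00:00:00")
    for entity, first_seen in sorted(trail.items(), key=lambda kv: kv[1]):
        print(f"{first_seen}  {entity}")
    for ts, src, dst, nbytes in flag_large_transfers(EVENTS, trail):
        print(f"large transfer {ts}: {src} -> {dst} ({nbytes:,} bytes)")
```

In this toy run the trail from ws-12 picks up the account that logged on to it, the database server it talked to, an external address and a workstation that later connected to the database, while fin-02 and mail-01 stay off the trail; the two large transfers (database to workstation, workstation to the external address) are the ones the outlier check surfaces. The timestamp rule in `trace_from_entry` is what makes a year of retained logs usable rather than overwhelming: only activity after an entity was first touched can extend the trail.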
Imagine if the OPM had over a year’s worth of data for their investigation. Better yet, imagine if the OPM also had a contextual visualization of all traffic and information transfers across their network for all of that time. There would be far less doubt about what was stolen and to what extent the breach may have affected other systems.
Gathering information on the details of a breach is critical for reasons beyond just the need for containment and eradication of lingering threats. Companies in many industries are legally bound to compliance standards. If your organization has strict regulations to uphold, a health insurance company for example, being able to show after the fact that you were up to par with those regulations is extremely important from a legal perspective, and can be crucial in a court of law. Regardless of industry, any organization will always be beholden to various groups to show how a breach occurred. Good cyber forensics is often the only way of finding those much-needed answers.