New cyber forensics can deter advanced persistent threats
Anthony Di Bello
Targeted cyber attacks, driven by criminal and state-sponsored actors, are becoming both more common and more sophisticated.
According to the IBM X-Force 2010 Mid-Year Trend and Risk Report, advanced persistent threats (APTs) have grown in sophistication, with 37 percent more activity involving PDF attachments observed in the first half of 2010. A recent whitepaper that Guidance Software developed with IT Harvest echoed these statistics. It examined two recent APT incidents, the GhostNet infiltration of the Dalai Lama's office, consulates and embassies, and the Google incident in China that was part of the intrusion dubbed "Operation Aurora," along with the difficulty of countering such attacks.
Attacks like these demonstrate that even agencies with significant investments in security are not prepared to counter sophisticated efforts to penetrate their networks.
Most agencies have already invested in segmenting their networks with firewalls and intrusion prevention systems, deploying anti-virus and anti-spam to desktops, servers and gateways, and instituting a religious fervor when it comes to patch management. Yet targeted attacks from insiders and determined adversaries still succeed.
Even after an agency moves to more granular access controls, stronger authentication and network protections deployed to every segment, there will still be breaches. To combat APTs, which signature-based security tools often fail to detect, agencies are turning to cyber forensics.
The most effective cyber forensics software fights APTs in two significant ways:
First, it is designed to read memory and hard disks directly, giving direct visibility into unstructured and volatile data. It can therefore look where anti-virus programs cannot, and find APTs, botnets and malware that otherwise go undetected. Cyber forensics hashes the executable image behind each running process and compares the result against a database of known-good or approved hashes; whatever fails to match is an unknown process. A hash mismatch alone does not prove a process is malicious, so the software then applies forensic analysis to reveal the purpose of each unknown process. By running these scans automatically across the network, cyber forensics helps a centralized team quickly determine the scope of the agency's exposure.
Second, cyber forensics software with built-in similar file analysis can measure how alike a suspect file is to a known sample, which catches APTs that are repacked or modified so that their cryptographic hash no longer matches any known signature. When malware evades a layered defense, it is difficult not only to detect but also to know where it has spread and whether it has morphed. With one captured sample in hand, similar file analysis exposes the other iterations of that APT across the environment, and IT can now conduct this analysis in real time on a live machine rather than only on an offline image.
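The two techniques above, hash allowlisting of running processes followed by similar-file analysis of whatever fails to match, can be shown together in a small triage routine. The following is an added example written for this page, not code from Guidance Software or any product. It assumes a constructed inventory of per-host process images, a constructed allowlist, and one captured sample; the similarity measure is a simple byte n-gram Jaccard score standing in for the fuzzy hashing a forensic tool would use, and the threshold is an assumed value.

```python
"""Hash allowlisting plus similar-file triage across hosts (added example, not product code)."""
import hashlib
from typing import Dict, List, Set, Tuple

NGRAM = 4         # byte n-gram size for the similarity measure (assumed)
THRESHOLD = 0.6   # score above which an unknown file is reported as a likely variant (assumed)


def sha256_hex(data: bytes) -> str:
    """Hash of an executable image; this is what gets compared to the known-good database."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved_images: List[bytes]) -> Set[str]:
    """Hash database of known-good or approved executable images."""
    return {sha256_hex(img) for img in approved_images}


def ngrams(data: bytes, n: int = NGRAM) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of byte n-gram sets: 1.0 for identical content, near 0.0 for unrelated."""
    ga, gb = ngrams(a), ngrams(b)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def triage_host(processes: List[Tuple[str, bytes]], allowlist: Set[str],
                sample: bytes) -> Tuple[List[str], List[str]]:
    """Step 1: anything whose hash is not in the allowlist is 'unknown'.
    Step 2: unknowns that resemble the captured sample are 'likely variants'.
    A process name is never trusted on its own; only the image hash is."""
    unknown: List[str] = []
    variants: List[str] = []
    for name, image in processes:
        if sha256_hex(image) in allowlist:
            continue
        unknown.append(name)
        if similarity(image, sample) >= THRESHOLD:
            variants.append(name)
    return unknown, variants


def scope_exposure(hosts: Dict[str, List[Tuple[str, bytes]]], allowlist: Set[str],
                   sample: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Run the triage across every host; hosts with nothing unknown are omitted from the report."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for host, processes in hosts.items():
        unknown, variants = triage_host(processes, allowlist, sample)
        if unknown:
            report[host] = {"unknown": unknown, "likely_variants": variants}
    return report


# Constructed sample data: stand-in "executable images" as byte strings (not real binaries).
APPROVED_EXPLORER = b"MZ" + b"\x00" * 8 + b"explorer: shell, taskbar, file manager"
APPROVED_SVCHOST = b"MZ" + b"\x00" * 8 + b"svchost: generic service host"
KNOWN_SAMPLE = b"MZ" + b"\x00" * 8 + b"beacon: connect c2 every 300s; exfil docs; persist via run key"
# A repacked variant: one byte changed and re-padded, so its SHA-256 no longer matches the sample.
VARIANT_IMAGE = KNOWN_SAMPLE.replace(b"300s", b"600s") + b"\x00" * 4
# An unknown but benign in-house tool: not on the allowlist, yet nothing like the sample.
LOB_TOOL = b"MZ" + b"\x00" * 8 + b"payroll report tool v2: read csv, total hours, print summary"

ALLOWLIST = build_allowlist([APPROVED_EXPLORER, APPROVED_SVCHOST])

HOSTS: Dict[str, List[Tuple[str, bytes]]] = {
    "ws-01": [("explorer.exe", APPROVED_EXPLORER), ("svchost.exe", APPROVED_SVCHOST)],
    "ws-02": [("explorer.exe", APPROVED_EXPLORER), ("updater.exe", VARIANT_IMAGE)],
    "ws-03": [("svchost.exe", KNOWN_SAMPLE)],   # the sample masquerading under a trusted name
    "fs-01": [("svchost.exe", APPROVED_SVCHOST), ("payroll.exe", LOB_TOOL)],
}

if __name__ == "__main__":
    for host, findings in scope_exposure(HOSTS, ALLOWLIST, KNOWN_SAMPLE).items():
        print(host, findings)
```

Note that the allowlist flags the masquerading copy on ws-03 even though it runs under the name svchost.exe, and that the unknown payroll tool on fs-01 is reported for analyst review without being labelled a variant; the hash check decides what is unknown, the similarity score decides what is worth chasing first, and neither by itself proves malice.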
As cyber-criminals develop more sophisticated code, tactics and global operations that endanger the data and operations of the public sector, the public sector must increase its resilience and reduce its attack surface. As security professionals, it is our civic duty to seek out new technology and leverage cyber forensics tools that can allow any agency to efficiently respond to, contain and neutralize these advanced persistent threats.
Anthony Di Bello is product marketing manager for cybersecurity and compliance products at Guidance Software. He can be reached at: