Market Sectors

New cyber forensics can deter advanced persistent threats

Anthony Di Bello

Targeted cyber attacks are increasingly pervasive, driven by criminal and state-sponsored activity, and are becoming increasingly advanced.

According to the IBM X-Force 2010 Mid-Year Trend and Risk Report, advanced persistent threats (APT) have increased in sophistication, with 37 percent more activity involving PDF attachments observed in the first half of 2010. A recent whitepaper that Guidance Software developed with IT Harvest echoed these statistics. It examined two recent APT incidents, the GhostNet infiltration of the Dalai Lama's office, consulates and embassies, and the Google incident in China, part of the intrusion dubbed "Operation Aurora," as well as the difficulty involved in countering these attacks.

Attacks like these demonstrate that even agencies with significant investments in security are not prepared to counter sophisticated efforts to penetrate their networks.

Most agencies have already invested in segmenting their networks with firewalls and intrusion prevention systems, deploying anti-virus and anti-spam to desktops, servers and gateways, and instituting a religious fervor when it comes to patch management. Yet, targeted attacks from insiders and determined adversaries still succeed.

Even after an agency moves to more granular access controls and stronger authentication, and deploys network protections to every segment, there will still be breaches. In order to combat these kinds of APTs, which are often undetectable by traditional security solutions, agencies are turning to cyber forensics.

The most effective cyber forensics software fights APTs in two significant ways:

First, it is designed to search memory and hard disks directly to ensure complete visibility into unstructured and volatile data. Thus, it is able to look where anti-virus programs can't, and find APTs, botnets and malware that otherwise go undetected. Cyber forensics compares running processes to a hash database of known good or approved running processes, exposing the unknown processes. Then, the software uses forensic analysis to reveal the purpose of each unknown process. Through automated scans across the network, cyber forensics can help a centralized team quickly determine the scope of its agency's exposure.

Second, cyber forensics software that features built-in similar file analysis can measure how closely a suspect file resembles a known sample, detecting APTs that change their digital signature to evade detection by conventional tools. When malware evades a layered security defense, not only is it difficult to detect but also difficult to know where it spreads and whether it has morphed. With a source file in hand, cyber forensics can thus expose other iterations of a given APT. Now, for the first time, IT can conduct similar file analysis in real time on a live machine.
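The two mechanisms just described, as an added example that is not code from this column or from Guidance Software: a Python sketch that first flags process images whose SHA-256 is absent from a known-good set, then scores the remaining unknowns against a sample already in hand using byte n-gram similarity, so that a lightly modified copy of the sample still matches while an exact-hash lookup would miss it. The process names and byte samples are constructed stand-ins for images pulled from hosts.

```python
import hashlib
from typing import Dict, List, Set, Tuple

def sha256_hex(data: bytes) -> str:
    """Exact-match fingerprint, the kind a known-good hash database stores."""
    return hashlib.sha256(data).hexdigest()

def unknown_processes(images: Dict[str, bytes],
                      known_good: Set[str]) -> List[str]:
    """Step one: any image whose hash is not in the approved set is 'unknown'
    and is handed to forensic analysis."""
    return sorted(name for name, data in images.items()
                  if sha256_hex(data) not in known_good)

def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Overlapping n-byte windows. A single changed byte disturbs only n
    windows, so most of the set survives a light modification."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets (1.0 = identical content)."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)

def find_variants(source: bytes, candidates: Dict[str, bytes],
                  threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Step two: rank unknown samples by likeness to the sample in hand."""
    scored = [(name, similarity(source, data)) for name, data in candidates.items()]
    return sorted(((n, s) for n, s in scored if s >= threshold),
                  key=lambda t: t[1], reverse=True)

# Constructed data (hypothetical): stand-ins for process images from hosts.
APPROVED_SVC = bytes(range(255, -1, -1))            # an approved service image
SOURCE_APT = bytes(range(256))                      # sample recovered from one host
VARIANT_APT = SOURCE_APT[:100] + b"\xff" + SOURCE_APT[101:] + b"PAD!"  # morphed copy
FILLER = b"\x00" * 256                              # unrelated unknown binary

KNOWN_GOOD = {sha256_hex(APPROVED_SVC)}
HOST_IMAGES = {"svc": APPROVED_SVC, "updater": VARIANT_APT, "tmpfile": FILLER}

if __name__ == "__main__":
    unknown = unknown_processes(HOST_IMAGES, KNOWN_GOOD)
    print("unknown processes:", unknown)
    hits = find_variants(SOURCE_APT, {n: HOST_IMAGES[n] for n in unknown})
    for name, score in hits:
        print(f"{name}: {score:.3f} similar to the source sample")
```

In practice the byte samples would be read from the process images or disk files a scan collected, and the threshold tuned against known benign pairs to keep false matches down.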

As cyber-criminals generate more sophisticated code, tactics and global operations that endanger the data and operations of the public sector, the public sector must increase its resilience and reduce its attack surface. As security professionals, it is our civil duty to search for new technology and leverage these cyber forensics tools that potentially allow any agency to efficiently respond to, contain and neutralize these advanced persistent threats.

Anthony Di Bello is product marketing manager for cybersecurity and compliance products at Guidance Software. He can be reached at:

[email protected]
