Hackers are frustrated people. You spend hours behind a computer screen learning about system internals, vulnerabilities and developing sophisticated toolkits only to find that you don’t need to use any of that hard-earned knowledge and technology. The walls of the digital fortress are built high and thick, but there are too many doors, not enough guards and too many people using them.
Take the case of Gary McKinnon, the hacker who broke into the Pentagon and NASA over ten years ago. Gary has been in the news, having successfully won his appeal not to be extradited to the US. He’s clearly a very clever individual, but nowadays you don’t need Gary’s skills to gain access to a corporation’s systems.
It’s often said that the weakest point in any network lies between the keyboard and the back of a chair, and while most of us now realise that we haven’t won the Nigerian state lottery, hackers are finding increasingly crafty ways to make us part with our passwords and other sensitive information.
The more things change…
Hacking is certainly not a new phenomenon, so one would expect that there’s a wealth of skill out in the wild regarding how you investigate these incidents when they occur. Unfortunately, that’s not the case.
The key is firstly to recognise the difference between IT security (preventative) and investigation (reactive) functions and, second, to appreciate that any large organisation will inevitably be hacked – and often.
Once you understand this, it enables you to reprioritise the role of the investigation function.
Imagine a world where everyone just focused on security, but where we didn’t have any police…
One of the key difficulties in investigating a hack is one of scale (again!). To be honest, the ability to competently investigate a network intrusion is a rare skill as it is. However, organisations must now also be able to deal with the vast amounts of computing equipment and network traffic that exists within their walls.
Of course, there are many intrusion detection systems and data leakage prevention systems on the market that can help with this. However, all too often the users of these systems are either flooded with potential ‘red flags’ or simply don’t have the training to follow up on incidents when they arise.
For example, if there’s a botnet rampaging through your network, how can you quickly identify the compromised computers? Often this involves a hugely time-intensive process of following breadcrumbs around your estate, unless you know very quick ways of searching across a large number of machines and domain controllers.
Similarly, if someone has compromised your Active Directory server, they may well have the keys to your entire organisation.
Identify what looks out of place
The complexity involved with investigating these events, and the associated panic, leads to the common response: ‘Just rebuild the server’. Will this help you if organised criminals have compromised someone within IT? Investigations aid prevention by informing you of the threat.
Crucial to investigating a network intrusion is identifying anything that looks out of place. To get a feel for this, I often ask trainee investigators to go through every folder on their hard drive and to make sure they know what everything does. If you try it, you will see that this is actually quite a large task!
If you don’t know what’s supposed to be there, it’s hard to develop an intuition for recognising what’s out of place. All program executables should be assumed guilty unless proven innocent!
One good way to do this is to use a list of program hashes (there are many in circulation for the various operating systems and applications) to filter out innocent files. This is a sound method of identifying renamed programs (svchost is a popular choice) or rogue applications such as remote access tools, keyloggers or proxies. It’s also a good way to identify hitherto undocumented sources of evidence.
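As an added illustration of the hash-list approach (example code written for this page, not the author’s tooling), the script below hashes every file under a directory and checks it against a constructed allow-list standing in for a published hash set. It separates genuine files from known programs hiding under another name, files carrying a well-known name such as svchost.exe but with unknown content, and files nobody can vouch for. The sample files, names and hashes are all constructed for the demonstration.

```python
import hashlib, os, tempfile
# Constructed stand-ins for genuine program contents. A real allow-list would be
# loaded from a published hash set; here it maps SHA-256 -> expected file name.
GOOD_SVCHOST = b"constructed: genuine svchost.exe contents"
GOOD_NOTEPAD = b"constructed: genuine notepad.exe contents"
KNOWN_GOOD = {hashlib.sha256(GOOD_SVCHOST).hexdigest(): "svchost.exe",
              hashlib.sha256(GOOD_NOTEPAD).hexdigest(): "notepad.exe"}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_good):
    """Sort every file under root by hash and name: innocent (both match),
    renamed (known content under another name), impostor (well-known name
    such as svchost.exe with unknown content), unknown (review by hand)."""
    known_names = {n.lower() for n in known_good.values()}
    buckets = {"innocent": [], "renamed": [], "impostor": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in known_good:
                ok = name.lower() == known_good[digest].lower()
                buckets["innocent" if ok else "renamed"].append(path)
            elif name.lower() in known_names:
                buckets["impostor"].append(path)
            else:
                buckets["unknown"].append(path)
    return buckets

def run_demo():
    """Write a constructed tree to a temp dir; return each bucket as sorted relative paths."""
    samples = {"system32/svchost.exe": GOOD_SVCHOST,
               "system32/notepad.exe": GOOD_NOTEPAD,
               "temp/svchost.exe": b"constructed: pretending to be svchost",
               "tools/update.exe": GOOD_NOTEPAD,  # genuine notepad, renamed
               "tools/readme.txt": b"constructed: not in any hash set"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in triage(root, KNOWN_GOOD).items()}
```

The ‘renamed’ bucket is the one that catches a legitimate tool parked under an innocent-looking name, and ‘impostor’ the classic fake svchost; both disappear if you only compare file names.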
I once conducted an investigation where a hacker inadvertently ‘fixed’ a problem with an application when they disabled the computer firewall. I could tell the moment that the hacker did this because the application stopped reporting errors at that precise moment in time!
Network packet captures are also a great mine of information. Again, the problem is one of scale: a week’s worth of network data captured at the perimeter of a large organisation can run into the terabytes.
What do you do with this data once you get hold of it? Finding a tool that can deal with such a large corpus is challenging enough. Simple, lightweight tools are very useful in this respect, such as standard Unix commands and your favourite database environment. The data can then be filtered down by protocol, IP address or date to help close in on the phenomena of interest.
The Big Issues for 2013
One of the interesting phenomena to have matured over the past couple of years is the malware and hacker underground market. You can now buy banking malware ‘kits’ such as Zeus and SpyEye for relatively small sums. These kits provide a point-and-click interface that allows a hacker to produce a man-in-the-browser attack, whereby users are tricked into divulging banking and other details.
Some of this malware even connects to mobile devices to intercept phone-based verification technologies. There’s even talk of ‘hackers for hire’ and the leasing of compromised servers for other hackers to use.
The rise of hacker activists (or hacktivists) has also given rise to the ‘hacker brand’. There’s very little brand protection going on in the hacker community, so if someone wants to call themselves ‘Anonymous’ and blackmail a corporation under that name, it can be difficult to determine what exactly the threat is in real terms.
Such ‘false flag’ attacks are common in the world of cyber espionage and cyber warfare.
What you should do next…
The key thing here is that it has never been easier for someone to hack a network or the people who use it. Similarly, the network defences we have always relied on will not guarantee 100% security. As such, it is important to develop techniques for recognising unusual patterns and red flags across your key computer systems, and to investigate these forensically when they appear.
Sometimes this can mean sampling your network on a proactive basis and looking for irregularities. It may be that your network has been compromised for some time, and conducting regular reviews can raise your defensive stance.
Stopping an attack early can make all the difference, especially as most organisations are unable to detect an attack at its inception. Often, hackers will compromise a system so that they can gain access to other, more secure systems. An early interception can prevent this from happening.
For example, a review of deleted user accounts on key systems, cross-matching live running processes across a number of servers or identifying pirated or rogue software are all processes that may be executed very quickly, and help expose the ‘footprints in the sand’ that an intruder leaves behind.
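As an added example (not from the original article), the following cross-matches running-process listings across several servers. The listings are constructed: one server carries a second svchost.exe running from a user-writable folder, and a process that no other host runs. Both are the kind of ‘footprint in the sand’ a quick cross-server comparison exposes.

```python
from collections import Counter, defaultdict

# Constructed process listings: host -> [(process name, image path)]. The odd
# entries on srv03 are the planted "footprints"; everything else is baseline.
SYS = r"C:\Windows\System32"
BASELINE = [("svchost.exe", SYS + r"\svchost.exe"), ("lsass.exe", SYS + r"\lsass.exe"),
            ("backupagent.exe", r"C:\Program Files\Backup\backupagent.exe")]
LISTINGS = {
    "srv01": list(BASELINE),
    "srv02": list(BASELINE),
    "srv03": BASELINE + [("svchost.exe", r"C:\Users\Public\svchost.exe"),
                         ("helper.exe", r"C:\Users\Public\helper.exe")],
    "srv04": list(BASELINE),
}

def cross_match(listings, rare_max=1):
    """Compare process listings across hosts and return two kinds of outlier:
    rare     - a process name seen on at most rare_max hosts
    odd_path - a host running a common process from an image path that differs
               from the path the majority of hosts use (names and paths are
               compared case-insensitively, as on Windows)"""
    hosts_by_name = defaultdict(set)
    paths_by_name = defaultdict(Counter)
    for host, procs in listings.items():
        for name, path in procs:
            hosts_by_name[name.lower()].add(host)
            paths_by_name[name.lower()][path.lower()] += 1
    rare = sorted((name, sorted(hosts)) for name, hosts in hosts_by_name.items()
                  if len(hosts) <= rare_max)
    odd_path = []
    for host, procs in listings.items():
        for name, path in procs:
            counts = paths_by_name[name.lower()]
            majority, seen = counts.most_common(1)[0]
            # A tie between paths is not flagged; only a clear minority path is.
            if path.lower() != majority and seen > counts[path.lower()]:
                odd_path.append((host, name, path))
    return {"rare": rare, "odd_path": sorted(odd_path)}

if __name__ == "__main__":
    for kind, hits in cross_match(LISTINGS).items():
        print(kind, hits)
```

On a real estate the listings would come from whatever inventory or remote-execution mechanism you already have; the comparison logic stays the same.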
Educating your users will always be paramount. Try a session whereby you invite your team to a security briefing and ask them to write down their computer username and password without showing them to anyone… Then pause for dramatic effect before reminding them to never write down their username and password!
Simon Placks leads the Ernst & Young IT Forensics team