How To

Detecting a Cybersecurity Breach: Forensics First

Bryan Sartin, director of technology for Ubizen, which provides managed security solutions, including assistance in planning and implementing security policies, answers readers' questions about how to detect and respond to a cybersecurity breach

By Bryan Sartin

CSO, October 01, 2004

Q: In a perfect world, what events and audit logs would a forensics investigator like to see enabled on servers and on network devices to provide the best possible evidence trail?

A: Regardless of the system or server type, a forensics investigator will look for the following items: at the application and system level, logs indicating both successful and unsuccessful authentication attempts; logging of all root or administrator-level actions; and logging of all critical object access attempts. These include accesses to privileged system files such as system logs and password files as well as sources of protected information such as credit card information and personnel records. These log files should include the date and time, source, and a description of the event in question. There are, of course, other items that might make the wish list, but these are the basics that forensics investigators will need in order to gain a clear picture of any footprint left behind by an intruder.

Q: Before I even react to a breach, I have to detect it. My logs are getting huge and unmanageable. How can I expect a managed security service provider (MSSP) to handle this when it's dealing with logs from hundreds of companies?

A: The ability to recognize the actual threats among the volumes of security events and log data processed is exactly what separates the leading MSSPs from the rest of the pack. Industry leaders in the MSSP space will use event correlation engines to rapidly recognize unwanted or malicious network activity (an event) and interpret its level of risk to generate an appropriate response (an alert). This process involves a combination of event and target correlation. Event correlation will typically rely on predefined signatures within a data-mining infrastructure to rapidly identify harmful events inside everyday network traffic. Once identified, target correlation assigns a risk level for the given event based on the unique aspects and technologies present in the customer's environment. These enable the MSSP to generate effective threat alerts, customized for your environment, that play well into your organization's incident response plan.

Q: If I can do only one thing after a breach, what should it be?

A: Remove affected systems from the network. Do not make any changes to them. Don't power them off, don't reboot them, don't install anything on them. As a forensics investigator, one of the most frustrating things that you'll encounter once an investigation commences is the changes made to the affected systems and surrounding environment. When a compromised system is powered off, important information or evidence stored in volatile memory may be lost. When that system is powered back on, session-only log files may be overwritten. Further, installing software designed to detect trojans and hacking utilities, or implementing system-level changes intended to harden the affected host or network device, may adversely impact the quality of the forensic evidence available. This not only may make a good forensics investigator's job more difficult, it may also prevent the evidence from being used to support the prosecution of the intruder.

Q: Managed services can automate detection of malware and suspect code. What can you do about confidence tricks, phishing and other socially engineered security breaches?

A: Ultimately, this is always the responsibility of an organization's management. The only protection against socially derived attacks is a commitment to promoting security awareness, conducting regular training, and enforcing policies and procedures across the organization. The degree of impact a managed services provider can have on the susceptibility of a client organization to socially derived attacks is directly related to the nature of the provider-client relationship.
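As an added illustration of the two-stage event-plus-target correlation described in the MSSP answer (example code written for this page, not Ubizen's or the author's), the small engine below matches hypothetical signatures against constructed log lines covering the three log types from the first answer (authentication attempts, root-level actions, critical object access) and then scales each event's score by a hypothetical per-host criticality table before deciding whether it becomes an alert.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article), in a simplified
# syslog-like format: a burst of failed logins, a success, a privileged
# command touching a password file, and an unremarkable login elsewhere.
SAMPLE_LOGS = """\
2004-10-01T02:14:07 host=db01 src=10.0.5.23 sshd: Failed password for admin
2004-10-01T02:14:09 host=db01 src=10.0.5.23 sshd: Failed password for admin
2004-10-01T02:14:12 host=db01 src=10.0.5.23 sshd: Failed password for admin
2004-10-01T02:14:20 host=db01 src=10.0.5.23 sshd: Accepted password for admin
2004-10-01T02:15:01 host=db01 user=admin sudo: COMMAND=/bin/cat /etc/shadow
2004-10-01T03:00:00 host=web02 src=10.0.9.8 sshd: Accepted password for deploy
"""

# Stage 1, event correlation: predefined signatures (hypothetical) that
# label an event type inside everyday log traffic.
SIGNATURES = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+)"),
    "auth_success": re.compile(r"Accepted password for (?P<user>\S+)"),
    "root_action": re.compile(r"sudo: COMMAND=(?P<cmd>.+)$"),
}
BASE_RISK = {"auth_failure": 1, "auth_success": 0, "root_action": 3}
CRITICAL_OBJECTS = ("/etc/shadow", "/etc/passwd", "/var/log/")

# Stage 2, target correlation: asset criticality per host, standing in for
# the customer-specific environment knowledge the MSSP would hold (hypothetical).
ASSET_CRITICALITY = {"db01": 3, "web02": 1}
ALERT_THRESHOLD = 4

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<rest>.*)$")


def correlate(log_text):
    """Return alerts as (host, event_type, score) for events at or above the threshold."""
    failures = Counter()  # recent failed logins per host, for context
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, rest = m["host"], m["rest"]
        for etype, sig in SIGNATURES.items():
            hit = sig.search(rest)
            if not hit:
                continue
            score = BASE_RISK[etype]
            if etype == "auth_failure":
                failures[host] += 1
            elif etype == "auth_success" and failures[host] >= 3:
                score += 2  # success immediately after a burst of failures
            elif etype == "root_action" and any(o in hit["cmd"] for o in CRITICAL_OBJECTS):
                score += 2  # root-level access to a critical object
            score *= ASSET_CRITICALITY.get(host, 1)  # target correlation
            if score >= ALERT_THRESHOLD:
                alerts.append((host, etype, score))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields alerts only for the login-after-failures and the password-file read on the high-criticality host; the same lines attributed to the low-criticality host produce a single alert for the root action.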
