Network intrusions are among the most challenging kinds of computer crime to investigate, especially when dealing with sophisticated, highly motivated intruders. Given the dynamic nature of networks, investigators must act quickly to locate and preserve potential evidence before it is lost or altered, all without disrupting operations of the organization.
Investigators also have a very compressed timeframe to answer complex questions, including what sensitive information was exposed, how and when the intruders gained access, and where they can be apprehended. To answer these questions, it is necessary to sift and correlate large amounts of data quickly in various formats from systems in multiple time zones.
Locating and preserving evidence is even more difficult when intruders are actively attempting to conceal or destroy evidence. In addition, when intruders use customized toolsets, the response and investigation may only be formulated as evidence of the intrusion is uncovered. Consequently, investigations of these intrusions are highly reactive, and outof-the-box forensic products are generally insufficient—we must combine various existing tools and methods, and develop custom tools and solutions for the specific case. For instance, investigators may need to perform advanced program analysis and create antidotes— specialized scanning and monitoring tools that detect and counteract the intruder’s tools.
Following the path of least resistance, even sophisticated intruders gain entry to networks through widely known vulnerabilities. Generally they only need to exercise their technical sophistication to maintain a foothold in the compromised network, conceal their presence, and pilfer valuable data.
Careful intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering datetime stamps, and installing their own utilities to subvert the operating system. Programs like Hacker Defender alter the kernel and return false information to system calls, rendering useless most tools that incident responders have traditionally used to examine a live system for signs of compromise.
In addition to hiding suspicious files, processes, listening ports, and other signs of compromise from trusted utilities that incident responders run from a compact disk, these newer kernel rootkits can even subvert tools specifically designed to detect earlier generations of rootkits. In addition, tools are being developed specifically to make forensic examination more difficult.
This article describes how computer security professionals and digital investigators can work together to respond more effectively to major security breaches, and focuses on current challenges, recent advances, and future needs.
Click here to download the full paper