Network forensics and the inside job


FORENSICS

Simon Perry, Vice President, Security Strategy, CA EMEA

According to recent studies undertaken by the FBI and Computer Security Institute, 80% of network attacks are instigated by authorised users and not by an external hacker. How can network forensics help uncover the inside job?

In many organizations, employee fraud and the risks created by sloppy exposure of passwords, and malicious damage from within the security perimeter, are treated as an accepted (if not acceptable) cost of doing business. The total cost of employee fraud to businesses is difficult to estimate because most employers are reluctant to admit to the problem, although in the UK this year the DTI Information Security Breaches Survey found that the average cost to large businesses of a major security incident was more than $170,000 – and 87% of them had experienced a breach. 65% reported staff misuse of computer systems. Whatever the true cost, internal threats certainly cost millions more every year than losses from viruses or spyware. Moreover, companies are being asked more often than in the past to prove the state of their security, due to regulatory pressure, which usually involves demonstrating strong capabilities around incident investigation and remediation. That external threats get all the attention is easy to understand. Hackers ‘attack’ and viruses ‘strike’, adding the essential time element that makes the threat newsworthy. The consequence is a disproportionate amount of exposure in relation to the threat.

False alarms

Take the virus threat against the mobile platform, for example. Much has been written about this potential doom for the mobile generation, but as yet evidence of any actual damage caused is very difficult to find. That isn’t to say that it won’t grow as a threat, or that we shouldn’t consider future potential threats, but with all the damage being caused to our IT systems and our businesses right now, the amount of press attention mobile malware receives is extraordinary. Meanwhile the real areas of future ‘call to action’ in security are sometimes hidden behind the resultant smoke screen of hype, and it is to these that we must look carefully. The truth is that the ‘next big thing’ is in fact rarely the next ‘big’ thing at all; it is just the next new thing.

December 2006

Extension to best practice

For instance, we are now definitely seeing signs that the next ‘next big thing’ may actually be a solid and logical extension to current best practice, and one that addresses a real, current requirement: the application of forensics skills and tools as a means to investigate security failures and breaches at a network level. Investigating attacks and incidents is by no means ‘new news’ to the IT security industry. For as long as there have been IT systems there has been a need to investigate problems with those systems. What is new is that more companies are now taking a more detailed and disciplined approach to security investigations, to the extent that they may be more accurately termed “forensics investigations”. The important difference between a simple investigation and a forensics investigation is that the latter is attuned to the requirements of the legal system with regard to evidence gathering and handling, and the approach required to ensure admissibility of gathered evidence in legal proceedings. It is true that even forensics is not entirely new: at least five years ago I was already visiting some large organizations in North America, particularly in the financial services sector, that had dedicated IT forensics departments: teams of individuals who spent their time tracking and mirroring disks from computers suspected of having been used in some malicious or inappropriate manner to cause harm to the company. The average perpetrator of these kinds of activities rarely takes precautions to cover their tracks or thinks that they will get caught, and so simply opening up their computer’s disk will provide all the evidence that is needed. For that reason IT forensics has stayed pretty much at the disk level.

Lack of know-how

Financial services companies obviously have much to lose from activities such as employee fraud, and so their proactivity is to be expected. It is worth noting, however, that the skills required to conduct such investigations have until now been so lacking that it might be said even the best forensics investigator would struggle to find any pool of such skills anywhere. Certainly the lack of expertise and resources within the conventional law enforcement community for investigating computer crimes has meant that private organizations have had to take it upon themselves to investigate any suspected cases of IT fraud or misuse, gathering the necessary evidence either to take action against employees or to hand over to law enforcement for prosecution. For most organizations, however, the need to investigate security breaches was a case of ‘I’ll worry about it when it happens to me’ and ‘I’m sure I ought to do it, but I have other things to worry about.’

Key drivers for network forensics

• The high toll of the average security incident
• Companies are increasingly required to prove their state of security for regulatory purposes
• It is increasingly difficult for a company to ignore a security breach
• Microsoft Vista encrypts disks by default, which complicates traditional forensics approaches
• Law enforcement has limitations when addressing IT security attacks

Network Security


Three key developments

Three developments are taking place in the industry that make the ‘ought to do’ attitude very much a ‘have to do’ attitude. They are also responsible for moving IT forensics from the disk level to the network level, and are the reason why network forensics is becoming the next big thing in IT security.

Firstly, it is now increasingly difficult for a company that has suffered a security breach to sweep the fact under the carpet. In the past it was in fact very common for companies to turn something of a blind eye to breaches, and even simply to dismiss quietly an employee who was involved in a security incident. Over the last few years (and especially the last 12 months) we have witnessed numerous significant and public ID theft breaches with various levels of damage caused, from the embarrassment of having the salaries of BBC employees exposed to the public, to the sale of confidential customer information by call centre employees. The US-based Privacy Rights Clearinghouse organization (http://privacyrights.org) has documented the fact that in excess of 93 million private data records of US citizens and residents have been exposed due to security breaches since early 2005. Privacy Rights’ chronology of data breaches is sobering reading in this regard (http://www.privacyrights.org/ar/ChronDataBreaches.htm).

Boards under pressure

Fuelled by (understandable) citizen and government outrage over such breaches, Boards of Directors now find themselves under increasing pressure to ensure that they adequately prevent breaches however possible, and investigate any that occur. They are now less willing to accept breaches and exposure as an accepted cost of doing business. In addition, new regulations are coming into play that could make this not just a good governance practice but a compliance requirement. Probably the most well known is California’s SB1386, which requires any organization doing business in the US to notify its customer base of a data breach within three days of it taking place, should the company’s customers reside in California and personally identifiable data be released. Questions will start to be asked of the IT department about how they are helping the company avoid breaking these regulations, and that pressure will be the catalyst for forensics becoming a must-have security process.


Vista’s new dimension

The second factor that is shifting the approach to cyber forensics is the imminent launch of the Microsoft Vista operating system, which will put the ‘network’ into ‘network forensics’: Vista adds a new dimension by encrypting the disk by default. Whilst my previous example of a dedicated forensics team mirroring a computer’s disk is the most obvious way to conduct a forensics investigation, more common encryption of disk content will make this approach very difficult. In the case of investigations taking place without the knowledge of the (investigation) target it becomes all but impossible.

Future barriers

Encryption is not new and is easy for anyone to do, but, as already stated, even when people are doing bad things they often fail to follow the most basic processes to cover their tracks. Encryption that is switched on by default removes that advantage for the investigator, and will make computer-based forensics problematic. In that situation, the ability to read documents as they pass over the network becomes vital.

Experienced forensics investigators can even deal with document-level encryption. Even if the user does encrypt the document so it can’t be read in cleartext as it passes over the network, a good network forensic investigation can highlight suspect behaviour and build a body of evidence. They can still see, for instance, that transmissions have taken place from machine A to machine B, using such and such a protocol, and identify document characteristics such as type and size. For instance, if you are worried that a departed sales manager has stolen confidential client and sales forecast information and taken it to their new company, an investigation of the activity emanating from their account, including where emails are being sent to, whether they have attachments and what size those attachments are, could provide enough evidence to take action (albeit such evidence may not be enough to prove a case in a court of law).

Finally, the ongoing limitations of traditional law enforcement will ensure that network forensics is undertaken at a private level. For instance in the UK, where the National High Tech Crime Unit is being merged into the Serious Organised Crime Agency (April 2006), the IT capabilities and resources of UK law enforcement would seem to have only been diluted further. To investigate a breach or any kind of behaviour, law enforcement will be reliant on organizations to conduct investigations and build a body of evidence that they can then use to decide whether to prosecute an offender.

It might seem a logical conclusion, therefore, that every organization will soon have its own forensics department and be running network forensics in-house. However, it isn’t just a case of having the software tools to conduct the investigation. For evidence to hold up in court, proper procedure needs to be observed and careful processes followed. At a very basic level an investigator needs to know what they are looking for and what certain types of activity mean.

An amateur investigation by an inexperienced IT department could have quite the opposite effect of responsible network forensics. At best, the resultant evidence will be deemed inadmissible to a court of law, and at worst the investigation could be construed to be a breach of standing company procedure and relevant privacy laws. This could result in an organization getting into serious trouble for inappropriate investigatory practices. IT forensics investigation veers too close to too many different legal requirements to be approached unprofessionally.

ISPs are an obvious candidate for using network forensics themselves as pressure increases on them to take responsibility for what passes over their networks. Network forensics could in fact protect them from some of the more ethically difficult questions about how they monitor their networks by demonstrating a capability to investigate an incident when it occurs without having to constantly monitor traffic or impinge on the privacy of the vast majority of ‘good’ users.

In addition, those large organizations that currently have in-house computer forensics teams will no doubt adopt network forensics into their repertoire, since they already have the expertise and resources. For the rest, network forensics will probably be adopted as a managed service from specialist and trusted service providers. We are already starting to see organizations with the correct investigatory expertise and capabilities offering these kinds of services, and we are also seeing interest in these services from companies eager to stop fraud being a cost of doing business.
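The departed-sales-manager investigation described above works on transmission metadata (sender, recipient, attachment type and size) rather than content, so it survives document-level encryption. The script below is an added example, not code from the article: the log format, the account names and domains, and the sample log lines are all constructed for illustration, and the evidence_digest helper records a hash of the captured log before analysis, a basic step towards showing later that the evidence was not altered.

```python
import hashlib
import re
from collections import defaultdict

# Constructed log format (not a real gateway's), one message per line:
#   <ISO time> <sender> -> <recipient> attach=<filename or -> size=<bytes>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sender>\S+) -> (?P<rcpt>\S+) "
                     r"attach=(?P<attach>\S+) size=(?P<size>\d+)$")

# Constructed sample: one account mailing large files to outside addresses.
SAMPLE_LOG = """\
2006-11-28T09:02:11 j.smith@example.com -> a.jones@example.com attach=- size=2311
2006-11-28T18:41:05 j.smith@example.com -> jsmith@webmail.example.net attach=forecast_q4.xls size=1843200
2006-11-28T18:43:27 j.smith@example.com -> jsmith@webmail.example.net attach=clients.zip.pgp size=5242880
2006-11-29T08:15:40 j.smith@example.com -> b.lee@example.com attach=notes.txt size=4096
2006-11-29T22:07:12 j.smith@example.com -> sales@rival.example.org attach=pipeline.pgp size=3145728
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    # The file extension stays visible even when the content is encrypted.
    rec["ext"] = None if rec["attach"] == "-" else rec["attach"].rsplit(".", 1)[-1].lower()
    return rec

def summarise_account(log_text, account, home_domain, min_size=1_000_000):
    """Per external recipient domain: message count, total bytes, file types.
    Only mail from `account` to a recipient outside `home_domain` that carries
    an attachment of at least `min_size` bytes is counted."""
    notable = defaultdict(lambda: {"count": 0, "bytes": 0, "types": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sender"] != account:
            continue
        rcpt_domain = rec["rcpt"].rsplit("@", 1)[-1]
        if rcpt_domain == home_domain or rec["ext"] is None or rec["size"] < min_size:
            continue
        entry = notable[rcpt_domain]
        entry["count"] += 1
        entry["bytes"] += rec["size"]
        entry["types"].add(rec["ext"])
    return dict(notable)

def evidence_digest(log_text):
    """SHA-256 of the captured log, recorded before analysis to show it is unchanged."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()
```

Running summarise_account(SAMPLE_LOG, "j.smith@example.com", "example.com") reports two large transfers to a webmail address and one to a competitor's domain, which is the pattern the article says is enough to act on internally even though the .pgp content cannot be read.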

Conclusion

All of the reasons stated here are driving the growth of network forensics, and I anticipate that we will see a great deal of activity in this area. Large security vendors are starting to look for network forensics solutions to add to their portfolios, and I expect the small niche vendors that currently own much of the technology will be swallowed up quite quickly. User demand will drive this harder, particularly if some of the breach disclosure proposals become law. For the first time I believe we will actually see a security technology related to the more significant internal threat overtake external threats to stake the claim as the next big thing in IT security.

About the author

Simon Perry is Vice President of Security Strategy for CA EMEA. He works with CA customers to develop policies, processes and systems to better manage security as part of the overall IT environment. He was recently appointed to the Permanent Stakeholder Group of the European Network and Information Security Agency (ENISA), a European Union agency. The mission of the agency is to assist the Community to achieve high levels of network and information security.

KEY MANAGEMENT

Cryptographic key management for the masses

Bruce Potter

Keeping track of cryptographic keys has usually been considered something of a ‘no-brainer’ – simpler, in fact, than keeping tabs on what office keys users have. This must change, though, if a jangling result is to be avoided.

As we have adopted more security products for our enterprises, we have also had to accept the fact that all of these products need to be managed. Management consoles for IDSs and firewalls, policy management servers for AV, and many audit trails need to be kept track of. As useful as firewalls, IDS, and AV programs are, they would be impossible to operate at a large scale without these sophisticated management interfaces.

Cryptographic key management, however, has not been an area of concern. Historically keys have taken several forms. SSL keys on webservers tend to only number in the tens or hundreds in an enterprise and are not often compromised or rotated. Administration keys, such as those used in SSH, are usually managed directly by the users and administrators. The largest and most complicated use of cryptographic keys is often a public key infrastructure. However, many PKI systems are self contained; they have their own management, issuance, and revocation processes. PKI systems are the 800lb gorilla that stands on its own without interacting with any other key material in your network.

But as more and more IT systems have security features embedded in them, the need to manage the issuance, management, revocation, and auditing of keys is increasing dramatically.

Without preparing for this problem now, especially in the budget and architectural planning processes, you may end up with a tangled mess of encrypted data, confused users and administrators, and lost information that can never be recovered.


Keys that need to be managed

One of the largest sources of key material that will need to be managed comes from the Trusted Platform Module (TPM) that is being integrated into many new business PCs, such as those available from Dell and IBM. In the next several years this means that millions of PCs throughout