Network forensics can help you recover from a security breach and potentially catch the culprit.
By Paul Desmond
Network World, 09/11/00
You've got a sound security setup, with firewalls, intrusion detection, authentication and authorization - the gamut. Still, one day you find that valuable data is missing from a corporate server. You have no idea whether it's in the hands of an external hacker or a malicious insider. Now what do you do?
If you've tuned in to the latest security buzz, you'll have heard that finding the culprit may well require the expertise of a network forensics specialist. Network forensics involves finding the extent of a security breach and recovering lost data. Forensics experts also try to determine how the intruder got past your security mechanisms and, potentially, who the person is.
It seems there's good reason for the growing buzz. In its annual computer crime study released in March, the Computer Security Institute (CSI) found that 90% of 643 companies and government agencies it surveyed detected a computer security breach within the previous year and 74% acknowledged financial losses. The total loss for the 273 respondents that were able to quantify it was more than $265 million, an average of nearly $1 million each. That's more than twice the loss of about $120 million reported in the 1999 CSI study.

Each of the Big 5 accounting firms has forensics practices, as do consulting outfits such as METASeS, a Meta Group spinoff in Atlanta.
In addition, many vendors sell products that help with forensics, from log analyzers to programs that make an image of computer hard drives. You should use some of these, such as logging tools, to gather data regularly. Others, including the imaging products, are meant for use only by experts as part of their forensics process.
Forensics feeds off data collected by intrusion-detection systems, firewalls, switches, routers, servers and various other devices. Forensics evidence exists in three main places: on the perpetrator's computer, on the "victim" computer and on the network devices in between the two, notes Mark Pollitt, unit chief of the Computer Analysis Response Team for the FBI Laboratory in Washington, D.C. The key to finding the culprit is to be dogged about collecting log data from each device in the chain.
"Logs are the key to everything," agrees John Frazier, chief information security officer at i2 Technologies, a vendor of supply-chain management tools. "When there are no logs, there is no way to evaluate the extent to which you've been compromised."
It's important to store copies of logs from any given device on a separate server. Doing so will reduce the chance of an intruder compromising the log to cover his tracks, says Steph Marr, vice president of information security for Predictive Systems, a New York network consulting firm. For devices such as routers and switches that pump out system log records, Marr recommends keeping a copy of those logs on the same subnet as the device and periodically forwarding copies to a centralized server. That could help forensics experts find a series of seemingly innocuous events that, taken together, indicate an attack.
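The value of centralized logs, as Marr describes it, is that events which look harmless on each individual device can be lined up by source and time once they sit on one server. The following Python script is an added example (not part of the original article or any product it mentions) of that kind of cross-device correlation. The log lines, device names and addresses are constructed for illustration; the event classes, the 30-minute window and the "probe, then failed login, then successful login, seen on at least two devices" rule are assumptions chosen to show the idea, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines copied to a central server from three devices,
# in a syslog-like "<timestamp> <device> <message>" form. Every line on its
# own is routine; only the sequence from 10.9.9.9 tells a story.
SAMPLE_LOGS = """\
2000-09-11T02:14:07 fw-edge DENY tcp 10.9.9.9:41022 -> 192.0.2.10:22
2000-09-11T02:14:09 fw-edge DENY tcp 10.9.9.9:41023 -> 192.0.2.10:23
2000-09-11T02:15:31 fw-edge ALLOW tcp 10.9.9.9:41030 -> 192.0.2.10:80
2000-09-11T02:16:02 srv-web auth failure for user admin from 10.9.9.9
2000-09-11T02:16:40 srv-web auth failure for user root from 10.9.9.9
2000-09-11T02:17:55 srv-web auth success for user admin from 10.9.9.9
2000-09-11T02:18:10 rtr-core acl permit 10.9.9.9 -> 192.0.2.50 (db subnet)
2000-09-11T03:40:00 fw-edge DENY tcp 198.51.100.7:5555 -> 192.0.2.10:22
2000-09-11T09:02:11 srv-web auth failure for user bob from 10.1.2.3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Each message is reduced to an event kind plus the source address it names.
# These patterns match only the constructed formats above (assumed formats).
CLASSIFIERS = [
    ("probe", re.compile(r"DENY \w+ " + IPV4 + r":\d+")),
    ("auth_fail", re.compile(r"auth failure for user \S+ from " + IPV4)),
    ("auth_success", re.compile(r"auth success for user \S+ from " + IPV4)),
    ("deep_access", re.compile(r"acl permit " + IPV4 + r" -> \S+ \(db subnet\)")),
]


def parse_line(line):
    """Return {ts, device, kind, src} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, device, msg = m.groups()
    for kind, rx in CLASSIFIERS:
        hit = rx.search(msg)
        if hit:
            return {"ts": datetime.fromisoformat(ts), "device": device,
                    "kind": kind, "src": hit.group(1)}
    return None


def correlate(log_text, window=timedelta(minutes=30), min_devices=2,
              required=("probe", "auth_fail", "auth_success")):
    """Group events by source address and flag any source whose events,
    inside one time window, cover every required kind and come from at
    least min_devices distinct devices. Returns {src: summary}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # Sliding window anchored at each event in turn.
            cluster = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            kinds = {e["kind"] for e in cluster}
            devices = {e["device"] for e in cluster}
            if all(k in kinds for k in required) and len(devices) >= min_devices:
                findings[src] = {
                    "start": start["ts"].isoformat(),
                    "devices": sorted(devices),
                    "kinds": sorted(kinds),
                    "events": len(cluster),
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, summary in correlate(SAMPLE_LOGS).items():
        print(src, summary)
```

Run as-is, the script flags only 10.9.9.9, whose denied probes, two failed logins, a successful login and a later hop toward the database subnet span three devices inside a few minutes; the lone probe from 198.51.100.7 and the single failed login from 10.1.2.3 stay below the rule. The same correlation is impossible if each device keeps its logs only locally, which is the point of Marr's advice to forward copies to a central server.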
Hold the line
Understanding the forensics buzz means knowing what to do if you ever have to call in those forces. Should your company be the victim of an attack, the first order of business is to take the victim computer offline. Secure it as a crime scene until forensics experts can take an image of it, Pollitt says.
You must forbid access to the area to preserve fingerprints, and isolate any phone lines that could dial in to the attacked computers, says Paul Raines, vice president of electronic security for The Federal Reserve Bank of New York, which has its own forensics unit. If the computer is off, don't turn it on, as that could launch viruses and change timestamps and other important evidence, he advises. Photograph the scene, including connections to any peripheral, so you can refer to them should the machine need to be disassembled for examination.
Reducing your risk
A critical precaution is to create what Predictive Systems' Marr calls "interior zone boundaries," which establish security perimeters around groups within an organization. Such boundaries make it difficult for internal personnel to access systems where they don't belong and for outside intruders to get deep into the corporate network.
"If there are no zone boundaries, then the scope of a forensics investigation increases vastly," Marr says. "There is almost no organization of any appreciable size where one zone is appropriate."
Experts also recommend that companies establish a computer emergency response team (CERT) and give each member specific duties to perform in response to a security incident. A typical CERT includes a chief information officer-level executive with decision-making authority, a corporate security professional, perhaps legal counsel, a human resources representative and a public relations specialist, says K.J. Kuchta, national director of computer forensics services for METASeS.
It's a good idea to schedule an attack drill and see how the CERT responds. "Frankly, the first time a team is called to action, they generally don't perform to the level you'd expect," Kuchta says.
Another good precaution is to install software that checks on key databases, server systems and applications, says Ulf Munkedal, CEO and president of VIGILANTe.com, a Melville, N.Y., company that offers a security assessment service over the Internet. If you suspect tampering, you can run new checks and compare them against the old to find out if anything has changed.
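Munkedal's precaution amounts to taking a baseline of the systems you care about and diffing a fresh check against it when you suspect tampering. The following Python script is an added example of that baseline-and-compare approach; it is not code from the article or from VIGILANTe.com. It records a SHA-256 digest, size and permission bits for every file under a directory, stores that baseline as JSON, and later reports what was added, removed or changed. The directory layout, file names and the "tampering" it simulates are constructed for the demonstration; storing the baseline on a host other than the one being checked is an assumption that follows the article's earlier advice about keeping logs elsewhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline of every regular file under root: {relative path: attributes}.
    Symlinks are skipped so a link to /etc/passwd does not get hashed as
    if it were the tree's own content. Timestamps are deliberately left
    out: they are trivial to forge and would produce false changes."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, path):
    # Assumed deployment: this file lives on a separate, better-protected host,
    # otherwise an intruder can simply re-baseline after modifying the system.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two snapshots. A file counts as modified if any recorded
    attribute differs, so a permission change alone is reported."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as vault:
        root = Path(tree)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("db_host=db.example.internal\n")
        (root / "app" / "server.bin").write_bytes(b"\x7fELF constructed binary")
        (root / "app" / "README").write_text("constructed sample tree\n")

        store = Path(vault) / "baseline.json"
        save_baseline(snapshot(root), store)

        # Simulated tampering: an edited config, a dropped-in library, a removed file.
        (root / "app" / "config.ini").write_text("db_host=10.9.9.9\n")
        (root / "app" / "backdoor.so").write_bytes(b"constructed unexpected file")
        (root / "app" / "README").unlink()

        return compare(load_baseline(store), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three buckets: config.ini as modified, backdoor.so as added and README as removed. The baseline file must be taken while the system is known-good and kept out of reach of anyone who could alter the monitored hosts; a baseline written after the fact only certifies the tampered state.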
Paying the tab
Such precautions can drastically cut the time it takes for a forensics investigation, and that can help keep costs down. Predictive Systems performs two to three large-scale forensics efforts per quarter, meaning a team of at least four people working for at least six weeks. That can cost $500,000, Marr says.
Kuchta confirms rates run from $250 to $300 per hour for forensics work.
Whether you want to spend that kind of money to get to the bottom of a security incident will depend on how much you stand to lose financially. One client Marr worked with had a joint development agreement with another firm whereby each was contractually liable to maintain the integrity of a development database. If either company lost containment, it would have to pay the other $100 million.
When one of the companies suspected an employee of compromising the database, it called in Marr's firm to assess the damage. Predictive Systems deconstructed the development environment and verified that the employee had not subverted the source code control system. It then used audit records from the control system to verify the source code was intact, thus avoiding a full-scale code review, Marr says. "It made sense for the company to spend $1.5 million to guarantee its total liability wouldn't be anything close to $100 million."
Desmond is vice president of King Content, a strategic publishing company in Framingham, Mass. He can be reached at paul_desmond@king-content.com.