In part 1 of this series I discussed the use of digital forensics as a legitimate science in court for expert witnesses. In this installment of the series I will introduce some research in this article to help drive positive change.
I believe using scientific methods, such as The Supreme Court of the United States (SCOTUS) decided was minimally required in the outcome of the Daubert case, can lead to statistical outcomes of fairer expert answers rather than just the typical three answers of "Yes", "No", or "That's just how computers work" as a conclusion. Introducing the scientific method and statistically based expert answers leaves room for weight between a probability of 0 and 1. A judge or layman jury can use that weight from the statistical outcome for a more informed decision when comparing it to other weights from other tests in the case. It is well known that other forensic sciences such as fingerprinting, drug testing, forensic pathology, DNA testing, and so on use probabilities, so it would not be a great leap to apply it to our newer sciences. Furthermore, in a number of instances other methodologies even use a rate of error which is discussed in the Daubert case. I have yet to personally see others introduce numerical statistics on the record for digital forensics, let alone a rate of error. That needs to change.
This example is a very common question I am asked by clients on nearly any project, especially data loss prevention scenarios and desperately needs to be researched using scientific methods. I wanted to know if I could detect if computer media was wiped. I would also like to know what program was used to wipe the data, if possible. Imagine a situation where an internal employee "went bad" and copied information to a USB memory stick and walked out with the company's crown jewels. The data could be worth billions of dollars and the victim company would most likely litigate. If the same USB memory stick was turned over for examination, would it be possible to detect data wiping? You cannot see what programs were installed on the computer(s) the memory stick was plugged into (because computer(s) were not produced); therefore you do not know if there was a wiping program present. There are many wiping tools available on the internet. It would be near impossible to download every one and try to write a signature for each. That is similar to writing static signatures for every piece of malware which is a nightmare.
It’s 4 AM and the alarm reminds me that I’ve been awake for an hour or more after grabbing a couple hours of shuteye sometime after midnight. The realization of a 45-minute drive, with a stop off at the office to pick up equipment, breaks my intense contemplation of what it was like to have regular hours. I meet my fellow investigator at the office and we head to the train station. Some eight hours prior, we learned that a company had been hit with a very nasty malware attack sometime in the previous few days. The story was familiar and both I and my compadre could relate the basic details without even hearing them.
A number of employees received a phishing email designed to look like benign financial communications. The emails contained attachments purporting to be financial documents and were designed to look like they arrived from an innocuous sender. The emails were sophisticated and convincing enough to pass a quick skeptical glance and several employees opened the attachments. As it turned out, executed was probably a better description of what was done with the attachments. One of the employees was using a workstation vulnerable to the malware attachments and the malware did its job which resulted in a large number of important documents being rendered inaccessible. Therefore, the client decided to bring in outside consultation which brought me to rolling out of the rack at 0400.
At 6:30 AM, the sun is finally up as the train rolls out of the station. My partner and I luck out and get a decent workspace at the front of a car. We decide to make the most of the ride by going over what we know about the incident. Luckily, my MiFi works relatively well on the train. The client’s description of the incident provides plenty of fodder for research. As we discuss the details, I have to keep the investigator in me at bay. My instinct is to drop into the client site and deep dive into technical details in an attempt to fully understand the malicious activity and associated malware. Instead, the more practical approach is to determine what questions to ask and prepare to listen to what the client describes, and perhaps more importantly, listen for the outcome the client desires. This preparation time is crucial as it is nigh on impossible for my team to anticipate every type of incident and have a checklist or process guide to follow in every case. This particular incident involved crimeware.
I have a friend who is an executive in a small to medium sized company that operates in the technology sector and has a great deal of intellectual property invested in their software. They are very good at what they do and have an international presence. We have spoken at length about their IT security posture and what precautions they have taken to safeguard their network and software. This company is now in the process of being acquired. While most of the work through this acquisition is likely to focus on employee retention and payouts, this is a perilous time for both companies. As soon as they issue the inevitable press release, threat actors will start probing their networks -if they are not already there- looking for vulnerabilities to get in.
We have seen time and again during mergers and acquisitions, little to no thought is given to network security. Things like connectivity, email servers, file shares, etc. are all given priority over installing the proper safeguards. Given the great number of unknowns when bringing two companies together, it is imperative to slow down and ask some basic questions:
Have both networks gone through a breach assessment?
Do both companies have documentation showing assets, approved software programs, network diagrams, change management processes and other policies?
Is there a detailed and organized plan to bring the different networks online together?
Have the CISO and the CRO/CRMO talked about the specific cyber risks involved?
This is not a simple, get our IT guys together and figure it out exercise. There are likely two different sets of policies and organizational cultures coming together. It will take time to sort out these differences and unify the organizations. This is the perfect time for both IT teams to identify security gaps in their networks.
In part 1 of this series I focused on the use of the scientific method in computer forensic expert testimony. Now I would like to use a real life example of it in action. I have successfully used an example similar to this in court as an expert witness in digital forensics (the details have been changed to protect the parties involved). Theory is great, but seeing real results come alive before your very eyes is much more useful and persuasive so I hope it helps convince you that this is a really important topic that we; the industry’s practitioners, voice, and leaders, must embrace and use with confidence.
When choosing a controversial subject in computer forensics where this type of analysis could help, I believe determining the true time of events in a case is an aspect that is usually disagreed upon vigorously by opposing parties and the perfect choice for this article. If your expert opinion is that a document was signed at noon on a certain day, but the opposing party says you do not have enough information to present that opinion – it may be the right time to think about the problem scientifically, using a scientific methodology, statistics, and reproducible results as the Daubert decision requires.
In our example, imagine the scenario happened many years prior so key computers no longer exist and other computers exist but have been heavily upgraded – losing all of your “smoking gun” information. Luckily, anticipating litigation, some key logs were saved along with the documents to be physically signed by a human being. Of course a full forensic duplication was not acquired because that would make our job too easy, but the relevant files were instead moved to a different piece of media which destroyed the important file system metadata associated with the files while still keeping the internal file content intact.
Since becoming part of the Fidelis Network Defense & Forensics Team a year ago, I’ve had the opportunity to have some great discussions with our customers. We’ve talked about their pain points and how the various vendors offer to help them increase their cybersecurity posture. One of the main buzz words that I kept hearing was “industry best practices.” This sounds so professional and exactly like the thing that would interest anyone looking for help in defending their network. What amazed me though is that when I asked what standard the vendor was using for their security assessment I would often get the response “I don’t know.”
We all know that each customer will have a unique environment based on infrastructure architecture, various equipment, legacy systems that must be maintained, and many other variables. However, there are some baselines that everyone should be following in order to ensure they are defending themselves. Having worked at an International Organization for Standardization (ISO) accredited laboratory, I’ve had the opportunity to see the value of working from a community wide accepted standard. While it does take some work to meet those standards, using a standards tool as the basis for an assessment is invaluable. Standards allow you to methodically and efficiently help your customer assess where they stand in defending their network. They also allow you to branch off to additional lines of questions when coming across those unique environments.
There are many organizations that have published standards on cybersecurity such as NIST, ISO, ANSI, IASME, and IETF. Here at Fidelis we use the Consensus Audit Guidelines (CAG 20) (PDF), also known as the “Twenty Critical Security Controls for Effective Cyber Defense” for those who prefer the proper name. The twenty critical security controls is a bit misleading though as there are 184 sub-controls in the current standard. We use this standard as the basis for the proactive assessments that we do for our customers as well as keeping it in mind as we help customers remediate from a breach.
The CAG 20 is a subset of the very in-depth NIST SP 800-53 (PDF) document and is intended to be immediate high-value actions that an entity can accomplish to increase their security posture. It was developed by a consensus of government and commercial entities. Some of the agencies that were involved in the initial development of the CAG 20 are US-CERT, DC3, Department of Energy, the banking industry as well as the various ISACs. It is now maintained by the Council on Cybersecurity which is an international non-profit organization.
I would be remiss without including the CAG 20 as a point of reference for everyone.
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
If you get a proposal from a vendor offering to use “industry best practices” make sure that you ask questions so you know what you are getting. If they don’t have an answer or seem to be uncomfortable with discussing the details, you should start to wonder…they may be talking the talk but can they walk the walk?