Forensics techniques offer promise when adapted to malware hunt: AccessData

Many of the best practices around detecting malware on corporate networks can be adapted from conventional forensic analysis techniques used by police investigators during criminal investigations, according to AccessData international sales director Simon Whitburn.

Since 1987, AccessData has worked with law enforcement and government agencies around the world – it has over 130,000 users – to help enforce legal discovery orders on systems with data that might be encrypted or otherwise obscured.

And while ‘white-hat’ hackers have long found ways of infiltrating secure systems to extract evidence – “to find the smoking gun”, Whitburn says – the size of the data sets they are analysing has proven increasingly challenging.

“A couple of years ago a large data set might have been 200GB,” he explains, “but now there are a few terabytes per person. It’s a massive challenge, especially when you’re talking about [catching] paedophiles and terrorists.”

Paedophiles and terrorists are likely to be much less of a problem for the average business, but applying some of the same data-harvesting techniques – and backing them with a comprehensive systems-logging infrastructure – is allowing AccessData to extend its capabilities into the fight against modern security threats.

The company’s recently released Summation 5.0 tool has been architected for interoperability with its back-end FTK forensics tool, simplifying the process. Network traffic and executable files are scanned for a range of characteristics, with potential threats sandboxed, scored and ranked according to their analysed behaviour.

“We’re looking for its different types of characteristics,” Whitburn says. “Does it call out to the Internet, does it encrypt itself, does it replicate? If you execute something like this it will change state – so we just put it in a sandbox and run through what it will do.”
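The scoring and ranking step described above, as an added example that is not AccessData's code: each sandbox run is reduced to the three characteristics Whitburn names (calling out to the Internet, encrypting or packing itself, replicating), plus process creation, and the samples are ranked by a weighted score. The report layout, the weights, the 7.0 bits-per-byte entropy threshold and the three sample reports are all constructed assumptions for illustration, not figures from the article or the product.

```python
"""Behaviour-based scoring and ranking of sandbox reports.

Added example, not AccessData code. The report fields, weights,
thresholds and sample data are assumptions chosen to illustrate the
characteristics named in the article.
"""
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass, field

# Assumed weights for each observed behaviour (not from the article).
WEIGHTS = {
    "external_callout": 30,   # contacts a hostname or a non-private address
    "internal_callout": 10,   # contacts only private / loopback addresses
    "high_entropy": 25,       # image looks packed or encrypted
    "replication": 30,        # writes a copy of itself somewhere else
    "spawns_process": 10,     # launches further processes
}
ENTROPY_THRESHOLD = 7.0       # bits per byte; plain code usually sits at 4-6


@dataclass
class SandboxReport:
    """What one sandbox run recorded for a sample (constructed layout)."""
    sample_path: str
    image: bytes                                  # bytes of the executable
    network_destinations: list = field(default_factory=list)
    files_written: list = field(default_factory=list)
    processes_spawned: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, text and code are far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _basename(path: str) -> str:
    """Last path component, tolerating Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_external(destination: str) -> bool:
    """Hostnames count as external; IPs do unless private or loopback."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return True
    return not (addr.is_private or addr.is_loopback)


def score_report(report: SandboxReport) -> tuple[int, list[str]]:
    """Return (score, reasons) for one sandbox run."""
    reasons = []
    if any(_is_external(d) for d in report.network_destinations):
        reasons.append("external_callout")
    elif report.network_destinations:
        reasons.append("internal_callout")
    if shannon_entropy(report.image) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    own_name = _basename(report.sample_path)
    # Replication: the sample wrote a file with its own name to another location.
    if any(_basename(p) == own_name and p != report.sample_path
           for p in report.files_written):
        reasons.append("replication")
    if report.processes_spawned:
        reasons.append("spawns_process")
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_reports(reports) -> list[tuple[str, int, list[str]]]:
    """Highest score first, so a responder looks at the worst sample first."""
    scored = [(r.sample_path, *score_report(r)) for r in reports]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample reports (not real malware, not real hosts).
REPORTS = [
    SandboxReport(                                # looks like a worm
        sample_path="C:\\Users\\jdoe\\Downloads\\invoice.exe",
        image=bytes(range(256)) * 4,              # uniform bytes: entropy 8.0
        network_destinations=["c2.example.net", "10.0.0.5"],
        files_written=["E:\\invoice.exe", "\\\\fileserver\\public\\invoice.exe"],
        processes_spawned=["cmd.exe"],
    ),
    SandboxReport(                                # an ordinary updater
        sample_path="C:\\Program Files\\Vendor\\updater.exe",
        image=b"MZ" + b"\x00" * 200 + b"This program cannot be run in DOS mode" * 5,
        network_destinations=["updates.example.com"],
        files_written=["C:\\Program Files\\Vendor\\updater.log"],
    ),
    SandboxReport(                                # internal-only admin tool
        sample_path="C:\\tools\\inventory.exe",
        image=b"MZ" + b"\x00" * 200 + b"inventory scan" * 10,
        network_destinations=["10.0.0.5"],
        processes_spawned=["wmic.exe"],
    ),
]

if __name__ == "__main__":
    for path, total, reasons in rank_reports(REPORTS):
        print(f"{total:3d}  {path}  {reasons}")
```

The entropy test is the usual cheap stand-in for "does it encrypt itself": a packed or encrypted image approaches 8 bits per byte, while an ordinary PE sits well below the threshold. Weights like these are a starting point for triage, not a verdict; the ranking is only as good as the behaviours the sandbox actually observed.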

Such real-time detection is increasingly being integrated with security information and event management (SIEM) systems such as HP ArcSight – for which AccessData’s tools were recently certified – to inform the overall threat response.

Complementing that is a forensic audit trail of network and user activity, which makes it easier to pinpoint activities that may compromise a company’s security posture.

This surveillance can and should be extended to removable devices such as USB drives, Whitburn adds: “Because we record everything, we can replay the communication protocols and look back to see that a particular code was added via USB last Thursday, from this IP address.”

“Our whole ethos is to get visibility of the data, pull it back, process it so it’s usable, and then serve it up. Whether it’s a forensic investigator, someone in litigation and compliance, or a security responder – they’re all different workflows, but it’s all about getting data and doing different things with it. By monitoring activity, we can help those people make those decisions.”
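The replay Whitburn describes (tracing a piece of code back to the USB volume it was copied from, on which day and from which address) comes down to correlating two event streams in the audit trail: device attach/detach events and file creation events. The following is an added example, not AccessData's code; the log format, field names, hosts, addresses and hashes are constructed for illustration, and a real agent would have its own schema.

```python
"""Replaying an endpoint audit trail to find how a file arrived.

Added example, not AccessData code. The log lines, field names, hosts,
addresses and hashes below are constructed for illustration.
"""
from datetime import datetime

# Constructed audit trail: a USB volume attached on WS-17 as E:, one file
# copied from it while attached, one copied from E: after it was detached,
# and unrelated noise from another host.
AUDIT_LOG = """\
2014-03-06T09:12:03 host=WS-17 src_ip=10.1.4.22 event=usb_attach serial=4C530001 mount=E:
2014-03-06T09:13:50 host=WS-04 src_ip=10.1.4.9 event=file_create path=C:\\Users\\asmith\\report.docx source=\\\\fileserver\\share\\report.docx sha256=aaaa
2014-03-06T09:14:41 host=WS-17 src_ip=10.1.4.22 event=file_create path=C:\\Users\\jdoe\\tools\\helper.exe source=E:\\helper.exe sha256=d3adb33f
2014-03-06T09:20:12 host=WS-17 src_ip=10.1.4.22 event=usb_detach serial=4C530001 mount=E:
2014-03-07T14:02:00 host=WS-17 src_ip=10.1.4.22 event=file_create path=C:\\Users\\jdoe\\notes.txt source=E:\\notes.txt sha256=bbbb
"""


def parse_events(text: str) -> list[dict]:
    """One dict per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for f in fields:
            key, _, value = f.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def usb_sessions(events: list[dict]) -> list[dict]:
    """Pair attach/detach events into (host, mount) sessions with time bounds."""
    open_sessions = {}
    sessions = []
    for ev in events:
        key = (ev["host"], ev.get("mount"))
        if ev["event"] == "usb_attach":
            session = {"host": ev["host"], "mount": ev["mount"],
                       "serial": ev["serial"], "src_ip": ev["src_ip"],
                       "attached": ev["ts"], "detached": None}
            open_sessions[key] = session
            sessions.append(session)
        elif ev["event"] == "usb_detach" and key in open_sessions:
            open_sessions.pop(key)["detached"] = ev["ts"]
    return sessions


def _mount_of(source: str):
    """'E:\\x.exe' -> 'E:'; UNC or relative sources have no drive mount."""
    return source[:2] if source[1:2] == ":" else None


def trace_arrival(events: list[dict], sha256: str) -> list[dict]:
    """For every creation of the file with this hash, report when, where and
    from which address it appeared, and the USB serial it came from if the
    source volume was attached on that host at that moment."""
    sessions = usb_sessions(events)
    hits = []
    for ev in events:
        if ev["event"] != "file_create" or ev.get("sha256") != sha256:
            continue
        mount = _mount_of(ev["source"])
        via_usb = None
        for s in sessions:
            active = s["attached"] <= ev["ts"] and (
                s["detached"] is None or ev["ts"] <= s["detached"])
            if s["host"] == ev["host"] and s["mount"] == mount and active:
                via_usb = s["serial"]
                break
        hits.append({
            "when": ev["ts"],
            "weekday": ev["ts"].strftime("%A"),
            "host": ev["host"],
            "src_ip": ev["src_ip"],
            "path": ev["path"],
            "via_usb": via_usb,
        })
    return hits


if __name__ == "__main__":
    for hit in trace_arrival(parse_events(AUDIT_LOG), "d3adb33f"):
        print(hit)
```

The interval check matters: a file whose source path is on E: is only attributed to the USB device if that volume was attached on the same host at the time of the write, which is why the second copy from E: (after the detach) is not tied to the serial. Without that check a replay would confidently name the wrong device.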


Stories by David Braue