Many of the best practices around detecting malware on corporate networks can be adapted from conventional forensic analysis techniques used by police investigators during criminal investigations, according to AccessData international sales director Simon Whitburn.
Since 1987, AccessData has worked with law enforcement and government agencies around the world – it has over 130,000 users – to help enforce legal discovery orders on systems with data that might be encrypted or otherwise obscured.
And while ‘white-hat’ hackers have long found ways of infiltrating secure systems to extract evidence – “to find the smoking gun”, Whitburn says – the size of the data sets they’re analysing had proven to be increasingly challenging.
“A couple of years ago a large data set might have been 200GB,” he explains, “but now there are a few terabytes per person. It’s a massive challenge, especially when you’re talking about [catching] paedophiles and terrorists.”
Paedophiles and terrorists are likely to be much less of a problem for the average business, but applying some of the same data-harvesting techniques – and backing them with a comprehensive systems-logging infrastructure – is allowing AccessData to extend its capabilities into the fight against modern security threats.
The company’s recently released Summation 5.0 tool has been architected for interoperability with its back-end FTK forensics tool, simplifying facilitating the process. Network traffic and executable files are scanned for a range of characteristics, with potential threats sandboxed, scored and ranked according to their analysed behaviour.
“We’re looking for its different types of characteristics,” Whitburn says. “Does it call out to the Internet, does it encrypt itself, does it replicate? If you execute something like this it will change state – so we just put it in a sandbox and run through what it will do.”
Such real-time detection is increasingly being integrated with security intelligence and event management (SIEM) systems such as HP ArcSight – for which AccessData’s tools were recently certified – to inform the overall threat response.
Complementing that is a forensic audit trail of network and user activity, which makes it easier to pinpoint activities that may compromise a company’s security posture.
This surveillance can and should be extended to removable devices such as USB drives, Whitburn adds: “Because we record everything, we can replay the communication protocols and look back to see that a particular code was added via USB last Thursday, from this IP address.”
“Our whole ethos is to get visibility of the data, pull it back, process it so it’s usable, and then serve it up. Whether it’s a forensic investigator, someone in litigation and compliance, or a security responder – they’re all different workflows, but it’s all about getting data and doing different things with it. By monitoring activity, we can help those people make those decisions.”