Oct 24, 2008 (08:10 PM EDT)
Forensic Teams Take On Hackers
Read the Original Article at InformationWeek
When it comes to securing data, ignorance is not bliss. Attackers are increasingly installing back doors that let them capture transactions as they're transmitted over the network. Consider the TJX attack: Credit card data was stolen for months, with no one the wiser. The sophistication of today's cybercriminals is evidenced by the 2008 CSI Computer Crime & Security Survey's results, which indicate that stealthy, highly targeted attacks have gone from hypothetical a few years ago to a significant problem today. Forget glory; it's now all about the money.
Because attackers are primarily motivated by financial gain, as soon as they have your data, it's being converted into profit by selling identities and corporate secrets and draining bank accounts. Speed is vital, so the time may be right to assemble a forensic SWAT team trained to locate high-risk threats, armed with the latest investigative software, and empowered to work directly with legal counsel to report breaches in accordance with policy.
METHOD IN THE MADNESS
STEM THE TIDE
The caveat to these enterprise incident-response and forensic tools is that they can cost tens to hundreds of thousands of dollars to fully implement throughout an enterprise, and the majority of the investigator's actions must be done through the product's interface, limiting use of other forensic tools. This isn't the case for one of the newest companies entering this market, Agile Risk Management.
The area of forensics that's received the most vendor attention and research over the past two years is Windows memory analysis. Every enterprise forensic tool has added memory imaging in the past 12 to 18 months, with varying depth of analysis of the acquired images. The Volatility Framework is an open source tool leading the way with its ability to list running processes, open network ports, and the files opened and DLLs loaded by each process; it can also extract executables from memory for further analysis.
HBGary is a leader in the commercial Windows memory analysis field. Its Responder can image Windows physical memory, analyze memory images from other tools, perform analysis of memory to determine details such as those found by the Volatility Framework, and automatically reverse-engineer malware.
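The two paragraphs above describe what memory-analysis tools such as Volatility and Responder do: enumerate processes from a memory image and carve executables out of it. The added example below (not code from the article, Volatility or HBGary) illustrates the core idea on a constructed, simplified image: it walks the process list the way the live OS would, then scans the whole image for process records by tag, so a record that a stealthy back door unlinked from the list still shows up; it also carves PE images by validating the MZ header's e_lfanew pointer against the "PE\0\0" signature. The "PROC" tag and record layout are invented for the example and are not the real Windows EPROCESS format.

```python
import struct

TAG = b"PROC"                    # constructed pool tag, not Windows' real EPROCESS tag
REC = struct.Struct("<4sII16s")  # tag, pid, offset of next record (0 = end), name

def build_image() -> bytes:
    """Construct a tiny fake memory image: three linked process records,
    one unlinked (hidden) record, and one minimal PE header to carve."""
    img = bytearray(512)
    recs = {0x10: (4, 0x40, b"System"), 0x40: (312, 0x70, b"lsass.exe"),
            0x70: (1044, 0, b"explorer.exe"), 0xA0: (666, 0, b"backdoor.exe")}
    for off, (pid, nxt, name) in recs.items():
        img[off:off + REC.size] = REC.pack(TAG, pid, nxt, name.ljust(16, b"\0"))
    # Minimal PE: "MZ", e_lfanew at 0x3C pointing to "PE\0\0" at 0x40
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    img[0x100:0x100 + len(pe)] = pe
    return bytes(img)

def read_rec(img: bytes, off: int):
    tag, pid, nxt, name = REC.unpack_from(img, off)
    return pid, nxt, name.rstrip(b"\0").decode()

def walk_list(img: bytes, head: int = 0x10):
    """What a live process listing sees: follow the linked list from its head."""
    out, off, seen = [], head, set()
    while off and off not in seen:          # stop at end or on a cycle
        seen.add(off)
        pid, off, name = read_rec(img, off)
        out.append((pid, name))
    return out

def scan_tags(img: bytes):
    """What memory forensics does: find every record by tag, linked or not."""
    out, pos = [], img.find(TAG)
    while pos != -1:
        pid, _, name = read_rec(img, pos)
        out.append((pid, name))
        pos = img.find(TAG, pos + 1)
    return out

def hidden_processes(img: bytes):
    """Records present in memory but absent from the list the OS reports."""
    return sorted(set(scan_tags(img)) - set(walk_list(img)))

def carve_pe_offsets(img: bytes):
    """Offsets of MZ headers whose e_lfanew points at a valid PE signature."""
    hits, pos = [], img.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(img):
            e_lfanew = struct.unpack_from("<I", img, pos + 0x3C)[0]
            if img[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = img.find(b"MZ", pos + 1)
    return hits
```

Running `hidden_processes(build_image())` reports the unlinked `backdoor.exe` record, and `carve_pe_offsets` returns the offset of the embedded PE header.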