Post-breach forensics: Building the trail of evidence

New approaches to user monitoring and behavioural analytics enable firms to analyse all user activity, allowing them to track and visualise that activity in real time and understand what is really happening on the network, says Balázs Scheidler.

Balázs Scheidler, co-founder and CTO, Balabit
It's said that, at the scene of a crime, every contact leaves a trace. However, in the world of cyber-crime, tracing the equivalent of the 'smoking gun' can be a big challenge and, in the event of a security incident, answering the question "who accessed our IT systems and what did they do?" is tough. Moreover, what happens when an incident stems from those with the highest privilege rights, or from the very person who is supposed to be watching the network for attacks? Many companies still face considerable challenges during a forensic investigation simply because they don't have a structured audit trail of evidence that can be accessed quickly and that would be watertight in a legal proceeding.

In any of these cases, whether the incident is the result of insider activity, human error or an external breach, if you don't have all the information you need you might miss a crucial piece of evidence, which makes getting to the truth more time-consuming and costly. So how can organisations get to the root cause of an incident most effectively?

Challenges of forensics investigations

In any investigation where time is of the essence, it is much easier, more accurate and usually cheaper to conduct forensics immediately rather than after weeks or months have passed. The starting point for this is typically examining the logs. Once a breach has happened, you're reliant on logs generated by network devices and applications to determine the initial cause and piece together exactly what happened. However, this can be like finding a needle in a haystack and sifting through reams of information can take days.

The way in which data is collected and presented can also present hurdles and it's not only the time taken in an investigation which can be hampered. The integrity of the log data itself may also be called into question in a legal process if it has been changed from its original format. Logs need to meet the legal standard for evidence (stored in a tamper-proof manner) and any that have been changed or have not been securely stored may not be accepted as evidence in a court of law.

Even for organisations that have implemented proper log collection and management, crucial information can be missing that would enable organisations to reconstruct the details of a breach and unveil the root cause of the problem. Forensics investigation is especially important in incidents where privileged accounts are affected as those accounts have the key to the kingdom.

Building the trail of evidence is now a significant issue for organisations as cyber-attackers are increasingly hijacking insider accounts to gain privileged access to the IT assets. By targeting system administrators and other 'super users' who have very high or even unrestricted access rights on operating systems, databases and application layers, they have the power to destroy, manipulate or steal the company's sensitive information, such as financial or CRM data, personnel records or credit card numbers.

Removing the blind spot

Pinpointing exactly what happened, and who did it, in a forensic investigation can therefore be hindered by several challenges. Issues with speed of response, as well as the scope, quality and integrity of evidential information, can prevent investigators, whether they are internal professionals or external agencies, from getting to the root cause and the responsible person.

New approaches to user monitoring and behavioural analytics are enabling firms to analyse all user activity, including malicious events, throughout IT systems. This allows enterprises to track and visualise user activity in real time to understand what is really happening on the network. If there has been an unexpected shutdown, data leakage or database manipulation, the circumstances of the event are readily available in audit trails, so the cause of the incident can be quickly identified. These recorded, tamper-proof audit trails can be played back like a movie, recreating all actions of the user. The audit trails are invaluable for both real-time and post-breach investigations, and they also enable automatic user behaviour analytics.

Companies can be hit with hacks, denial of service, fraud attempts or the theft of sensitive data. An audit trail of user actions that is time-stamped, encrypted and signed not only provides critical evidence in the case of legal proceedings but also gives you the assurance that you can pinpoint the cause of an incident beyond what's tracked through log data. When it is complemented with behavioural analytics, organisations can shorten the time and lower the cost of forensics investigations and, at the same time, proactively respond to the latest threats in real time.
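As an added illustration of the time-stamped, signed audit trail described above (example code written for this article, not Balabit's product or the author's own code), the block below builds a hash-chained, HMAC-authenticated trail of user actions and shows that verification pinpoints which record was edited or removed. The key, the actor name and the recorded actions are constructed sample values, and an HMAC stands in for the signature; in a real deployment the key would live on the collector, not on the audited host.

```python
import hashlib
import hmac
import json
import time

# Constructed example of a tamper-evident audit trail: every record is
# time-stamped, chained to the previous record's MAC and authenticated with
# an HMAC, so later edits, deletions or reordering break the chain.

GENESIS = "0" * 64  # chain anchor for the first record

def _canon(rec):
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()

def append_record(trail, key, actor, action, ts=None):
    prev = trail[-1]["mac"] if trail else GENESIS
    rec = {"seq": len(trail), "ts": ts if ts is not None else time.time(),
           "actor": actor, "action": action, "prev": prev}
    rec["mac"] = hmac.new(key, _canon(rec), hashlib.sha256).hexdigest()
    trail.append(rec)
    return rec

def verify_trail(trail, key):
    """Return (ok, index): index is the first bad record, or -1 when intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # gap, deletion or reordering
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i  # content edited after the fact
        prev = rec["mac"]
    return True, -1

def demo():
    # Hypothetical key; in practice it stays on the collector, not the audited host.
    key = b"constructed-demo-key"
    trail = []
    append_record(trail, key, "dba01", "ssh login db-prod-1", ts=1700000000)
    append_record(trail, key, "dba01", "DELETE FROM customers", ts=1700000120)
    append_record(trail, key, "dba01", "logout", ts=1700000150)
    edited = json.loads(json.dumps(trail))  # deep copy, then alter record 1
    edited[1]["action"] = "SELECT 1"
    deleted = [trail[0], trail[2]]  # record 1 removed from the middle
    return {"clean": verify_trail(trail, key),
            "edited": verify_trail(edited, key),
            "deleted": verify_trail(deleted, key)}
```

Run `demo()` to see the intact trail verify cleanly while both the edited and the truncated copies are rejected at record 1, which is the position an investigator would then examine.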

