The sophistication of targeted attacks is demanding more of incident response and digital forensic technologies.
Speaking to SC Magazine, Symantec's EMEA security CTO Greg Day said that with targeted attacks becoming more common, there is a need for better threat intelligence and a 'genealogy' of what is going on.
“There is a need for forensics and with Big Data we need more granular information on what is going on. This is an area that is hugely growing as we look for more cyber intelligence and correlation to use it,” he said.
Victor Limongelli, president and CEO of Guidance Software, said that this view is a turnaround from two and a half years ago, when targeted attacks did not make the headlines; following the Aurora attacks, people started talking about state-sponsored hacking and incident response became an emerging area of interest.
He said: “We do subsequent analysis so you can understand the scope of the attack, rather than advanced malware on the server. Incident response is a multi-tool environment as we are not a malware identification company, but our technology finds out where the malware has gone.
“Any sizeable company (10,000 employees or more) has incident response as they have to scan their data from different offices in multiple locations. Users use it in a proactive manner as it gives a better window into where an organisation's sense of the data is; we call it 'authorised data in an unauthorised location'.
“We have seen incident response become an ongoing interest area as not everyone has it, but our business is more internal with a permanent focus on the endpoint and connect repositories.”
Security consultant Nik Barron said that incident response is now very often tied in with forensics (the two are often bundled together as 'DFIR', digital forensics and incident response), and that his own interest in forensics came out of incident response work, particularly tracing malware infection routes through browser histories.
He said: “With targeted attacks you really need something a bit more comprehensive than a traditional intrusion detection system (IDS) which, being largely signature-based, is open to circumvention by clever attackers. In the same way you can repack malware to avoid anti-virus signatures, you can often do the same with network attacks to avoid IDS.
“What is becoming more common is what I'd loosely call ‘network surveillance', which will monitor everything that's going on at a suitable level of detail for subsequent analysis. This is also important so you can see a baseline of normal activity and then spot discrepancies that may show someone's up to no good.”
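Barron's baseline-and-discrepancy approach, as an added worked example that is not code from the article or from any of the companies it quotes: a small Python script learns, from a constructed "normal" set of connection records, which (destination, port) pairs each host talks to and how much it normally sends, then scores later records and flags ones that go somewhere new, exceed the learned volume, or come from a host with no baseline at all. The record format, host names, addresses and all log lines are constructed for the example; a real deployment would read flow, proxy or Zeek-style logs and build the baseline over a much longer window than the few minutes shown here.

```python
"""Baseline-then-detect over constructed connection records.

Added illustration of 'learn normal, flag discrepancies'; not vendor code.
Record format is assumed for the example: ts,src,dst,dport,bytes_out.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    """One connection record (constructed schema, not a real log format)."""
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse(lines):
    """Parse 'ts,src,dst,dport,bytes_out' records; skip blanks and comments."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, bytes_out = line.split(",")
        conns.append(Conn(ts, src, dst, int(dport), int(bytes_out)))
    return conns


def build_baseline(conns):
    """Per source host: the (dst, port) pairs it normally talks to, plus the
    mean and population standard deviation of its bytes-out per connection."""
    pairs = defaultdict(set)
    sizes = defaultdict(list)
    for c in conns:
        pairs[c.src].add((c.dst, c.dport))
        sizes[c.src].append(c.bytes_out)
    return {
        src: {"pairs": pairs[src], "mean": mean(sizes[src]), "std": pstdev(sizes[src])}
        for src in pairs
    }


def detect(conns, baseline, k=3.0, min_std=1024):
    """Return (conn, reason) alerts for records that deviate from the baseline.

    unknown_host    - the source host has no baseline at all
    new_destination - (dst, port) never seen for this source
    volume          - bytes_out above mean + k * std; std is floored at
                      min_std so a host with near-constant traffic does not
                      alert on trivial jitter
    """
    alerts = []
    for c in conns:
        b = baseline.get(c.src)
        if b is None:
            alerts.append((c, "unknown_host"))
            continue
        if (c.dst, c.dport) not in b["pairs"]:
            alerts.append((c, "new_destination"))
        if c.bytes_out > b["mean"] + k * max(b["std"], min_std):
            alerts.append((c, "volume"))
    return alerts


# Constructed "normal" traffic used to learn the baseline.
BASELINE_LOG = """
# ts,src,dst,dport,bytes_out
2012-05-01T09:00:00,ws-17,10.0.0.5,445,20000
2012-05-01T09:05:00,ws-17,10.0.0.5,445,21000
2012-05-01T09:10:00,ws-17,93.184.216.34,443,15000
2012-05-01T09:15:00,ws-17,93.184.216.34,443,16000
2012-05-01T09:20:00,ws-17,10.0.0.5,445,19000
2012-05-01T09:25:00,ws-17,93.184.216.34,443,17000
2012-05-01T09:30:00,srv-db,10.0.0.9,5432,5000
2012-05-01T09:35:00,srv-db,10.0.0.9,5432,5000
"""

# Constructed later traffic containing a staged exfiltration from ws-17.
NEW_LOG = """
2012-05-08T09:00:00,ws-17,10.0.0.5,445,22000
2012-05-08T09:05:00,ws-17,198.51.100.7,443,18000
2012-05-08T09:06:00,ws-17,198.51.100.7,443,900000
2012-05-08T09:10:00,ws-42,10.0.0.5,445,20000
2012-05-08T09:15:00,srv-db,10.0.0.9,5432,7000
2012-05-08T09:20:00,srv-db,10.0.0.9,5432,9000
"""


def run_example():
    """Learn from BASELINE_LOG, score NEW_LOG, return (src, dst, dport, reason)."""
    baseline = build_baseline(parse(BASELINE_LOG.splitlines()))
    alerts = detect(parse(NEW_LOG.splitlines()), baseline)
    return [(c.src, c.dst, c.dport, reason) for c, reason in alerts]


if __name__ == "__main__":
    for src, dst, dport, reason in run_example():
        print(f"{reason:16} {src} -> {dst}:{dport}")
```

The point of the two signals together is that neither is convincing alone: a single new destination is what every user visiting a new website looks like, and a large upload to a known file server is routine, but a new destination combined with a volume far outside the host's own history is the shape of a staged exfiltration, and no signature is involved, so repacking the tool that does the sending does not help the attacker. The `min_std` floor matters for hosts like the constructed `srv-db` whose traffic is nearly constant; without it, a standard deviation of zero would flag any byte of variation.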
Limongelli said that Guidance's technology is not offered as a hosted service because it needs to sit on the network and the endpoint. Barron agreed, saying that such systems need intimate access to the internal workings of a business, so a hosted service is not really an option in the traditional sense: the kit needs to be internal.
“However there's no reason I suppose you couldn't have someone else provide the kit and monitor it remotely, subject to the usual constraints of security and privacy,” he said.