
The advancing science of anti-forensics

One session that caught my eye at this week's RSA conference in London was a talk by Christopher Novak of Verizon on the growing capability of hackers to disguise their traces. The ease of applying anti-forensics to cover tracks seems to be advancing very rapidly. It demands a step change in our approach to detecting and establishing evidence of criminal activities.

Almost nine out of ten cases are now believed to involve anti-forensics. And the software tools are developing rapidly. Techniques in everyday use involve data wiping; clock manipulation; overwriting or modification of audit logs; laying false trails; using foreign alphabet substitutions to disguise file names; encryption and steganography (data hiding).

Where is this leading? Well, it's already becoming almost impossible to detect the direct signs of a professional attack. Today's forensic expert needs to be much more of a Sherlock Holmes: looking for signs indicating a possible attack, rather than traces of the attack itself, spotting things like the dog that didn't bark in the night. We can also expect to see an escalating arms race between criminals and law enforcement. Future advances in techniques to hide data are likely to be pioneered by hackers, rather than governments or business. It's a fascinating, but scary, thought.   


Comments (1)

Although you do not specifically mention it this time, this post is another example of the need for integrity control, whether it be to create tamper-proof audit logs, prevention of code ransom, etc.

An additional point to consider is that your post hints that possibly only trusted systems (mandatory access controls to prevent privilege escalation) may offer the only real protection against counter-forensic tools.
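The post lists overwriting or modification of audit logs and clock manipulation among everyday anti-forensic techniques, and the comment above asks for tamper-proof audit logs. The following is an added illustration, not code from the post or from Verizon: a forward-secure, hash-chained log in which the host MACs each entry with a key it then evolves and discards, so that an intruder who takes over the host afterwards cannot re-sign earlier entries; a collector holding the initial key (assumed to be kept off the host) re-derives the chain and pinpoints the first altered, removed or backdated entry. The record format and key are constructed for the example.

```python
import hashlib
import hmac
import json
GENESIS = "0" * 64
def evolve(key):
    """Next per-entry key; the host keeps only the current one (forward security)."""
    return hashlib.sha256(b"audit-key-evolve" + key).digest()
def entry_mac(key, prev, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()
def build_log(records, initial_key):
    """Host side: chain each entry to its predecessor, then evolve the key."""
    entries, key, prev = [], initial_key, GENESIS
    for r in records:
        mac = entry_mac(key, prev, r)
        entries.append({"prev": prev, "record": r, "mac": mac})
        key, prev = evolve(key), mac
    return entries
def verify_log(entries, initial_key, expected_len=None):
    """Collector side: re-derive the key sequence; returns (ok, first bad index or None)."""
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or not hmac.compare_digest(
                e["mac"], entry_mac(key, prev, e["record"])):
            return False, i
        key, prev = evolve(key), e["mac"]
    if expected_len is not None and len(entries) != expected_len:
        return False, len(entries)  # tail truncated after the collector's last checkpoint
    return True, None

# Constructed sample records (hypothetical event format) and a constructed key.
K0 = b"constructed-initial-key-held-by-collector"
SAMPLE = [
    {"ts": "2008-10-31T22:10:00Z", "event": "login", "user": "alice"},
    {"ts": "2008-10-31T22:12:30Z", "event": "sudo", "user": "alice", "cmd": "id"},
    {"ts": "2008-10-31T22:15:07Z", "event": "unlink", "path": "/var/log/auth.log"},
]

def tamper_demo():
    """Apply log edits of the kinds the post lists; report where each is caught."""
    intact = build_log(SAMPLE, K0)
    edited, deleted, backdated = (json.loads(json.dumps(intact)) for _ in range(3))
    edited[2]["record"]["path"] = "/tmp/x"                 # rewrite an entry
    del deleted[1]                                         # remove a middle entry
    backdated[0]["record"]["ts"] = "2008-10-30T22:10:00Z"  # clock manipulation
    return {name: verify_log(log, K0, expected_len=3) for name, log in
            [("intact", intact), ("edited", edited), ("deleted", deleted), ("backdated", backdated)]}
```

The scheme only narrows the window: entries written after the host is compromised can still be forged with the then-current key, which is why the collector's checkpoint count and an off-host copy of the initial key matter.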


About

This page contains a single entry from the blog posted on October 31, 2008 10:51 PM.
