By Paul Wright, manager of AccessData’s Professional Services and Investigation Team, Middle East, India and Africa
To fully achieve this, organisations should consider implementing a network capture and monitoring capability. Particularly during a network attack, this capability would preserve and expose the essential information contained within the network data packets.
This can help the forensic analyst determine whether the data traffic is routine, or alternatively help identify an attacker who is sending malformed packets to crash important systems or to gain unauthorised and privileged access.
Permanent capture of all network traffic is not normally necessary; however, having the ability to deploy such capture quickly can speed up analysis during an attack.
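The distinction drawn above, routine traffic versus deliberately malformed packets, is the kind of check an analyst runs first over a capture. The following is an added example, not code from the article or from AccessData, of a minimal IPv4 header sanity check applied to a handful of constructed packets (the addresses, payloads and the `build_ipv4`, `check_ipv4` and `triage_capture` helpers are all assumptions made for the illustration). It flags a header-length field too small to be real, a total-length field that disagrees with the bytes on the wire, a bad header checksum and a truncated packet, and then summarises the malformed packets per source address.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Optional


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words and fold the carries (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum the header with its own checksum field zeroed, as the sender does."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
               ihl_words: int = 5, total_len: Optional[int] = None,
               fix_checksum: bool = True) -> bytes:
    """Constructed test packet: always a 20-byte header, but the caller may lie in
    the IHL or total-length fields or leave the checksum wrong, to fake malformed traffic."""
    if total_len is None:
        total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0x1234, 0x4000, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    if fix_checksum:
        header = header[:10] + struct.pack("!H", ipv4_header_checksum(header)) + header[12:]
    return header + payload


def check_ipv4(pkt: bytes) -> List[str]:
    """Return a list of problems with the IPv4 header; an empty list means it looks routine."""
    problems = []
    if len(pkt) < 20:
        return ["truncated: %d bytes, minimum IPv4 header is 20" % len(pkt)]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        problems.append("version field is %d, expected 4" % version)
    if ihl < 20 or ihl > len(pkt):
        problems.append("header length field says %d bytes (needs 20..%d)" % (ihl, len(pkt)))
        return problems  # later offsets cannot be trusted once IHL is wrong
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl:
        problems.append("total length %d is smaller than the header" % total_len)
    elif total_len != len(pkt):
        problems.append("total length %d does not match the %d captured bytes" % (total_len, len(pkt)))
    if pkt[8] == 0:
        problems.append("TTL is 0")
    expected = ipv4_header_checksum(pkt[:ihl])
    actual = struct.unpack("!H", pkt[10:12])[0]
    if expected != actual:
        problems.append("header checksum 0x%04x, expected 0x%04x" % (actual, expected))
    return problems


def classify(pkt: bytes) -> str:
    return "routine" if not check_ipv4(pkt) else "malformed"


def triage_capture(packets) -> dict:
    """Count malformed packets per source address, the first summary an analyst wants."""
    counts = {}
    for pkt in packets:
        if not check_ipv4(pkt):
            continue
        src = str(IPv4Address(pkt[12:16])) if len(pkt) >= 20 else "unknown"
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample capture: one routine packet and four deliberately broken ones.
SAMPLES = {
    "routine": build_ipv4("10.0.0.5", "10.0.0.10", 6, b"\x00" * 20),
    "short_header": build_ipv4("192.0.2.7", "10.0.0.10", 6, b"\x00" * 20, ihl_words=2),
    "length_lie": build_ipv4("192.0.2.7", "10.0.0.10", 6, b"\x00" * 20, total_len=65535),
    "bad_checksum": build_ipv4("192.0.2.7", "10.0.0.10", 6, b"\x00" * 20, fix_checksum=False),
    "truncated": build_ipv4("192.0.2.7", "10.0.0.10", 6, b"")[:12],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-13s %-9s %s" % (name, classify(pkt), "; ".join(check_ipv4(pkt))))
    print(triage_capture(SAMPLES.values()))
```

The checks stop as soon as the header-length field is implausible, because every later offset depends on it; a real tool would apply the same validation to the transport header and then look at rates per source, which is where the per-source summary comes in.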
Secondly, commissioning an endpoint investigative capability across the enterprise environment gives full visibility into the ‘data at rest’. This enables swift and efficient investigations into suspect assets, supports remediation and allows additional intelligence to be gathered.
Even with packet capture in place, the difficulty remains of meeting an ever-increasing demand for resources to assess the intelligence that has been acquired.
This is a genuine problem given the volume of data that a medium- to large-sized investigation may involve. Therefore, organisations should develop an intelligence analysis and remediation team, supported by robust policies, procedures, processes and best practices.
The recent history of hacking incidents and exploits shows a recurring theme of failing to keep pace with the rate and variety of exploits. The worry is whether the lessons are being learned, or whether the gap is getting wider.
To reduce any such gap, organisations will need to understand the complex and dynamic development of technical exploits and cyber security threats, and how to make the most of the intelligence available to them.
They will need to invest in the skills required to gather intelligence in this ever-changing environment; otherwise, they will be left playing ‘catch-up’ with only a reactive posture.
A call for public and private partnerships
There is a need for multidisciplinary partnerships between the public and private sectors to work on emerging problems with the abuse of technology by organised crime.
This combined effort could produce a number of significant results: research into new technologies and tools, a repository of technical papers, and improved intelligence. Some organisations are already encouraging their members, stakeholders and business partners to share knowledge, expertise and experience.
This sharing of information and intelligence gives companies the tools to put better defences in place against the abuse of computers and IT systems. It is only through a better understanding of the scale and scope of the problem that they will be able to build effective strategies.
Organisations must realise that they cannot produce cybercrime intelligence in isolation. It will require them to establish internal and external partnerships that are supported by a framework of regulation and legislation.
When establishing such partnerships, organisations will need to transcend traditional boundaries in a cost-effective and efficient manner while retaining control of their intellectual property and other critical assets. Any methodology needs to be broad enough to be adopted en masse, flexible enough to meet the needs of all participants, and able to stand the test of time.