
Kevin Mandia, president of Mandiant, an Alexandria, Va.-based security consultancy, has addressed the widening gap between the ever-growing complexity of online attack methods and the comparatively stagnant state of forensic response. Mandia stated that hacker sophistication is outpacing forensic investigation methodology and the tools that support it. In that context he disclosed that incident response teams working on-site at compromised networks spend an estimated 5 to 8 days identifying the malicious code involved. "Malware analysis can be time consuming, and most firms don't want to spend the money to fully analyze the malicious code, which could cause further damage to the network," stated Mandia.
Consequently, this inability to keep up with the evolution of attackers has a negative impact on investigators' performance while creating the conditions under which kernel-level rootkits can take hold. Mandia also commented that although the majority of security-related incidents involve Windows breaches, it was Linux that had so far shown a predisposition to kernel-level rootkits, that being the breed of malicious software he had seen associated with the open source OS: "We're not seeing any kernel level rootkits for Windows, but the user space stuff is working well enough that it doesn't matter. The number one way people detect network compromise is when their system crashes," he explained.
He identified additional indicators of a security breach, such as the inability to execute "Save As" commands, the Windows Task Manager closing immediately after Ctrl-Alt-Delete is pressed, and antivirus software that no longer operates. Mandia advised shutting down a compromised machine immediately in order to preserve RAM data intact for the forensic investigation that follows. He also warned of an increase in the use of rogue Active Server Pages (ASP), malicious Web pages used to generate attacks and compromise a server.