Because attackers are primarily motivated by financial gain, as soon as they have your data, it's being converted into profit by selling identities and corporate secrets and draining bank accounts. Speed is vital, so the time may be right to assemble a forensic SWAT team trained to locate high-risk threats, armed with the latest investigative software, and empowered to work directly with legal counsel to report breaches in accordance with policy.
METHOD IN THE MADNESS
Acquiring evidence in a forensically sound manner isn't difficult with the proper tools and training, but policies and procedures must be put in place that ensure the repeatability, accuracy, completeness, and verifiability of evidence as prescribed by the Federal Rules of Evidence. The same protocol should be used to handle every breach, whether it's a targeted attack or a malware infection. That means the first job for your new forensic team is to put policies in place and develop investigative methodologies. Policies must explicitly give investigators the authority to perform digital forensics on corporate assets. In addition to clearly written policies, there must be a forensic methodology that's followed for acquiring, handling, and analyzing evidence. The methodology must be repeatable and defensible, whether in front of the human resources department or a judge and jury. The key is being able to explain what forensic actions were done and why.
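The verifiability the paragraph calls for rests on two habits: hashing an image at acquisition so anyone can later prove it is unchanged, and keeping a custody log that cannot be quietly edited after the fact. The following is an added example (not code from the article or from any vendor it names) that does both in Python: it hashes a constructed stand-in for an acquired image with two algorithms and keeps a chain-of-custody log in which each entry commits to the digest of the previous one, so any edited entry breaks the chain. The image bytes, evidence ID and examiner names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for an acquired disk or memory image (real images are
# gigabytes, which is why hashing below works in chunks).
SAMPLE_IMAGE = b"\x00" * 4096 + b"constructed evidence payload" + b"\xff" * 1024


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5 and SHA-256 over the image in chunks; recording two
    independent digests makes a later 'same hash, different data' claim untenable."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for start in range(0, len(data), chunk_size):
        block = data[start:start + chunk_size]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(data: bytes, expected: dict) -> bool:
    """Re-hash the image and compare with the digests recorded at acquisition."""
    return hash_image(data) == expected


def _entry_digest(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key ordering.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def record_custody(log: list, evidence_id: str, action: str, examiner: str,
                   digests: dict, note: str = "",
                   timestamp: Optional[str] = None) -> dict:
    """Append a chain-of-custody entry that commits to the previous entry's digest."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,            # e.g. "acquired", "transferred", "analyzed"
        "examiner": examiner,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "digests": digests,
        "note": note,
        "prev": _entry_digest(log[-1]) if log else None,
    }
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """True if every entry's 'prev' matches the digest of the entry before it,
    i.e. no entry has been altered or removed from the middle of the chain."""
    for i, entry in enumerate(log):
        expected = _entry_digest(log[i - 1]) if i else None
        if entry["prev"] != expected:
            return False
    return True


if __name__ == "__main__":
    custody = []
    acquired = hash_image(SAMPLE_IMAGE)
    record_custody(custody, "EV-0001", "acquired", "examiner-a", acquired,
                   "imaged from workstation (constructed sample)")
    record_custody(custody, "EV-0001", "transferred", "examiner-b", acquired,
                   "handed to analysis lab")
    print("image intact:", verify_image(SAMPLE_IMAGE, acquired))
    print("custody log intact:", verify_log(custody))
```

The log is tamper-evident, not tamper-proof: it shows that an entry was changed, but a written policy still has to say who may append entries and where the log is stored, which is exactly the policy work the paragraph describes.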
STEM THE TIDE
AccessData, Guidance Software, and Mandiant are at the forefront of producing enterprise versions of robust, collaborative incident-response and forensic tools. Both AccessData's and Guidance Software's suites allow for remote access to computers so investigators can retrieve details from running systems. Mandiant's Intelligent Response has comparable capabilities but is more focused on incident response.
The caveat to these enterprise incident-response and forensic tools is that they can cost tens to hundreds of thousands of dollars to fully implement throughout an enterprise, and the majority of the investigator's actions must be done through the product's interface, limiting use of other forensic tools. This isn't the case for one of the newest companies entering this market, Agile Risk Management.
The area of forensics that's received the most vendor attention and research over the past two years is Windows memory analysis. Every enterprise forensic tool has added memory imaging capabilities in the past 12 to 18 months, with varying capabilities for in-depth analysis of acquired images. The Volatility Framework is an open source tool leading the way with its ability to list running processes, open network ports, and files opened and DLLs loaded by each process; it can also extract executables from memory for further analysis.
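One of the capabilities listed above, pulling executables back out of a memory image, comes down to scanning the image for PE headers and then using the header's own size field to decide how much to carve. The following is an added example in Python, not code from the Volatility Framework or from any vendor named here, that shows the idea on a constructed memory buffer: it finds every `MZ` whose `e_lfanew` points at a valid `PE\0\0` signature, reads the machine type and `SizeOfImage` from the headers, and carves that many bytes, flagging images cut off by the end of the dump. The `build_fake_pe` helper and the `MEMORY_DUMP` buffer are constructed test data; the header offsets and machine constants are the documented PE format values.

```python
import struct

PE_SIG = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def find_pe_headers(buf: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) lands on 'PE\\0\\0'.
    Plain 'MZ' text in a string or data block fails this check and is skipped."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def carve_executables(buf: bytes) -> list:
    """For each PE header found, carve SizeOfImage bytes (the in-memory footprint)
    and report whether the dump ended before the image did."""
    carved = []
    for off in find_pe_headers(buf):
        pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
        machine = struct.unpack_from("<H", buf, pe + 4)[0]   # COFF header: Machine
        opt = pe + 24                                        # 4-byte sig + 20-byte COFF header
        magic = struct.unpack_from("<H", buf, opt)[0]
        if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
            continue
        size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
        if size_of_image == 0:
            continue
        image = buf[off:off + size_of_image]
        carved.append({
            "offset": off,
            "machine": machine,
            "size_of_image": size_of_image,
            "truncated": len(image) < size_of_image,
            "image": image,
        })
    return carved


def build_fake_pe(size_of_image: int, machine: int, pe32plus: bool) -> bytes:
    """Constructed minimal in-memory PE image for the demo (not a real binary):
    DOS header, PE signature, COFF header and an optional header with only the
    fields the carver reads filled in."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    header = bytes(dos) + PE_SIG + coff + bytes(opt)
    return header + b"\xCC" * (size_of_image - len(header))


# Constructed "memory dump": filler, a decoy 'MZ' inside text, a complete 32-bit
# image, more filler, and a 64-bit image that the dump cuts off partway through.
MEMORY_DUMP = (
    b"\x00" * 0x400
    + b"MZ is just text here\x00" + b"\x00" * 0x100
    + build_fake_pe(0x2000, IMAGE_FILE_MACHINE_I386, pe32plus=False)
    + b"\xAB" * 0x300
    + build_fake_pe(0x3000, IMAGE_FILE_MACHINE_AMD64, pe32plus=True)[:0x1000]
)

if __name__ == "__main__":
    for hit in carve_executables(MEMORY_DUMP):
        print(f"PE at 0x{hit['offset']:x} machine=0x{hit['machine']:x} "
              f"size=0x{hit['size_of_image']:x} truncated={hit['truncated']}")
```

Carving by `SizeOfImage` recovers the image as it was laid out in memory, with section alignment rather than file alignment, so a carved binary usually needs its section headers adjusted before other tools will load it; real memory dumps also contain paged-out ranges, which is why the truncation flag matters.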
HBGary is a leader in the commercial Windows memory analysis field. Its Responder can image Windows physical memory, analyze memory images from other tools, perform analysis of memory to determine details such as those found by the Volatility Framework, and automatically reverse-engineer malware.
To Data Breach? Who Ya Gonna Call?