Digital forensic teams are called to investigate a wide range of incidents that range from active security breaches committed by aggressive outsider attackers to passive, unintentional leaks brought about by mistakes and misconfiguration. In all of the cases, they need to assemble evidence to understand what happened, how much was lost and what might be done to prevent something similar from occurring in the future.
The number of possible security incidents has increased over the years as companies store more information in digital format and trust more of their business workflow to the computers. As the value of the data increases, so does the number of adversaries who discovered just how much they could profit.
How can the types be categorized?
The types of incidents can be divided in several ways:
- Unintentional versus Active – Sometimes data is lost because a legitimate user makes a mistake. Sometimes an attacker is probing the system, looking for weaknesses to exploit to reveal the information. While both may result in the release of information, the active attack is usually considered more dangerous because any data that’s released would be exploited immediately.
- Silent versus Interactive – Some attackers may probe only the APIs and computer-driven interfaces with no interactions with humans. Some attacks rely upon connecting with legitimate users and deceiving them into granting access or revealing information.
- Digital versus Non-digital – Many security incidents happen entirely in cyberspace as attackers operate in digital realms. Some, though, are using non-digital approaches like discovering paper copies of passwords. Some are using hybrid approaches like physically distributing thumb drives with hidden malware.
- Theft versus Control – Some attacks are designed to retrieve digital information that will be used outside of the enterprise. Others are designed to maintain the ability to access the internal system and control processes.
- External versus Internal – Many attackers come from outside the organization and have no formal connection with it. Some, though, may be employees, consultants or trusted visitors who exploit their access. There are also some hybrid attacks that come when trusted people are able to elevate their privileges and gain access to data that they might not normally see.
What are some broad classifications of incidents?
Data exfiltration: When unauthorized people access customer records, financial details or other sensitive information, they can take a copy to share with others. DFIR teams can determine the scope of the breach, identify the data that was compromised, and notify affected individuals when required by regulations.
Phishing attacks: Some incidents begin when an attacker sends a message with a malicious URL or attachments. When the user clicks on it or opens the document, it can infect their system giving the attacker partial or sometimes total access to the data on the computer and the data to which the user has access.
Social engineering attacks: When attackers exploit the trust and good nature of insiders, they can trick the employees to either give them access or maybe make copies of the crucial information.
Insider threats: When employees place their interests above the company’s, they may sell access, give copies of sensitive information, or help the unauthorized manipulate their internal systems. This is often for personal gain or revenge.
Malware attacks: Some forms of semi-autonomous or fully autonomous software packages can either steal information or manipulate internal systems. They have names like Trojans, worms, ransomware, adware, spyware, and viruses and achieve their goals differently, but all have the end goal of helping outsiders gain unauthorized access. DFIR teams can help to identify the type of malware that has infected a system, how it was introduced, and what damage it has caused.
Network intrusions: Some breaches don’t access the servers themselves, but just the network communications which can sometimes reveal just as much information. DFIR teams can help to identify the methods used by the attackers to gain access, track their movements within the network, and determine what data they accessed.
Account compromises: When users fail to protect their passwords or fall prey to surveillance attacks like keyloggers, outsiders can masquerade as insiders using their login credentials. DFIR teams can help to identify the accounts that have been compromised, determine how the attackers gained access, and reset passwords and other security measures.
What are some specific examples of security breaches?
Here’s a short list of possible types of security breaches organized into general categories.
- Unauthorized access attacks:
- Phishing – These can fool users into sharing their access credentials by delivering a seemingly real message from a real, trusted partner. For instance, a message for a bank about a new deposit or other matter that requires them to log in.
- Brute-force attacks – These use a large number of computers to overcome the often high threshold to defeat a security measure. For instance, an attacker may use many machines to test all possible passwords, searching for the legitimate one.
- Exploit kits – When a backdoor or security weakness is found in an operating system or some common software, some attackers will write special code to exploit it and sometimes share it with others. These can often be known as “root kits” because they help someone gain root-level access to a computer.
- Social engineering – Attackers may try to telephone or otherwise connect with humans to get them to either grant extra privileges or share their own access to machines. This generally refers to any non-technical way of infiltrating a computer system by directly interacting with a human.
- Privilege escalation attacks:
- Zero-day vulnerabilities – These gain their name because some attacks unfold over days or weeks. Zero-days can offer access immediately with no significant wait.
- Misconfigurations – Sometimes administrators mistakenly leave access open by using the wrong parameters in a configuration file.
- Software vulnerabilities – While programmers try hard to prevent outside access, they may make mistakes and only one small one can be enough to open up access.
- Malicious insiders – If trusted employees want to share data or access, they can do it. Good systems can at least detect uncharacteristic access or unusual exfiltration patterns.
- Negligent insiders – Not all breaches are caused on purpose. When insiders make mistakes, the data losses can be just as large.
- Accidental insiders – Even when the authorized users do everything appropriately, accidental releases of information have been known to occur.
- Malware attacks:
- Viruses – These programs can attach themselves to legitimate software and use the legitimate software’s access. They rely upon the host program running. They can also replicate themselves, sometimes through removable media and sometimes through the Internet.
- Trojans – These disguise themselves as legitimate programs to gain access. They are often designed to look like software that needs installation and this is how they gain the best access.
- Worms – These are able to replicate themselves, often without interaction or inadvertent help from users. They can travel from machine to machine, exploiting software backdoors until they find the information they want.
- Ransomware – This may take any form of malware, but its end goal is to lock up enough of a target’s computer so that the target will be willing to pay a ransom, usually in cash. It may be a virus, a trojan, a worm or another form of malware.
- Spyware – This malware’s goal is not to demand ransom, but to extract data, often over a long period of time. Some spyware programs may keep a copy of all keyboard presses in order to get a copy of passwords.
- Distributed denial-of-service (DDoS) attacks:
- Volumetric attacks – These deliberately engage a wide number of attacking bots to direct a large number of requests on the target in order to overwhelm their software and prevent them from conducting normal business.
- Protocol attacks – These may exploit some weakness in the protocol or bug in the implementation to prevent the target from conducting their normal workflow.
- Application-layer attacks – These target applications running on the target instead of the lower-level operating systems. The end goal is the same: overwhelm the machines with requests to jam up the workflow.
- Man-in-the-middle (MitM) attacks:
- Eavesdropping – Some
- ARP poisoning
- Password attacks:
- Brute-force attacks – When passwords are short enough, it can be possible to test all possible combinations of characters until the correct one is found.
- Dictionary attacks – When users choose a known word from a dictionary, it’s even easier to test passwords because the list of known words is much shorter than the number of possible combinations of characters.
Rainbow table attacks – Some attackers store encrypted copies of all possible combinations and then use this list to quickly find the encrypted password.
- Web application attacks:
- SQL injection – When software does not check the input parameters, it may be possible to slip in more elaborate instructions in the parameters. One common way this is done is when the input parameters are passed directly to the database as part of an SQL query.
Session hijacking – Each time a user logins into a website, the user is given a session ID. If this value is somehow leaked to or guessed by an attacker, that attacker can masquerade as the legitimate user with this session ID.
Broken authentication and session management – When the software layer in charge of controlling access makes a mistake, malicious users can gain access to data.
What are the Key Takeaways for Team Leaders?
- Security incidents can take many different forms making it impossible to secure an enterprise’s systems with just a few approaches. Response teams must maintain a wide range of skills and constantly try to understand the latest techniques and technologies deployed by attackers.
- Threats can come from both inside and outside the organization. Sometimes the attackers create hybrid assaults that manipulate the access of insiders to serve the needs of outsiders.
- Long-term planning requires an investment in core technologies like encryption and operating system design.