Future of IT: When a company is under attack, how can the digital traces of those responsible be found? In cyberspace as in the physical world, the investigation rests on evidence gathered on the ground and on a good knowledge of the criminal environment.
Why does it matter to you?
To understand how investigators track down criminals who use digital tools.
During an IT attack, in parallel with the protective measures taken to safeguard its information system, its data and its ecosystem (customers, suppliers, partners and employees can all be affected), can a company find out who is behind the attack? Working alone, the answer is no.
Even with help, Laurence Dine, head of Verizon's EMEA incident response team, warned at the outset: "It is very difficult to attribute a specific attack to a specific actor or group. As with the clues left at a classic crime scene, one looks at the tools that were used, the shape taken by the attack and its time scale."
For him, the first step is to remain calm and describe precisely what has happened, not only to the internal security teams and the private actors who will manage the crisis, but also "to the police and local institutions that can help them, and also, even on condition of anonymity, to other members of their industry. Sharing information can stop criminal attacks, as cybercriminals also share their information."
From the clue ...
Like any police investigation, the hunt begins by securing the crime scene and finding the clues. "The person who is attacked must be able to collect various information by going through his network equipment and retrieving information from the activity logs of his servers," explains Laurent Péquore, technical manager at F5. "In some cases, customers have probes listening to what is happening on their networks, and can record on the fly a number of pieces of information: how the attack was carried out, how the application and the server were used, which vulnerabilities were exploited. From these elements, we go back up the chain. Even if it is not 100% reliable, one piece of information remains crucial: the IP addresses used. They are used to identify the attacker. With them, one can ask the operators where the attack comes from."
On the contrary, for Carl Herberger, vice president for security at Radware, one should not rely on the IP address: "I can easily falsify an IP address, and give it the appearance I want. The IP address itself is not very revealing." He prefers to focus on the fingerprints left by the attack, which give it its unique character. "It is necessary to identify the devices used by the attacker not only by their IP address, but by their attributes (type of device, version of installed software, etc.).
There are unique identifiers to be found on compromised devices (a software signature, or the way the devices communicate with the outside world and with the client) which make it possible to find the programs used. From this information you can determine what type of botnet was used, and in some cases go back to who is at the origin of the attack."
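To illustrate the difference between keying an investigation on IP addresses and keying it on device attributes, here is an added example (not from the article or from any of the vendors quoted): it parses constructed access-log lines, counts failed logins per source IP, then recounts them per client fingerprint (device platform and software version taken from the user-agent string), showing that one actor spread over several addresses is only visible in the second view. The log layout, the addresses and the user-agent strings are all assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.10 [12/Mar/2017:10:01:02 +0000] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (X11; Linux x86_64) rv:52.0"
203.0.113.10 [12/Mar/2017:10:01:03 +0000] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (X11; Linux x86_64) rv:52.0"
198.51.100.7 [12/Mar/2017:10:01:05 +0000] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (X11; Linux x86_64) rv:52.0"
198.51.100.7 [12/Mar/2017:10:01:06 +0000] "GET /admin HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64) rv:52.0"
192.0.2.44 [12/Mar/2017:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0"
"""

# Assumed log layout: ip [timestamp] "method path protocol" status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Device type (parenthesised platform) and software version as carried by the user agent.
UA_RE = re.compile(r'\((?P<platform>[^)]*)\)\s*(?P<software>\S+)')


def parse(log_text):
    """Turn each well-formed line into a dict; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def fingerprint(ev):
    """Client attributes other than its address: (device platform, software version).
    Falls back to the raw user-agent string when it does not follow the usual layout."""
    m = UA_RE.search(ev["ua"])
    return (m["platform"], m["software"]) if m else (ev["ua"], "")


def failed_logins_by_ip(events):
    """Failed logins keyed on source address: the view an IP-based threshold would see."""
    counts = defaultdict(int)
    for ev in events:
        if ev["path"] == "/login" and ev["status"] == "401":
            counts[ev["ip"]] += 1
    return dict(counts)


def failed_logins_by_fingerprint(events):
    """Same count keyed on client attributes, also recording which addresses share them."""
    counts, ips = defaultdict(int), defaultdict(set)
    for ev in events:
        fp = fingerprint(ev)
        ips[fp].add(ev["ip"])
        if ev["path"] == "/login" and ev["status"] == "401":
            counts[fp] += 1
    return {fp: (counts[fp], sorted(ips[fp])) for fp in ips}
```

Run on the sample, the per-IP view never shows more than two failures for any address, while the per-fingerprint view attributes three failures to a single Linux client operating from two addresses.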
... to the identification of the suspects.
The technical part does not do everything; it also requires a good knowledge of the environment. As Carl Herberger explains: "The human side is a very important part of post-attack investigation work. There are many intelligence services, both private (including those belonging to one's own company) and public, who will look for what the motives might be: such a group of hacktivists uses such types of tools, such criminal cartels specialise in this type of attack, etc." Matthew Webster, security researcher at SecureWorks, explains: "We spend a lot of time listening to the malicious groups, to know which tool is used by which criminals.
More advanced attacks may use specific tools, or even tools developed only for that purpose, but criminals motivated by financial profit will combine ready-made tools such as ransomware or banking Trojans. We use a behavioural approach to detect criminal activity. And if the same suspicious behaviour is reused in another attack, it is possible to find out who is hiding behind it by analysing his mistakes."
As in a classic police investigation, then, with one difference: computer attacks cross legal borders, and police and judicial cooperation from one state to another is not always possible or quick to put in place.