Tuesday Nov 26, 2024
Tuesday, 29 October 2019 00:00 - - {{hitsCtrl.values.hits}}
By Hiyal Biyagamage
During the final session of the Daily FT-CICRA 7th Annual Cyber Security Forum, cyber security experts discussed how emerging technologies like Machine Learning (ML) and Artificial Intelligence (AI) were bringing dynamic changes to digital forensic investigations.
Digital forensics is ripe for disruption by AI or ML technologies. Investigators have an increasingly large and complicated pool of data to sift through, from e-communication and social media to video footage and smart sensors, and they have less time and smaller budgets to handle these increased demands. Digital forensics is an area that is becoming increasingly important in computing and often requires the intelligent analysis of large amounts of complex data. AI is undoubtedly an ideal approach to deal with many of the problems that currently exist in digital forensics.
AI or ML technologies have already made their way into digital forensics, even if they were not marketed as such. Sophisticated algorithms are used today for DNA sequence matching, e-discovery document review and cyber-crime detection, and more uses are in the works. Some researchers are exploring how AI and ML can facilitate improved collaboration when it comes to the analysis of cybercrime around the world.
Managing a modern SOC
Delivering the first keynote, Technical Solutions Architect – Cyber Security at Cisco, Ashraf Ali, spoke on how and why an organisation needed to activate its Security Operations Centre (SOC) and transform it into a modern entity. He opined that every decision that a cyber security practitioner made today influenced how threats were detected, managed and prevented.
“At the end of the day, what matters is how you manage a SOC and how the SOC can cater to your incident response plans or your digital investigations plans. If you look at the cyber security landscape today, many things are changing. If you analyse the IT landscape itself, a number of enterprises are interconnected. There is a huge number of IoT devices; users are not just within the enterprise today, but they are all over and they are mobile.
“There are more IT workloads in the cloud than on-premise. Things have moved out from your compromised data centres. We use hybrid infrastructure today, which are IoT devices. These infrastructures are also forming a part of new ecosystem that we are trying to protect in the end quest,” said Ali.
Ali also spoke about the changes that were taking place within the applications landscape and with microservices.
“Then we have the applications landscape. Modern applications need different kinds of protection and they have to be built to run on the cloud, virtual machines or on-premise. That is the shift we are seeing right now and it will change constantly. We also talk about elements like microservices which are being used where the application has to have security built into the design. It is not the way we use infrastructure to protect, but it has to be part of the application. These different landscapes bring numerous challenges. On one hand, we have threats evolving and on the other, businesses are driving IT transformation to adopt new changes so that the enterprises can grow.”
Ali added: “With all this, we see greater trust being put in systems than in the past. We used to have corporate-approved devices and environments with approved perimeters where applications were zoned and kept inside a data centre. Today, everything is changing, and with these changes, the attack surface is changing threateningly.”
If you look at the other side, the threat landscape is also evolving. Attackers are innovating and they are changing their tactics. The world keeps hearing about ransomware, crypto mining, crypto-jacking and so many attack types which we have not even heard of a few years back. Things are getting tough for organisations when it comes to defending their systems.
Citing Emotet as an example, Ali mentioned how the massive shift in this particular botnet’s prevalence and classification highlights just how quickly cybercriminals are adopting new tools and techniques across attack types. According to research carried out by Proofpoint, Emotet, a form of malware previously classified as a banking Trojan but now considered a botnet, made up 61% of all payloads in the first quarter of 2019. Researchers who have been tracking Emotet’s evolution say its popularity is reflected in the growth of attacks using malicious URLs. In the first quarter of 2019, emailed cyberattacks using bad links outnumbered those packing malicious attachments by five to one, up 180% from the first quarter of 2019, they report.
“Emotet creators are collaborating with other malware creators. Emotet is a new entrant to the cyber world and has already affected many endpoints. Emotet creators have started selling this particular footprint to other malware creators. Furthermore, Emotet’s operators added more capabilities earlier this year as they continued to build Emotet from a Trojan meant to lift banking data to a threat delivering data-stealing payloads,” said Ali.
From a SOC perspective, Ali asserted that there was a massive talent shortage and a number of alerts detected by these SOCs could not be handled sometimes due to a lack of skilled personnel.
“According to a study by Cisco, legitimate incidents, which require proper investigation, are not being attended to most of the time. One of the other critical factors for any SOC is the time that you are allowing the adversary to be a part of your environment. The quicker you detect, the quicker you eliminate the adversary from the infrastructure. Gone are the days where you defend your environment from an attack and eliminate it. We have come to a point where attacks can infiltrate any environment but we need to have proper solutions in place which can detect things faster.”
Today›s modern SOCs are beginning to focus on threat detection and security alert management in response to current-day threats. Gartner, in one of its research reports (2019 Emerging Security and Risk Management Trends), said that SOCs were now, in ever-increasing numbers, shifting investment, resources and time from threat prevention to threat detection and proactive response. The research agency predicts that by 2022, 50% of all SOCs will encompass incident response, threat intelligence and threat-finding capabilities, up from an estimated 10% in 2015.
“As a SOC, we have seen many organisations starting administrative functions like a firewall policy management, antivirus management or vulnerability management system but the real SOC is the one which focuses on incident response or incident handling. In most cases, organisations are focusing on security administration rather than incident response. In those environments, there are limited resources to focus on handling critical incidents. There has to be a focused team and relevant systems for incident management.”
Talking about different tools, Ali spoke about two aspects — security information management (SIM) systems and log management systems.
“When talking about tools, most SOCs focus on using security information management (SIM) systems. SIM systems collect logs from different data sources including endpoints, servers and applications, and they correlate them and come out with observations that have to be investigated by security analysts. If you look at it closely, most of the rules written to detect threats are by humans. One has to find logic to eliminate a threat; this logic is written as correlation rules into SIMs. As we evolve, the threat intelligence landscape evolves as well. It also cross-correlates what is happening in an environment versus what is happening globally so that we can identify a threat before it hits us. However, the focus here is you write the rules and use threat intelligence to compare. Beyond this, SOCs used to have log management solutions; what we want to log and what we want to store for forensic analysis at a later point in time is also collected and stored in a system for a certain period based on the compliance needs we have.”
Emerging technologies improving security analysis
Even with these systems in place, Ali said that Cisco had seen breaches and situations where a threat was undetected. He discussed the reason behind this.
“If you take any attack, you can put them into four compartments—unknown threat actors, unknown attacks, known threat actors and known attacks. When you have a known threat actor, you have the traces of the actor acting somewhere else. The threat feed tells you what tools and tactics this threat actor must be using. You have the threat intelligence to understand the context. When you know the attacks, you can define rules to tackle these threats. But when it comes to unknown threat actors and attacks, you don’t know the attackers or the type of attacks that are going to happen. These are the zero-days; these are the advanced attacks we are seeing in the industry today.”
Speaking about how to handle these different types of attacks, Ali said: “The industry has come to know about Machine Learning and AI-based algorithms when it comes to threat detection. There is a humongous amount of data out there due to millions of transactions happening between applications and end-users. If you were to build systems that could scan through all these logs and find out threats, it could not be achieved with human-written roles. With the capabilities of AI and ML, we can model a threat and use these models to detect threats. We can also use behavioural algorithms that could intelligently detect what devices are sitting on what ports or what devices are talking to each other within the network. You don’t need to rely on a database of static excel sheets which tells you a specific IP address belongs to a specific node. We also need to have threat hunting.”
Speaking further about threat-handling, Ali said: “Threat handling strengthens the security posture of an organisation because you are going beyond what your systems and tools are telling you and it kind of acts like a red team exercise, continuously filtering your responses and SOC processes.”
“Why are we speaking about ML today in cyber security? It has become more affordable today with the rise of cloud computing and it helps us to eliminate irrelevant data from a humongous database and come up with the 1% of the information we need to carry out investigations,” Ali concluded.
Thoughts from panellists
ICTA Former Senior Consultant Indika De Zoysa, Special Task Force Commandant Senior Deputy Inspector General M.R. Latif and Sri Lanka Computer Emergency Readiness Team (SLCERT) Chief Executive Officer Lal Dias joined the final session as panel members.
Speaking during the panel discussion, De Zoysa said: “We have more than two million health records of Sri Lankans in the Government cloud which is a relatively significant amount. Most people use credit and debit cards to renew their revenue licence or pay property taxes online, which means their data is getting stored with us. Even in the education space, Sri Lankan students access the cloud to use Cloud Smart Classrooms to read educational content. Looking at what is happening around us as well as in the world, it is very critical that we have all the necessary measures to protect the data of end-users.”
Using the education sector as an example, De Zoysa underscored that ICTA had created an education sector CERT.
“In June 2016, we established EDUCSIRT — the Computer Security Incident Response Team for Education sector— to handle cyber security-related incidents in the education sector. We also provide comprehensive training for teachers and educate them on different topics including identifying safe and unsafe websites, using anti-virus software and spotting phishing attempts or other scams,” said De Zoysa.
When asked about how he would rate the security aspect of the Government’s digital journey, De Zoysa revealed: “With the availability of the Data Protection Act, necessary regulatory frameworks are being filled in, alongside the journey towards digitisation. We are not isolating innovation or security; both are happening at the same time. The real question is are we on par with the rest of the world or matured markets in terms of our digitisation efforts. I believe we are not far behind. I cannot rate and give it a specific number but we are doing a great deal of work to make all our digital platforms better and more secure.”
Looking at digital forensics from a Sri Lankan perspective, Senior DIG Latiff said: “We categorised three types of cyberthreats through our Digital Forensic Investigation Unit from 2015 to 2018 which are cyber-cheating, cyberbullying and online sexual harassment. However, by 2019, the complaints around cyberbullying and hacking have gone up while charges around sexual harassment and cyber-cheating have gone down.”
Recalling some history around Sri Lanka’s efforts to strengthen digital forensics, Latiff related: “In 1997, the United States wanted to bring cyber-terror laws when the LTTE launched an electronic bombing in 13 Sri Lankan Missions, coinciding with their Black Tiger Day, ranging from Washington to Jakarta. It was the first time that the US reported a cyber-terrorist attack on a government institution.
“Investigations were launched because the servers were based in Washington DC and London. When it was reported to the US authorities, a lot of tension was created. That is why in 1997, the US enacted new laws to tackle cyberattacks. Sri Lanka at that time was not technologically savvy, but we wanted to fortify our defence perimeters. As a result of that, the Criminal Investigation Department (CID) of the Sri Lanka Police launched the Cybercrime Unit which initially started as a Computer Crimes Unit.”
He further asserted: “In 2016, CID officers had a Digital Forensic Lab thanks to the South Korean Government. Right now, it offers a Diploma in Digital Forensic Investigation which is recognised by the South Korean Police University. We have conducted a number of awareness sessions and trained over 140 police officers to become technologically and digitally savvy about cyber threats.”
Concentrating his thoughts on critical infrastructure and SOCs, Dias said: “Today, most of the SOCs try to analyse millions of logs; unfortunately, the whole effort ends up being a waste of time. SOCs need to focus on analysing only the malware without going into large-scale analysis of logs. That is very relevant in today’s context because the amount of time that analysts waste in the typical traditional SOC has to be reduced at some point or the other. Also, a number of security information management systems are not serving their purpose; people spend a huge sum of money to install these solutions, but they are not getting the right benefits out of them.”
Dias went on to add that what Sri Lanka required was a proper institutional framework to manage cyber security.
“The new cyber security Bill that has been approved by Parliament was based on the national cyber security strategy that was adopted by the Cabinet in October last year. That enables all stakeholders to play a role. Sri Lanka CERT is not the only entity in the country that is responsible for cyber security. A national SOC is also a part of the institutional framework that is incorporated into the cyber security Bill. The national SOC will cover critical infrastructure, commercial establishments and other essential services such as immigration and customs. The process is underway.”
The strategic partners of 2019 Cyber Security Summit were Cisco and Visa, and the Co-Sponsor was Cellebrite. Other partners included official payment network, LankaPay; insurance partner Sri Lanka Insurance; official printing partner, Lake House Printers and Publishers; hospitality partner, Cinnamon Grand; creative partner, Triad; and electronic media partner, TV Derana.
Pix by Upul Abayasekara and Ruwan Walpola