How attackers try to remain undetected and/or mask their actions
Vanessa Horton holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications. She has worked for the police as a digital forensics officer, where she was involved in complex crime cases, and was awarded a Diamond Award and an Excellence in Service Delivery Award.
Vanessa is now part of GRCI Law’s cyber incident response team, helping clients with their cyber security requirements.
Last time we interviewed her, Vanessa mentioned that she tries to look at the cyber news every day, to keep up to date and to take the time to research things where possible. When I recently asked her what she’d been looking into lately, she responded with “anti-forensics”.
With my curiosity piqued, I asked for another interview to find out more. Vanessa kindly agreed.
What is anti-forensics?
In a cyber security context, it involves a range of techniques that threat actors use to try to remain undetected while they’re executing their attack.
These techniques also attempt to mask the attackers’ actions by, for example, concealing or manipulating system data to try to hinder forensic investigations.
Why have you been looking into such techniques recently?
While anti-forensics techniques aren’t new, active criminal gangs like LockBit and Lazarus are known to be using them. I see it as my job to keep up to date with the latest techniques so I can help clients identify and defend against them.
The cyber world is changing all the time, which means we’re playing a bit of a cat-and-mouse game. Basically, as one side improves, so does the other.
So, as our approach to detecting cyber security incidents and our forensics capabilities advance, threat actors are advancing too. I don’t want to give cyber criminals too much credit, but this does make the defender’s job more challenging.
As part of that advancement, we’re seeing signs of threat actors using anti-forensics techniques more. And whenever we see changes in the tools, techniques and procedures threat actors are using, cyber security and forensics professionals must keep up. We must improve our own capabilities so that we can stay ahead of the criminals.
Could you provide examples of anti-forensics techniques?
Of course! Though I must stress that there are a lot of different techniques used by threat actors – far too many for us to cover today.
However, some examples of specific techniques that I’ve been seeing include the following:
- VPNs (virtual private networks): These anonymise the user when they connect to web-based services – specifically, they conceal the user’s source IP address. Threat actors often use it to mask their identity, making it more challenging to attribute cyber attacks to a specific group or physical location.
- Timestomping: This changes the time and date of when a file or an application was created, accessed, modified and/or executed, disguising a user’s actions. For example, if a threat actor executed malware at a certain time and date, but then used timestomping, they could make it appear that the malware was executed earlier or later than it really was. This makes it harder to identify the timeline of a cyber incident.
- Disk wiping: This technique is used by threat actors to destroy all data on the hard drive, without the chance of data recovery. There are many tools available to achieve this, but one of the most common is KillDisk.
- Data encryption: Some threat actors encrypt files to help prevent access to critical evidence for an investigation. For example, if an organisation has implemented on-site virtual servers, a threat actor may encrypt the entire virtual machine to mask what actions they took within the environment. If the victim can’t obtain that information, this makes it very hard for them to take effective remedial action.
- Event logs: These are files that hold a wealth of information about actions that take place within an IT environment, such as user account logons, software applications executed, etc. Threat actors sometimes delete these event logs to make it harder to analyse exactly what happened.
How can organisations detect and defend against anti-forensics?
My best advice is to be proactive. So, put preventive measures in place, in accordance with your risk assessment and treatment plan, such as those stipulated by ISO 27001. Also, make sure that you can assess security events to determine whether they should be classified and dealt with as security incidents.
Irrespective of whether you follow ISO 27001 or any other good-practice standard, it’s important organisations have the fundamentals in place. Basic preventive measures like strong access control, secure configuration and patching can go a long way.
Good detection systems such as SIEM, EDR and SOC [security information and event management, endpoint detection and response, and security operations centre] tools are also invaluable for detecting anti-forensics techniques early. This is important because it dramatically increases your chances of detecting attacks at a very early stage, allowing you to take swift action before the damage snowballs.
What else can organisations do to protect themselves?
Making sure that staff are trained to identify and report suspected phishing emails is a big one. Phishing is a common technique that threat actors often use to gain initial access into the environment – people are often the weakest link in an organisation’s defences. It’s for good reason that the latest edition of the ISO 27001 standard, published in 2022, dedicates one of its four themes to ‘people’ controls.
Processes – another big security pillar – are also important. Processes guide staff, helping them take the right action swiftly, even when under pressure – which you would be when you’re under attack, of course.
CyberComply
This Cloud-based, end-to-end solution simplifies compliance with a range of security laws and standards, including ISO 27001:
- Accelerate certification and supercharge project effectiveness.
- Get immediate visibility of critical data and key performance indicators.
- Stay ahead of regulatory changes with our scalable compliance solution.
- Reduce errors and improve the completeness of your risk management processes.
- Identify and treat information security risks before they become critical concerns.
To find out more about this platform, read our interview with Sam McNicholls-Novoa, the product marketing manager for CyberComply, or try it yourself with our free 30-day trial.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out last week’s blog, where the head of GRC consultancy at IT Governance Europe, Andrew Pattison, gave us his expert insights into how you can simplify DORA (Digital Operational Resilience Act) compliance by implementing ISO 27001.