PLI Podcast: NetWitness’ Alex Cox on Cyber Investigations and Forensics

Posted on 18 May 2011 by


This week on the Police-Led Intelligence Podcast, we’re joined by Alex Cox, principal analyst at NetWitness, now a part of RSA, the Security Division of EMC.

A former police officer and forensics investigator, Alex’s team currently looks for similarities between cyber attacks. NetWitness produces a monitoring platform that focuses on network forensics: it’s easiest to think of it as a TiVo for networks, where companies can monitor and search for malicious traffic that has occurred to determine how an attack was launched. Alex’s team works mainly with businesses and investigators.


Dave asked about the frequency of these kinds of cyber attacks – many cops still don’t believe that these things happen outside James Bond or Mission: Impossible movies. Cox says that cyber attacks are underway against companies 24 hours a day, seven days a week. So we asked Alex, as we’ve asked other guests, how criminals make money with cyber crime.

The criminal underground basically focuses on two specific objectives. First is just making money. Second is building their infrastructure – building bigger botnets, finding and co-opting servers to act as command and control, etc.

In traditional crime analysis, a crime scene is fairly contained: the murder happened here, the skid marks are here and I can measure them. In cybercrime, it’s not that cut-and-dried: little crime scenes are everywhere. There’s a host machine infected? That’s a mini crime scene. So is the email server used; so is the command and control server in Romania.

From an investigative perspective, the more information the better. We’re following the maze, taking one step to the next, hitting dead ends, and going back and forth.

How Criminals Make Money With Cybercrime
There are a number of ways to make money. Typically criminals attack small businesses, because their money management and accounting processes are less sophisticated than those of their larger brothers. So bad guys will compromise a small- or mid-sized business administrator, get access to a wire transfer system and transfer money.

They will also hit consumers – the grandmother whose account credentials have been sniffed is a good example – and then transfer money from her account.

Then they would buy, for example, equipment on eBay and then sell it on eBay to monetize and launder the proceeds. Cybercriminals innovate: how can I monetize this? Stealing ones and zeros is easy, but it takes creativity to monetize them.

Dave asked about the labor intensity of the activity, and asked, when forensic investigators look at these crimes, what kind of evidence is left behind and what cops can do with it.

A Multi-Stage Process
Investigating cybercrime is a multi-stage process, requiring visibility from a number of places. A home user infected with malware, for example, would require looking at the computer’s behavior: was there something flashing on the screen, or emails from “anti virus” or photo viewing sites, etc. If malware is suspected, the machine itself may become evidence. But often, determining whether something was a computer crime or ordinary fraud – whether, say, the card was simply stolen in a restaurant – is the deciding factor as to whether cyber forensics is required at all.

Outside that, if you are dealing, for example, with bank fraud, the bank will have fraud teams to help out: Joe Smith said he lost money, and it sounds like something was up with his computer, so we might establish relationships with the fraud guys at the bank.

But what does evidence look like on a computer? What form does it take?
Log data is a great example of forensic evidence in cyber investigations (for more on this, have a look at this presentation, which I gave at the IACA Spring Symposium).

Fingerprinting
The banking industry, for example, fingerprints browsers when people log into online banking, and this fingerprint data can be evidence in a subsequent investigation.

For example, if Alex logs into his bank account ten times, and nine times he is using Internet Explorer and a language setting of English, and the tenth time he logs in using Google’s Chrome browser and the language setting of Russian, this is a clue that something happened and those log records may be part of a forensic evidence record.
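The baseline-versus-deviation check Alex describes can be run directly over login records. The following is an added example written for this post, not code from NetWitness or the podcast; the log format (timestamp, user, browser, language) and every record in it are constructed. It builds each user’s baseline from their earlier logins and flags a login whose browser or language has never been seen for that user, once enough history exists to make the comparison meaningful.

```python
"""Flag logins whose browser/language fingerprint deviates from the user's baseline.

Added example, not from the podcast or any vendor product; the log format,
field names and all sample records are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample login log, one record per line:
# timestamp,user,browser,language
SAMPLE_LOG = """\
2011-05-01T09:02:11,alex,Internet Explorer,en-US
2011-05-02T08:57:40,alex,Internet Explorer,en-US
2011-05-03T09:10:02,alex,Internet Explorer,en-US
2011-05-04T09:01:55,alex,Internet Explorer,en-US
2011-05-05T09:03:19,alex,Internet Explorer,en-US
2011-05-06T09:00:48,alex,Internet Explorer,en-US
2011-05-07T09:04:33,alex,Internet Explorer,en-US
2011-05-08T09:02:07,alex,Internet Explorer,en-US
2011-05-09T09:05:12,alex,Internet Explorer,en-US
2011-05-10T03:41:29,alex,Chrome,ru-RU
"""


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, browser, lang = line.split(",")
        records.append({"ts": ts, "user": user, "browser": browser, "lang": lang})
    return records


def find_fingerprint_anomalies(records, attrs=("browser", "lang"), min_history=3):
    """Walk the log in time order and flag a login whose attribute value has
    never been seen for that user, once at least `min_history` earlier logins
    exist (the first few logins only establish the baseline).

    Each flagged entry records the novel values and, for comparison, the
    value the user most commonly presented before.
    """
    history = defaultdict(lambda: {a: Counter() for a in attrs})
    logins_seen = Counter()
    flagged = []
    # ISO-8601 timestamps sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["ts"]):
        user = rec["user"]
        novel = [a for a in attrs if history[user][a][rec[a]] == 0]
        if novel and logins_seen[user] >= min_history:
            flagged.append({
                "ts": rec["ts"],
                "user": user,
                "novel": {a: rec[a] for a in novel},
                "baseline": {a: history[user][a].most_common(1)[0][0] for a in novel},
            })
        for a in attrs:
            history[user][a][rec[a]] += 1
        logins_seen[user] += 1
    return flagged


if __name__ == "__main__":
    for hit in find_fingerprint_anomalies(parse_log(SAMPLE_LOG)):
        print(hit)
```

A flagged record is a lead, not proof: the user may have travelled or installed a new browser, which is exactly why the log records behind it, rather than the alert alone, are what end up in the evidence file.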

Browsing History
On the computer side, a person’s Internet browsing history is often interesting, as it will often contain the record of redirects to known malicious websites. It depends on the circumstances, but most of it is fairly obvious if you know what to look for: log files, browser history, access logs from the bank’s side, etc.

Dave asked about resources for crime victims: Alex says the first step is the bank. This is a tough job for the bank, as it is very involved, and, as elsewhere in the private sector, they have a triage level, so if the loss is below a certain amount, the bank will just send the person packing (and make their account good).

There is a lot of cross-community cooperation in the information security world among researchers and security people, who share information and intelligence about attacks in progress. Dave asked about resources that let local law enforcement prepare cases on their own.

Alex said that InfraGard is a great regional intelligence sharing group, and we’ve spoken about it before. Alex says join it and go to the meetings because, as we have said, it’s a great networking group. Nick said it’s less about the organized programs of InfraGard’s outreach and more about the Rolodex building, giving private citizens and law enforcement folks numbers of people to call, and faces to match the names. Alex said that networking with like-minded people in local, county and state law enforcement cyber units is also invaluable.

Dave agreed that communication is often the biggest problem, and asked how security analysts within a company that has been hacked can better prepare to talk to the cops – without this communication, neither side is happy. Alex said that the legal team at the victim company is the best place to start. Asking the company lawyer what to do, whom to call, what the security team can tell police and what they can’t is perhaps the most important step a security person can take before calling the police.

Another important thing for corporate security teams to understand is the law of evidence. Maintaining a forensically acceptable chain of custody is key – Cox recommends that corporate security teams understand and communicate the concepts of computer forensics throughout the company – so when the help desk guy finds evidence of a cyber attack, he knows at least to call someone.

And Dave asked what questions cops can reasonably ask when investigating a cyber crime. Alex said that the Who, What, When, Where, Why and How Much of investigations still apply, but cops should also first ask “How long do your logs go back?” Even if the officer doesn’t know what he can do with the log files themselves, he then understands the timeframe in which evidence will be available.

Most of the crimes occurring today occur with the help of the Internet, so if security teams can document which machines are infected, then the first place to look would be the Internet history of those machines. The next place is their NetFlow data – the summary record of conversations between machines – and, if they have one, a network forensics system such as NetWitness or competing systems such as Solera Networks, Niksun and others.
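Two of the steps above – asking how far back the logs go, and pivoting from a list of infected machines into their NetFlow conversations – can be put together in a few lines. The following is an added example written for this post, not code from NetWitness, Solera Networks, Niksun or the podcast; the flow record format (start time, source, destination, destination port, bytes) and all of the addresses, timestamps and byte counts are constructed, and the infected-host list stands in for what a security team would hand an investigator. It answers the retention question from the data itself and then summarizes every conversation an infected host had, heaviest outbound channel first, so the investigator knows which peers to examine next.

```python
"""Pivot from known-infected hosts into NetFlow-style conversation summaries.

Added example, not from the podcast or any vendor product; the flow record
format and every sample value below are constructed for illustration.
"""
from datetime import datetime

# Constructed flow records, one per line:
# start_time,src_ip,dst_ip,dst_port,bytes_from_src
SAMPLE_FLOWS = """\
2011-05-10T03:40:12,10.0.0.15,192.0.2.44,443,1840
2011-05-10T03:40:15,10.0.0.15,192.0.2.44,443,96210
2011-05-10T03:45:02,10.0.0.15,198.51.100.9,80,420
2011-05-10T08:12:41,10.0.0.22,203.0.113.5,25,1200
2011-05-10T09:03:27,10.0.0.15,192.0.2.44,443,203310
2011-05-11T02:14:09,10.0.0.15,192.0.2.44,443,88002
2011-05-11T10:30:00,10.0.0.31,198.51.100.9,80,5100
"""

# Constructed: the machines the security team documented as infected.
INFECTED_HOSTS = {"10.0.0.15"}


def parse_flows(text):
    """Parse the constructed flow log into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def log_time_span(flows):
    """Answer 'how long do your logs go back?' from the records themselves:
    returns (earliest, latest) timestamps present."""
    stamps = [f["ts"] for f in flows]
    return min(stamps), max(stamps)


def conversations_for(flows, hosts):
    """Summarize each (infected host, peer, port) conversation: number of
    flows, total bytes sent by the host, first and last seen.

    Returned as a list of (key, summary) pairs sorted by bytes descending, so
    the heaviest outbound channel from an infected machine is looked at first.
    """
    summary = {}
    for f in flows:
        if f["src"] not in hosts:
            continue
        key = (f["src"], f["dst"], f["dport"])
        s = summary.setdefault(key, {"flows": 0, "bytes": 0,
                                     "first": f["ts"], "last": f["ts"]})
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["first"] = min(s["first"], f["ts"])
        s["last"] = max(s["last"], f["ts"])
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    first, last = log_time_span(flows)
    print(f"flow records cover {first.isoformat()} to {last.isoformat()}")
    for (src, dst, port), s in conversations_for(flows, INFECTED_HOSTS):
        print(f"{src} -> {dst}:{port}  flows={s['flows']}  bytes={s['bytes']}  "
              f"first={s['first'].isoformat()}  last={s['last'].isoformat()}")
```

Real flow exporters record both directions and far more fields; the point here is only the shape of the pivot, from a host list to a ranked set of peers and a time window that the officer can then ask for full packet capture or browser history to cover.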

Get Certified
Alex recommends that any police officer working on computer crimes should go to SANS and do a course in forensics; get a CISSP certification; attend forensics certification courses from AccessData – because the more perspective you have on the technical aspects the better you will be as a cop. While you’ll need to stay up to date, the basic concepts you’ll learn will last for years.