Cybercrime evolves quickly, so it is logical that our techniques and tools to respond should evolve with it. Threats can come from many angles, whether lapses in employee behaviour (such as the Uber hack) or the recent accidental leak of iPhone source code from Apple. There have also been more targeted attacks, such as the recent rise of hackers hijacking machines to mine cryptocurrencies, or attacks like NotPetya or WannaCry which targeted specific vulnerabilities in Windows systems. In all of these cases, establishing the facts is an enormous challenge, because the wealth of digital evidence left in the wake of a breach or hack is growing all the time, and across many different file types. For instance, evidence may comprise anything from emails, logs, system files, video, images and network data, to name just a few. In complex investigations, evidence can amount to terabytes' worth of documentation. Consequently, in the case of malicious hacks, prosecutions for cybercrime remain woefully low.
The solution is to work smarter rather than harder. Simply increasing the number of investigators is not sufficient to tackle the rising tide. Instead, true progress is being made by empowering investigators with powerful tools which augment human intelligence.
Managing data better
The increasing complexity of company servers, security systems and other vital internal infrastructure means that it is commonplace for businesses to be unaware they have been hacked until months after the fact. For example, the Yahoo 2016 hack originated from a breach that occurred in late 2014, and was only discovered when the data was posted for sale on the darknet. In order to build up a post-breach understanding of what has occurred, authorities are required to achieve superior visibility of all the breached subject’s data. With such a huge amount of information involved when analysing a breach, establishing responsibility and gaining enough evidence to remediate, get back to the business and then prosecute is a daunting prospect.
With the right tools and workflows, these post-breach investigations are simpler. The right technologies mean that vast quantities of data can be managed and analysed more efficiently, leading to greater insight. Previously, investigators and cyber risk teams often had to manually review huge numbers of files and correlate their findings, sometimes across different investigation teams. Today, this data can be analysed at once through a single investigative window with a variety of visualisations, enabling investigators to categorise items of interest such as log entries, device access records, notable operating system events and newly created files. Rather than reading through a long list of extracted communication data such as email, instant messages or network traffic, investigators can now display this information as a visual network so that, at a glance, they can see who or what is primarily responsible for the communication traffic and how often those communications occurred. They can build a web of understanding and intelligence that links the nuanced narrative strands of seemingly unconnected data. This streamlining ultimately leads to more focussed lines of inquiry.
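To make the "visual network" idea concrete, here is an added example (not code from the original post or from any Nuix product) that folds three different evidence types, email headers, instant-message records and network flows, into one weighted communication graph, ranks the busiest senders and counts activity per day. All log lines, account names and the host-to-account mapping are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample evidence, one record per line, from three different sources.
EMAIL_LOG = [
    "2023-03-01T09:12:00 from=alice@corp.example to=bob@corp.example",
    "2023-03-01T09:15:00 from=alice@corp.example to=carol@corp.example",
    "2023-03-01T11:40:00 from=bob@corp.example to=alice@corp.example",
]
IM_LOG = [
    "2023-03-01T10:02:00 from=alice@corp.example to=carol@corp.example",
    "2023-03-02T08:30:00 from=carol@corp.example to=alice@corp.example",
]
NETFLOW_LOG = [
    "2023-03-01T23:55:00 src=10.0.0.5 dst=203.0.113.9 bytes=81234",
    "2023-03-02T00:10:00 src=10.0.0.5 dst=203.0.113.9 bytes=90210",
    "2023-03-02T00:25:00 src=10.0.0.5 dst=203.0.113.9 bytes=77555",
]
# Which account was logged on to which host, as recovered from device access
# records; constructed here so network flows can be tied to a person.
HOST_TO_ACCOUNT = {"10.0.0.5": "alice@corp.example"}


def parse_record(line, src_key, dst_key, channel):
    """Turn one 'timestamp key=value ...' line into a unified edge record."""
    timestamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    src = HOST_TO_ACCOUNT.get(fields[src_key], fields[src_key])
    return {"ts": timestamp, "src": src, "dst": fields[dst_key], "channel": channel}


def collect_records(email=EMAIL_LOG, im=IM_LOG, netflow=NETFLOW_LOG):
    """Normalise every source into the same record shape so they can be correlated."""
    return ([parse_record(l, "from", "to", "email") for l in email]
            + [parse_record(l, "from", "to", "im") for l in im]
            + [parse_record(l, "src", "dst", "net") for l in netflow])


def build_network(records):
    """Weighted edge list: (src, dst) -> Counter of events per channel."""
    edges = defaultdict(Counter)
    for r in records:
        edges[(r["src"], r["dst"])][r["channel"]] += 1
    return edges


def top_talkers(edges):
    """Rank nodes by total outbound events across all channels, busiest first."""
    out = Counter()
    for (src, _dst), channels in edges.items():
        out[src] += sum(channels.values())
    return out.most_common()


def daily_activity(records):
    """How often communications occurred, bucketed by calendar day."""
    return Counter(r["ts"][:10] for r in records)
```

The edge weights are what a graph view would draw as line thickness; the per-day counts give the timeline that usually sits beside it.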
Having the freedom to explore the logs and evidence gathered is vital in building timely criminal prosecutions, or in determining preventive measures. Furthermore, for those using outdated systems, technical hindrances lead to evidence backlogs, and backlogs jeopardise the chances of a prosecution or of effective learning. Creating efficiencies with sophisticated technologies and techniques allows investigators and teams to overcome backlogs. The importance of this was pointed out in a recent report which highlighted the dire state of digital forensic work in the public sector, observing that many criminal trials are failing because of evidence issues.
More insight
Investigative tools and AI (artificial intelligence) can never replace the work of human investigators. Investigative work, weighing up leads and context, requires a degree of human judgement which a machine cannot replicate at this time. However, these tools can augment intelligence so that we are able to make smarter, strategic choices from a better knowledge base and focus on the evidence that matters. Historically, data breach investigators have been hamstrung by human limitations that prevented them from drawing connections between even a small number of digital data sources. With the gradual evolution of our investigative tools, we increase our chances of learning from hacks and of applying this new knowledge in the future.
Human intelligence, augmented
Like the hacks and cyberthreats they seek to investigate and contain, data analysis tools are always evolving. Today, these tools can help sift through vast quantities of data, help teams make better decisions, and optimise future strategies by highlighting flaws in previous business structures. By implementing the best tools available, and evolving to keep up with the threat landscape, investigators will be empowered to do more with large data sets and bring clarity to crimes in a complex digital world.
Stuart Clarke is chief technology officer for security & intelligence at Nuix
This post first appeared in the February Orange Rag