Tuesday, July 22, 2008

The Future of IR

Many readers like to hear what others think is "the future" of something...what changes are coming down the road, how a certain segment of society or "community" will/should react to those changes, etc. Based on some of my own experiences, I thought I'd focus not so much on where I think things are going in the world of incident response (IR) and computer forensic (CF) analysis, but more on where IMHO I think things should be going.

For the most part, many of the changes that affect what we do as incident/first responders and forensic analysts are driven by outside forces. For example, storage media continues to increase in capacity, as well as complexity. Not only is the storage media itself (hard drives, thumb drives, etc.) increasing in capacity, but so is the complexity of how these are used (i.e., multi-terabyte NASs and SANs, boot-from-SAN servers, etc.). Add to that increased sources (iPods, cell phones...let's not even discuss cell phones and PDAs...) of data (I'm refraining from the use of the term "evidence", but in many cases it's synonymous with "data"), as well as changes in operating systems and applications themselves, and the level of complexity is quickly surging out of control.

Our world is changing...so what do we do about it? Well, for one, we can adapt and change how we do things in order to keep up, with the goal being to try to get one step ahead of the "bad guys". Rather than looking only at an acquired image of the physical drive, start conducting more live response and going into memory for data. Folks like ManTech and Volatility Systems make this sort of thing possible.

As incident responders, our needs are changing...sometimes even when we're not aware that they are. Folks like Matt Shannon have recognized this, and as a result have produced tools such as F-Response. Matt has separated the presentation and collection phase of IR/CF from the analysis phase, making even collection of data vendor-agnostic. What this means is that using F-Response, you end up with a drive icon on your forensic platform that you can then acquire, read-only, regardless of what you've got on the other end (RAID, SCSI, SAS, etc.). You can then use any tool to acquire your image, and any forensic analysis application to perform your analysis.

The thing is, Matt comes from the managed forensic services world...which is something that itself should be growing as corporate IT goes green. With the corporate IT perimeter continuing to disappear and cybercrime increasing, there is a growing need for quicker response times - that is, less time between discovery of an incident (or breach) and someone actually taking action to address it. Many organizations do not seem to be interested in training their own staff to perform first response and containment, so there needs to be a way to get data collected and analyzed and initiate response activities in a timely, efficient, and correct manner. Managed security monitoring services aid greatly in the detection (and prevention) of incidents, and managed forensic/IR services using tools such as F-Response (Enterprise Edition) would greatly decrease response time. However, managed forensic services require a great deal of trust between the customer and vendor, and that trust takes time to develop.

IMHO, innovations such as F-Response and the Volatility Systems tools are not taking us to the cutting edge of IR capabilities...rather, the people behind these innovations are creating the absolute bleeding edge of incident response.

We need to take a look at what we do and how we do it, examining and adapting our procedures and processes, based on what makes sense to us...not what makes sense to an application vendor.