Focus on Forensics

Opinion: Researchers confirm that very little attention has been paid and resources spent on improving the ability to track the infection and activities of modern stealth malware that doesn't act in ways that a system would find unusual.

There are bugs, malware and evildoers out there trying to take over your systems and steal your vital corporate data. Its your job to keep these systems healthy and protected against these threats that are trying to bring them down.

To fight against these problems, you employ the most cutting-edge security tools and products, such as intrusion prevention systems, patch management tools and system-hardening scripts.

The bad guys should quiver in fear about taking on you and your state-of-the-art security infrastructure.

Well, actually, they probably arent. And even worse, that security infrastructure that youre so proud of probably isnt quite as cutting-edge as you think.

In fact, in one key area youre basically like an old-fashioned doctor who doesnt have access to modern technologies such as scans and blood tests and must instead rely on stethoscopes, tongue depressors and outward physical evaluations.

This area is attack forensics. When your pricey security systems are subverted (and they probably will be) and you have systems that have been taken over by a new and innovative rootkit or other stealth malware, how are you going to find out whats been affected? How will you know if other systems have been touched by infected systems? Will you even be able to find the rootkits and malware?

When I wrote the "response" section of our recent update to the Five Steps to Security, I was surprised at how little had changed in the system forensics arena in the five years since the first article.

While there have been plenty of new tools built around the specific task of detecting rootkits and other types of malware, the arena of broad system analysis doesnt seem to have changed much from the old-school tripwire style of system change comparison.

Of course, my first thought was that maybe I was just missing something. But at the recent Ziff Davis Security Summit, security researcher Joanna Rutkowska basically confirmed that forensics is a field that is falling behind.

/zimages/6/28571.gifRead more here about Rutkowskas research on anti-virus software.

During a panel with fellow security researchers HD Moore, Johnny Cache and David Maynor; Rutkowska spoke on how lots of attention is paid to finding exploits and creating defenses while very little attention has been paid and resources spent on improving the ability to track the infection and activities of modern stealth malware that doesnt act in ways that a system would find unusual.

Since that panel, Ive been reading some of Rutkowskas past presentations and papers, and its clear that this has been a key area of focus for her during the last couple of years.

As a rootkit expert, she has demonstrated over and over the ability of rootkits to hide and act within standard system processes and to not make system changes except in areas where Windows expects applications to make changes (instead of the more obvious and non-permissible changes that more classic rootkits tend to enact).

Part of this problem is that Windows allows (one could also say forces) software developers to do things in Windows that they shouldnt have to do, such as hide processes and files.

For regular takes on the state of technology, read Jim Rapozas blog Comment Here.

There isnt really a legitimate reason for applications to be doing this, and the fact that they do makes it easier for malware to look like a normal application.

The current state of system forensics is so bad that some of the panel joked (or maybe they werent joking) that people should basically just assume hidden infections that even a system reimage wont remove and they should just throw away their laptops every few months.

Im hoping the situation doesnt remain that dire. Rutkowska has outlined several steps and proposals that would improve attack forensics, such as focusing on network activities of malware rather than system changes.

She has also argued convincingly that Microsoft needs to make changes to Windows that would make it harder for malware to hide and easier for good guys to track.

Of course, Microsoft and other vendors wont focus on forensics until we, the customers, force them to.

Businesses need to put a higher premium on the ability to track malware intrusions when they speak to vendors about security.

Come to think of it, maybe its the word. Forensics is kind of dry and technical.

Given the popularity of all the TV shows, lets call it Technology CSI. I mean, who wouldnt want to be the Gil Grissom of his IT department.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.