Much like with traditional crimes, cybercrimes leave a trail of breadcrumbs that, if assembled correctly, can create a reliable understanding of what occurred and can even lead investigators to the perpetrators. With cybercrime expected to cost society some $2 trillion by 2019, the field of digital forensic investigations will be vital in creating criminal deterrence and mitigating risk for all kinds of organizations. The Cipher Brief sat down with Jim Kent, the Head of Security & Intelligence at Nuix, to discuss the process of digital forensics and how the field is anticipated to change over the next few years.
The Cipher Brief: What is digital forensics, and what is it used for?
Jim Kent: It’s looking at the method of introducing common or normal crimes with digital media. In the old days when I would investigate a mobile phone, for example, I would get the print-out from the service provider of all the phone numbers and use a highlighter to go through it and highlight the numbers of interest. What we do now is the equivalent of that, but digitally. It’s nothing more than that.
So, now I collect the data in a forensically sound manner that is repeatable and defensible, and then analyze it in a way that gets repeatable results. Therefore, the evidence that comes out the back—which could still be phone numbers—comes out now in a digital format, and I can incorporate that into the story being investigated.
TCB: What are some of the applications of that methodology towards improving incident response for cybersecurity professionals?
JK: What you do with any investigation—whether it’s an incident response or looking at a log file—you are always investigating the data. It does not matter what the data is; it’s how do we take the data, apply our knowledge to it, and make it relevant to the end user. So, what is necessary is the ability to really scale magnitudes of data, very fast, normalize the data, label it to drag out entities—whether it be IP addresses, people’s names, or credit card numbers—and bring that to the end user so you can start working out what happened. That’s very relevant for incident response.
So when investigating someone taking data with a USB drive—an insider threat—where do you start? Well, you start by investigating their machine, their hard drive, and working out what they have taken. What’s the depth of my risk in this incident? Who else have they been talking to? That’s when you start moving into the broader arena of security. I need to be able to put an enterprise technology out there to start doing digital behavior recording, monitor activity, and feed that back into the investigation to see if they’re sending information out.
When you start working at scale by looking at a 300,000-node network or recovering a deleted file off of a web server, you start securing the network. Whether the investigation starts from the outside coming in or the inside going out, it doesn’t matter. It’s all about the investigative response while using technology for a graphical interface to see the large-scale elastic search backed by petabytes of data for deep-dive forensic investigations and incident response on security matters.
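As an added illustration of the normalize-and-label step described in the answer above (example code written for this page, not Nuix software or anything shown in the interview), the Python below takes constructed log lines in three formats, normalizes them to one record shape, labels IPv4 addresses, e-mail addresses and Luhn-valid card numbers, builds a cross-line index of which sources an entity appeared on, and ranks the lines with the most labelled entities first. The formats, field names and sample lines are assumptions made for the example.

```python
"""Normalize heterogeneous log lines, label entities, index and rank them.

Added example for the interview's "normalize the data, label it to drag out
entities" step.  Line formats and sample data are constructed, not real.
"""
import json
import re
from collections import defaultdict

# Lookarounds rather than \b so an IP inside "src=..." or a card number inside
# "order_4242...pdf" is still found; \b would fail after "_" (a word character).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, spaces/dashes allowed

# Constructed sample lines in three formats (syslog-ish, JSON, CSV); not real data.
SAMPLE = [
    "2017-03-01T10:00:01Z fw01 conn src=10.0.0.5 dst=203.0.113.9 action=allow",
    '{"host": "mail02", "msg": "deliver to Alice@example.com from 198.51.100.7"}',
    "ws-17,explorer.exe,copied order_4242-4242-4242-4242.pdf to E:\\",
    "2017-03-01T10:00:05Z fw01 conn src=10.0.0.5 dst=999.1.1.1 action=deny",
    "ws-17,notepad.exe,ticket 1234567890123456 opened",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize(raw: str) -> dict:
    """Map one raw line in any of the three assumed formats to {source, text}."""
    raw = raw.strip()
    if raw.startswith("{"):                                   # JSON event: {"host":..,"msg":..}
        obj = json.loads(raw)
        return {"source": obj["host"], "text": obj["msg"]}
    if raw.count(",") >= 2 and " " not in raw.split(",", 1)[0]:   # CSV: host,process,text
        host, _proc, text = raw.split(",", 2)
        return {"source": host, "text": text}
    _ts, host, _proc, text = raw.split(" ", 3)                # syslog-ish: ts host proc text
    return {"source": host, "text": text}


def extract_entities(text: str) -> dict:
    """Return {kind: sorted values} for the entity kinds this example labels."""
    ents = defaultdict(set)
    for m in IPV4_RE.findall(text):
        if all(int(octet) <= 255 for octet in m.split(".")):  # reject 999.1.1.1-style junk
            ents["ipv4"].add(m)
    for m in EMAIL_RE.findall(text):
        ents["email"].add(m.lower())
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            ents["card"].add(digits)
    return {kind: sorted(values) for kind, values in ents.items()}


def label(lines):
    """Normalize every line, attach its entities, and index entity -> sources seen on."""
    records, index = [], defaultdict(set)
    for raw in lines:
        rec = normalize(raw)
        rec["entities"] = extract_entities(rec["text"])
        records.append(rec)
        for kind, values in rec["entities"].items():
            for value in values:
                index[(kind, value)].add(rec["source"])
    return records, dict(index)


def rank(records):
    """Most-relevant-first: lines carrying more labelled entities float to the top."""
    return sorted(records,
                  key=lambda r: sum(len(v) for v in r["entities"].values()),
                  reverse=True)


if __name__ == "__main__":
    recs, idx = label(SAMPLE)
    for rec in rank(recs):
        print(rec["source"], rec["entities"])
    print("sources that saw 10.0.0.5:", idx[("ipv4", "10.0.0.5")])
```

The two order of filtering matters here: the regex only proposes candidates, and the octet-range and Luhn checks decide which candidates get a label, which is what keeps a ticket number or a malformed address out of the entity list an analyst will later pivot on.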
TCB: What are some of the challenges to this kind of approach?
JK: There is always the human element to overcome with people opening Pandora’s Box and looking inside. The minute you step into an investigation, organizations should determine whether they’ve lost a file or somebody deleted files, stole pictures, or injected malware. There are just different depths to inquiring the machine compared to a normal investigation.
Having people get over the mental hurdle of allowing you to do an investigation was very difficult ten years ago, twenty years ago. Now, people are more accepting. People understand that breaches happen, that you need to get to the bottom of the risk. So it’s not as much of an issue anymore.
The biggest issue is probably the volumes of data that we deal with, especially with endpoint devices. That’s where adaptive security from an endpoint perspective makes logical sense. Instead of trying to force all of the data back, it only sends the most relevant data. When doing investigations now, you can include multiple hard drives, laptops, mobile phones, and satellite navigation devices in the forensic platform, and then apply intelligence so that it investigates the most relevant information first. Much like you do not have to go through a million lines of search hits, the platform has worked out the most relevant information beforehand. It streamlines the process of investigation to overcome large quantities of data.
TCB: You came from a traditional law enforcement forensics background into the cybersecurity space. How important do you think that dynamic is to the future of cybersecurity?
JK: What I found most beneficial in my career was that I can take an investigative mentality and apply it to technology. The two together are going to give the best results. We’re moving from a generation of investigators to a generation of people asking questions about the data. They don’t really care what’s going on on the back end; they just want more of an analytical mind as opposed to a hardcore investigative mind, because they get the same answers and get them faster. That’s the generation we’ve moved towards.
For me, having both of those disciplines and the ability to adapt is a real benefit, because you start to look at things differently. Is it having the data or getting your mind around the data that is hard when fighting an enemy you cannot see? You need to understand and appreciate the data from different angles to get the best outcome.
TCB: How do you see the field of digital forensics progressing in the future?
JK: A move to technology that solves the problems technology has made. Big data analytics is crucial, and it will be instrumental in the future. However, there are different ways of looking at that. We’re doing big data analytics predominantly at the moment but maybe, for example, on bits of metadata within a log file. It’s not fully enriched data, so we are starting with a tainted view of the data before it comes out into the analytics field. We need to get down to the ones and zeroes for enriched data to feed the analytics.
Visualizing to make the data relevant to the human eye is also important. Humanizing the data to make it look like a USB on the screen, so you go “Oh, it’s a USB,” rather than having to go through all these wonderful technical searches to say, “Oh yes, it was a USB drive.” That’s the future. We should be helping guide people and drive them.
Where else will we go? Machine learning and artificial intelligence will be crucial to where we all end up because of the large big data sums and refining that with analytics. But once again, it must be enriched, refined data that we’re starting with. So making sure that we know everything about the dataset before we start applying our intelligence. That’s where I can see digital forensics going: where we’re bringing old autopsy data, streaming it, applying intelligence, and starting to preempt. The goal of preempting is where artificial intelligence and machine learning come in. But they have to be on the right foundation to make it truly work.