Friday, July 10, 2009

SANS Forensic Summit 2009 - Report

Kudos to Rob Lee for putting on the best Forensic Summit I have ever attended or been a part of! Being able to hear speakers like Harlan Carvey, Ovie Carroll, Richard Bejtlich (pronounced BAIT-LICK), Jesse Kornblum, Jamie Butler, Troy Larson, and Eoghan (pronounced OWEN) Casey all in one event is pretty impressive. Now throw into the mix representatives from the FBI, Secret Service, DoD, Georgia Tech, and various local, state, and federal agencies and you have something pretty special. The quality of the speakers at this year’s summit made this THE conference to be at in 2009! Again, great work Rob!

So, with all of these great forensic minds in one place, what were the highlights? Was there a pervasive theme, or many scattered ones? Are we all as forensic investigators and incident responders seeing the same things, or does each agency face unique challenges? To answer those questions, “Yes, yes, and yes”.

Obviously the various agencies represented face challenges that are unique to their organization. Most interesting to me are the challenges faced by the US Department of Prisons! Inmates are extremely clever in acquiring, hiding, and using cellular phones…much more so than I ever imagined. In some cases phones are being inserted into FROGS, which are subsequently launched over the prison walls/fences. While that seems funny, this is a huge problem faced by the prison systems. With a cellular phone, inmates can still conduct much of their criminal activities from within the prison walls – which kind of defeats the intent of putting them behind bars in the first place.

Most law enforcement agencies shared the common challenge of funding and personnel. Money is tight, which affects every aspect of their jobs. Let’s face it, forensic hardware, software, training and education, and books are expensive…not to mention what you have to PAY someone who is experienced enough to perform comprehensive forensic investigations. The agencies represented indicated that they are making do with less and getting things done, albeit slowly. Many cases are pushing several months and, in the most extreme examples, several years! Compare this to my average case, which doesn’t last much longer than 3 – 4 weeks (max), and you have a drastic disparity.

I had a good conversation with Ovie Carroll, Director of the Department of Justice Cyber-Crime lab, one afternoon in which we talked about the merit of having Law Enforcement agencies outsource some of their casework to external organizations. I think this is a fantastic idea that would leverage the expertise in the private sector (a HUGE percentage of which are either prior service military, former Law Enforcement, or both, and have held or currently hold high level security clearances) to accomplish casework more quickly and efficiently. Additionally, these relationships could be used to provide low cost (and in some cases FREE) training and education to our cash-strapped brethren. I cannot stress enough how much I feel like this concept could provide much needed assistance in an area where it’s desperately needed. If you have not already done so, reach out to your local Law Enforcement agency and find out if there is any way you can assist!

The Law Enforcement agencies also shared that they are all facing the same central issues of identity theft and carding (credit card theft). Among other crimes, these two are surfacing to the top of the list nationwide. Working for Trustwave, the majority of my cases involve carding, and I can assure you that this is a multi-billion (that’s right, I said BILLION…with a “B”) dollar business for hackers and is not going anywhere, anytime soon.

I also noticed a couple of central themes that emerged from the various forensic and incident response panels – getting back to basics, and information sharing.

By getting back to the basics, I mean approaching your casework with a solid foundation of forensic theory, methodology, and technical understanding. Planning your work – working your plan! Knowing what data you are going to look for, and then surgically going after and interpreting that data – allowing the DATA to develop your theory, not cramming the data into your preexisting theory. Knowing your tools…what do they do, why, and how. Then carefully, and methodically documenting what you did, how you did it, and what the results were.

The other theme that surfaced was the need to share information. It seems that both the private sector and the various Law Enforcement agencies are suffering from a “stove pipe” mentality and intel is not being shared – which is a crime in and of itself! Now obviously I am not talking about information that would violate a Non-Disclosure Agreement (NDA) or compromise a case, BUT we can be sharing information like emerging threats, trends, malware data (hashes and/or artifacts), and the sources of certain attacks (at least IP addresses). Again, I spoke at length with Ovie Carroll and Harlan Carvey about this, but our conversation also included Special Agent Jennifer Kolde of the FBI San Diego office, Special Agent Andrew Bonillo of the USSS DC office, and Chris Kelly of the Office of the Attorney General for the Commonwealth of Massachusetts. The same feelings were shared by all parties…share what you can, when you can. Doing so will only help everyone! At the end of the day, aren’t we all after the same thing – catching the bad guy? If that’s the case, then as a body of professionals, let’s really strive to cast aside the departmentalism that has prevented the flow of information to this point, and focus on frequent and directed intel sharing.

I could spend the next several pages going over the great talks and the takeaways from the conference, but that would probably make my fingers hurt, and you would probably get tired of reading. Suffice it to say that if you missed out on the conference this year, DON’T DO IT NEXT YEAR! I will echo the statement of Rick VanLuvender from First Data Corp who said, “If you can only make one conference this year, THIS is the one to make”! I could not agree more! This was a fantastic event!

In the next couple of weeks I will be writing about the lessons learned from the conference. If there is something you would like to see covered in more detail, or if you attended the conference, and I am not blogging about something you would like to see me cover, please let me know! My email address is in my profile, or if you were at the conference you likely have my business card. I hope you are looking forward to the next few posts as much as I am about writing them!

I will leave you with one final thought. In the handbook of the top 20 computer security jobs, Incident Responder/Forensic Investigator was #1! Yes, if you are reading this blog, you are either related to me (my wife and mother follow my blog for moral support…I love them but they usually have NO idea what I am talking about) or you are in the same field I am. That being the case, you have the coolest, sexiest, most sought after job in the computer security world. If that doesn’t excite you…well…then you are either brain dead, you have no pulse (which would make you physically dead), or you really just don’t get it and you should probably find another line of work.