Traditionally, computer forensic investigations are seen as reacting to historic incidents and understanding what went wrong retrospectively. But in the cyber world, forensic investigation is a critical weapon which allows us to look forward as well as back.
Cyberspace is a contested environment in which effective situational awareness is vital if we are to gain and maintain control of a particular environment (such as our corporate networks). In this respect the cyber environment is like any traditional warfighting or security environment.
Cyber is, however, characterised by one significant difference; those senses that humans have evolved to make them so successful (and possibly dangerous) from an evolutionary point of view, don’t work in the cyber environment. We can’t see, taste, feel or hear what is going on in the cyber environment unaided. This sensory dislocation is one of the reasons why we often make (or see) so many of the silly mistakes and decisions which provide the basis for most of the successful attacks on our systems.
Cyber operations do have parallels with the kinetic battlespace; ranging from set piece offensive operations to covert, surveillance and persistent insurgency operations. There are significant differences, however, not least with respect to Geographical Boundaries, Tempo and the way that we can apply force. Whilst this post is not the place for a detailed analysis of these differences, an awareness of these areas can provide practical insights into how we operate more safely in the cyber environment.
Stripped to its basics, the purpose of the computer forensics (now a multi threaded discipline) is to gain information and understanding about a particular situation in a particular context. This makes it a valuable proactive tool in delivering the situational awareness which can be so elusive. Sun Tsu (506BC) advised “Know your enemy and know yourself”. I would argue that this principal is as relevant now as ever. Forensic Tools and techniques can form the basis of proactive preparation and architecture hardening within a system often conducted as part of forensics readiness planning.
The environment can be designed, from the outset, to favour the defender. In the past, this might have been advantageous – now it is a fundamental requirement for system designers. Elegantly designed architectures, based on a sound knowledge of the operational environment will make it harder for an attacker to gain the initiative. Similarly, if accessing the system compels the attacker to leave footprints, it is not only a deterrent but also a helpful tool for later investigation.
In the eleventh chapter Sun Tzu states that a leader must be capable of comprehending “unfathomable plans”. At SRM we have many years’ experience in dealing with cyber criminals so can more readily see patterns in behaviour and predict future actions. We see all forensic investigations as part of the preventative process through which organisations gain visibility of their own, as well as their attacker’s capability.