With that in mind, on Thursday General Dynamics execs gave me a tour of a digital forensics lab in Annapolis Junction, Md., near NSA headquarters, where the company carries out cyber forensics for commercial clients, and shed some light on the process by which cyber investigators track down the bad guys in preparation for a potential trial.
"It really is a science," says Michael Buratowski, General Dynamics' senior program manager for the Department of Defense's Cyber Crime Center (DC3), which sets standards for and assists in cybercrime investigations being carried out by DoD (General Dynamics is prime contractor on three of DC3's five subgroups). "Sure, there is a certain art to it, but in many ways it's a science, and sometimes I think that gets lost."
To demonstrate, he walks me through a mock-up of a spearphishing attack: an attacker sends a targeted e-mail to an employee, disguising the message as coming from a friend or colleague; when an image in the e-mail is loaded, malware hidden in the image executes and infects the employee's machine.
Once the attack grows, General Dynamics might be called in to stop the bleeding and figure out just what's going on. Swinging into motion, General Dynamics acts in many ways like an investigative police unit one might see on television, arriving with cases -- Buratowski calls them "fly-away kits" -- full of laptops, imaging machines, interface cards, write blockers (which allow access to a drive without allowing any code to be written to the drive), and other gadgets designed to assist in the investigation.
That said, it's not CSI: Miami. "You don't need some $40 million lab to do this work," says Nadia Short, VP and GM of the cyber systems division at General Dynamics Advanced Information Systems. "You need the right systems, the right people and a decent environment."
The point, therefore, is largely the process and the execution, not shiny new toys. That means, for example, that when it brings hard drives, CDs, computers and documents back to the lab, General Dynamics follows very specific chain-of-custody requirements to ensure the evidence will remain valid in a court case, if the investigation gets that far. An evidence room down the hall from the bank of computers where much of the actual investigation is done is alarmed around the clock and protected by coded entry; not even Short or Buratowski have the codes.
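The physical controls above have a digital counterpart: every item brought back to the lab is hashed at intake, and a record of who held it, when, and why accompanies it from then on, so that a court can be shown the evidence was not altered. The following Python is an added example, not General Dynamics' or DC3's own tooling; the function names, the manifest layout and the sample files it writes are all constructed here for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large disk images without loading them into memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collected_by):
    """Hash every file under evidence_dir and open the custody log.

    The manifest is the reference point: any later verification compares
    the current bytes on disk against the digests recorded at intake.
    """
    items = {}
    for p in sorted(Path(evidence_dir).rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(evidence_dir))
            items[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "items": items,
        # first custody entry: who collected the material and when
        "custody": [{"event": "collected", "holder": collected_by,
                     "at": time.time(), "note": ""}],
    }


def record_transfer(manifest, from_person, to_person, reason):
    """Append a hand-off to the custody log; the log is append-only."""
    manifest["custody"].append({
        "event": "transferred", "holder": to_person, "from": from_person,
        "at": time.time(), "note": reason,
    })


def verify_manifest(manifest, evidence_dir):
    """Return a list of (relative_path, problem) pairs; empty means intact."""
    problems = []
    root = Path(evidence_dir)
    for rel, meta in manifest["items"].items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != meta["sha256"]:
            problems.append((rel, "hash mismatch"))
    # material that appeared after intake is just as much a custody problem
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root))
            if rel not in manifest["items"]:
                problems.append((rel, "not in manifest"))
    return sorted(problems)


def make_sample_evidence():
    """Create a constructed evidence directory so the example runs offline."""
    d = tempfile.mkdtemp(prefix="evidence_")
    (Path(d) / "mailbox.pst").write_bytes(b"constructed sample, not a real PST\n")
    (Path(d) / "disk.img").write_bytes(bytes(range(256)) * 4)
    return d


if __name__ == "__main__":
    d = make_sample_evidence()
    m = build_manifest(d, "analyst A")
    record_transfer(m, "analyst A", "analyst B", "hand-off to lab")
    print("intake OK" if not verify_manifest(m, d) else "PROBLEM")
```

Writing the manifest out as JSON and signing or hashing that file too is the usual next step; the point of the check is that any later party can re-run verify_manifest against the same material and get an empty list.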
Once called in after (or during) an attack, General Dynamics takes one of two tacks for analyzing it: dead-box analysis, where the company brings the offending hardware into the lab and does things like examine the directory structure and analyze the drive; or live network analysis, where the company observes a machine that may currently be under attack without shutting it down (often because the system under attack is critical to the organization's operations).
In some ways, here's where the art comes in, as forensic analysts' experience shapes their understanding of and ability to spot anomalous behavior or files on the machines in question. But there's also a science to it, as General Dynamics employs tools like Microsoft's Sysinternals troubleshooting utilities to observe processes running in the background of an attack, particularly on sandboxed machines where General Dynamics may have recreated the attack after first isolating the malware involved. Other tools in the chest include determining when files were created and checking MAC times (the modification, access and creation or metadata-change timestamps the file system records for each file).
This science of cybersecurity isn't learned overnight, and though General Dynamics doesn't have problems bringing in talent, the government sometimes does. Next week I'll have a feature article detailing the work the government is doing to bolster its cyber workforce so that it can do more of the things that General Dynamics does for it today.