Attackers are using increasingly sophisticated methods to stay ahead of security incident response teams, says Kevin Mandia of security consultancy Mandiant. In the never-ending cat-and-mouse game between hackers and those charged with stopping them, it's pretty clear who's winning, and it's not the cat. Speaking at the Black Hat conference in Las Vegas last week, Kevin Mandia, president of Mandiant, an Alexandria, Va.-based security consultancy, said attackers are using increasingly sophisticated methods to evade detection and make life difficult for security incident response teams.

The sophistication of hackers' tools is outpacing that of investigators' forensic tools, and one consequence is that incident response teams charged with investigating attacks on networks are taking between 5 and 8 days to find malicious code, Mandia said. "Malware analysis can be time consuming, and most firms don't want to spend the money to fully analyze the malicious code, which could cause further damage [to the network]," said Mandia. And because it can take days to find malicious code, Mandia said rumors of a kernel-level rootkit always arise within the company being investigated. Rootkits are software tools designed to hide running processes, files or system data and enable attackers to maintain control over a system without the user's knowledge. A kernel-level rootkit takes this cloak of invisibility a step further by adding to or modifying part of the kernel code.

The link to this article, originally located at Dr. Dobb's Journal, is no longer available.