Organizations can take steps in advance to help ensure that forensic investigations into data breaches and cyberattacks are successful, says security expert John "Drew" Hamilton, a professor at Mississippi State University.
One critical step, he says, is "having a very strong understanding of your underlying system architecture, because if you're trying to figure out how things connect after the fact, that's problematic," he tells Information Security Media Group.
"You also want to have good configuration management because one of the problems with infestation - whether it's ransomware or something else - is that once malicious software has root or administrative rights on a machine, it can make the machine lie to you," he says. "So, if you have a machine whose system commands have been altered, not only does it make it hard to find out what happened on the machine, but that can also frustrate a forensic analysis because now essentially your machine is lying to you."
For instance, evidence such as time stamps on systems can get destroyed in the malware attack, "and so it's hard to trust some of the forensic information you're going to get from that machine."
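The point Hamilton makes is why a baseline recorded when the host was known-good, and stored where the host cannot edit it, matters to a forensic analyst. The script below is an added illustration, not code from the interview or from Mississippi State: it records a hash-and-timestamp manifest for a directory tree, then audits the live files against that manifest and singles out the case where the contents changed but the modification time still matches the baseline, i.e. the timestamp was reset to hide the change. The directory layout, file names and tampering scenario are constructed for the example.

```python
# Added example: auditing a host against a configuration-management baseline.
# Once malware has root, the live system (its binaries and their timestamps)
# can be made to lie, so the live state is compared with a manifest captured
# when the host was known-good instead of being trusted on its own.
# Illustrative code only; not a tool from the interview or from MSU.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and mtime (in ns) of every regular file under root.
    In practice this manifest comes from the configuration-management system
    at deploy time and lives off-host, where malware on the box cannot edit it."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def audit(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and classify each path.
    'tampered_timestomped' is the telling case: contents differ from the
    baseline but the mtime still matches it, so a timestamp-only check
    (or an investigator reading 'ls -l') would miss the change; the hash does not."""
    findings = {}
    live = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, rec in baseline.items():
        if rel not in live:
            findings[rel] = "missing"
            continue
        p = root / rel
        if sha256_of(p) == rec["sha256"]:
            findings[rel] = "ok"
        elif p.stat().st_mtime_ns == rec["mtime_ns"]:
            findings[rel] = "tampered_timestomped"
        else:
            findings[rel] = "tampered"
    for rel in live - set(baseline):
        findings[rel] = "unexpected"
    return findings


def demo() -> dict:
    """Constructed scenario (not real data): a fake usr/bin with four tiny
    'binaries', a baseline, then several tampering events, then an audit."""
    root = Path(tempfile.mkdtemp())
    try:
        bin_dir = root / "usr" / "bin"
        bin_dir.mkdir(parents=True)
        for name in ("ls", "ps", "netstat", "id"):
            (bin_dir / name).write_bytes(b"#!/bin/sh\nexec /real/" + name.encode() + b"\n")
        baseline = build_baseline(root)

        # Tampering 1: 'ps' is replaced by a version that hides a process, and
        # the attacker resets atime/mtime to their original values (timestomping).
        ps = bin_dir / "ps"
        st = ps.stat()
        ps.write_bytes(b"#!/bin/sh\nexec /real/ps | grep -v dropper\n")
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Tampering 2: 'ls' is replaced without hiding the change. The mtime is
        # pushed forward by a minute explicitly so the example behaves the same
        # on filesystems with coarse timestamp resolution.
        ls = bin_dir / "ls"
        ls.write_bytes(b"#!/bin/sh\nexec /real/ls | grep -v dropper\n")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns + 60 * 10**9))

        # Tampering 3: a tool the attacker does not want found is deleted, and
        # a new file appears that was never in the baseline.
        (bin_dir / "netstat").unlink()
        (bin_dir / "dropper").write_bytes(b"\x7fELF...constructed placeholder\n")

        return audit(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:22s} {path}")
```

The audit deliberately keys on content hashes rather than timestamps because utime-style timestomping is cheap for anyone with write access, and with root the attacker can also move the system clock. The inode change time (ctime) is set by the kernel and is not settable through utime, so it is a useful secondary signal during triage, but on a rooted host it is still data the machine is reporting about itself; the off-host manifest is the only part of this picture the compromised system cannot rewrite.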
In the interview, Hamilton also discusses:
- Important lessons emerging from the recent WannaCry attacks;
- Tips for preventing and responding to incidents involving malware;
- Security considerations for medical devices.
Hamilton is director of the Center for Cyber Innovation at Mississippi State University. The center researches and develops solutions that support global national security, homeland security and peacekeeping operations. Hamilton's research areas include computer security, digital forensics and software architecture.