Recently, I had the opportunity to attend a highly informative digital forensics talk hosted by i-FORCE. The event featured insights from Pieter Van der Hulst and Tjebbe Van Quickenborne, both experts in the field of IT security, investigations, and incident response. This blog post is a detailed overview of the key takeaways from the session.
What is digital forensics?
According to IBM’s definition, digital forensics is the process of collecting and analyzing digital evidence in a way that maintains its integrity and admissibility in court.
It is a field of forensic science used to investigate cybercrime, but it can also support criminal and civil investigations more broadly. For instance, cybersecurity teams may use digital forensics to identify the cybercriminals behind a malware attack, while law enforcement agencies may use it to analyze data from the devices of a murder suspect.
Digital forensics is an ever-evolving field that demands continuous learning and upkeep. The speakers at this event emphasized the importance of working for an employer who supports ongoing education and staying current with the latest trends in cyber threats. The inherent nature of cyber threats means that forensics professionals must be proactive in their learning to effectively counteract these threats.
Ransomware
Ransomware remains a significant threat, with some ransomware families still very active. The talk made it clear that securing an organization is a constant race against cybercriminals. On top of that, the abysmally low arrest rates for cybercriminals also show just how important robust cybersecurity measures are.
Securing networks
One of the critical points discussed was the role of Remote Desktop Protocol (RDP) in ransomware distribution, particularly in Belgium. For instance, the city of Antwerp experienced a breach, paid the ransom, and then got breached again because the files left behind by the attackers were never removed. This illustrates the importance of thorough post-infiltration cleanup. Firewalls are essential, but whether they are deployed before or after an infiltration significantly affects how effective they are.
Preventing breaches
Attackers often target the most critical and least protected parts of a network. Small businesses in particular are more vulnerable due to typically weaker defenses. The speakers recommended focusing on protecting these critical areas to mitigate potential breaches.
Lessons learned
Several significant incidents were mentioned, including the existence of ‘destroyware’ and the infamous Maersk hack, which was partly due to outdated bookkeeping practices.
If you’d like to learn more about the Maersk hack, as well as the resulting fallout and lessons learned, check out this blog post:
https://www.odexglobal.com/blog/maersk-cyber-attack-odex-analysis.php
The rise of ‘Ransomware as a Service’ (RaaS)
The concept of Ransomware as a Service (RaaS) was also explained in great detail during the talk. Here’s an interesting statistic the speakers shared: affiliates involved in the distribution of ransomware receive 80% of the proceeds, with the remaining 20% going to the malware developers. This business model has unfortunately contributed to the worldwide proliferation of ransomware attacks.
Security fundamentals
The speakers reiterated that in cybersecurity, you are only as strong as your weakest link. They talked about the 80/20 rule, suggesting that 80% of the security effort should focus on the most critical 20% of vulnerabilities.
Essential tools and techniques
A range of tools was recommended for various tasks:
- MX Lookup: nslookup.io
- Artifact Analysis: SANS Windows Artifact Analysis
- Firewalling: Emphasis on combining East-West and North-South firewalling strategies
Conclusion
The insights provided by Pieter and Tjebbe were quite valuable, and I found the talk to be very entertaining. It was, admittedly, one of the only times I’ve ever attended a guest speaker presentation without feeling like I was about to fall asleep. The points they brought up were vital: as cyber threats evolve, so must our strategies and tools to combat them. This means continuous learning and robust, proactive security practices.