This past week, hundreds of digital investigators from government and corporate teams headed to Myrtle Beach for this year's Techno Security & Forensics Investigations conference (#TSFIC). Here are the highlights of what we learned and what Rapid7 shared at the event.
No Matter Your Role, Analyzing Behavior Matters
Behavior was an important, recurring theme over the conference. Whether talking about phishing awareness training, optimizing investigative mindsets, or attacker methodology, our human behavior tendencies were brought into the spotlight.
Thinking Fast and Slow, written by Nobel-Prize winning psychologist Daniel Kahneman, was referenced in two sessions: Mental Maps & Investigative Traps and the Humanity of Phishing Attack & Defense. For those unfamiliar with the book, Kahneman proposes that we have two modes of thinking: System 1 and System 2.
Our default, System 1, takes a lot less energy to operate. Given that our brains are efficient machines, we'll revert to System 1 whenever possible - our relaxed, lazier side. Want to feel the difference? In your head, try the following:
1 + 3, 4 + 8, 1 x 6
85 x 34
The first three answers arrive automatically. Unless you're a math wizard, starting the last calculation activates System 2: it's no longer automatic, and solving 85 times 34 requires rational, concerted effort.
The challenge is that our brains aren't perfect in determining how much brainpower to apply to our daily problems. We have a finite amount of focus to allocate each day, so our brains conserve whenever possible. Take multitasking, for example. Every time we juggle another task, our focus divides further. However, the brain doesn't warn us when it's dangerous. When we text and drive, the brain still thinks it's concentrating on driving, even when it's...not. System 1 is running smoothly, and it's filling in the blanks.
Professor Katherine Ramsland, program director for the DeSales University Criminal Justice program, analogized it as such, “Imagine each task as a light bulb. When multitasking, you might think each one is burning bright, but in reality they might be all dim bulbs!”
Ramsland further highlighted that each and every person has a different tolerance for ambiguity, our own "need for closure." Investigators as a profession tend to have a higher need for closure (HNC), which means faster answers with less second-guessing. Under the standard heavy multitasking caseload and tight deadlines, this stressful combination can allow mistakes to creep in and impair judgment. Ramsland has written a great article on need for closure that is worth reading.
Yes, humans make mistakes - this happens to us regularly when assessing if an email is a phishing attack. Aaron Higbee, Chief Technology Officer at PhishMe, shared a cool calculation about our everyday inboxes:
~71 legitimate emails received
41 emails sent
13 emails mentally discarded
Assuming two hours of meetings and a one-hour lunch break, we perform 33 email-related tasks per hour! In order to save focus for our key tasks, we're often in System 1 while triaging mail, and that's how we end up handing our credentials to a phishing attack.
Higbee notes that phishing awareness is not the problem. Over 90% of surveyed employees understand the inherent danger. The challenge is that while we're in System 1, multitasking away at mail, it's difficult to identify the red flags that warrant a deliberate, System 2 analysis. We agree: the best way to mitigate user susceptibility is through simulated, repeated phishing campaigns. That way end users get real-world practice both in identifying phishing and in reporting it to the security team.
During our Rapid7 session, Joel Cardella, Senior Security Consultant, shared our findings on attacker behavior from our Project Heisenberg research. For over a year, we have operated a network of passive honeypots that entities have opportunistically scanned and attempted to gain unauthorized access to. Joel shared how we set up the project, our findings on attacker behavior, and our best practices for securing RDP endpoints. To learn more, get your free copy of the Attacker's Dictionary: Auditing Criminal Credential Attacks here.
The Passoff Between Information Security and Forensics
Over the course of the conference, infosec staff and forensics investigators stopped by our booth to chat about Metasploit, our Rapid7 services, and see our latest Incident Detection and Response technology, InsightIDR.
Much like the security industry, investigators are overloaded. Beyond merely staying at the forefront of mobile technology and live/dead box analysis, encryption and cloud service data have now come into play. During corporate investigations, two challenging hand-off points arise: (1) identifying which machines need further analysis, and (2) the need for physical access to those endpoints to start interrogation. For example, if there's malicious lateral movement on the network, the investigations team needs to find the IP addresses involved, retrace them to the appropriate assets and users, perform analysis and remediation on those machines, and validate the scope of the investigation (did we get everything?).
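The IP-to-asset-to-user retrace described above is where investigations most often go wrong: dynamic addresses get reused, so the host that holds an IP today is not necessarily the one that held it when the alert fired, and the user logged on at the time of the alert is not necessarily whoever unlocked the machine that morning. The following Python sketch is an added example (not Rapid7's or InsightIDR's code) that time-bounds both lookups over constructed DHCP lease and logon records, and reports any IP it cannot attribute as the "did we get everything?" check. All hostnames, usernames, addresses and record layouts are assumptions invented for the illustration.

```python
"""Time-bounded attribution of alert IPs to assets and users.

Added example, not Rapid7's or InsightIDR's code. Every record below is
constructed for illustration; real DHCP and logon sources differ in format.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed DHCP leases: (ip, hostname, lease_start, lease_end).
# Note that 10.0.1.20 belonged to a different host the day before.
DHCP_LEASES = [
    ("10.0.1.20", "WS-FIN-07", "2016-06-06T07:55:00", "2016-06-06T19:55:00"),
    ("10.0.1.20", "WS-HR-03", "2016-06-05T08:10:00", "2016-06-05T20:10:00"),
    ("10.0.1.55", "WS-ENG-12", "2016-06-06T08:02:00", "2016-06-06T20:02:00"),
    ("10.0.2.5", "FILESRV-01", "2016-01-01T00:00:00", "2099-01-01T00:00:00"),  # static
]

# Constructed interactive logon events: (timestamp, hostname, user).
# WS-FIN-07 sees a second logon shortly before the alerts.
LOGONS = [
    ("2016-06-06T08:01:12", "WS-FIN-07", "jdoe"),
    ("2016-06-06T09:30:45", "WS-ENG-12", "asmith"),
    ("2016-06-06T10:12:03", "WS-FIN-07", "svc-backup"),
]

# Constructed lateral-movement alerts: (timestamp, src_ip, dst_ip).
# The last destination has no lease on record and must be flagged.
ALERTS = [
    ("2016-06-06T10:15:30", "10.0.1.20", "10.0.2.5"),
    ("2016-06-06T10:16:02", "10.0.1.20", "10.0.1.55"),
    ("2016-06-06T10:17:40", "10.0.1.20", "10.0.3.77"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def ip_to_host(ip: str, at: str) -> Optional[str]:
    """Return the host that held `ip` at time `at`, or None if no lease covers it.

    Matching on IP alone would blame whichever host holds the address now;
    matching on the lease window blames the host that held it at alert time.
    """
    t = _ts(at)
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and _ts(start) <= t < _ts(end):
            return host
    return None


def host_to_user(host: str, at: str, max_age: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Return the user with the most recent logon on `host` at or before `at`.

    Logons older than `max_age` are ignored so a stale session from a previous
    shift is not attributed to the activity under investigation.
    """
    t = _ts(at)
    candidates: List[Tuple[datetime, str]] = []
    for ts, h, user in LOGONS:
        logon_time = _ts(ts)
        if h == host and logon_time <= t and t - logon_time <= max_age:
            candidates.append((logon_time, user))
    if not candidates:
        return None
    return max(candidates)[1]  # latest logon wins


def scope_investigation(alerts: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Map every alert IP to (host, users) and list IPs that could not be attributed."""
    assets: Dict[str, Set[str]] = {}
    unattributed: List[Tuple[str, str]] = []
    for ts, src, dst in alerts:
        for ip in (src, dst):
            host = ip_to_host(ip, ts)
            if host is None:
                unattributed.append((ts, ip))  # scope gap: needs manual follow-up
                continue
            users = assets.setdefault(host, set())
            user = host_to_user(host, ts)
            if user is not None:
                users.add(user)
    return {"assets": assets, "unattributed": unattributed}


if __name__ == "__main__":
    result = scope_investigation(ALERTS)
    for host, users in sorted(result["assets"].items()):
        print(f"{host}: users={sorted(users) or 'none'}")
    for ts, ip in result["unattributed"]:
        print(f"UNATTRIBUTED {ip} at {ts}")
```

Two design points carry over to real tooling. First, both lookups take the alert timestamp, never "now"; querying the same IP for the previous day returns WS-HR-03 rather than WS-FIN-07, which is exactly the mistake a System 1 lookup would make. Second, anything that cannot be attributed is returned rather than silently dropped, so the scope question is answered with an explicit list instead of an assumption.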
By integrating with your existing network and security stack and running user behavior analytics on that dataset, InsightIDR detects the top attack vectors behind breaches and directly shows the users and assets involved. As a result of coordinating design hand-in-hand with Incident Response teams, we've taken it a step further with visual investigations that combine log file search, real-time detection, and forensic artifacts into a single super timeline.
Hanging out with forensics, investigations, and infosec professionals was a blast! I learned a ton of interesting tactics and got to peek into forensics workflows and innovations. What's your take on the convergence of incident investigations and forensics? Share your thoughts in a comment below.