infoTECH Feature

July 08, 2013

Cybercrime Intelligence: 360-degree View of Data is a Foundation Stone of Security

By TMCnet Special Guest
Paul Wright, Manager, Professional Services and Investigation Team Middle East, India and Africa at AccessData

Middle East organizations should devote more time and effort to gathering and using cybercrime intelligence, as it will give a good return on investment and assist in the establishment and review of IT security strategies and the creation of eCrime investigative measures.

The most important and obvious question surrounding this point is, “How do you get that type of specialized intelligence?” The answer is that companies and organizations should ensure they have a full 360-degree view of their data, which includes data in motion, static data and volatile data.

To fully achieve this, organizations should consider implementing a network capture and monitoring capability. During a network attack in particular, this functionality would surface the essential information contained within the network data packets. It can assist the forensic analyst in determining whether the data traffic is routine, or alternatively help identify an attacker who is sending malformed packets to crash important systems or to gain unauthorized and privileged access. Permanent capture of all network traffic is not normally necessary; however, having the capability to deploy such capture quickly can help to speed the analysis during an attack.
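The paragraph above describes the capability in general terms: capture packets during an incident, then let an analyst decide whether traffic is routine or whether someone is sending malformed packets. The following is an added example, not code from the article or from AccessData, showing the shape of a minimal triage pass over captured traffic. It writes a small classic libpcap file from constructed Ethernet/IPv4 frames (two of them deliberately inconsistent), parses it back, and reports header fields that do not agree with what was actually captured. The checks (IP version, header length, total length versus captured length) are an assumed, illustrative subset of what a production analyzer would apply; there is no checksum or transport-layer validation here.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_pcap(frames):
    """Serialize raw Ethernet frames into a classic pcap file (constructed sample data)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames
    )
    return header + records


def ipv4_frame(payload, total_length=None, ihl=5):
    """Build an Ethernet + IPv4 frame. total_length/ihl may be set wrong on purpose
    so the sample contains the kind of inconsistent headers a triage pass should flag."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_total = 20 + len(payload) if total_length is None else total_length
    ver_ihl = (4 << 4) | ihl
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto(UDP), checksum(0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def iter_pcap(data):
    """Yield (incl_len, orig_len, frame) for each record in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        yield incl_len, orig_len, frame


def triage_frame(frame):
    """Return a list of header inconsistencies found in one Ethernet/IPv4 frame."""
    findings = []
    if len(frame) < 14:
        return ["truncated Ethernet header"]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return findings  # only IPv4 is inspected in this example
    ip = frame[14:]
    if len(ip) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _dscp, total_len = struct.unpack_from("!BBH", ip, 0)
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if version != 4:
        findings.append(f"IP version {version} inside an IPv4 ethertype")
    if ihl_bytes < 20:
        findings.append(f"IHL {ihl_bytes} below minimum 20")
    if total_len < ihl_bytes:
        findings.append(f"total length {total_len} smaller than header {ihl_bytes}")
    if total_len > len(ip):
        findings.append(f"total length {total_len} exceeds captured {len(ip)} bytes")
    return findings


def triage_pcap(data):
    """Run triage_frame over every record; return [(record_index, findings), ...]."""
    report = []
    for index, (_incl, _orig, frame) in enumerate(iter_pcap(data)):
        findings = triage_frame(frame)
        if findings:
            report.append((index, findings))
    return report


# Constructed sample capture: one routine packet and two malformed ones.
SAMPLE_PCAP = build_pcap([
    ipv4_frame(b"hello"),                        # routine
    ipv4_frame(b"x" * 8, total_length=1500),     # claims far more data than was sent
    ipv4_frame(b"x" * 8, ihl=2),                 # header length below the IPv4 minimum
])

if __name__ == "__main__":
    for index, findings in triage_pcap(SAMPLE_PCAP):
        print(f"record {index}: " + "; ".join(findings))
```

The point of the example is the workflow, not the specific checks: the capture format is parsed record by record, each record is reduced to a handful of facts, and only records whose facts disagree are surfaced for the analyst, which is what lets a capture deployed quickly during an incident be read quickly as well.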

Secondly, commissioning an endpoint investigative capability across the enterprise environment enables full visibility into the “data at rest.” This ensures swift and efficient investigations into suspect assets, and provides both remediation and the ability to gather additional intelligence.

Even with data packet capturing capabilities, difficulty remains in meeting an ever-increasing demand for resources to conduct intelligence assessments of the acquired intelligence. This is a genuine problem given the amount of data that a medium- to large-sized investigation may include. Therefore, organizations should develop an intelligence analysis and remediation team, supported by robust policies, procedures, processes and best practices.

The recent history of hacking incidents and exploits shows a recurring theme of failing to keep pace with the rate and variety of exploits. The worry is whether the lessons are being learned, or whether the gap is getting wider.

To reduce any such gap, organizations will need to understand the complex and dynamic developments of technical exploits and cyber security threats, and how to make the most of available intelligence. They will need to invest in the skills necessary to gather intelligence in this ever-changing environment; otherwise, they will have to contend with playing ‘catch-up’ and being left with only a reactive posture.

There is a need for multidisciplinary partnerships between the public and private sectors to work on emerging problems with the abuse of technology by organized crime. This combined effort could produce a number of significant results, from developing research into technologies and tools, to creating a repository for technical papers and improving intelligence. Some organizations are already encouraging their members, stakeholders and business partners to share knowledge, expertise and experience. This sharing of information and intelligence is giving companies the tools to put in place better defences against the abuse of computers and IT systems. It is only through a better understanding of the scale and the scope of the problem that they will be able to build effective strategies.

Organizations must realize that they cannot produce cybercrime intelligence in isolation. It will require them to establish internal and external partnerships that are supported by a framework of regulation and legislation.

When establishing such partnerships, organizations will need to transcend traditional boundaries in a cost-effective and efficient manner while maintaining control of their intellectual property and other critical assets. Any methodology needs to be broad enough to be adopted en masse, flexible enough to meet the needs of all, and able to stand the test of time.

Paul has extensive experience in the investigation of cybercrime, incident response and IT security. He is engaged on a daily basis delivering a dedicated and professional incident response to digital forensic investigations and providing specialist services to customers who have either been subject of a security breach or are seeking to prevent such an incident. He has published a number of practitioner papers, articles and a book on the topic of cybercrime.

Historically, Paul has been the operational team leader for several specialist units within National Law Enforcement and was the head of a computer crime unit within the financial area of London. He was the driving force behind several outreach programmes strategically targeting the business environment, acting as the primary liaison to the business community and encouraging and promoting the exchange of digital intelligence.

Edited by Rachel Ramsey