An increasing volume of attacks using file-less malware and other anti-forensic measures is leading a greater-than-ever skill gap in the cybersecurity bizz. These tehniques leave little to no trace on physical disks, and unfortunately the good guys aren’t keeping up: There’s a shortage of skilled digital forensics practitioners who are able to efficiently investigate these types of offensives.
Image via welnet-tech
“Attackers know how forensics investigators work and they are becoming increasingly more sophisticated at using methods that leave few traces behind—we are in an arms race where the key difference is training,” says Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team (MCIRT).
Torres reports that in the last year, there has been a rise in file-less malware, programs that avoid installation on the target’s file system and operates only in it’s .
“Five years ago, to see sophisticated anti-analysis and acquisition techniques in the wild was like seeing a unicorn but that is no longer the case,” she said. “As techniques for detecting trace artefacts on a compromised system have improved, the more sophisticated attackers have adapted quickly.”
The SANS Institute estimates that possibly one in four digital forensics and incident response (DFIR) professionals has the level of training to successfully analyze the new types of self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms.
“The memory forensics field exploded around 2005 when a lot of the parsing tools started to become available and its use in forensics has been growing ever since,” explained Torres. “An incredible advantage this analysis method has is speed—a skilled expert in memory forensics can discover insights a lot quicker and pick up on information that is missed in traditional disk imaging.”
Although the tools at our disposal have improved, Torres pointed out that “owning a hammer and saw doesn’t make you a carpenter—a deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific to the needs of the case at hand.”