Dr. Edmond Locard (13 December 1877 – 4 April 1966) was a French criminologist and a pioneer in forensic science. It is from him that investigators and forensic practitioners around the world derive the often-used axiom “every contact leaves a trace.”
During my early days in training with the police the phrase “every contact leaves a trace” was drilled into me as both an opportunity and a warning. These opportunities are relatively obvious of course. A criminal commits a heinous crime and traces of their actions can be found on the items that they have come into contact with and thus they can be identified and caught. It is the warning side that made the greater impact upon me.
Nobody likes being summoned to the Superintendent
It was a Tuesday morning when the “orange docket” arrived. (Orange dockets were for a long time the means of “secure-ish” internal communication within my specific police service.) The thing was that the contents of this particular docket took me entirely by surprise. I opened the file and found myself thinking, “why are there a set of my fingerprints in this file and why have I been invited for coffee with the Detective Superintendent?” The answer to this question came quickly flooding back in the rote learning fashion in which I had been drilled in training school, “every contact leaves a trace.”
Just to be clear, I was not the perpetrator of that particular crime; however, I had been present during its initial investigation. I must have, at one point, put an “ungloved” hand somewhere I shouldn’t and made a ‘contact’ that inevitably left a ‘trace.’ A trace of me! The telling off was short and efficient (not unlike the senior officer delivering said telling off, actually), and through it I was reminded of this valuable lesson.
So why the “war-story” when we all work in cyber now?
When we look to respond to a breach there is a strong temptation to charge in, lock everything down, and shut down every suspicious process and network connection in an attempt to establish some notion of a perimeter. All the while watching that “bolting horse” disappear over the horizon.
It is through this approach of “knee-jerk, express assessment and remediation” that I have seen the most evidence lost. It is the cyber equivalent of mopping up crime scene blood prior to forensics services arriving or putting “Magnum Classic” boot prints all over the garden through which the suspect may have fled. These erroneous contacts and traces serve to eliminate those relevant traces that will help in the true response and remediation process.
This is, however, not the only factor that challenges us threat hunters in the area of information gathering, investigation and remediation.
Anti-forensics (or cleaning up after yourself)
Attackers have also been seen to alter logs and replace system files in order to enable the compromised system to “lie to the investigators!”
Witnesses have always been a tricky thing when conducting investigations. Their motivations and preconceptions can significantly affect the quality of the information they provide. Not all witnesses can accurately convey what happened. Some can even be very evasive with the truth. In addition, there is always the possibility that one of your witnesses may indeed turn out to be the suspect! The same is true in a cyber investigation or threat hunt. How can we truly be sure that the logs we are receiving are an accurate account of what is happening in our environment?
I once encountered a file server which assured me that it only spoke (served files) to hosts within the company domain. When I took a closer look, I determined that it was in fact chatting (serving lots of files) to other computers in various different countries across the globe. An unrequested shadow back-up function if you will.
The wonder of the independent witnesses
Back in my policing days there were a number of things that assisted me greatly in the initial phase of an investigation. One of my favorites was the “local busybody!”
They were regularly a goldmine of information and brought context to any and all investigations. They had often been watching silently for years (sometimes even decades) over the areas that may later become crime scenes. They knew the “comings and goings” of the whole community. They knew what was normal for the area and what was not.
For the price of having to share a (sometimes drinkable) cup of tea, I had unparalleled visibility and situational awareness of the whole area.
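The file server above and the “independent witness” are the same lesson: a host’s own logs are one witness whose account has to be checked against a source the host cannot rewrite. The following is an added example written for this page (it is not code from the original post, nor from the platform the post goes on to describe). It takes a constructed host-side session log and a constructed flow-collector record for the same server, both invented here, and reports which peers the server admitted to, which peers the network saw but the server never mentioned, and how many bytes left for addresses outside the internal ranges. The address 10.1.0.10 and the two external addresses are placeholders, not real hosts.

```python
"""Corroborate a host's own account of its connections against an independent
network-side record.  Added example; the log lines below are constructed."""
import ipaddress
import re

SERVER_IP = "10.1.0.10"  # constructed address of the file server under review

# Constructed sample of what the file server's own log claims happened.
HOST_LOG = """\
2024-05-01T09:00:01Z smb session src=10.1.4.22 user=alice share=finance
2024-05-01T09:00:07Z smb session src=10.1.4.31 user=bob share=hr
2024-05-01T09:01:12Z smb session src=10.1.9.5 user=carol share=finance
"""

# Constructed sample of what a flow collector on the switch saw for the same hour.
FLOW_LOG = """\
2024-05-01T09:00:01Z proto=tcp src=10.1.4.22 dst=10.1.0.10 dport=445 bytes=18232
2024-05-01T09:00:07Z proto=tcp src=10.1.4.31 dst=10.1.0.10 dport=445 bytes=9021
2024-05-01T09:00:40Z proto=tcp src=10.1.0.10 dst=203.0.113.57 dport=443 bytes=731002844
2024-05-01T09:01:12Z proto=tcp src=10.1.9.5 dst=10.1.0.10 dport=445 bytes=4410
2024-05-01T09:02:03Z proto=tcp src=10.1.0.10 dst=198.51.100.9 dport=443 bytes=502118771
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn 'timestamp key=value ...' into a dict; the timestamp is stored as 'ts'."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip, nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """RFC 1918 ranges stand in for 'the company domain' in this example."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def host_claimed_peers(host_log):
    """Peers the host itself admits to talking to (the suspect's own statement)."""
    return {parse(l)["src"] for l in host_log.splitlines() if l.strip()}


def observed_peers(flow_log, server_ip):
    """Peers the independent witness saw, with the bytes the server sent to each."""
    peers = {}
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        f = parse(line)
        if f["src"] == server_ip:          # server talking out: count what it sent
            peer, sent = f["dst"], int(f["bytes"])
        elif f["dst"] == server_ip:        # client talking in: peer seen, nothing sent
            peer, sent = f["src"], 0
        else:
            continue                       # flow does not involve this server
        peers[peer] = peers.get(peer, 0) + sent
    return peers


def corroborate(host_log, flow_log, server_ip):
    """Compare the two witnesses and return what agrees and what the host omitted."""
    claimed = host_claimed_peers(host_log)
    seen = observed_peers(flow_log, server_ip)
    corroborated = sorted(p for p in claimed if p in seen)
    unreported = sorted(
        ((p, b) for p, b in seen.items() if p not in claimed),
        key=lambda pb: pb[1], reverse=True)
    external_egress = sum(b for p, b in unreported if not is_internal(p))
    return {
        "corroborated": corroborated,
        "unreported": unreported,
        "external_egress_bytes": external_egress,
    }


if __name__ == "__main__":
    report = corroborate(HOST_LOG, FLOW_LOG, SERVER_IP)
    print("host account corroborated for:", report["corroborated"])
    for peer, sent in report["unreported"]:
        print(f"unreported peer {peer}: server sent {sent} bytes")
    print("bytes to external addresses the host never mentioned:",
          report["external_egress_bytes"])
```

The point of the design is that neither witness is trusted on its own: a peer counts as corroborated only when both records contain it, and anything the network saw that the host left out is reported with the volume involved, which is what turns “it only talks to the domain” into the “shadow back-up” described above.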
Visibility and integrity
I was recently reminded of neighborhood busybodies, “every contact leaves a trace” and my old life in Law Enforcement. It got me to thinking about my more recent work in threat hunting. More specifically the notions of ‘visibility’ and ‘integrity.’
For those who don’t know, I work aggressively finding evil and threats for companies who wish to “protect what really matters!” and I love it!
Having been involved in this kind of work for a number of years in both the public and private sectors, two factors have been central in my perennial hunt for evil! Visibility and integrity.
Visibility and integrity of information are two of the most important factors in any investigation, be it physical or digital. Up until quite recently I had been reliant on aggregating multiple sources of potentially compromised information with which to draw investigative inferences. This was time consuming but at the same time made me feel very clever. Which is what it’s all about surely??
I recently began using a platform that harvests its own data “at the kernel level.” For those of you who are not really into ‘kernels’ or ‘levels’, think of this as organic, ethically harvested system data with a provenance guarantee from CPU to Cyber-Investigator. To be perfectly honest this was something of a culture shock for me. I was used to having to work really very hard for inferences and this platform made it much easier. Now let’s be clear here, it did not provide the elusive “FIND EVIL BUTTON.” This is something that frankly does not exist yet, anywhere. What it did give me was the ability to have great visibility of everything happening and the confidence to know that all the data was real.
Now those who know me, know that I am somewhat cynical when it comes to the tools I use and I genuinely wanted to be cynical of this, after all I was using a “Kernel Level Agent on a platform supported by machine learning!” I find it hard to be cynical about this. Frankly, it’s a little annoying.
Well, as we have seen, Locard’s axiom of “every contact leaves a trace” transcends both the physical and digital worlds of evidence. We have also highlighted the value of ensuring the visibility and integrity of that evidence to create a better opportunity for defense, response and investigation.
I have this (sometimes annoying) desire to tell anybody who will listen about the things I have discovered in information security which actually work! This is one of those things and these few words are me exercising that desire.
I have genuinely enjoyed threat hunting using this platform and would recommend it to anyone who wants to move beyond simple log aggregation in their efforts to protect what really matters.
As they say, seeing is believing so I urge you to make contact and try this technology for yourselves. You will, like me, have some of your preconceptions pleasantly challenged.