Essay: From Morris Worm to Cyber Defense: 1988 US Emergency Response Team

Essay details:

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024



It was in 1988 that the United States first developed an emergency cyber response team. This team was created at the direction of the Department of Defense in response to the Morris Worm. Identified by the FBI as the “first major attack on the Internet”, the Morris Worm was released by a Cornell University student. The attack spread with a speed that had not been seen before. Experts attempted to identify what was causing the network latency and sluggish performance that was affecting computers at places like NASA, Johns Hopkins, and Stanford. The financial impact of the Morris Worm climbed into the millions.

This attack was the first of what would become a global crisis. According to Dr. Michael McGuire, cybercrime generates $1.5 trillion in revenue annually. Attacks have evolved from the Morris Worm into more complex attacks in which hackers leverage multiple vulnerabilities to compromise systems and steal the data of unsuspecting civilians and organizations.

As technology has evolved, the concern over cybercrime has also grown. Not only do you have to worry about the information that you possess on your personal machines, but you also have to worry about the information that other organizations store for, and about, you. Over the past decade, it has become clear that companies like Target and Facebook do not take cybersecurity as seriously as they should. Talented cybersecurity professionals are in demand as cyber-attacks become more complex and widespread.

Forbes estimates that “there will be as many as 3.5 million unfilled positions in [cybersecurity] by 2021.” While high demand may be lucrative for cybersecurity professionals, this job gap should be a huge concern. At this rate, there will not be enough cybersecurity professionals to provide the support and protection needed by the government, private organizations, and the general public.

In an attempt to aid the government and private organizations in their defense against cyber-attacks, the National Institute of Standards and Technology (NIST) was tasked with creating a cybersecurity framework. In 2013, President Barack Obama issued Executive Order 13636 outlining the creation of this framework.

The President’s goal was to “enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

According to NIST, it was given the responsibility of creating the framework because it is an “unbiased non-regulatory federal agency.” NIST collected information from past cyberattacks to determine what mistakes had been made and identify what lessons were learned. New revisions of the framework are released as the cyber landscape changes and more information is gathered by NIST.

The NIST framework establishes 5 functions that make up the framework core: Identify, Protect, Detect, Respond, and Recover. The responsibilities of professionals in the cybersecurity field often fall under the umbrella of one, or several, of these framework functions. When building around the Identify function, organizations will analyze their assets to determine what requires protection and evaluate any vulnerabilities that may create an attack vector. This function often includes vulnerability analysis and risk assessments. The Protect function provides guidance for implementing security controls that will minimize the likelihood of an attack, and mitigate any vulnerabilities that were discovered during the vulnerability analysis.

The Detect function suggests solutions for identifying a cyber-attack/incident in a timely manner. This is an essential aspect of minimizing the devastating effects of an attack. It often includes developing a baseline of normal behavior and monitoring for any deviations.

Once a threat is detected, it is important that an organization respond by following its incident response plan. This plan should have been documented, rehearsed, and maintained. The incident response plan will ensure that the proper personnel are notified and action is taken to contain the attack. As the company landscape changes, it is likely that the incident response plan changes as well.

In the Recover function, NIST addresses returning business operations to a normal level. The organization’s response to the incident should be evaluated. Any deficiencies in the incident response plan should be corrected and the changes must be communicated to the necessary personnel. Vulnerabilities that led to the incident/attack should be patched and, if needed, policies should be changed to minimize the chance of another attack.

As I work on my cybersecurity master’s degree, it’s important to consider what job, or role, I would like to have within the cybersecurity field. NIST 800-181 is a great resource when trying to determine the type of cybersecurity job I want. Within this document, NIST provides detailed breakdowns of several cyber jobs and the knowledge and skills required for each position. This allows me to assess what would be the best fit for my skill-set and interests.  

When choosing a career, it is important to consider the following: my current skill set, past job experiences, my interests, and what skills I would like to develop. Some of my skills include attention to detail and persistence. I developed these skills through prior jobs which required me to work long hours, with intense focus, as I performed data analysis. In my current position, as a System Administrator in a classified environment, I have gained valuable experience in OS hardening, vulnerability analysis, network architecture, and packet analysis.

In my undergraduate cybersecurity program, I had the opportunity to explore different concentrations within the cybersecurity field. I found digital forensics to be the most interesting. I gained experience performing investigations: I used EnCase to explore a clone of a suspect’s hard drive, created chain-of-custody documentation, observed data obfuscation techniques, and analyzed metadata and packet captures. I enjoyed the work and finesse required to collect, analyze, and preserve evidence.

With this in mind, the jobs in NIST 800-181 that appeal to me most are Counterintelligence Forensics Analyst and Cyber Defense Forensics Analyst. These positions share a lot of the same required skills and knowledge. They require skills in evidence preservation, data extraction, and recognizing obfuscation techniques. I will be required to enhance my knowledge of forensic software and hardware, network architecture, and OS hardening techniques. These two positions allow me to leverage the skills I already have, as well as explore my areas of interest.

The digital forensics specialist would likely perform most of his job duties in the Respond and Recover core framework functions.  A thorough forensic analysis will provide information about the attacker, what systems they infiltrated/altered, and the method by which they gained access. Information gathered during this investigation would be especially valuable in the Recover phase when an organization is discussing what mistakes were made and how to address them.

Forensic analysts face their fair share of difficulties. Attackers who are skilled enough to perform advanced cyber-attacks typically possess the skills to cover their tracks. Gathering evidence is often a very difficult and tedious job. The information you need is often very well hidden, or has been deleted altogether. Careful handling of the evidence/data is very important. Inadvertently modifying the data could corrupt the analysis or lead to evidence being inadmissible in a criminal trial.

In the digital age, digital forensics has become increasingly valuable. It seems like it’s almost impossible to go somewhere, or do something, without leaving a digital footprint. Criminal investigations almost always involve some form of digital forensics.

In a span of 7 years, between 1974 and 1991, a serial killer murdered “10 people in, and around, the area of Wichita Kansas.” The killer would communicate with police through notes, revealing details only the killer would know. Police always seemed to be one step behind; for 30 years, the case went unsolved.

In the past, the killer had used notes and letters to communicate with the police; it wasn’t until 2004 that he sent his first digital message. He “sent [police] a Word document on a floppy disk that forensics experts immediately examined.” The forensic analysis revealed that there had been another document on the floppy that the killer had deleted. As we know, just because a file is deleted, it doesn’t mean that it is truly gone.

With the help of EnCase, examiners were able to recover the deleted file. The file’s metadata revealed the name, and location, of the person who had last modified the file. The police traced the name and location back to Dennis Rader. He was tied to the crime by DNA evidence. Without the use of digital forensics, it is likely that this killer would still be a threat to many.

I will use the information in NIST 800-181 to guide me through my master’s program and my future career plans. As I plan my schedule, I will select classes that give me experience in the skills and knowledge detailed in the NIST document. When forensics-related opportunities present themselves at work, I will embrace them and use them to work towards a career in digital forensics.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, From Morris Worm to Cyber Defense: 1988 US Emergency Response Team. Available from: <https://www.essaysauce.com/sample-essays/2018-11-9-1541728686/> [Accessed 10-04-26].

These Sample essays have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.