Christa: What is forensic readiness, and what does it mean for enterprise forensics? How can incident responders find the right balance between speed and effectiveness as well as what’s required at each stage of an incident response? To help us understand and answer those questions today on the Forensic Focus podcast, we’re joined by Emre Tinaztepe, founder and CEO of Binalyze, and Tom Blumenthal, Binalyze’s lead solutions expert. I’m your host, Christa Miller, and welcome Emre and Tom.
Emre & Tom: Hi, Christa.
Christa: It’s good to have you.
Emre & Tom: Thank you very much. It’s good to be here.
Christa: All right. Emre, I’d like to start with you. In your interview with us from June, you linked to a fascinating short video — and I say fascinating because I’m a little bit of an epidemiology nerd — a short video on the evolution of bacteria as they mutate to become antibiotic resistant. It seems to me that both attackers and incident responders could, by turns, “be” the bacteria and the antibiotics. Please tell us more about how this video informed your vision for Binalyze and its products.
Emre: Thank you, Christa. The evolution of work there was literally the Eureka moment I had four years ago. At that time I was working as the director of development in my previous company, and I was managing a team of highly skilled senior developers, and we were working around the clock for developing anti-malware solutions. And even though it’s not the case now, at that time every week, there was another banking Trojan, like 10 years ago. That was a popular thing because cyber criminals were easily making money out of stealing people’s credit cards, selling them on [the] dark web, and then it moved into rootkits because the malware as a service was getting popular at that time. And then I had a chance to observe the very first versions of ransomware.
So they were not using that novel approach at that time. They were just encrypting stuff and then asking for ransom, and at the same time in parallel, we were reverse engineering their methods for creating detections, developing signatures, and then releasing updates. So all in all, 10 years of catch-22, adding security layers, raising the bar for attackers. And actually I believe we were making them stronger, because every new protection layer we added was making them more competitive so they could bypass the layer.
And that was the moment I was sent that video. And the comment was, “You should see this.” I just clicked on it. And I just watched it, and then leaning back, watched it again. And I remember it, watching at least four or five times, because it was the quick summary of what I had spent my time in the last 10 years. And even if it’s not malware, even it could be an insider threat. So as you know what APT groups are, they’re even trying to find insiders to pay for breaching into a company.
And then when I saw the last screen of that video, I just stopped and then leaned back again. I said, that’s what we should do, because we’ve been doing the same thing, adding layers of protection, and those layers are being bypassed. We are adding another layer and those are bypassed as well. And then that was the moment I realized whatever we do, there will be a breach. And the important thing, the thing that will get popular, the thing that will be needed in the upcoming five to 10 years is having a cyber picture that quickly lets you identify how it happened, when it happened. And that was the moment we started to think about developing Binalyze Tactical. And here we are.
Christa: And I have to apologize. It seems as if I’ve been mispronouncing your company name, it’s Bye-nalyze, not Bin-alyze.
Emre: That’s correct.
Christa: Okay. I’m sorry about that. Tom, over to you. I’m interested in your perspective as an emergency medical technician — as well as your background in mobile security research and product ownership — which must make you very familiar with the need to balance speed and effectiveness in any response. As lead solutions expert at Binalyze, what do you find customers struggle with the most in this regard, and how do you address their challenges?
Tom: So, if you put speed and effectiveness together, what you get is efficiency. The two are not mutually exclusive and this is exactly what Binalyze is here to deliver. As an emergency medical first responder, I’ve learned that time is key. In these types of situations, a few minutes could cost a life of a person. In cybersecurity it’s not always this dramatic, but a few minutes could indeed mean a lot of money for an organization. So any response, in either scenario, has to be quick and it has to be effective.
Traditional digital forensics investigators are trained to be thorough. They are trained to collect as much data as they can and to dig as deep as they can into that data to find any piece of evidence that may or may not be in that data. This is a valid approach when you have just a few devices that you need to focus on, but in today’s digital world, the challenges that large organizations and enterprises are facing, it’s just not possible to deep dive into each and every piece of evidence. And when facing situations and cases that involve anything from a dozen to thousands of devices, as I said, it’s just not an option.
And this is what Binalyze is coming to tackle with this innovative approach to forensics. What the finalized solutions do is, it allows you to collect evidence from thousands of endpoints and get insights into those endpoints, into the data and into potential threats and potential indications of compromise, all within just a few minutes. This is something that is not possible with the traditional forensics approach. And this sits very well with my view of forensics. And as you said, the need to balance speed and effectiveness, and this is why I chose to join Binalyze. And I think it’s a great balance about efficiency.
Emre: And I wanted, Christa, in addition to what Tom said, as you already know, this is an emerging industry. We are, it requires a mindset change. That’s why we see it as one of the biggest challenges, because as vendors in this industry, we’re not only required to develop and innovate methods or create solutions, but we’re also required to educate the customers on how to handle modern security issues. So I see one of the biggest problems as educating the industry, as well as like letting them perform digital forensics at scale and teaching them how to do that.
Christa: So that’s a lead into my next question, actually, Emre. In June, you wrote, “The invented methods to take incident cases to court 99% of the time are not required for enterprise digital forensics cases,” as we’re talking about. But I know many incident response experts argue that there is still need for root cause analysis during a post-mortem investigation. Arguably even more so since the enactment of legislation like the General Data Protection Requirement and its equivalents. What do you both see as the appropriate hand-off from rapid response to those deeper digital forensic analyses and how can responders tell when to contain and remediate versus when to go deeper?
Emre: Great question, actually we had a chance to be in this transition process. When we first started, we had deep dive forensic experts as our advisors. And when I talk about digital forensics, even though my background is more analysis and operating system internals, I call myself someone who “grew up” in digital forensics because I was spending all my time in the labs or [inaudible]. And I had a chance to see the transition. When we first started developing Binalyze, the first solution, most of the cases they had were the cases that need to be taken to the court. And then it quickly started to decrease. And most of the cases started to become like ransomware cases or some of the time, insider threats.
So of course, we never say “Digital forensics is completely changed now, you don’t need the old methods.” You still need them, but even for deciding when you need them, even for understanding the line, “Okay, now we need to deep dive, have a better, longer investigation on this case.” You still need to have a rapid response. The line, in my opinion, is: if you want to take things to court — which is not, unfortunately, possible in most of the cases, because in order to take something to court, you need to have someone to be the, I mean, the opposite side, so you need to have someone to put the blame on, right? But in 99% of the time, you don’t have anyone to —
Tom: Be responsible.
Emre: Yeah. I mean, it’s almost impossible. So that’s why, if you have a suspicion of an internal affair, if there is an IP theft, if there is a suspicion of some employee misconduct, then it’s time to deep dive, but if that’s not the case it’s just spending more and more time going nowhere.
Christa: Okay. That makes sense.
Tom: But that’s exactly the point of that, again, that efficiency we discussed earlier and forensics at scale, as we mentioned. That post-mortem analysis, as you call it, doesn’t disappear. We’re not saying you don’t need to do it. It’s just in a large organization, you could say the organism is bigger than one endpoint, one computer. It’s the entire environment. And that video that Emre talked about earlier, it’s exactly that. It’s that big picture of anything, everything that was going on on the entire estate, on all of the endpoints. So you do need to do that analysis, but it’s not necessarily at the level of one machine. It’s at the level of the entire system. And how do you do that if you need to acquire full disk images from each and every one of the machines? You will never have enough time for that. And that’s the other side of the scale, because —
Emre: And you need the full dataset. So for thousands of endpoints, you’ll need a full data center for saving that image.
Tom: Yeah, exactly. The attackers are not slowing down, and you can’t take six months or 18 months to analyze all your computers to try and understand exactly what happened. You need to do it quickly, and you need to understand where’s the vulnerability and perhaps to mitigate. And I think, again as Emre said, in most cases, what companies are looking to do when they engage in digital forensics in cybersecurity cases, is they try to minimize the damage. And it’s not the same as taking evidence to court. You don’t need the same level of deep dive.
Christa: Well, I guess that’s what I was wondering though, in terms of, especially the GDPR and similar regulations, because if you’re trying to prove, for instance, that you didn’t violate those terms, or your company didn’t, rather, then where’s that appropriate balance, right? It seems like there’s a little bit of a complication there potentially, or…?
Emre: There is a competition. And, again, companies are in the process of learning when to perform those types of investigations, because unfortunately, the current tool set most of the companies have are designed around finding malicious files, like checking for hashes and other stuff. Even the latest edition of keyword search into Binalyze DRONE, and now in AIR, is actually — we see it as a stitching point of e-discovery and cyber investigations. So not only digital forensics is becoming mainstream, but also e-discovery methods are becoming mainstream as well. So again, this is a process, and we are doing our best to evolve our solution into a more capable platform that can also let, that will also let our customers perform those types of investigations, not only cyber investigations, but also GDPR, employee misconduct, IP theft.
Tom: I think, I think that example that you gave is maybe a little bit more e-discovery rather than digital forensics, and maybe that’s the differentiation. As Emre said, it might be something that we will be covering in the future as well. We do part of that with the new DRONE solution. But we are more focused on the, again, digital forensics for cyber security investigations.
Christa: Okay. So on that note, and we’ve been talking about sort of the complications of investigations overall — incident response investigations — but going to the first response itself, the taking pictures of the cyber crime scene, could also get complicated; taking into account lateral movement across accounts and companies. I’m thinking of the Target breach of 2013. How does Binalyze’s approach help to address those types of issues?
Tom: First, I think first thing we need to define what is that cyber crime scene picture. A few years ago, it used to be having to manually collect a full disk image from each and every device that’s involved in the incident in the case. But how do you even know which devices are actually involved? Today, you might say that it’s collecting a triage image from the relevant devices, but still you would most probably need physical access to that machine and multiple tools in order to collect that triage image.
If we’re talking about a large scale case with you know, devices scattered globally, yeah, that does get complicated. But what Binalyze allows you to do is to remotely collect all that relevant evidence, all that triage evidence, if you will. And it doesn’t matter if it’s from five devices or 50 devices or 50,000 devices, it will still take you just a few minutes to collect that. So that’s not so complicated after all.
Binalyze obviously didn’t exist in 2013, but if Target would have had Binalyze, hypothetically, back then, that could potentially have helped them collect the digital evidence across their entire estate very quickly and give them highlights for, or highlight for them, potentially harmful activity that might be going on across their network on different endpoints. That, in turn, could have helped them identify where is the threat and where are the attackers focusing in real time, and perhaps isolate those endpoints and cut the attackers off, even during the attack in real-time, and so minimize or at least reduce the impact to the organization.
Not to mention that with the Binalyze solutions, you could proactively take forensic scans of the key endpoints — key entry points perhaps — and get insights into those and into whether anything has changed or anything suspicious arises in these endpoints, and perhaps identify the indications of compromise that the attackers may already be in their network and preparing even months before the actual assault and could potentially prevent that. This is proactive digital forensics, and it’s definitely not something that we see in traditional forensics when you need to collect masses of data.
Emre: Well, one thing I want to add, Christa: previously, I had a chance — unfortunately I had a chance — to see this five years ago. When you had an incident, when you apply the traditional forensics, you take an image, you take it [to] the lab and those labs [have] huge, powerful machines that are processing those images. And when you see a trace of another endpoint that is involved in that cyber crime, you had to follow the exact same steps, go back to the enterprise, take the image, and then take it to the lab. So it was days.
That was what was called [the] “cyber picture” at that time. But now, from our perspective, the cyber picture is just one click and five minutes. And that’s the first piece of that picture. If you want to enrich that picture, you can easily add another picture on top of that picture and have a better enriched view of the cyber crime scene. So when you take into account that this is just one click, now it’s not complicated anymore.
Tom: One of the things that you can do in Binalyze AIR, as Emre described, is take all that evidence from all the different endpoints, put them on one timeline, and understand everything that’s been happening across all of the endpoints at a certain time. You see it across all of the endpoints, rather than looking at each one in silo.
Christa: I actually was going to ask, I’m reminded of a conversation I had with an acquaintance a few years ago, who was conducting an incident response with multiple attackers. And that turned into a very interesting investigation for him. So it sounds like this is the sort of solution that you’re talking about that potentially could get around that. So you’re not looking for indicators of compromise necessarily from a specific attacker, or trying to look for signatures from a particular group perhaps, but rather taking into account all indicators of compromise, yes?
Emre: In the previous method you had to take the image, take it to the lab. And if you find something interesting, then the digital forensics methodology is — the products at that time, they didn’t have methods of running, sweeping all the environments, finding for IOCs. That’s one of the game-changers of Binalyze, because you’re combining the incident response, the digital forensics, and now even e-discovery methodology into one single platform. So you don’t need to jump from product to product, site to site, to perform an investigation. It’s becoming more and more combined every day.
Tom: And you do it all from one console. You don’t need to travel around the world to collect those images and all the costs involved with that.
Christa: Which got limited by the pandemic anyway, so the more remote collection is definitely a benefit in that regard. I also wanted to ask, so obviously Binalyze is coming into a very saturated market. There’s a lot of buzzwords and puff claims, including automation and triage. How is Binalyze cutting through that hype? What makes your company different?
Emre: Great question. Actually, compared to cybersecurity, digital forensics has much less, I mean, much, much less buzzwords, because if you take a look at the endpoint security industry, you will see that the products are changing names every two or three years. I mean, we started with — I was there for 10 years, so we started with AVs, and then heuristic AV, cloud AVs. It quickly became endpoint protection. And then we had DLPs, EDRs, XDRs, MDR. So every two years it’s changing, but digital forensics is still the same. That’s what I love.
But still, I agree. There are a lot of buzzwords. What makes Binalyze different is we don’t have a baggage. I mean, when we started four years ago, we didn’t have any product that was designed to work on the previous problems of the industry. What we see right now is most of the products in the digital forensics industry, they’re trying to patch their solutions. I mean, most vendors are trying to add additional features that will somehow enable them to remotely perform this, but still what you have in your hand is a desktop product that can only run on a single machine. And when you want to collaborate in your security operations center, it becomes really hard because it’s not something you can access remotely.
So what makes Binalyze different is we don’t have a baggage. We don’t have a heavy backlog. When we started, we jumped right into the problem. And we didn’t start with any financial motivation. The first version of Binalyze Tactical was created for solving our problems because we were involved in high profile cases. And each and every time, I was personally tired of asking: did we have memory? Do we have event logs? Do you have this log file? And then at some point I asked myself, isn’t there a tool to do all of these together with just one click? And the answer was, you need to run 20 different scripts for collecting the information I need personally, for understanding what may have gone wrong on that machine. And that’s how Binalyze started. So I mean, we don’t have a baggage. We jumped right into the problem and we started solving it.
Christa: And your focus is very, very practical solutions, it sounds like.
Emre: Exactly. Exactly.
Christa: Well, Emre and Tom, thank you again for joining us on the Forensic Focus podcast. It’s good to have you.
Emre & Tom: Thanks a lot, Christa. Thank you very much.
Christa: Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.