Processing alerts is not enough for solid cybersecurity. After a successful attack, learning as much as possible about the cause, the attacker, the attack vector and the sustained damage is crucial for preventing similar incidents in the future and minimizing the fallout. This is exactly what Digital forensics & Incident Response (DFIR) professionals do.
What is DFIR?
DFIR is a large profession in cybersecurity that deals with the management and investigation of cyber attacks. DFIR specialists work in one of two fields — IR and DF. IR, or incident response is a methodology that consists of several predefined steps, designed to help react to data breaches and mitigate infrastructure and financial damage.
DF or Digital Forensics focuses on the investigation and collection of attack indicators. The idea behind Digital Forensics lies in the premise that every attack leaves evidence in the form of modified files or processes. Finding that evidence helps understand the attack better and develop a response system to prevent it from happening again.
While both fields are equally important, in this article we are going to focus on Incident Response.
Why Incident Response is a Crucial Part of Cybersecurity?
The goal of Incident response is to react to cyberattacks more efficiently by creating a framework, allowing to minimize the damage from an attack. If left unchecked, data breaches can cause huge financial losses, as well as damage reputation. That’s why a process that focuses on preventing fallout is important.
Who is in Charge of Incident Response?
Usually, an independent team is created to react to cyberattack incidents. The team is made up of upper-level management, IT specialists, and information security professionals. Auditors, HR, Legal, and Public Relations departments should work in conjunction with Incident Response professionals to create an effective response strategy.
How does Incident Response Work?
The framework usually consists of 6 predefined steps. Work is done in 4 stages:
- Preparation: developing a process and a playbook that will help to react to cyber threats in case an attack takes place.
- Detection: developing measures that will help analyze and collect information about the attack, figure out the attack vector, monitor logs, and so on.
- Identification: evaluating the event to determine if it can be considered an attack incident. Sometimes you will encounter instances of spam or even detection anomalies.
- Analysis: collecting IoCs, figuring out the extent of the damage, and starting digital forensics.
- Containment: preventing information from exiting the company network and restricting malware from spreading to new systems or networks.
- Eradication: getting rid of malware from the network and fixing backdoors.
- Recovery: backing up systems to their original operational state, dealing with the consequences of the attack, and improving security measures to prevent the same attack from happening again.
- Evaluation: going over the actions that were taken during previous steps and evaluation of their success. After this step, IR professionals return to the planning stage and modify the framework based on the experience from the attack.
The 5 steps of Incident Response
The work done within the IR framework can be roughly divided into the 5 following steps.
1. Source identification
The first step in the frameworks should focus on the identification of the cyberthreat. There are a variety of indicators that can signal a potential breach. Some of them are:
- Reports of suspicious activity from administrative personnel;
- Signals from SIEMs or other automatic response systems:
- Antivirus alerts;
- Planned review of system and network logs.
Figuring out the nature of the attack will help with the next step, which is containment.
Once the danger is known, the next step is to limit the damage and make sure the malware can’t spread. To achieve this, infected machines are usually disconnected from the network, infected files are collected for analysis and deleted from systems, and systems are backed up to their original state. Another important step is to reset the passwords for all infected users to make sure that the malware won’t have access to information.
However, before restoring the system it is important to create a backup in the infected state so that DIgital Forensics specialists can analyze it and search for clues.
Once that’s done, it is time to restore or systems. It is crucial to test that performed actions were enough to make the system secure and fully operational.
Once the operability is confirmed, the last part of the containment step is to delete user accounts that granted access to the infection and fixing known vulnerabilities to ensure that the attack does not happen again.
3. Damage and threat level assessment
Once the infection is contained it’s safe to move to the next step, which is damage assessment. This step entails figuring out how serious the attack was and whether critical systems were at risk. For example, was there a possibility that the credit card data of customers could have been stolen? Could the attack damage vital systems and freeze business, for example, stop order processing?
In addition, the attack source should be thoroughly examined during this step. Did the attack come from the outside or was it an insider threat? Collecting this information will help to develop preventive measures for the future.
Some countries require to notify affected parties if private client data was stolen. If a data breach took place and there is a suspicion that sensitive information, such as personal details, account details, or payment details of the users could fall into the hands of the attacker, the organization must contact its users with a warning.
5. Future proofing
When the danger has blown over it is time to review the incident. The goal of this step is to collect information that will enable analysts to avoid the same attack from happening again. To do this, the security team needs to patch vulnerabilities and possibly educate the company staff about proper internet hygiene. Quite often attacks happen because an employee doesn’t take precautions and opens a suspicious email, or downloads a file from an untrustworthy source.
Additionally, during this step, it’s important to go over all the actions that were taken by the Incident Response team while taking care of the infection. The experience gained during the incident can help improve the framework to react more efficiently in the future, should the business be attacked again.
ANY.RUN for Incident Investigation
ANY.RUN is an online interactive malware analysis sandbox. It allows users to upload and launch samples, enabling them to quickly collect important data, such as network connections, loaded modules, affected processes, and other malware behavior. ANY.RUN displays attack indicators in real-time and allows the user to influence the execution. Thanks to this, even advanced threats like APTs can be easily analyzed, and there is no need to wait for information — data become available in real-time, as the execution is happening.
What’s more, ANY.RUN can be used to collect information from other attacks, using our large malware database. ANY.RUN users complete over 6000 tasks every day, generating tons of useful data.
Users can search for samples using hashes, tags, malware names, Suricata SID, and more. Or you can upload your own sample and see what URLs it tries to connect, or what files it tries to upload and install.
As far as digital forensics goes, ANY.RUN is just as useful. While investigating a compromised system or network, you will come across files created by the infiltrating malware. When studying the event logs of compromised operating systems, routers, and firewalls, you will stumble upon domain names, IP addresses, registry entries, and other traces of malware activity.
Using ANY.RUN functionality, you can search public submissions by file hashes of the malicious program itself or by hashes of files created by the malware. You can also search by domain or IP addresses.
What’s more, you can conduct a behavioral analysis. Meaning that you can see how the malicious program behaves in the infected system and use this knowledge while investigating the incident to get additional evidence.
Incident Response is a crucial part of cybersecurity. In a world, where attack frequency is growing month-by-month and cyber threats are constantly becoming more sophisticated it’s not enough to just react to attacks. A comprehensive approach that uses a flexible framework like Incident Response and Digital Forensics helps in developing more well-rounded defenses as well as mitigating the damages caused by the attack.
IR is a collection of processes that should be developed internally by a responsible team. Exactly what to do during each stage will vary on a company-by-company basis. There is no easy way to create an Incident Response framework.
However, modern tools like ANY.RUN malware analysis service can greatly speed up and simplify parts of this process, allowing to work more efficiently and reducing the chance of a devastating attack.