Every company, regardless of its size or industry, handles and stores personal, confidential, and proprietary data, and cyber thieves want it all. That is why every business that has a computer network must take steps to harden it against the scourge of malicious activity plaguing the business community today and be ready to react when the attacker strikes. But despite the headlines, too many businesses still feel they are not a target, and many more are unprepared for when they become one.
Digital Forensics & Incident Response (“DFIR”) is a multi-disciplinary approach to addressing and managing both the preparations for, and aftermath of, an information technology security incident. It often includes in-house IT staff, representatives from management (C-suite, HR), outside cybersecurity consultants, public relations, and legal counsel.
From a technical perspective, the primary goals of a DFIR plan are to (A) rapidly mitigate any ongoing (i) data loss, theft, corruption, and/or unauthorized access, and (ii) damage to software and/or hardware, (B) preserve evidence for future analysis/investigation, and (C) reduce recovery time and costs.
Three reasons why you need to have a DFIR team on retainer NOW
1. In the Fog of War, your situational awareness is impaired and when faced with an unfamiliar situation, you will often make mistakes that are fatal to the perseveration of the evidence you will need later and fatal to you safely recovering from the attack.
2. Your IT systems are too complex to learn “on the fly.” By the time you learn you are under attack, your attacker has likely had a 260-day head start. To determine what the attacker has already done and what has already been accessed, Incident Responders need to analyze the access logs, system configurations, file metadata records, and virtual memory for evidence. Time spent learning how your systems are connected, who has access and who should not, where your data is stored, and determining what log information is even available is time that could be better spent containing the threat and collecting and preserving known forensic artifacts.
3. Time is of the essence, and your reputation is on the line. Breach notification laws in 48 states require rapid responses. Encrypted servers require time to triage and/or be replaced. Viruses and malware are now self-replicating, further infecting your systems and those connected to yours. Assembling a DFIR team after your servers are encrypted, or when clients are calling asking why their information is on the Web is not the time to build your team.
Three Solutions to Address the Problem:
Traditional IR – A reactive, cost effective approach where the Incident Responders (who have already been retained and have familiarized themselves with the client’s systems) are notified about an incident, briefed on its details, and work backwards to reconstruct the events leading to the incident. Using digital forensics tools and investigative techniques, the team seeks to determine the root cause of an incident and its aftermath. Response time can begin within 24 hours.
Threat Hunting – A proactive approach that involves the installation of sensors on the client’s workstations and servers before an attack occurs. Routinely searching the data generated by the sensors to detect, isolate, and remove advanced threats that manage to bypass existing traditional anti-virus software and other security measures keeps the dwell time to a minimum. And even if an attacker manages to burrow deep into the system, the threat hunting software records all file modifications, network connections, registry modifications, file executions, processes, and system services on a 24/7/365 basis. In short, the technology provides visibility into the activity taking place on the client’s workstations and servers. This often results in the Incident Response team notifying a client of an incident before it is detected by the client, and provides an audit trail for the investigators.
Hybrid IR – This is a cost savings approach which blends the forensic investigation techniques of Traditional IR with the “hindsight” use of the Threat Hunting technology. If there is an incident, once notified, the DFIR team can use the historical data from the system surveillance software to help resolve the incident and identify the root cause. The difference is that the data collected from the monitoring software is not being actively reviewed and analyzed for threats.
For more information about building your DFIR plan, contact Jeff Brenner at jbrenner@maragell.com or 856 429 0325 x223