The practice of digital forensics in cybersecurity focuses on recovering and investigating artifacts found on devices to determine the nature of an incident or cyberattack.
Forensic data collection and analysis has three primary functions:
It enables organizations to act rapidly when the presence of an attacker is detected or suspected
It establishes a complete picture of what occurred so that the attacker’s presence and any residual impact can be fully eradicated
It provides threat intelligence that can be used to strengthen cybersecurity in order to prevent future occurrences
I spoke recently with Ido Shoham, our Digital Forensic Lead here at Illusive, and who manages customer relations on issues related to digital forensics and incident response. We discussed attack intelligence and how it is changing. We began with some of the basics of what is typically collected following an incident.
Q. What kinds of "artifacts" or data does digital forensics look for during the incident response process?
Most commonly, forensics data is collected from cookies and caches, deleted files and fragments of files, metadata, logs, email headers, and even backup files. Assuming that a breach occurred, there will be a wealth of both volatile and nonvolatile data related to the attacker's activity on any system that has been compromised. Whether it’s logging in, booting up, using particular applications, virtually every process that is run on the system leaves some sort of trace that can be extracted.
Q. Can you explain the difference between volatile and non-volatile data?
Volatile data is data that lives in system registries, caches, and RAM or is in transit across the device. If the device is powered off, this type of data is lost. Nonvolatile—or persistent—data is data saved and stored on the device. That can be files, saved credentials, emails, and ‘deleted’ files. Both types of data are important to a security breach investigation—though it’s easy to imagine why capturing volatile data can be especially challenging. But it also needs to be done as fast as possible.
Q. Let's say an organization is breached—how does the team gather digital forensics?
Incident response and digital forensics are major challenges for security teams, primarily because of a lack expertise and experience. Even experienced in-house security teams are usually not equipped with the forensic expertise or proper tools needed to navigate the complexity involved in finding the root cause of the breach. This typically requires time-consuming search through the log files of many different security technologies to match and correlate various indicators of the tools and techniques used by the attacker. Even if they have the skills, the sheer volume of work involved in this process detracts from their essential day-to-day work of monitoring enterprise security controls and handling alerts.
So when a major incident occurs, many organizations hire third-party experts to perform deep analysis and handle the process that will lead to mitigation.
Once a third-party forensics team is engaged, they deploy a variety of sensors across the network to gain deeper visibility into anomalies and identify artifacts. They will interview stakeholders and question employees involved with the breached assets. Log collection and analysis comes next. Finally, the experts will generate a list of Indicators of Compromise (IOCs) to guide the process of searching for any remaining malicious presence—a crucial phase in the larger remediation effort, and one that often does not get the attention it deserves. Investigations usually take weeks or months before the root causes are found. I've even seen them take more than a year.
Q. So the enterprise is still vulnerable during the investigation?
Unfortunately, they're still vulnerable to the same kind of attack until the IOCs are identified, malicious code is fully removed, and vulnerabilities are plugged. Increasingly, we're also seeing attackers create smokescreens—in other words, causing a network failure or alarm in one part of the network to consume the attention of the IT and security teams while they carry out their primary objective elsewhere.
Q. How are digital forensics capabilities changing to deal with these issues?
In a number of ways. First, in order to meet the need for immediate capture of forensics, more vendors are offering integrated forensic collection, so that fewer resources have to be assigned to forensics as a separate process. We therefore also see less reliance on separate forensics suites. At Illusive, we’ve recently introduced the Attack Intelligence System to significantly speed up the forensics gathering process. While we’ve always captured the right data instantly and directly from compromised endpoints as an attack is occurring, this preserves important volatile data as well as event logs, running processes, registry activity, memory dumps, and other artifacts. Now we also haven extended this capability to decoys, capturing live attacker interaction with fake systems.
Next, resulting from the shortage of talent and expertise I mentioned earlier, there are more third-party forensics services offered. One advantage here is that these providers can synthesize what they’re seeing across multiple clients and turn this into more insightful threat intelligence to share across their customer community.
But on the product side, there is also a need for vendors to step up and provide forensic data in easier-to-use formats, and to enrich forensic data with more meaningful context. This is why we built our Forensics Timeline. It provides an end-to-end forensics picture from all available information in an easy-to-use, sortable, timestamped format. Also, by providing visibility on where the attacker is in relation to critical assets, Illusive provides valuable risk context that helps prioritize activity and shape the response strategy.
Timestamps make it easy to see flagged events and drill down into detailed forensic data, even command line code. An investigator can easily trace steps taken by an attacker before the incident actually occurred—providing insight into attack methods and where vulnerabilities were exploited. For example, the detail might show that Mimikatz was used, indicating a credential compromise, as well as which other suspicious files, processes and connections were created around the ‘needle in the haystack’ that was identified. In seconds, an investigator can gain a much bigger picture of how the attack unfolded.
Q. How is Illusive helping to change organizations' incident response capabilities?
For the first time, organizations have comprehensive, detailed forensic data on demand. A solution like our Attack Intelligence System significantly reduces the time required for triage and gathering forensic data—and therefore organizational risk. An organization can hand better data to a digital forensics third party to expedite investigation and delivery of IOCs, which also reduces investigation costs.
For serious response efforts, organizations will still need outside forensic experts. But for the first time, all security team members can also gain basic forensics understanding. The Illusive Attack Intelligence System gives them the tool to become even more proactive in identifying attacker activity and preventing compromise.
For more information on Illusive’s Attack Intelligence System, visit here.