
There’s No Place for Guesswork in Cyber-Attack Investigations

By Harsh Behl, Director of Product Management, Exterro

Responding to Today’s Threat Environment

Headlines cannot be ignored. From healthcare services in Ireland to the Missouri state teacher pension system, we’ve seen that any organization can be subjected to a cybersecurity attack at any time, resulting in a catastrophic data breach. And IT pros know that even the most sophisticated defenses can be shattered by human error or malicious internal work.

In the past year, organizations have witnessed more, and more aggressive, data breaches than ever before. The fear that it is only a matter of time before their own networks come under attack increases the pressure on IT and cybersecurity professionals. In addition to the endpoint security, firewalls, and other protection mechanisms you have already established, you need to find additional ways to strengthen your network’s defenses.

An important component of recovering from a cybersecurity incident is having a coordinated process in place to analyze, report, and remediate as soon as possible after an attack. However, manual investigations involve too much time and too many variables to construct an appropriate post-breach strategy. For a large organization, imagine the number of investigators needed, the assets to be reviewed, the geographic spread, and the remote workers standing between you and timely results.

These factors, along with the need to collect data in a way that courts can defend, have rapidly increased the demand for robust post-breach response tools. And that’s where digital forensics tools come in.

A set of digital forensics tools automates the time-consuming investigation process, providing IT professionals, compliance and legal teams with facts, evidence, and a rapid path to remediation after incidents are discovered. Investigators can quickly retrieve vast amounts of data from their systems or software, even deleted data.

The more advanced platforms on the market today can scale to tens of thousands of endpoints during the collection process, including capturing data as it changes, a powerful feature that also helps protect the innocent. Forensic tools can also run network scans to identify anomalous activity that could indicate a breach and immediately initiate an automated, network-wide investigation.

In short, forensic tools are important not only in their ability to classify attacks and find their source, but also in their ability to defend against litigation. A company that can prove that it complies with privacy and other regulations when under attack has a much stronger legal basis.

Threat classification

Post-breach forensics allows organizations to identify how an attack occurred and implement the most effective response strategy in much less time than human action alone. The first step in responding is classification: free the organization from the threat as quickly as possible, keep endpoints secure, and shut down or quarantine compromised endpoints.

A top priority in the triage process is to eradicate indicators of compromise (IoCs), which begins with rapidly scanning the entire network for anomalous activity. Such activity can indicate a threat if, for example, a single computer is repeatedly being contacted by IP addresses from an unusual location, or if a user account is accessing data with an unauthorized, unknown, or higher-than-normal privilege level. This allows response teams to make key decisions about where to direct defense and remediation efforts.

Another function of a forensic toolkit is to analyze and preserve user and system data, collecting user details from hard drives, RAM, peripherals, and so on. System data collection may include network shares, connection types, how many times a program was run or accessed, by whom and when, and the files downloaded through the browser. The permutations are almost infinite. These capabilities are, of course, beyond the scope of endpoint detection and response (EDR) solutions, which have very limited forensic capabilities.
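The two triage scenarios named above (one host repeatedly contacted from outside the expected networks, and an account using more privilege than its baseline) can be expressed as a small detection pass over normalized access events. The following is an added example, not code from the article or from Exterro’s products; the event format, the expected-network list, the account baselines and the log lines are all constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of normalized access events (not real logs).
# Field order: timestamp, event type, source IP, host, account, privilege used.
SAMPLE_EVENTS = [
    "2022-01-10T08:01:12Z auth_fail   203.0.113.7  ws-finance-12 jdoe       user",
    "2022-01-10T08:01:15Z auth_fail   203.0.113.7  ws-finance-12 jdoe       user",
    "2022-01-10T08:02:40Z auth_fail   198.51.100.5 ws-hr-03      asmith     user",
    "2022-01-10T08:05:03Z data_access 10.0.5.4     fs-01         asmith     admin",
    "2022-01-10T08:06:11Z data_access 10.0.5.9     fs-01         jdoe       admin",
    "2022-01-10T08:06:50Z auth_fail   203.0.113.7  ws-finance-12 jdoe       user",
    "2022-01-10T08:07:22Z data_access 10.0.5.9     fs-02         tmp_admin  user",
    "2022-01-10T08:09:00Z data_access 10.0.7.2     fs-01         svc_backup user",
]

# Assumed baseline: networks the organization expects traffic from (constructed).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Assumed baseline: each known account's normal privilege level (constructed).
PRIV_RANK = {"user": 0, "power_user": 1, "admin": 2}
ACCOUNT_BASELINE = {"jdoe": "user", "svc_backup": "power_user", "asmith": "admin"}


def parse_event(line):
    """Split one whitespace-separated event line into a dict."""
    ts, event, src_ip, host, user, priv = line.split()
    return {"ts": ts, "event": event, "src_ip": src_ip,
            "host": host, "user": user, "priv": priv}


def is_expected_source(ip_text):
    """True when the source address falls inside a network we expect."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in EXPECTED_NETS)


def triage(lines, fail_threshold=3):
    """Return a list of findings worth a responder's attention.

    Two checks are applied:
      1. authentication failures against one host from one address outside
         the expected networks, at or above fail_threshold
      2. data access by an unknown account, or by a known account using a
         privilege level above its recorded baseline
    """
    findings = []
    external_fails = Counter()

    for ev in map(parse_event, lines):
        if ev["event"] == "auth_fail" and not is_expected_source(ev["src_ip"]):
            external_fails[(ev["host"], ev["src_ip"])] += 1

        if ev["event"] == "data_access":
            baseline = ACCOUNT_BASELINE.get(ev["user"])
            if baseline is None:
                findings.append({"kind": "unknown_account", "user": ev["user"],
                                 "host": ev["host"], "ts": ev["ts"]})
            elif PRIV_RANK[ev["priv"]] > PRIV_RANK[baseline]:
                findings.append({"kind": "privilege_above_baseline",
                                 "user": ev["user"], "baseline": baseline,
                                 "used": ev["priv"], "host": ev["host"],
                                 "ts": ev["ts"]})

    for (host, src_ip), count in external_fails.items():
        if count >= fail_threshold:
            findings.append({"kind": "repeated_external_auth_failures",
                             "host": host, "src_ip": src_ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The thresholds and baselines are the part a real deployment tunes; the point of the pass is that each finding names the host, account and address a responder must decide about, which is the input the article says the triage step exists to produce.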

If…

Take recent cyber incidents, from the SolarWinds hack to the many aviation-related attacks, as examples of how the right set of digital forensics tools could help mitigate damage.

Automation and scalability features would have allowed for rapid scans and generated alerts, letting affected organizations immediately start collecting data from endpoints, even during the attack. That in turn allows the attack to be contained and all endpoints locked down. Targets of a cyberattack can then preserve defensible forensic evidence, review the data, and analyze how the outbreak unfolded, which allows organizations to take remedial action to prevent such incidents from happening again.

Although it is possible to manually classify a ransomware or malware attack, industry experts advise businesses to consider toolkits and data analysis platforms that can coordinate all of these moving parts on their own.

Key Digital Forensics Technology Features

What does ‘the right toolkit’ mean? Many factors come into play, but customization and flexibility are key. Does the toolkit have built-in capabilities to automatically run custom scripts, triggering data collection when certain scenarios occur on endpoints, disconnecting suspect endpoints from the network, and stopping unauthorized data transfers? Does an attack trigger data processing to determine how it originated? Had such functions existed, the following attack (Palo Alto Networks) might have had a different outcome.

Defensibility

Data defensibility is one of the most important elements of forensic investigations. The findings of the organization’s IT investigators will be handed to the legal team, who will use this digital evidence in court. To have value in a legal context, investigative data must be defensible. The team must be able to prove that the data it collected at the start of the investigation exactly matches the data it ended up with. Otherwise the evidence is inadmissible.

Investigators must therefore demonstrate a clear governance framework showing that the data provided has not been altered in transit, whether by human error, reviewer bias, or malicious interference. The forensic toolset should take this into account, including integrity checks throughout the process (down to the low-level imaging of the endpoints), to demonstrate that nothing has changed. This forecloses challenges to the evidence.
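The integrity check described here is, at its core, a cryptographic digest recorded at acquisition and recomputed at every later step. The block below is an added example of that pattern, not code from the article or from Exterro’s FTK; the custody record layout, the case and image names, and the tiny fake image it builds are all assumptions made for the illustration.

```python
import datetime
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB pieces; real images do not fit in memory


def hash_file(path):
    """Return MD5 and SHA-256 hex digests of a file, read in chunks.

    Two algorithms are recorded because many acquisition tools report both,
    and a mismatch in either is enough to put the evidence in question.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_path, examiner, case_id):
    """Build the chain-of-custody entry written at the moment of acquisition.

    The record layout is an assumption for this example; what matters is that
    size and digests are captured before anyone touches the image again.
    """
    entry = {
        "case_id": case_id,
        "image": os.path.basename(image_path),
        "examiner": examiner,
        "acquired_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "size": os.path.getsize(image_path),
    }
    entry.update(hash_file(image_path))
    return entry


def verify_image(image_path, custody_entry):
    """Recompute size and both digests and compare with the custody record.

    Returns True only when everything matches; any single mismatch means the
    image cannot be shown to be the one acquired.
    """
    if os.path.getsize(image_path) != custody_entry["size"]:
        return False
    current = hash_file(image_path)
    return (current["md5"] == custody_entry["md5"]
            and current["sha256"] == custody_entry["sha256"])


def demo():
    """Constructed scenario: acquire a fake image, verify it, alter one byte, verify again.

    Returns (verified_before_change, verified_after_change).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "endpoint-42.raw")  # hypothetical image name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + bytes(range(256)) * 16)  # constructed contents

        entry = record_acquisition(image, examiner="examiner-1", case_id="CASE-0001")
        before = verify_image(image, entry)

        # Simulate an accidental or malicious modification of a single byte.
        with open(image, "r+b") as fh:
            fh.seek(10)
            fh.write(b"\xff")
        after = verify_image(image, entry)

        return before, after


if __name__ == "__main__":
    print(json.dumps(record_acquisition.__doc__.strip().splitlines()[0]))
    print("verified before / after tampering:", demo())
```

In practice each transfer (examiner to storage, storage to the legal team) appends its own verification result to the custody record, so the chain shows not just the acquisition digest but every point at which it was re-checked.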

Scalability

Scalability is another key attribute. Without high-capacity tools, there is no way to manually manage threat vectors at a scale large enough to cover all endpoints in a medium or large organization. To be effective, your toolset must scale to analyze all potentially affected endpoints with a single click.

Accuracy

All of these capabilities are meaningless unless organizations trust the results of their forensic investigations. There can be no doubt about the accuracy of the data. IT pros need to be sure they are looking at the right information when time is tight. So, when looking for a digital forensics tool, choose one that has demonstrated minimal false positives over a significant period of time.

Proving the Value of Digital Forensics

As we all know, there is no silver bullet that blocks cyberattacks, and no one has come up with a mythical crystal ball that provides insight into the minds of hackers. Attackers can find their way through almost any organization. It’s just a question of how and when an attack occurs and what the team can do to mitigate the damage.

Therefore, digital forensics will always be in demand, because it provides in-depth, verifiable analysis of what other cybersecurity solutions leave out: how, where, and why. In a recent case where 15 servers within a large insurance company were hit by a ransomware attack, the company took action.

  1. To understand how it happened, the company used Exterro FTK® to relive the attack timeline, extract critical system information that revealed specific IoCs, and identify the exact cause of the attack’s success.
  2. The company discovered that the attack came from a phishing email sent to an employee; malware was installed through human error. It then found a remote desktop connection that had been established and tested a few days before the attack, which allowed it to build a clear picture of how long the attackers had been active in the environment.
  3. This information allowed the company to identify what the attackers were able to steal. It devised a much more thorough breach response strategy, properly classified the damage, and maintained the integrity of any evidence it found to support later litigation if needed.
  4. All of this could be discovered in hours through an automated, integrated system, rather than the days or weeks it would take without digital forensics tools.

What professionals need to know

Siloed workflows in breach response ultimately lead to chaos and inefficiency, whereas integrated tools provide all the automation, accuracy, and speed you need. Technologies that complement each other give you a holistic approach that increases your chances of success.

Organizations that believe they already have the best defenses in place must remain vigilant. The attack landscape changes every day, and hackers are waiting for the right opportunity. Organizations under attack must continually strive to strengthen their security protocols and response posture by implementing the right policies, educating employees on cyber safety skills, and deploying best-in-class forensic investigation techniques.

*This content was first published in Toolbox, a SWZD publication, in January 2022.

About the author

Harsh Behl is Director of Product Management at Exterro. He is responsible for overseeing the entire product lifecycle of the legacy AccessData products, now the Exterro Forensic products, including the FTK® product family. As the air traffic controller for product launches, Harsh has partnered with customers and prospects in the market to discuss their needs and challenges, developing in-depth knowledge of what the market wants from digital forensics tools. Prior to joining AccessData, now Exterro, Harsh worked on the front line as an evidence analyst and forensic investigator, forensic consultant, and technical engineer. His hands-on experience and expertise provide a unique perspective on developing products that are easy to use, intuitive, and practical. Harsh can be reached online at Harsh.behl@exterro.com and at our website https://exterro.com/.
