Performing threat hunting and incident response on live hosts, collectively referred to here as live analysis, can be a complicated task. When performed properly, they can detect and preserve volatile artifacts, such as network connections, running processes, hooks and open files, which may be the only evidence of today’s advanced attacks. Live analysis may also be the only option when taking a host offline for traditional disk forensics is not an option, such as with business-critical application servers or domain controllers. However, if performed improperly, they can alert attackers to your presence, destroy critical information or render any evidence gathered inadmissible in legal proceedings.
Live forensics and live threat hunting
Live forensics and live threat hunting begin as two different processes. When performing live forensics, we typically start with a pivot point; something has already been detected as anomalous which has prompted us to examine the host. During live threat hunting, we are seeking that anomaly, that indicator of potential malicious activity, to use as a pivot point for further investigation. Once that initial indicator has been discovered, the traditional incident response process, often involving further live forensics begins.
Performing live analysis poses several unique challenges when compared to traditional offline disk forensics. Although any forensic process must be documented and repeatable, these attributes are especially important when performing live analysis. Unlike offline disk forensics, where the original evidence should theoretically remain static and unchanged, live evidence is constantly changing. In fact, we are changing the live evidence by performing live forensics. Although the live analysis process is repeatable, it cannot be repeated while achieving exactly the same results; processes start and end, network connections are terminated, and memory is re-allocated. This means that our live analysis processes must be able to stand up to increased scrutiny.
Because live analysis involves executing commands on a running host, it is crucial that the process is also performed in a secure manner. Only trusted tools should be executed. Each tool and the commands used to execute them should be tested prior to being executed during a live analysis to ensure that the results are known and only the intended actions occur. It is also important to ensure that the tools and commands you tested are the same ones being executed during each live analysis situation.
On Friday, September 7th, I will be speaking at the SANS Threat Hunting and IR Summit in New Orleans regarding some of the challenges and best practices when performing threat hunting and incident response on live hosts. I will also be demoing DFLabs free tool, the No-Script Automation Tool (NAT), which can be used to assist in the live data acquisition process. If you have not had a chance to see NAT, please check out our blog post here, and our demo video here.
Also, find out which top cyber security events DFLabs will attend this fall.
I hope to see you all at the SANS Threat Hunting and IR Summit soon. Safe travels and avoid the storm!
In the context of cyber security, two of the most pressing concerns facing many organizations are the ever-rising number of cyber attacks and figuring out how to keep them at bay without having to increase manpower. The recent Cyber attacks are now more sophisticated and noticeably more common than they were even just a few years ago. Faced with this increased volume, private entities and government agencies are struggling to figure out how to help their security teams respond to cyber events in an effective and timely manner, while finding that most potential solutions require either substantial financial expense, or rely on the addition of specialized human resources.
Hiring skilled staff is a real challenge for most organizations amid an acute and global cyber security skills shortage. Unmet demand has led professionals in this field to command disproportionately high salaries and made it that much more difficult for businesses and governments to attract cyber security talent. Consequently, organizations are now also forced to seek out technical solutions that might actually help decrease their reliance on specialized and expensive human resources. This is where cyber security incident response platforms come in as arguably the most convenient, practical and cost-effective solution to the growing cyber security threat issue and specialized resource shortage.
Ease the Strain on Security Teams by Automating Time Consuming Incident Response Tasks
A security automation and orchestration platform is the economical solution to enable an organization to respond to cyber threats and eradicate them in the most effective and fastest way possible. It is also the best way to ease the strain on security teams which, in many organizations, are already overwhelmed with an uninterrupted incident response workload.
Analyzing and assessing the legitimacy, impact and scope of a cyber incident are some of the most time-consuming tasks undertaken by cyber security professionals today. It is exactly within those tasks that an orchestration and automation platform can be of most service. From an incident identification and analysis perspective, these platforms are force multipliers which greatly accelerate the incident triage process. They provide an organization with the ability to analyze the cause and effect of each incident and to assess the scope and impact to an organization from any number of incidents at any given time. From a response perspective, and beyond their ability to automate response activity on existing security infrastructure, they can generate automated incident reports for distribution to in-house security teams, providing response and recovery resources with key insights into the scope and severity of an incident, thereby often dramatically reducing reaction times.
In short, the dual challenge of addressing a growing number of cyber attacks while maintaining an ability to mount an effective response within an existing cyber security team, is best tackled by employing an automation and orchestration platform. Deploying this tool as a force multiplier for both existing security infrastructure and human resources, allows security teams to offload the most intensive tasks and frees these professionals to focus on the more high-value areas of a cyber security threat response.
As part of its efforts to improve the country’s cybersecurity, the U.S.Department of Homeland Security has issued an updated National Cyber Incident Response Plan, specifically highlighting three key aspects:
• Responsibilities of government agencies and private sector organizations during a cyber incident
• Core capabilities required to respond to a significant cyber incident
• Coordinating structures and integration between the federal government and affected entities
The requirements in this plan apply to various types of cyber incidents, but are especially centered around significant cyber incidents that “are likely to result in demonstrable harm to the national security interests, foreign relations or economy, or to the public confidence, civil liberties or public health and safety of the American people.”
Responsibilities and Capabilities
The plan includes a list of responsibilities and capabilities all affected entities are required with regard to with incident response. The ultimate responsibility that affected entities have during a cyber incident is to take appropriate actions to manage the impact of the incident. This includes, but is not limited to: ensuring continuation of business or operational functions, disclosure and notification of the incident in accordance with legal and regulatory requirements, protecting privacy, and managing liability risk.
As far as capabilities are concerned, they encompass the following areas: forensics and attribution, infrastructure systems, intelligence and information sharing, public information and warning, screening search and detection, as well as cybersecurity, to name a few.
How to Respond and Comply with Requirements
In order to be able to comply with the above-mentioned requirements, the best thing that covered entities could do is adopt an incident response platform that can take care of all those tasks. As an example, an organization can obtain a platform that is able to predict, detect and respond to breaches automatically, allowing them to resume operations as quickly as possible.
They can track, predict, and visualize cybersecurity incidents, accelerating the process of resolving an incident. Importantly, utilizing an incident response platform assist in reducing legal and regulatory risks, on top of managing cybersecurity events. A platform like this can provide automated incident reports, which can be beneficial when required to disclose an incident andnotify authorities of it.
Another key capability of an incident response platform is that it allows controlled intelligence sharing with an organization or a community of your own choosing, which aligns with requirements in the National Cyber Incident Response Plan.
In summary; tracking digital evidence and forensic investigation are some of the critical capabilities provided by incident response platforms, which makes them an ideal solution for any entity that is required to comply with the updated National Cyber Incident Response Plan.