Performing threat hunting and incident response on live hosts, collectively referred to here as live analysis, can be a complicated task. When performed properly, they can detect and preserve volatile artifacts, such as network connections, running processes, hooks and open files, which may be the only evidence of today’s advanced attacks. Live analysis may also be the only option when taking a host offline for traditional disk forensics is not an option, such as with business-critical application servers or domain controllers. However, if performed improperly, they can alert attackers to your presence, destroy critical information or render any evidence gathered inadmissible in legal proceedings.
Live forensics and live threat hunting
Live forensics and live threat hunting begin as two different processes. When performing live forensics, we typically start with a pivot point; something has already been detected as anomalous which has prompted us to examine the host. During live threat hunting, we are seeking that anomaly, that indicator of potential malicious activity, to use as a pivot point for further investigation. Once that initial indicator has been discovered, the traditional incident response process, often involving further live forensics begins.
Performing live analysis poses several unique challenges when compared to traditional offline disk forensics. Although any forensic process must be documented and repeatable, these attributes are especially important when performing live analysis. Unlike offline disk forensics, where the original evidence should theoretically remain static and unchanged, live evidence is constantly changing. In fact, we are changing the live evidence by performing live forensics. Although the live analysis process is repeatable, it cannot be repeated while achieving exactly the same results; processes start and end, network connections are terminated, and memory is re-allocated. This means that our live analysis processes must be able to stand up to increased scrutiny.
Because live analysis involves executing commands on a running host, it is crucial that the process is also performed in a secure manner. Only trusted tools should be executed. Each tool and the commands used to execute them should be tested prior to being executed during a live analysis to ensure that the results are known and only the intended actions occur. It is also important to ensure that the tools and commands you tested are the same ones being executed during each live analysis situation.
On Friday, September 7th, I will be speaking at the SANS Threat Hunting and IR Summit in New Orleans regarding some of the challenges and best practices when performing threat hunting and incident response on live hosts. I will also be demoing DFLabs free tool, the No-Script Automation Tool (NAT), which can be used to assist in the live data acquisition process. If you have not had a chance to see NAT, please check out our blog post here, and our demo video here.
Also, find out which top cyber security events DFLabs will attend this fall.
I hope to see you all at the SANS Threat Hunting and IR Summit soon. Safe travels and avoid the storm!