Digital Forensics & Incident Response: why do firemen always come too late?
Why is time management so important in Digital Forensics & Incident Response?
Digital Forensics and Incident Response (DFIR) is a very specific domain of cybersecurity where time is the enemy. Every minute or hour lost during the crisis can mean that the incident escalates, or that another set of logs is lost to short retention periods and log rotation. Of course, analysis takes time, but it is common for companies to let days, weeks, or even months go by between the initial detection of an incident and the intervention of the DFIR team.
The following article intends to give basic advice on how to speed up the beginning of an investigation, between the first detection and the start of the analysis.
First step – Confirm the incident
Usually, detecting a Russian popup on a Domain Controller in the middle of the night is bad news. Especially outside working hours or during weekends, context switching will cost you time, not to mention recovering from the fright and surprise. We call it the “stupefaction phase”. As soon as the incident is confirmed, the goal is not to lose too much time trying to over-qualify it. Keep in mind that, at this point, it is more critical to start the DFIR process as soon as possible than to have more information on what precisely is happening. After all, it is the DFIR team’s role to bring you a diagnosis of what is happening and to help you mitigate it.
Second step – Who you gonna call?
To launch an attack, attackers don’t wait for all your teams to be available, ready and fully operational. As Sun Tzu said, “the enemy does not care that your sysadmin was on vacation”. It is not that rare for an incident to be analyzed several days after its initial discovery because the CISO or the technical teams were unavailable. Make sure, at all times, that there is a dedicated point of contact for each subject: collection and analysis, crisis management, internal and external communication (at least). Define who is in charge of what, and who stands in for whom in case of unavailability. Don’t hesitate to organize dedicated workshops before an incident to discuss this with your teams.
Third step – Divide and conquer
Being ready to start on the DFIR side does not mean being authorized to do so. Usually (and especially if you intend to call external providers), the responders will need administrative and financial cover to be authorized to start the analysis. Ergo: their contract will need to be signed. And the first hours of the crisis are not the moment when you want to lose time negotiating through emails, calls and meetings. Ideally, split your teams between commercial and technical people, so that the negotiation process does not interfere with the analysis process. Most DFIR providers have template contracts dedicated to this type of intervention, so don’t hesitate to ask for one.
Fourth step – Don’t wait for the corpse to freeze
Qualifying an incident and preparing the DFIR analysis takes time. The problem is that this delay creates a window during which logs can be lost, machines can be rebooted and the incident can escalate. A four-hour delay can be the difference between “one stranger has an RDP foothold on a workstation” and “infrastructure-wide ransomware”. As preparation, carry out the following tasks as soon as possible:
- Isolate all potentially compromised assets completely from all networks. Pulling the cable, a host firewall deny-all, or an EDR isolation feature all work, but snapshot the live network connections and sessions first: isolation destroys exactly the volatile traces (the attacker’s RDP session, outbound beacons) you want on record, and you still need a path for the collection results to leave the machine.
- Don’t reboot the machines. Rebooting can destroy traces crucial for the analysis (the contents of RAM are lost during a reboot, for example).
- Anticipate collection. Collecting artifacts and traces and transferring them to the DFIR team will allow them to start analyzing the assets. These collections can either be raw (by imaging a hard drive, for example) or run through dedicated collection tools (such as DFIR-ORC). Depending on the asset, processing a collection can take hours to days. Moreover, the logs and traces can be targeted by attackers using anti-forensics techniques. As a result, the sooner the collection starts, the better: when the DFIR team asks for them, they will be ready.
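The three tasks above, as one first-responder script for a Windows host (an added example written for this article, not code from the original page or from the DFIR-ORC project). It snapshots volatile state before cutting the network, isolates the host with the built-in firewall while keeping a path to the collection server, runs DFIR-ORC if it is staged on the machine, and hashes the output. The collector address, the staging directory, the DFIR-ORC path and the `/Out=` argument are assumptions to adapt to your environment; run it elevated, and do not reboot afterwards.

```powershell
# first-responder.ps1 : added example, not part of the original article.
# Freeze volatile state, isolate the host, stage a collection for the DFIR team.
# Assumptions (not from the article): collector IP, staging path and DFIR-ORC
# location are placeholders. Run from an elevated PowerShell. Do NOT reboot.
param(
    [string]$CollectorIp = "10.0.0.50",           # assumption: collection server
    [string]$OutRoot     = "C:\IR",               # assumption: local staging directory
    [string]$OrcPath     = "C:\IR\DFIR-Orc.exe"   # assumption: your configured DFIR-ORC build
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log = Join-Path $outDir "responder.log"
function Log($msg) { "$(Get-Date -Format o) $msg" | Tee-Object -FilePath $log -Append }

Log "Responder started on $env:COMPUTERNAME by $env:USERNAME"

# 1. Snapshot volatile state BEFORE isolation: cutting the network destroys the
#    very connections (attacker RDP session, C2 beacons) you want on record.
Get-CimInstance Win32_OperatingSystem |
    Select-Object CSName, LastBootUpTime, LocalDateTime |
    Export-Csv (Join-Path $outDir "boot.csv") -NoTypeInformation
Get-Process | Select-Object Id, ProcessName, Path, StartTime, SessionId |
    Export-Csv (Join-Path $outDir "processes.csv") -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv (Join-Path $outDir "tcp.csv") -NoTypeInformation
query user 2>$null | Out-File (Join-Path $outDir "sessions.txt")
# Record the firewall state so the isolation can be reverted by the DFIR team later.
Get-NetFirewallRule | Select-Object Name, DisplayName, Enabled, Direction, Action |
    Export-Csv (Join-Path $outDir "firewall-before.csv") -NoTypeInformation
Log "Volatile snapshot written to $outDir"

# 2. Isolate: disable every existing rule, block by default on all profiles, then
#    allow only the collector (both ways, so an analyst can still reach the host).
#    Caveat: a domain GPO that manages the firewall may re-apply its own rules.
Get-NetFirewallRule | Where-Object { $_.Enabled -eq "True" } | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName "IR-AllowCollector-Out" -Direction Outbound `
    -RemoteAddress $CollectorIp -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "IR-AllowCollector-In" -Direction Inbound `
    -RemoteAddress $CollectorIp -Action Allow | Out-Null
Log "Host isolated; traffic allowed only with $CollectorIp"

# 3. Collect: run DFIR-ORC if it is staged. The arguments it accepts depend on the
#    configuration embedded in your build; /Out= for the output directory is an assumption.
if (Test-Path $OrcPath) {
    Log "Starting DFIR-ORC"
    & $OrcPath "/Out=$outDir"
    Log "DFIR-ORC finished with exit code $LASTEXITCODE"
} else {
    Log "DFIR-ORC not found at $OrcPath; volatile snapshot only"
}

# 4. Hash everything so the DFIR team can verify integrity on receipt.
Get-ChildItem $outDir -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $OutRoot "$env:COMPUTERNAME-$stamp.sha256.csv") -NoTypeInformation
Log "Done. Hand $outDir to the DFIR team; do not reboot this host."
```

The order is the point: the volatile snapshot takes seconds and costs nothing, whereas the firewall change a few lines later would have erased the attacker’s connections from `Get-NetTCPConnection`. If your EDR has a network-isolation feature that keeps its own tunnel open, prefer it over the firewall block, and keep the same snapshot-then-isolate order. The hash manifest is written outside the collection directory so the DFIR team can compare it against what they receive.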
Fifth step – You can tell a good workman by his tools
Last but not least, you will need dedicated tools to communicate and exchange resources with your teams. Ideally, these tools must be able to work independently of your usual infrastructure, in case your usual solutions are unavailable or unreliable due to a potential compromise. You will need to, at the very least, define a tool for each of the following needs:
- Communicate textually
- Communicate orally
- Exchange small resources (docs, images, …)
- Exchange large files (collection results)
The point is to have these tools ready and configured, and to know how to add external users, manage permissions and start instances. Make sure they are usable and reachable from outside your network. You don’t want to lose two hours just because the analysts can’t connect to the qualification meeting, or because the collection results can’t be sent to them.
So, what is the best way to prepare for a cyber incident?
A crisis is not the moment when you want to lose time. It is also the moment when all of an organization’s flaws surface at once, delaying intervention and investigation. React, give clear directives, identify the actors, assign roles, prepare collection processes and define crisis-dedicated tools, and your incidents will be handled quickly and efficiently. And as Miguel Gutierrez said, “If you suffer an attack your best ally is to keep calm.”