Digital Forensics & Incident Response: why does help sometimes arrive too late?
Why is time management so important in Digital Forensics & Incident Response?
Digital Forensics and Incident Response (DFIR) is a very specific domain of cybersecurity where time is the enemy. Each minute or hour lost during the crisis can mean either that the incident escalates or that another set of logs is lost to short retention and log rotation. Analysis takes time, of course, but companies often have days, weeks, sometimes even months between the initial detection of an incident and the DFIR team's intervention.
The following article gives basic advice on how to speed up the beginning of an investigation: the interval between the first detection and the start of the analysis.
First step – Confirm the incident
A pop-up from a foreign IP address appearing on a Domain Controller in the middle of the night is usually bad news. Especially out of office hours or during weekends, context switching will cost you time, not to mention getting over the fright and the surprise. We call it the "stupefaction phase". As soon as the incident is confirmed, the goal is to avoid losing too much time trying to over-qualify it. Keep in mind that, at this point, being able to start the DFIR process as soon as possible matters more than having more information on what precisely is happening. After all, it is the DFIR team's role to bring you a diagnosis of what is happening and help you mitigate it.
Second step – Who you gonna call?
Attackers usually don't wait for all your teams to be available, ready and fully operational before launching an attack. As Sun Tzu could have said, "the enemy does not care that your sysadmin was on vacation". It is not that rare for an incident to be analyzed several days after its initial discovery because the CISO (Chief Information Security Officer) or the technical teams were unavailable. Make sure that, at all times, there is a dedicated point of contact for each subject: collection and analysis, crisis management, internal and external communication (at the very least). Define who is in charge of what, and who backs up whom in case of unavailability. Don't hesitate to organize dedicated workshops before any incident to discuss this with your teams.
Third step – Divide and conquer
Being ready to start on the DFIR side does not mean being authorized to do so. Usually (and especially if you intend to call in external providers), the responders will need contractual and financial cover before they are allowed to start the analysis. Ergo: their contract will need to be signed. And the first hours of the crisis are not the moment when you want to lose time negotiating through emails, calls and meetings. Ideally, split your teams between commercial and technical people, so that the negotiation process does not interfere with the analysis process. Most DFIR providers have standard contracts (retainers or emergency-response agreements) dedicated to these interventions, so don't hesitate to ask for one in advance.
Fourth step – Don’t wait for the corpse to freeze
Qualifying an incident and preparing the DFIR analysis takes time. The problem is that this time creates a window during which logs can be lost, machines can be rebooted and the incident can escalate. A four-hour delay can be the difference between "an unknown actor has an RDP foothold on one workstation" and "ransomware spread across the whole infrastructure". As a preparation, proceed as soon as possible with the following tasks:
- Isolate all potentially compromised assets completely from every network. Isolate, don't power off: pulling the network cable, disabling the port on the switch or using your EDR's network-containment feature keeps the machine's state intact while cutting the attacker's access.
- Don't reboot the machines. Rebooting destroys traces that are crucial for the analysis (the contents of RAM, running processes, open network connections and logged-on sessions are all lost on reboot, for example).
- Anticipate collection. Collecting artifacts and traces and transferring them to the DFIR team allows them to start analyzing the assets. These collections can either be raw (extracting and imaging a hard drive, for example) or run through dedicated collection tools (such as DFIR-ORC). Depending on the asset, processing a collection can take hours to days. Moreover, attackers may target the logs and traces themselves with anti-forensics techniques (clearing event logs, deleting tools, altering timestamps). As a result, the sooner the collection starts, the better: when the DFIR team asks for the artifacts, they will already be ready.
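The three tasks above, carried out in the order the article argues for, as an added example that is not part of the original article: a first-hour triage script for a Windows host suspected of compromise. It captures volatile state while the machine is still up, isolates it with the built-in firewall without rebooting, exports event logs before retention rolls them over, optionally hands off to a staged DFIR-ORC build, and hashes every artifact for chain of custody. The collector address, output directory and tool paths are assumptions for illustration, not values from the article, and the memory-imager invocation is the assumed one for winpmem_mini.

```powershell
# Added example (not from the article): first-hour triage of a suspected-compromised
# Windows host. Order matters: volatile state first, then isolation (no reboot),
# then logs, then hashing. Run from an elevated PowerShell session.
#
# Assumptions (not from the article): the collector address, output directory and
# tool paths below are placeholders for your own environment.
#Requires -RunAsAdministrator

param(
    [string]$CaseId      = ("CASE-{0}" -f (Get-Date -Format 'yyyyMMdd-HHmm')),
    [string]$OutRoot     = 'C:\Triage',
    [string]$CollectorIp = '10.0.0.50',                      # hypothetical DFIR collection server
    [string]$MemTool     = 'C:\Tools\winpmem_mini_x64.exe',  # hypothetical staged memory imager
    [string]$OrcTool     = 'C:\Tools\DFIR-Orc.exe'           # hypothetical staged DFIR-ORC build
)

$out = Join-Path $OutRoot "$CaseId-$env:COMPUTERNAME"
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-Date -Format o | Set-Content (Join-Path $out 'collection-start.txt')

# 1. Volatile state first: isolation and, above all, a reboot would change or erase it.
if (Test-Path $MemTool) {
    # winpmem_mini takes the output file as its only argument (assumed invocation).
    & $MemTool (Join-Path $out 'memory.raw')
}
Get-CimInstance Win32_OperatingSystem |
    Select-Object CSName, LastBootUpTime, LocalDateTime |
    Export-Csv (Join-Path $out 'system.csv') -NoTypeInformation
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $out 'tcp-connections.csv') -NoTypeInformation
quser 2>$null | Set-Content (Join-Path $out 'logged-on-users.txt')
Get-ScheduledTask |
    Select-Object TaskPath, TaskName, State, Author |
    Export-Csv (Join-Path $out 'scheduled-tasks.csv') -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv (Join-Path $out 'services.csv') -NoTypeInformation

# 2. Isolate without powering off. Prefer your EDR's network containment if it has one;
#    this is the built-in-firewall fallback. A "Block" default action only applies to
#    traffic no rule matches, so enabled outbound Allow rules are recorded (for
#    rollback) and disabled, then only the collector is allowed through.
$allowRules = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True
$allowRules | Select-Object Name, DisplayName, Profile |
    Export-Csv (Join-Path $out 'firewall-rules-disabled-for-isolation.csv') -NoTypeInformation
$allowRules | Disable-NetFirewallRule
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName "$CaseId-collector-out" -Direction Outbound -Action Allow `
    -RemoteAddress $CollectorIp -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$CaseId-collector-in" -Direction Inbound -Action Allow `
    -RemoteAddress $CollectorIp -Profile Any | Out-Null

# 3. Export event logs before retention rolls them over or an attacker clears them.
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Sysmon/Operational'
foreach ($log in $logs) {
    $file = Join-Path $out (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file 2>$null   # a log that does not exist (e.g. no Sysmon) is skipped
}

# 4. Optional full triage collection with a DFIR-ORC build configured for your environment;
#    its embedded configuration decides what it gathers and where it writes.
if (Test-Path $OrcTool) { & $OrcTool }

# 5. Timestamp the end, then hash every artifact so the DFIR team can verify
#    that nothing changed in transit (the manifest itself is written last).
Get-Date -Format o | Set-Content (Join-Path $out 'collection-end.txt')
Get-ChildItem $out -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $out 'manifest-sha256.csv') -NoTypeInformation
```

Two caveats a practitioner should keep in mind. First, on a Domain Controller this isolation cuts authentication for every client that depends on it, so coordinate with whoever owns the directory before running step 2, and keep the exported rule list to roll the firewall back afterwards. Second, the script writes to the local disk of the compromised host; ship the output directory to the collector as soon as the manifest exists, and compare hashes on arrival, because local artifacts remain within the attacker's reach until then.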
Fifth step – You can tell a good worker by his tools
Last but not least, you will need dedicated tools to communicate and exchange resources with your teams. Ideally, these tools should work independently from your usual infrastructure, in case your usual solutions are unavailable or unreliable because they may themselves be compromised. You will need to designate, at the very least, a tool for each of the following needs:
- Communicate textually
- Communicate orally
- Exchange small resources (docs, images, …)
- Exchange large files (collection results)
The point is to have these tools ready and configured beforehand: know how to add external users, manage permissions and start instances, and make sure the tools are usable and reachable from outside your network. You don't want to lose two hours just because the analysts can't connect to the qualification meeting or because the collected traces can't be sent to them.
So, what is the best way to prepare for a cyber incident?
A crisis is not the moment when you can afford to sit still. It is also the phase where every organizational flaw will surface at once, delaying intervention and investigation. React, give clear directives, identify the actors, assign roles, prepare collection processes and designate crisis-dedicated tools, and your potential incidents will be handled quickly and efficiently. And as Miguel Gutierrez could have said: "If you suffer an attack your best ally is to keep calm."