When incidents happen, it's essential that organizations and their cybersecurity teams can get the most complete picture of what happened, how to fix it and how to prevent a recurrence. Digital forensics plays an essential role in cybersecurity incident response. But where do you start?
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Digital forensics is defined by Interpol as “a branch of forensic science that focuses on identifying, acquiring, processing, analyzing and reporting on data stored electronically”. We see the use of digital forensics all the time on TV, albeit not always portrayed accurately. Watch pretty much any crime drama and within just two or three episodes the investigation team will be recovering data from smashed laptop hard drives or tracing kidnappers back to the country cabin where they are holding their victims.
It should come as no surprise that digital forensics is a highly complex, specialist area of cybersecurity. While the average IT engineer can do basic things like figuring out which PC a ransomware infection on a file server is originating from, the investigative tasks that follow an incident require skill, care and extremely strong procedures if they are to be done correctly and usefully. The digital forensics activities for incident response can be split into four stages.
Identification
The first stage of the forensic process is where in-house IT specialists can be most helpful. Passive analysis of network traffic and similar sources can pinpoint the source of a malware outbreak, for example, or show that data is being exfiltrated to an IP address in a sanctioned country. The most important word here is passive: the identification stage is all about finding out what we can without affecting what is happening in any way whatsoever. The identification stage is the smallest of the four areas of digital forensics, because we are restricted to looking at routing tables, watching logs (taking care that the way we open them to read them does not lock them against writing or otherwise alter them), sniffing network packets and so on. Anything that stands the slightest chance of changing the behavior of any element of the attack, or of modifying the evidence itself, should not be part of the identification stage.
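The kind of passive triage described above, as an added example that is not part of the original article: it reads already-captured flow-log text, sums outbound bytes from internal hosts to external destinations that are not on a known-good allowlist, and reports the pairs above a size threshold. The log layout, the internal and allowlisted ranges, the threshold and the log lines themselves are all constructed for the example (the addresses are from the documentation ranges, not real hosts). Nothing here connects to the network or touches the suspect machines, which is what keeps the step passive.

```python
import ipaddress
from collections import defaultdict

# Hypothetical network layout (assumption, not from the article): internal
# ranges, plus an allowlist of known business destinations that legitimately
# receive large uploads (e.g. a backup or SaaS provider).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BYTES_THRESHOLD = 500_000  # assumption: >= 500 KB outbound to one host is worth a look

# Constructed sample log lines in a simple flow-log layout:
# <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_LOG = """\
2024-03-01T02:14:05Z 10.0.5.23 203.0.113.8 443 184320
2024-03-01T02:14:09Z 10.0.5.23 203.0.113.8 443 196608
2024-03-01T02:14:15Z 10.0.5.23 203.0.113.8 443 221184
2024-03-01T02:15:01Z 10.0.7.4 198.51.100.20 443 904000
2024-03-01T02:15:30Z 10.0.5.23 10.0.1.10 445 32768
2024-03-01T02:16:02Z 10.0.9.77 203.0.113.41 8443 12000
garbage line that a parser must tolerate
"""


def parse_line(line):
    """Return (ts, src, dst, port, bytes) or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)
    except ValueError:
        return None


def in_any(ip, nets):
    return any(ip in net for net in nets)


def find_exfil_candidates(log_text, threshold=BYTES_THRESHOLD):
    """Aggregate outbound bytes per (internal source, external destination) and
    return the pairs at or above the threshold, largest first, with the time
    the pair was first seen. Only captured log text is read; no host is probed."""
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _port, nbytes = rec
        # Keep only internal -> external flows to destinations we do not already trust.
        if (not in_any(src, INTERNAL_NETS) or in_any(dst, INTERNAL_NETS)
                or in_any(dst, ALLOWED_EXTERNAL_NETS)):
            continue
        key = (str(src), str(dst))
        totals[key] += nbytes
        first_seen.setdefault(key, ts)
    flagged = [(src, dst, total, first_seen[(src, dst)])
               for (src, dst), total in totals.items() if total >= threshold]
    return sorted(flagged, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total, ts in find_exfil_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}: {total} bytes, first seen {ts}")
```

On the constructed lines only 10.0.5.23 is flagged: the large transfer from 10.0.7.4 goes to an allowlisted range, the SMB traffic is internal, and 10.0.9.77 is under the threshold. In a real run the output is a list of hosts to preserve, not a conclusion; the allowlist and threshold should come from what the organization knows about its own traffic, and any geolocation of the destination is an extra lookup on top of this.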
Collection and Preservation
Forensic data is only useful if it can be relied upon. At the extreme end of the scale, if there is the potential for a prosecution to be brought once an attacker has been identified, we need to be confident that we can conclusively demonstrate that data integrity has been absolutely preserved and that what we present legally can be relied upon. However, even if we believe the data will only be used for our own purposes – understanding and eradicating the problem – we still need data integrity if we are to stand any hope of reaching an accurate conclusion.
Step one, then, is to freeze the data at a point in time. Virtualized infrastructures are a tremendous bonus in this respect, because we can literally hit the "pause" button and stop a virtual server in its tracks, saving its state along with the contents of memory and virtual disks for later analysis. This task is harder with physical servers, though there are plenty of tools available that can take a "dump" of server memory in order to create a near-real-time snapshot of the system. Bear in mind that the acquisition tool itself runs on the live system and alters some of its state, so capture the most volatile data first (memory, network connections, running processes) and record exactly what was run and when. When it comes to storage, the key aim is to preserve the disk contents unchanged so that they can be worked on with confidence: every forensic specialist's toolbox includes a write blocker, a device that connects between the disk and the computer and prevents data from being written to the disk.
Once the data has been preserved, there is a final step in the collection and preservation stage: making read-only, like-for-like clones of the data for the next stage, verifying each clone against the original with a cryptographic hash, and ensuring that at least one master copy of everything is stored securely.
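The clone-and-verify step above, as an added example that is not the article's own procedure: hash the source, make a byte-for-byte master copy and a working copy, re-hash each copy to prove it matches, mark the copies read-only, and append a chain-of-custody record saying who made which copy, when, and with what hash. The function names, the JSON-lines custody log and the stand-in "disk" (a constructed file in a temporary directory) are assumptions for the example; on a real case the source would be a device node behind a write blocker, imaged with a tool such as dd or dc3dd, and the same verify-the-hash discipline applies.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images never need to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_read_only(path):
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def clone_and_verify(source, dest):
    """Byte-for-byte copy of source to dest, then re-hash the copy and compare.
    Returns the shared SHA-256; discards the copy and raises on a mismatch."""
    expected = sha256_file(source)
    shutil.copyfile(source, dest)
    make_read_only(dest)
    actual = sha256_file(dest)
    if actual != expected:
        os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
        os.remove(dest)
        raise RuntimeError(f"clone of {source} failed verification: {actual} != {expected}")
    return expected


def record_custody(log_path, **fields):
    """Append one JSON-lines entry: who did what to which evidence, when (hypothetical format)."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def acquire(source, workdir, handler):
    """Produce a read-only master image plus a working clone, both verified
    against the source hash, and log the acquisition."""
    master = os.path.join(workdir, "master.img")
    working = os.path.join(workdir, "working.img")
    custody = os.path.join(workdir, "custody.jsonl")
    master_hash = clone_and_verify(source, master)
    working_hash = clone_and_verify(master, working)  # clone the master, not the source, a second time
    if working_hash != master_hash:
        raise RuntimeError("working copy does not match master")
    record_custody(custody, action="acquire", handler=handler, source=source,
                   master=master, working_copy=working, sha256=master_hash)
    return {"sha256": master_hash, "master": master, "working": working, "custody_log": custody}


def verify_unchanged(path, expected_sha256):
    """Re-hash an image and confirm it still matches the recorded value."""
    return sha256_file(path) == expected_sha256


def demo(workdir=None):
    """Run the procedure against a constructed stand-in for a write-blocked disk."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic-demo-")
    source = os.path.join(workdir, "suspect-disk.bin")
    with open(source, "wb") as f:  # constructed content, not a real disk
        f.write(b"FAKE-MBR" + bytes(range(256)) * 64)
    result = acquire(source, workdir, handler="analyst-1")
    # A tampered copy must be detected: alter one byte of a scratch copy and re-verify.
    scratch = os.path.join(workdir, "scratch.img")
    shutil.copyfile(source, scratch)
    with open(scratch, "r+b") as f:
        f.write(b"X")
    result["master_intact"] = verify_unchanged(result["master"], result["sha256"])
    result["working_intact"] = verify_unchanged(result["working"], result["sha256"])
    result["tamper_detected"] = not verify_unchanged(scratch, result["sha256"])
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to real acquisitions: the hash of the source is taken before imaging and compared with the hash of every copy, so any later claim that the evidence is unchanged can be checked by anyone holding the recorded value; and the working copy is cloned from the master, so the original is read as few times as possible. File permissions are a convenience against accidental writes, not a substitute for the write blocker.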
Examination and Analysis
The examination and analysis stage is, as the name suggests, where specialists use the data provided to them to figure out as much as they can regarding the attack, how it was perpetrated, where it came from, how it got into the company, and so on. It is the digital equivalent of a taped-off crime scene, preserved for physical investigation.
At the simple end this will involve looking at logs or decoding packet captures from the network. At the complex end are tasks such as reverse-engineering the binary executable of a piece of malware, or attempting to brute-force the passwords or keys protecting encrypted data or packed binaries. It is very common, incidentally, to engage external specialists for this stage of the investigation: people with the necessary skills and equipment simply do not exist in-house in most organizations.
The analysis stage can involve more than just looking at read-only copies of evidence. In a virtual infrastructure the analysis team may choose to fire up frozen virtual machines in an isolated "sandbox" environment to conduct experiments, try things and observe behavior. Or they might choose to re-enable write functions on a clone of the disk of an encrypted laptop and observe its behavior, again with strict controls and in a sandbox, and never on the master copy. This is where the collection and preservation activities bring their main benefit: such work can only be done if we have complete confidence that we can roll everything back to where it was when we hit "stop".
Documentation and Reporting
At the advanced level, where criminal prosecutions may ensue, it is vital to have a complete chain of custody for every item of evidence and a record of every single activity that takes place during the incident response. In this sense, documenting and reporting is not really a "stage" of the forensic exercise, because it needs to begin at the very start and continue until every related activity is complete. At every stage, the key members of the team must ask the question: if I am challenged about this in court, can I put my hand on my heart and tell the story with absolute confidence?
Even if things are unlikely to get to court, proper documentation and reporting still matter hugely because they can have a massive influence in a variety of directions. In regulated businesses such as banks, the ability to demonstrate an effective response and prove that the attack has been understood and fully dealt with will typically reduce the level of sanctions the regulator imposes. In a large retailer the reputational impact of an attack is often reduced if customers are given a high degree of confidence that, despite the intrusion, the company nonetheless did a competent job of dealing with it. In a more general sense, clear reporting is a tremendous enabler for an effective lessons-learned process and a basis for training technical teams, so they are better placed for future incidents, and of course for understanding risks and using what has been learned to help avoid such incidents in future.
Summing Up
The digital forensics element of incident response is complicated and must be done correctly. Perhaps the trickiest element, however, is to put the forensic element into the context of the wider organization requirement: there is no point carrying out an intensive, detailed, perfect forensic exercise if in the meantime the organization is teetering on the brink of financial or operational calamity because the forensic work is preventing it from trading. As with anything, there will be a leadership decision to be made regarding where to draw the line between understanding the attack (and potentially prosecuting the perpetrator) and keeping the organization in business.