No company wants to be the next victim in what seems like a never-ending series of high profile breaches that have dominated the headlines over the last few years. This new reality has fueled a heightened awareness of cyber issues across all industries and at all levels, including boards of directors and the federal government. Unfortunately, there is no silver bullet that can make a company 100% immune to cyber-attacks apart from disconnecting completely from the Internet. This supports the commonly held belief that “it’s not a matter of if, but when” any given company will get the news that they have been compromised.
In this environment, the market has been flooded with companies claiming to have breach response capabilities. They range from small start-ups to large security software companies that have launched complementary services to support incident response. The result of this influx is confusion among victim companies as to which responder can best support them during a crisis. Choosing the wrong incident response team can result in an incomplete or unsatisfactory breach investigation that may not withstand regulatory inquiry or mitigate liability during follow-on litigation. To use the military vernacular, when the enemy is in your camp, you need to call in the special forces – a strategic, targeted team of specially trained operatives to identify and neutralize the threat.
Many of these software vendors posing as incident response companies rely on the deployment of their own proprietary tools to conduct investigations. They typically operate by deploying these proprietary tools across the victim’s networked environment to search for indicators of compromise. The goal of the responder here is twofold: (1) collect targeted information from systems to look for evidence of compromise; and (2) embed a tool within the client’s environment that can be monetized on a go-forward basis (typically a monthly subscription fee).
A tool that can scan across the network for affected systems is a valuable part of any responder’s toolkit, but its primary usefulness is to identify the scope or reach of the compromise (i.e., how many systems did the attacker infect). These tools don’t do much to address the more complex questions around the operability of the malware, dates that any given system was at-risk, and the like. These questions require a deeper dive into the affected systems through what’s known as host-based forensic analysis. Host-based analysis is typically conducted on the systems that show the greatest evidence of compromise — much like an ER doctor triages the most critical patients first — and can be done statically using forensic images, or performed live on running systems.
As a veteran responder who has been in the trenches and worked hundreds of breach investigations, I have a number of concerns with an investigative approach that relies on nothing more than a tool that’s deployed over the network to report back on specific information. First, a victim company loses precious time when an investigation begins with the purchase, installation, and configuration of the equipment required for many of these solutions. During an incident, companies are under intense pressure to learn as much as possible about what happened as quickly as possible – time is of the essence. In addition, the company is typically required to meet reporting deadlines, depending upon the types of information that the company handles (such as credit card, health care, personally identifiable information, and financial data) and manage internal and external notifications to the public. Companies don’t have time to waste waiting for appliance installation or agent deployment before responders begin the investigation in earnest. Nonetheless, I’ve seen several cases recently where this is exactly what has happened. In one instance, the victim engaged an incident response company that started working immediately, but because the focus was on tool implementation, it was nearly two weeks before agents were deployed and the investigation actually began. That’s time a victim can’t afford to lose!
Another concern I have is that network-deployed tools almost always ignore an incredibly rich source of forensic evidence: unallocated space. Attackers are savvy to the fact that most enterprise environments employ monitoring tools and, as a result, they have adapted their methods so as to leave little in the way of trace evidence in the form of active files on disk. At Stroz Friedberg, we’re seeing more breaches where attackers use fileless malware that never hits the system’s disk. Rather, the malware is transported over the network and injected directly into memory. Now, more than ever, targeted forensic preservation and analysis of compromised systems is critical to building a more complete picture of the actions an attacker took while in the environment. By conducting host-based analysis of select systems, following the initial triage effort, investigators can explore unallocated space, potentially capturing information about the attacker’s command usage, script fragments, captured data, and executable files, among other things.
Breach investigations are necessarily fast-paced and the focus can change quickly as facts are uncovered. You need to have the right team working beside you, one that understands the importance of a thorough investigation and has the experience to deliver. Don’t be swayed by technical lingo and marketing fluff around tools that claim to do it all, and don’t settle for an investigation that relies solely on tool deployment. Demand a thorough response investigation that begins with an initial triage effort followed by deeper analysis of compromised systems to understand the scope and impact of the compromise. Doing so will allow you to gain a level of comfort around what happened, what was at risk, what may have left your environment, the effectiveness of containment measures, and other factors impacting your critical business decisions.