Cyber Stages of an Investigation

Initial Assessment

Firstly, network monitoring tools like Wireshark or Suricata identify indicators of compromise (IOCs) and suspicious network activity. These indicators could be connections to command-and-control servers, URLs, traditional digital forensic artefacts such as the shim cache, and large volumes of requests or data being uploaded, suggesting exfiltration.


Employ log analysis tools (e.g., Splunk, ELK stack) to review system and event logs for anomalies and signs of intrusion. These tools ingest log files and provide visualisation so that examiners can identify anomalies quickly. I like using EmEditor’s low-level tool, which reads GBs of textual data, parses it, and provides lightning-fast filtering and export for reporting purposes.
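The two indicator types named above (connections to known command-and-control addresses, and unusually large outbound transfers suggesting exfiltration) are the kind of thing an examiner scripts against exported connection logs once the monitoring tools have produced them. The following is an added example, not code from the article or from any of the tools it names: it parses a constructed, simplified Zeek-style conn.log (tab-separated fields) and flags both indicator types. The IOC values, the internal address ranges, the 50 MiB threshold and all log lines are constructed assumptions for illustration; the IOC address is from a documentation range and is not a real C2.

```python
import ipaddress
from collections import defaultdict

# Constructed IOC list standing in for addresses/domains supplied by threat intel.
IOC_IPS = {"203.0.113.45"}            # TEST-NET-3 documentation range, not a real C2
IOC_DOMAINS = {"update-cdn.example"}  # constructed domain

# Internal ranges are declared explicitly (investigator-defined scope) rather than
# relying on ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Outbound-bytes-per-host threshold for an exfiltration candidate (constructed; tune per environment)
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB

# Constructed sample lines in a simplified Zeek conn.log-like layout:
# ts  src_ip  dst_ip  dst_port  proto  orig_bytes  resp_bytes  sni_or_host
SAMPLE_LOG = """\
1700000001.1\t10.0.0.5\t93.184.216.34\t443\ttcp\t1200\t45000\twww.example.com
1700000002.4\t10.0.0.5\t203.0.113.45\t443\ttcp\t3400\t900\tupdate-cdn.example
1700000003.9\t10.0.0.7\t198.51.100.10\t443\ttcp\t60000000\t2000\tfiles.example.net
1700000004.2\t10.0.0.9\t192.168.1.20\t445\ttcp\t80000000\t1000\t-
"""


def parse_conn_log(text):
    """Parse tab-separated connection records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            continue
        ts, src, dst, port, proto, ob, rb, host = fields
        records.append({
            "ts": float(ts), "src": src, "dst": dst, "dport": int(port),
            "proto": proto, "orig_bytes": int(ob), "resp_bytes": int(rb), "host": host,
        })
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_ioc_hits(records):
    """Connections whose destination address or host name matches the IOC sets."""
    return [(r["src"], r["dst"], r["host"]) for r in records
            if r["dst"] in IOC_IPS or r["host"] in IOC_DOMAINS]


def find_exfil_candidates(records, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum bytes sent by each internal host to external destinations; report hosts over threshold."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["orig_bytes"]
    return {src: b for src, b in totals.items() if b >= threshold}


def triage(text):
    recs = parse_conn_log(text)
    return {"ioc_hits": find_ioc_hits(recs), "exfil": find_exfil_candidates(recs)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Internal-to-internal transfers (the 80 MB SMB session in the sample) are deliberately not counted as exfiltration; they belong to a separate lateral-movement review rather than this check.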


Use memory analysis tools like Volatility or Rekall to identify active malware or suspicious processes. Volatility, for example, has plugins that flag malicious processes and allow the export of DLLs and processes for fingerprinting via hashes against a known database, as well as highlighting hidden processes and malware disguised as system processes.



Incident Containment and Mitigation

Endpoint security tools, and even anti-virus, isolate affected systems and can prevent the further spread of malware. On dead-box images, I have had the best experience with Avast! Anti-Virus with all settings switched on; it even picks out and contains detected threats inside container files, if they are not encrypted. Cybereason and SentinelOne are serious corporate platforms that allow control from a central computer and remote scanning of endpoints over the corporate network.

Employ network security tools (e.g., firewalls, intrusion detection systems) to block malicious traffic and contain the breach. SnortSam, for example, can block bad IPs and help contain the violation.


Use network forensic tools (e.g., Security Onion, NetworkMiner) to capture and analyse network traffic for additional evidence. Security Onion is, again, open source and bundles the Elastic Stack (Elasticsearch, Logstash, and Kibana) for centralised log management and analysis. A great use of Security Onion is the way it enables indexing, searching, and visualising log data from various sources, helping to detect and investigate security incidents.

Evidence Collection

Disk imaging using FTK Imager or a Linux forensic distribution is still pivotal to preserve the state of compromised systems for further analysis.


Volatile data is lost when a machine is powered off, so it should be collected while the system is live using tools such as F-Response, FTK, MDD, or Volatility to capture system memory and running processes. More than that, Axiom by Magnet Forensics can retrieve log files and internet history from RAM (Random Access Memory). In a ransomware case where all the files are locked, apart from the $MFT file, which contains information about every file written to the system, the RAM may be the only hope of piecing together the chronology of a breach.

Forensic Analysis

Sometimes a more modular, targeted approach to analysis is more pertinent. For example, collecting log files, event data, and other relevant artefacts and analysing these first, while other items are still being processed, can give a head start to the complete examination. Early findings, such as evidence of how the attacker gained entry and what data was exfiltrated, are often welcomed by C-level staff and regulators sooner rather than later.

Use forensic analysis tools like Autopsy, The Sleuth Kit, or X-Ways Forensics to examine acquired disk images and file systems for evidence. These tools drill down into and display otherwise overlooked system artefacts, recover deleted files, filter files against known hash sets and alert on flagged fingerprints, and allow rapid keyword searching.
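Both the memory-analysis paragraph (exporting DLLs and processes for fingerprinting against a known database, and spotting malware disguised as a system process) and the disk-analysis paragraph above (filtering known hashes and alerting on flagged ones) rest on the same triage step: hash each artefact, drop what matches a known-good set, alert on what matches a known-bad set, and queue the rest for review. The following is an added example and not code from the article or from Volatility, Autopsy or X-Ways. The hash sets are built here from constructed sample bytes so the example runs offline; in practice they would be loaded from an NSRL-style known-good set and a threat-intel known-bad set. The system process name list is a short constructed sample, and the name-similarity check is a simple difflib ratio chosen for illustration.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed "extracted artefacts" (name -> bytes), as a memory dump export or disk carve would yield.
SAMPLE_ARTEFACTS = {
    "ntdll.dll": b"constructed benign module contents",
    "svch0st.exe": b"constructed suspicious module contents",
    "report.docx": b"constructed unknown user document",
}

# Short constructed sample of legitimate Windows binary names used for the look-alike check.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "ntdll.dll"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good and known-bad hash databases, derived from the sample bytes above.
KNOWN_GOOD_SHA256 = {sha256_hex(SAMPLE_ARTEFACTS["ntdll.dll"])}
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLE_ARTEFACTS["svch0st.exe"])}


def classify(data: bytes, good=KNOWN_GOOD_SHA256, bad=KNOWN_BAD_SHA256) -> str:
    """Known-bad takes precedence over known-good; anything else needs an examiner."""
    h = sha256_hex(data)
    if h in bad:
        return "ALERT"
    if h in good:
        return "KNOWN_GOOD"
    return "REVIEW"


def looks_like_system_name(name: str, threshold: float = 0.8) -> bool:
    """True when a name closely resembles, but is not exactly, a legitimate system binary name."""
    lowered = name.lower()
    if lowered in SYSTEM_NAMES:
        return False
    return any(SequenceMatcher(None, lowered, legit).ratio() >= threshold for legit in SYSTEM_NAMES)


def triage_artefacts(artefacts):
    """Map each artefact name to (verdict, sha256, looks_like_system_name)."""
    return {
        name: (classify(data), sha256_hex(data), looks_like_system_name(name))
        for name, data in artefacts.items()
    }


def review_queue(artefacts):
    """Everything that survived known-good filtering: the examiner's actual workload."""
    return sorted(n for n, (verdict, _, _) in triage_artefacts(artefacts).items()
                  if verdict != "KNOWN_GOOD")


if __name__ == "__main__":
    for name, (verdict, digest, lookalike) in triage_artefacts(SAMPLE_ARTEFACTS).items():
        flag = " (system-name look-alike)" if lookalike else ""
        print(f"{verdict:10s} {digest[:16]}...  {name}{flag}")
```

The look-alike check is independent of the hash verdict on purpose: a brand-new variant will not be in any hash set, so a process named like a system binary but hashed as unknown is exactly the case that should reach the review queue.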

Employ malware analysis tools (e.g., IDA Pro, Ghidra) to dissect malicious software and understand its behaviour and capabilities. For example, Ghidra can be used to reverse engineer malware and determine its actions even if it is a brand-new variant. Another technique is to run the variant in a virtual environment and note any changes compared with a clean test image.

NetworkMiner is a favourite for identifying command and control (C2) communications or data exfiltration.


Threat Intelligence

Leverage threat intelligence platforms (e.g., Recorded Future, ThreatConnect) to gather information about the attacker and their tactics, techniques, and indicators. Here Google is our friend: a search for an IP address or hash can sometimes bring up results from intel sites or security forum posts.

Employ open-source intelligence (OSINT) tools like Maltego, Shodan, or SpiderFoot to gather information from public sources and identify potential leads. Dehashed and similar services can indicate whether credentials have been reused and which accounts are high risk, and theHarvester can enumerate subdomain names, virtual hosts, open ports, and email addresses for any company or website.

Reporting and Remediation

An incident response report should detail the actions taken concisely and consistently. The document should be legally admissible and record the items in the case. It should include a concise chronology of the chain of events and list the indicators of compromise. The language should be understandable not just to the IT team at the firm but to executives and legal representatives.
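The chronology asked for above (and the "piecing together the chronology of a breach" in the evidence-collection section) is usually assembled from artefacts that each record time differently: Windows event logs in local time with an offset, connection logs in epoch seconds, file-system entries in UTC. The following is an added example, not code from the article or from any named tool, that normalises those three constructed conventions to UTC and merges them into one sorted timeline; a naive timestamp with no recorded timezone is rejected rather than guessed, since a wrong offset silently reorders the chain of events. All event contents and times are invented for illustration.

```python
from datetime import datetime, timezone

# Constructed events from three artefact sources, each with its own timestamp convention.
EVENT_LOG = [  # Windows-style local time with an explicit UTC offset (constructed)
    ("2024-03-04T09:15:02+01:00", "4624 logon: user jsmith from 10.0.0.5"),
    ("2024-03-04T09:20:40+01:00", "7045 service installed: updsvc"),
]
CONN_LOG = [  # epoch seconds, UTC (constructed)
    (1709540250.0, "10.0.0.5 -> 203.0.113.45:443 (IOC match)"),
]
MFT_ENTRIES = [  # ISO 8601 UTC with Z suffix (constructed)
    ("2024-03-04T08:19:55Z", "C:\\Windows\\Temp\\updsvc.exe created"),
]
SOURCES = {"event_log": EVENT_LOG, "conn_log": CONN_LOG, "mft": MFT_ENTRIES}


def to_utc(value):
    """Normalise an epoch float or an ISO 8601 string with timezone to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = value.replace("Z", "+00:00")
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        # Refuse to guess: the source's timezone must be established before merging.
        raise ValueError("naive timestamp; record the source timezone first: " + value)
    return dt.astimezone(timezone.utc)


def build_timeline(sources):
    """Merge all sources into a single list of (utc_iso, source, description), oldest first."""
    rows = []
    for name, events in sources.items():
        for ts, desc in events:
            rows.append((to_utc(ts), name, desc))
    rows.sort(key=lambda r: r[0])
    return [(t.isoformat(), src, d) for t, src, d in rows]


def indicator_rows(timeline, marker="(IOC match)"):
    """Rows tagged with an indicator of compromise, for the report's IOC list."""
    return [row for row in timeline if marker in row[2]]


if __name__ == "__main__":
    for when, src, desc in build_timeline(SOURCES):
        print(f"{when}  {src:9s}  {desc}")
```

Keeping the source name in each row lets the report show which artefact supports each step of the chain of events, which is what makes the chronology defensible rather than merely plausible.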

IT teams should be aware of the claim in terms of the business interruption (BI)/cyber/property insurance plan, and work with management and legal counsel to plan and execute appropriate remediation measures within a budget, separating pre-loss and improvement measures in the inventory.

Lastly, use vulnerability assessment tools (e.g., Nessus, OpenVAS) to identify and patch security vulnerabilities to prevent future breaches.

Often, changing reused or default passwords, employing multi-factor authentication, disallowing BYOD devices at work, and using proper anti-virus/anti-malware tools that cannot be switched off and are kept up to date can thwart future attacks for a cash-strapped SME.

CCL Forensics

This article was written by Alistair Ewing, who is employed by CCL Solutions Group. For more information on our services, please email [email protected] or call 01789 261200.
