Organizations face ongoing cybercrime from hackers and attackers targeting their data or money. Emails with infected attachments or links are a classic gateway. End users in particular are often targeted by attackers, as they tend to have little training and experience in recognizing attacks as such. Attacks are mostly targeted via so-called spear phishing or are run as large-scale campaigns across the board to exploit gaps in systems.
“The threat level is high or even increasing,” says Tobias Messinger, Senior Cyber Defense Consultant at IT security service provider SECUINFRA. The SECUINFRA Falcon team was set up specifically for this reason. “In spring 2021, four serious security vulnerabilities in the Microsoft Exchange server became known. With a combination of the vulnerabilities, it was possible for attackers to create, modify as well as delete files on the system. This allowed the actors to gain permanent access on the system, among other things.” The German Federal Office for Information Security (BSI) therefore classified the problem as highly critical. “It is only a matter of time before attackers track down and exploit the next gap,” warns Messinger.
Companies need to fend off these attacks and protect themselves against the loss of sensitive data or damage to their reputation. In the event of an attack, companies should therefore take appropriate countermeasures with professional help. The tool of choice is Digital Forensics & Incident Response (DFIR). This allows attacks to be reconstructed, the exploited vulnerabilities in the IT infrastructure to be identified and subsequently closed.
“The so-called Indicators of Compromise (IOC), i.e. those traces that an attacker leaves in the systems, can be discovered and processed using digital forensics methods,” Messinger continues. “When an incident occurs, systems across the enterprise are scanned for identified traces of compromise. The goal is to identify the patient zero. Another possible goal is root-cause analysis (RCA).”
Incident response, another cornerstone of cyber security, covers the full cycle of incident investigation and remediation and includes recommended actions based on digital forensics findings: What steps are taken next, what data from what system is affected, do systems need to be isolated, backups restored, or the system reinstalled? If responded to quickly and correctly, this can contain the damage of an attack. Incident response also manages all parties involved in the affected company and the IT service provider. “The goal is to reduce the damage as much as possible and restore the ability to work as quickly as possible,” summarizes Leon Hormel, Cyber Defense Consultant in the SECUINFRA Falcon Team.
DFIR: The tools and the approach
For DFIR, the approach is always case-dependent: “Since every incident and every system landscape is different, the methodology to be applied depends on the attack and the environment,” Messinger explains. For example, the SECUINFRA Falcon team uses a range of established digital forensics tools. This can be roughly divided into three parts: Endpoint Forensics analyzes devices such as servers, workstations or laptops to detect traces of attacks such as malware, data exfiltration or conspicuous user behavior. Network Forensics includes the identification and analysis of attack traces based on network traffic. Finally, Malware Forensics includes the analysis of (potential) malware to identify IOC, the reconstruction of the attack process, and the assessment of the extent of damage.
The forensic analysis follows the six steps of the Investigation Life Cycle: In the Identification phase, the forensic experts obtain an initial overview. This includes interviewing the client and conducting a source search. Phase two of the Investigation Life Cycle is the Preservation phase, which ensures that evidence taken and analyzed in later phases forms a traceable chain of evidence that cannot be tampered with. This allows the attack to be accurately tracked. “The chronological documentation of evidence is important for claiming insurance benefits as well as countering damage claims or initiating criminal prosecution,” Messinger adds. In the collection phase, evidence is gathered – it can be hardware such as laptops, phones and hard drives, for example, but also files such as downloads, log data or recordings of network traffic. In order to draw conclusions, collected evidence is systematically sifted through and evaluated in the Analysis phase. The actual fifth phase, Documentation, is a continuous process throughout the entire Digital Forensics deployment. It ensures traceability – from the recording of the case to the reconstruction of the attack. The final phase of the assignment is the presentation phase: the attack is reconstructed as accurately as possible. If necessary, suggestions for improvement to strengthen cyber resilience are made in this phase. “The individual phases can be run through several times to confirm or refute hypotheses,” Hormel explains.
The analysis typically spans three days. In the worst case, systems must be rebuilt; however, it may be sufficient to run updates and patches, change passwords, revise the role concept or deploy protective measures such as firewalls and endpoint detection and response (EDR) tools.
Analysts usually know from experience what the case is about when they take it on. While every case is different, patterns often provide clues. It’s important to initiate incident response quickly. “Because artifacts are sometimes volatile, the further in the past an attack is, the more difficult it becomes to work through,” Hormel says. An attack is not always immediately recognizable as such. Data leakage, in particular, is often noticed late in the process.
DFIR needs flexibility and expertise
Companies of all sizes and industries are affected by attacks. It is possible to clean up a compromised system on your own. However, this does not clarify how the attack came about; the attack vector cannot be closed in this way. Lateral movement can also be overlooked, if the attacker has nested undetected in neighboring systems, thereby creating persistence for future attacks. However, setting up a company’s own internal incident response team is time-consuming and resource-intensive, which is why companies have specialized partners at their disposal.
Messinger summarizes: “A DFIR team needs flexibility: Attacks often occur at night outside regular working hours. Especially then, it’s important to be able to provide support quickly.” Cyber defense experts also need analytical skills and a broad IT security and IT knowledge. They need to be on the ball. Another challenge is to keep an eye on the big picture and not get bogged down in details. Open communication is important on the company side: DFIR requires trust on both sides.
DFIR allows cyberattacks and IT security incidents to be resolved promptly and completely. A DFIR team identifies, analyzes and documents digital artifacts, assists with incident response and makes recommendations to improve cyber resilience. The company gains clarity on the extent of the damage and can take countermeasures.
For the detection of cyber attacks, SECUINFRA primarily relies on Security Information & Event Management (SIEM) with which it is possible to combine security-relevant events from a wide variety of sources in order to analyze them automatically and in near real time. In addition, SECUINFRA successfully applies Digital Forensics and Incident Response (DFIR) methods and increases the cyber resilience of its customers with Compromise Assessments.