In the event of a successful cyber attack, you need the optimal interaction of three sub-disciplines of IT security: incident response, compromise assessment and digital forensics. This article explains what these three approaches do and how they build on each other.
Incident Response: Good preparation is essential for survival!
As one of the cornerstones of cybersecurity, Incident Response aims to ensure a timely and appropriate response to IT security incidents, so that the company is protected against the loss of sensitive data and against reputational damage that could threaten its existence. Incident Response is not a tool; it is the process that ensures a company responds optimally to an IT security incident that has occurred, using predefined actions and instructions.
As an essential cornerstone of cybersecurity, incident response covers the full cycle of incident investigation and remediation, initially addressing issues such as what steps to take next and whether systems need to be isolated, backups restored, or the system reinstalled.
A quick and correct response can contain the damage of an attack. Incident Management, as part of Incident Response, also coordinates all involved parties of the affected company and the IT service provider.
To ensure a sustainable Incident Response, SECUINFRA Cyber Defense experts recommend following a 6-step plan:
- Preparation: This phase includes all the necessary steps that should be taken to make the work on an Incident as efficient as possible. With targeted workshops, employees and decision-makers of a company are optimally prepared for possible IT security incidents.
- Identification: Identifying Indicators of Compromise (IOCs) as quickly and comprehensively as possible is the key point of the second phase. Ideally, a Compromise Assessment is used at this point, which is discussed in more detail in the following section.
- Containment: Detected attackers are immediately isolated so that the damage is kept to a minimum. Several steps are needed here to fully contain the incident while preventing the destruction of evidence that may be needed for law enforcement.
- Eradication: The goal of eradication is to remove malware or other artifacts introduced by the attacks from the enterprise in a coordinated and targeted manner and to fully recover all affected assets. At the same time, the risk of the attacker returning is reduced.
- Recovery: The aim of recovery is to restore all systems to full functionality after ensuring that they are clean and the threat has been eliminated. This is the only way that business operations can continue promptly and without impairment after an IT security incident.
- Lessons learned: By reviewing the incident and the response to it as soon as possible after the fact, incident response processes are optimized and the cyber resilience of the company is increased.
Compromise Assessment: Uncovering traces of attackers and assessing the extent of the attack
After the Incident Response Team has collected basic information about the IT security incident in the Identification Phase, the second step is to locate all affected systems and determine the exact extent of the cyber attack. This is where the Compromise Assessment comes in. The goal of the Compromise Assessment is to obtain a comprehensive picture of the extent to which the company has been compromised as quickly and efficiently as possible. Thus, the Compromise Assessment forms the basis of all subsequent Incident Response measures and ensures that all compromised systems are identified. These are then separated from non-compromised systems during the containment phase.
This means that systems must be scanned and evaluated; the scanner used only detects potentially critical events and does not intervene or take active action against them.
Various sources (files, the Windows registry, SHIMCache, Amcache, running processes, event logs, etc.) on a system are used and checked against a database of IOCs (Indicators of Compromise). If there are hits, the scanner used generates a corresponding event and the analyst must evaluate this and decide whether or not action is required.
The attack traces (IOCs) thus uncovered – which are inevitably left behind by attackers – add up to a very detailed picture of the extent of the cyberattack.
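The scanning step described above, as an added example that is not SECUINFRA's code or tooling: artifacts collected from several sources (files, Amcache, running processes, the registry) are checked against an IOC database, and every hit becomes an event marked for analyst review rather than an automatic action. The IOC values, hosts and artifacts are constructed placeholders.

```python
import re

# Constructed IOC database for this example (placeholder values, not real indicators).
IOC_DB = {
    "sha256": {"aa" * 32},                                   # known-bad file hash
    "process": {"svch0st.exe"},                              # look-alike process name
    "path": [re.compile(r"\\Users\\Public\\.*\.(scr|dll)$", re.I)],
    "registry": [re.compile(r"powershell.*-enc\b", re.I)],   # encoded command in a Run key
}

# Constructed artifacts, shaped like what a scanner collects from files, Amcache,
# running processes and the registry on two hosts.
ARTIFACTS = [
    {"source": "file", "host": "ws01", "key": r"C:\Users\Public\update.scr", "sha256": "aa" * 32},
    {"source": "amcache", "host": "ws01", "key": r"C:\Users\Public\loader.dll", "sha256": "bb" * 32},
    {"source": "process", "host": "srv02", "key": "svch0st.exe", "sha256": "cc" * 32},
    {"source": "registry", "host": "srv02", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": "powershell -nop -w hidden -enc AAAA"},
    {"source": "process", "host": "srv02", "key": "explorer.exe", "sha256": "dd" * 32},
]

def scan(artifacts: list, ioc_db: dict) -> list:
    """Check every artifact against the IOC database and emit one event per hit.
    The scanner only observes: it never kills processes or deletes files;
    each event is handed to an analyst who decides whether action is required."""
    events = []
    for a in artifacts:
        hits = []
        if a.get("sha256") in ioc_db["sha256"]:
            hits.append(("sha256", a["sha256"]))
        if a["source"] == "process" and a["key"].lower() in ioc_db["process"]:
            hits.append(("process", a["key"]))
        if a["source"] in ("file", "amcache"):
            hits += [("path", rx.pattern) for rx in ioc_db["path"] if rx.search(a["key"])]
        if a["source"] == "registry":
            hits += [("registry", rx.pattern) for rx in ioc_db["registry"] if rx.search(a.get("value", ""))]
        for ioc_type, ioc in hits:
            events.append({"host": a["host"], "source": a["source"], "artifact": a["key"],
                           "ioc_type": ioc_type, "ioc": ioc, "status": "needs_analyst_review"})
    return events

def affected_hosts(events: list) -> list:
    """Hosts with at least one hit: the candidate list for the containment phase."""
    return sorted({e["host"] for e in events})
```

Running `scan(ARTIFACTS, IOC_DB)` yields five events across both hosts; the benign `explorer.exe` process produces none, and the host list from `affected_hosts` is what feeds the containment phase.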
Digital forensics: Reconstruct the course of events, learn from your own mistakes and increase cyber resilience
Once compromised systems have been identified, the detailed analysis starts with the help of forensic tools and techniques. It should be noted that not every system needs to be analyzed in detail, but only those relevant to clarifying the course of events. Otherwise, the costs of a DFIR deployment will quickly get out of hand and the analysis will drag on for months.
Since every incident and every system landscape is different, the methodology to be applied depends on the attack and the environment. For example, the SECUINFRA Falcon team uses a range of established digital forensics tools and techniques. These can be roughly divided into three parts:
- Endpoint Forensics involves analyzing devices such as servers, workstations or laptops to detect traces of attacks such as malware, data exfiltration or conspicuous user behavior.
- Network Forensics includes the identification and analysis of attack traces based on network traffic with the same goal as Endpoint Forensics.
- Finally, Malware Analysis includes the analysis of potential malware to understand how it works and to draw conclusions about the creator of the malware and the attacker’s infrastructure. These findings are used to identify further Indicators of Compromise (IoCs).
The goal of digital forensics is the detailed analysis of the attack in order to be able to reconstruct the exact course of events.
To this end, the following questions are answered step by step:
- Which communication channels did the attacker use?
- Did the attacker gain persistence, and if so, where and how?
- How was the attacker able to spread throughout the company?
- What lateral movement techniques did they use?
- Which accounts have been compromised?
- Which system is patient zero?
- How did the initial compromise occur?
To answer these and other questions, the digital forensics experts meticulously collect traces related to the cyber attack. On the one hand, the collected traces serve as evidence in criminal prosecution and for enforcing claims for damages against insurance companies; on the other hand, they can be used to identify errors in the company’s own security architecture.
If these errors are evaluated during the lessons learned phase and the right measures are derived from them, the company’s cyber resilience increases as a result: the probability of becoming a victim of a cyber attack again decreases. If this does not happen, you should keep the incident response team in-house right away, because the next successful cyber attack will not be long in coming!
Cyber criminals resort to powerful, preconfigured and easy-to-use tools, unerringly track down even the smallest security gap or infiltrate companies directly by means of phishing. So, unfortunately, the worst-case scenario is only a matter of time. This makes it all the more important to be optimally prepared in order to be able to take all the necessary steps quickly, efficiently and in a targeted manner in the event of an acute cyber attack – and to avert serious damage to the company. After a successful cyber attack, the right response measures must be executed promptly. With the combination of Incident Response, Compromise Assessment and Digital Forensics, the extent of the IT security incident can be quickly determined, the damage limited and the company’s cyber resilience increased in the aftermath.
Would you like to be optimally prepared for the worst case scenario and have a team of proven cyber defense experts at your side – even 24/7 if desired? Contact us – we will be happy to advise you!