Digital Forensics & Incident Response (DFIR)
Companies are constantly exposed to cybercrime from hackers and attackers who want their data or money. A classic gateway is email with infected attachments or links. End users in particular are often targeted, as they tend to have little training and experience in recognizing an attack as such. Attacks are either aimed at specific people via so-called spear phishing or carried out as large-scale campaigns against a broad base of victims in order to exploit gaps in systems.
“The threat level is high or even increasing,” says Tobias Messinger, Senior Cyber Defense Consultant at the IT security service provider SECUINFRA. The SECUINFRA Falcon team was set up specifically for this reason. “In spring 2021, four serious security gaps in the Microsoft Exchange server became known. When the vulnerabilities were combined, attackers were able to create, modify and delete files on the system. This enabled the actors to gain permanent access to the system, among other things.” The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) therefore classified the problem as very critical. “It is only a matter of time before attackers track down and exploit the next vulnerability,” warns Messinger.
Companies need to fend off these attacks and protect themselves from the loss of sensitive data or damage to their reputation. In the event of an attack, companies should therefore take suitable countermeasures with professional help. The tool of choice is Digital Forensics & Incident Response (DFIR). With it, attacks can be reconstructed, and the vulnerabilities in the IT infrastructure that were exploited can be identified and then closed.
“The so-called Indicators of Compromise (IOC), i.e. those traces that an attacker leaves in the systems, can be discovered and processed using methods of digital forensics,” continues Messinger. “In the event of an incident, the systems across the company are scanned for the identified traces of a compromise. The goal is to identify patient zero. Another possible goal is the Root Cause Analysis (RCA).”
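The company-wide sweep Messinger describes can be illustrated with a small, self-contained script. This is an added example, not SECUINFRA's tooling: it matches a constructed IOC set (a file hash, a domain and an IP address, all placeholder values) against constructed endpoint log lines and collected files, lists the affected hosts, and picks the earliest timestamped hit as the patient-zero candidate. The log format, field names and the `IOCS` structure are assumptions for the example.

```python
import hashlib
import re
from datetime import datetime

# Constructed IOC set. The SHA-256 is that of the constructed sample b"abc" below;
# the domain and IP use reserved documentation names/ranges, not real infrastructure.
IOCS = {
    "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    "domain": {"update-check.example"},
    "ipv4": {"203.0.113.45"},
}

# Constructed endpoint log lines (DNS and outbound connection events) from three hosts.
LOG_LINES = [
    "2024-03-02T01:12:44Z host=ws-017 event=dns query=update-check.example",
    "2024-03-02T01:12:45Z host=ws-017 event=net dst=203.0.113.45:443 proc=outlook.exe",
    "2024-03-02T03:40:10Z host=srv-db1 event=net dst=203.0.113.45:443 proc=svchost.exe",
    "2024-03-02T08:15:02Z host=ws-042 event=dns query=www.example.net",
    "2024-03-02T09:02:31Z host=ws-042 event=net dst=203.0.113.45:443 proc=powershell.exe",
]

# Constructed files collected from hosts: file name -> (host, content bytes).
COLLECTED_FILES = {
    "invoice.pdf.exe": ("ws-017", b"abc"),
    "readme.txt": ("ws-042", b"just a note"),
}

HOST_RE = re.compile(r"host=(\S+)")
DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ts(line):
    """Timestamp is the first token; normalise the trailing Z for older Pythons."""
    return datetime.fromisoformat(line.split(" ", 1)[0].replace("Z", "+00:00"))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_logs(lines, iocs):
    """Return one hit per IOC occurrence in the log lines, with host and timestamp."""
    hits = []
    for line in lines:
        host = HOST_RE.search(line).group(1)
        ts = parse_ts(line)
        for m in DOMAIN_RE.finditer(line):
            if m.group(1).lower() in iocs["domain"]:
                hits.append({"ts": ts, "host": host, "type": "domain", "value": m.group(1)})
        for m in IPV4_RE.finditer(line):
            if m.group(1) in iocs["ipv4"]:
                hits.append({"ts": ts, "host": host, "type": "ipv4", "value": m.group(1)})
    return hits


def scan_files(files, iocs):
    """Hash each collected file and report those whose digest is a known IOC."""
    hits = []
    for name, (host, data) in files.items():
        digest = sha256_hex(data)
        if digest in iocs["sha256"]:
            hits.append({"ts": None, "host": host, "type": "sha256", "value": digest, "file": name})
    return hits


def affected_hosts(hits):
    return sorted({h["host"] for h in hits})


def patient_zero(hits):
    """Earliest timestamped hit; file hits carry no timestamp and are skipped."""
    timed = [h for h in hits if h["ts"] is not None]
    return min(timed, key=lambda h: h["ts"])["host"] if timed else None


if __name__ == "__main__":
    all_hits = scan_logs(LOG_LINES, IOCS) + scan_files(COLLECTED_FILES, IOCS)
    for h in all_hits:
        print(h)
    print("affected hosts:", affected_hosts(all_hits))
    print("patient zero candidate:", patient_zero(all_hits))
```

In a real sweep the IOC set would come from the malware and endpoint analysis, the log lines from a central log store or EDR, and the earliest hit is only a candidate for patient zero until the timeline is confirmed against the other evidence.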
The incident response, another cornerstone of cyber security, covers the entire cycle of incident investigation and resolution and includes recommendations for action based on the findings of digital forensics: What steps are taken next, which data on which systems are affected, do systems need to be isolated, backups restored or the system reinstalled? Reacting quickly and correctly can reduce the damage caused by an attack. The incident response also coordinates all those involved in the affected company and at the IT service provider. “The goal is to reduce the damage as much as possible and restore the ability to work as quickly as possible,” summarizes Leon Hormel, Cyber Defense Consultant in the SECUINFRA Falcon Team.
DFIR: Tools and Procedure
For DFIR, the procedure is always case-dependent: “Since every incident and every system landscape is different, the methodology to be used depends on the attack and the environment,” explains Messinger. The SECUINFRA Falcon team uses a range of established digital forensic tools for this purpose. These can be roughly divided into three areas: In endpoint forensics, devices such as servers, workstations or laptops are analyzed in order to discover traces of attack such as malware, data exfiltration or conspicuous user behavior. Network forensics covers the identification and analysis of traces of attack in network traffic. Finally, malware forensics covers the analysis of (potential) malware to identify IOCs, reconstruct the course of events and assess the extent of the damage.
The forensic analysis follows the six steps of the investigation life cycle: In the identification phase, the forensic experts get an initial overview. This includes interviewing the client and a search for evidence sources. Phase two of the investigation life cycle is the preservation phase, which ensures that the evidence taken and analyzed in the later phases forms a traceable and tamper-proof chain of evidence. In this way, the attack can be precisely tracked. “The chronological documentation of evidence is important in order to be able to claim insurance benefits, counter claims for damages or initiate criminal prosecution,” adds Messinger. Evidence is gathered in the collection phase – this can include hardware such as laptops, telephones and hard drives, but also files such as downloads, log data or recordings of network traffic. In order to draw conclusions from it, the collected evidence is systematically searched and evaluated in the analysis phase. The fifth phase, documentation, is a continuous process throughout the entire digital forensics operation. It ensures traceability – from the acceptance of the case to the reconstruction of the attack. The final phase of the assignment is the presentation phase: The attack is reconstructed as precisely as possible. If necessary, suggestions for improving cyber resilience are submitted in this phase. “The individual phases can be run through several times in order to confirm or refute hypotheses,” explains Hormel.
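The preservation and documentation phases hinge on one mechanism: every item of evidence is hashed when it is collected, and every handling step is recorded in a way that cannot be silently altered afterwards. The script below is an added example, not part of the article or SECUINFRA's process: it keeps a hash-chained chain-of-custody log in which each entry covers the artifact's SHA-256, the action, the handler and the previous entry's hash, so that a modified record or a modified artifact is detected on verification. The evidence IDs, handler names, timestamps and artifact bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only, hash-chained record of who did what with which evidence item."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON of every field except the entry's own hash.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def record(self, evidence_id, artifact, action, handler, ts=None):
        """Append one custody entry; the artifact is hashed at the moment of recording."""
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["entry_hash"] if self.records else GENESIS
        entry = {
            "seq": len(self.records),
            "ts": ts,
            "evidence_id": evidence_id,
            "artifact_sha256": sha256_hex(artifact),
            "action": action,
            "handler": handler,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.records.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True only if every entry is intact and linked to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.records):
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artifact(self, evidence_id, artifact):
        """Check that an artifact still matches the hash recorded at collection time."""
        first = next((e for e in self.records if e["evidence_id"] == evidence_id), None)
        return first is not None and first["artifact_sha256"] == sha256_hex(artifact)


def build_demo_log():
    """Constructed case: an e-mail attachment and an exported event log from one host."""
    attachment = b"%PDF-1.4 constructed attachment bytes"
    evtx = b"constructed exported event log"
    log = CustodyLog()
    log.record("EV-001", attachment, "collected from ws-017 mailbox", "analyst-a",
               "2024-03-02T10:00:00+00:00")
    log.record("EV-002", evtx, "exported Security.evtx from ws-017", "analyst-a",
               "2024-03-02T10:05:00+00:00")
    log.record("EV-001", attachment, "handed over for malware analysis", "analyst-b",
               "2024-03-02T11:30:00+00:00")
    return log, attachment, evtx


if __name__ == "__main__":
    log, attachment, evtx = build_demo_log()
    print("chain intact:", log.verify())
    print("EV-001 unchanged:", log.verify_artifact("EV-001", attachment))
    log.records[1]["handler"] = "someone-else"  # simulate an after-the-fact edit
    print("chain intact after edit:", log.verify())
```

The chain only proves that the log was not altered after the fact relative to its last entry; in practice the latest entry hash is also written to a place the analysts cannot change (a printed worksheet, a write-once store or a signed ticket) so that truncation of the log is detectable as well.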
The analysis usually takes three days. In the worst case, the systems have to be rebuilt; however, it may also be sufficient to carry out updates and patches, change passwords, revise the role concept or use protective measures such as firewalls and EDR tools (Endpoint Detection and Response).
When taking on a case, the analysts usually know from experience what it is about. Each case is different, but patterns often provide clues. It is important that the incident response is initiated quickly: “Since artifacts are sometimes volatile, processing becomes more difficult the further in the past an attack is,” says Hormel. An attack is not always immediately recognizable as such. Data exfiltration in particular is often only noticed late.
DFIR needs flexibility and expertise
Companies of all sizes and in all sectors are affected by attacks. It is possible to clean up a compromised system on your own, but doing so will not uncover how the attack came about, so the attack vector cannot be closed in this way. Lateral movement can also be overlooked if the attacker has embedded himself undetected in neighboring systems and thereby established persistence for future attacks. However, setting up an in-house incident response team is time-consuming and resource-intensive, which is why specialized partners are available to companies.
Messinger summarizes: “A DFIR team needs flexibility: Attacks often occur at night outside of regular working hours. It is precisely then that it is important to be able to provide support quickly.” Cyber defense experts also need analytical skills as well as extensive IT security and IT knowledge. They have to stay on the ball. Another challenge is to keep the big picture in view and not get bogged down in details. Open communication is important on the company side: DFIR needs trust on both sides.
DFIR enables cyber attacks and IT security incidents to be investigated promptly and completely. A DFIR team identifies, analyzes and documents the digital artifacts, supports the incident response and gives recommendations to improve cyber resilience. The company gains clarity about the extent of the damage and can take countermeasures.