The Lifecycle of Incident Forensics

Did anything highlight the need for companies to engage in crisis preparation as acutely as the ongoing coronavirus pandemic? We doubt it. With many companies switching to a remote working model, something that is here to stay, their incident forensics must be on point if they are to adapt to this new normal. What does this mean? Addressing the new risks that come with it.

Your enterprise may truly be in crisis if it suffers from a major cybersecurity incident. Therefore, forward-thinking enterprises must be prepared in advance, and understanding the lifecycle of incident forensics is the best place to start.

1. Evidence of initial compromise

Perhaps an RDP brute-force attack hit a server, in which case the event logs are the place to look for useful information; or the host may have been compromised during lateral movement using harvested credentials or PsExec. Perhaps a new APT crafted a spear-phishing email (possibly a very convincing one), in which case the documents the user recently opened are worth reviewing. Or perhaps it was a drive-by download, in which case the user's web-browsing activity may offer you a fair bit of information.

2. Evidence of execution

Nowadays, evidence of execution is not hard to find. There are newer artifacts like Windows Timeline and BAM/DAM, and older ones like UserAssist and Prefetch files. Evidence that malware ran may not be the only thing you are looking for: you may also want to identify the software an adversary used, for instance for data exfiltration, lateral movement, or reconnaissance.

3. Evidence of achieving persistence

Have you ever looked at the MITRE ATT&CK framework? If so, you know that threat actors use innumerable persistence mechanisms, anything from startup folders and run keys to WMI.
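As an added example (not code from the original article), the script below triages autostart entries collected from the three persistence locations just mentioned: Run keys, Startup folders and WMI event consumers. The entries, the heuristics and the directory list are the author's own constructions; real entries would come from the registry hives, the Startup folders and the root\subscription WMI namespace, or from an Autoruns export, which carries the same two fields.

```python
"""Triage Windows autostart entries from the usual persistence locations
(Run/RunOnce keys, Startup folders, WMI event consumers).

Added example, not part of the original article. The entries below are
constructed; in practice you would collect them from the registry hives,
the Startup folders and the root\\subscription WMI namespace.
"""
import re

# Directories a normal user can write to. A legitimate entry running from
# here is not impossible (OneDrive does it), so this is a triage hint to
# baseline against the environment, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Signed system binaries commonly used from autostart to launch scripts/DLLs.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
_IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|vbs|js|ps1|hta))(?=\s|$)", re.I)


def image_path(command: str) -> str:
    """Return the launched image from an autostart command line.

    Handles quoted paths and unquoted paths that contain spaces; falls back
    to the first token when no recognised extension is found."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _IMAGE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(entry: dict) -> dict:
    """Apply simple heuristics to one {location, command} autostart entry."""
    cmd = entry["command"].strip()
    exe = image_path(cmd)
    base = exe.lower().rsplit("\\", 1)[-1]
    reasons = []
    if any(d in cmd.lower() for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    if base in SCRIPT_HOSTS:
        reasons.append("launches via a script host or trusted system binary")
    if re.search(r"-(enc|encodedcommand)\b", cmd, re.I):
        reasons.append("encoded PowerShell command line")
    if entry["location"].lower().startswith("wmi:"):
        reasons.append("WMI event subscription (rarely used by legitimate software)")
    if " " in exe and not cmd.startswith('"'):
        reasons.append("unquoted path containing spaces")
    return {"location": entry["location"], "image": exe,
            "suspicious": bool(reasons), "reasons": reasons}


# ---- constructed sample entries (user "alice" and all paths are made up) --
SAMPLE_ENTRIES = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "command": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd\x.dll,Start"},
    {"location": r"Startup folder: C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                 r"\Start Menu\Programs\Startup\report.lnk",
     "command": r"C:\Users\Public\sync.bat"},
    {"location": r"WMI: root\subscription CommandLineEventConsumer 'SCM Event Log Consumer'",
     "command": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # placeholder blob
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "command": r"C:\Program Files\Vendor Tool\agent.exe -service"},
]

if __name__ == "__main__":
    for result in (triage(e) for e in SAMPLE_ENTRIES):
        if result["suspicious"]:
            print(result["location"], "->", result["image"], ";", "; ".join(result["reasons"]))
```

The OneDrive entry shows why the output is a worklist rather than an alert: it is flagged for running from AppData, and the analyst clears it by comparing against a known-good baseline. The unquoted-path check on the last entry is a hardening finding as much as a persistence one, since an unquoted path with spaces can be hijacked by planting a binary earlier in the path.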

4. Evidence of lateral movement

In the majority of cases, adversaries complete the initial compromise and then move laterally through the network. Why? Because compromising the final target directly is almost impossible. For example, if a money-hungry APT wants to steal quite a few dollars from a bank, it will gain access to a regular user's computer through spear-phishing, then elevate privileges and move laterally through the network to find the main target. If you want to look for evidence of WMI, PsExec, network shares, RDP, and so on, go through the file system, registry, and event logs.
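Both the RDP brute force mentioned under the initial-compromise step and the RDP evidence mentioned here live in the Security event log, so one added example serves both passages. It is not code from the original article: it runs a simple burst detector over constructed records that carry the fields of Security events 4624 (logon succeeded) and 4625 (logon failed), and reports the account whose RDP logon succeeded right after a burst of failures from the same address. The IP addresses, account names and timestamps are made up.

```python
"""Spot RDP brute-force activity in Windows Security log records.

Added example, not part of the original article. The records below are
constructed and carry the fields of Security events 4624 (logon succeeded)
and 4625 (logon failed); LogonType 10 is RemoteInteractive, i.e. RDP.
On a real case the same fields come out of Security.evtx (python-evtx,
wevtutil or an EDR export) and can be fed to find_bruteforce() unchanged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # RDP session


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%d %H:%M:%S")


def _first_burst(failures: list, threshold: int, window: timedelta):
    """Return the first run of >= threshold failures that fits in `window`."""
    for i, start in enumerate(failures):
        in_window = [f for f in failures[i:] if _ts(f) - _ts(start) <= window]
        if len(in_window) >= threshold:
            return in_window
    return None


def find_bruteforce(events: list, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> list:
    """One finding per source IP with a burst of failed logons, plus any RDP
    logon that succeeded from that IP after the burst (the account to treat
    as compromised). Failures are counted regardless of their LogonType,
    because with NLA enabled failed RDP attempts are often logged as type 3."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["IpAddress"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        burst = _first_burst([e for e in evs if e["EventID"] == FAILED_LOGON],
                             threshold, window)
        if burst is None:
            continue
        burst_end = _ts(burst[-1])
        successes = [e for e in evs
                     if e["EventID"] == SUCCESSFUL_LOGON
                     and e["LogonType"] == REMOTE_INTERACTIVE
                     and _ts(e) >= burst_end]
        findings.append({
            "source_ip": ip,
            "failed_attempts": len(burst),
            "accounts_tried": sorted({f["TargetUserName"] for f in burst}),
            "first_failure": burst[0]["TimeCreated"],
            "last_failure": burst[-1]["TimeCreated"],
            "rdp_success_after_burst": [e["TargetUserName"] for e in successes],
        })
    return findings


# ---- constructed sample records (addresses, names and times are made up) --
def _ev(ts, event_id, logon_type, user, ip):
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


SAMPLE_EVENTS = [
    # normal activity: one mistyped password, then a network logon from a workstation
    _ev("2020-06-15 08:55:00", 4625, 3, "alice", "192.168.1.20"),
    _ev("2020-06-15 08:55:20", 4624, 3, "alice", "192.168.1.20"),
    # six failures in 75 seconds from one external address, cycling through accounts
    _ev("2020-06-15 09:01:00", 4625, 10, "administrator", "203.0.113.7"),
    _ev("2020-06-15 09:01:15", 4625, 10, "admin", "203.0.113.7"),
    _ev("2020-06-15 09:01:30", 4625, 10, "admin", "203.0.113.7"),
    _ev("2020-06-15 09:01:45", 4625, 10, "svc_backup", "203.0.113.7"),
    _ev("2020-06-15 09:02:00", 4625, 10, "admin", "203.0.113.7"),
    _ev("2020-06-15 09:02:15", 4625, 10, "admin", "203.0.113.7"),
    # followed by a successful RDP logon from the same address
    _ev("2020-06-15 09:02:40", 4624, 10, "admin", "203.0.113.7"),
]

if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The single failed logon from the workstation does not reach the threshold and is ignored, while the external address produces one finding naming "admin" as the account that logged in over RDP once the burst stopped. From there the same 4624 records, filtered for LogonType 3 and 10 with "admin" as TargetUserName on other hosts, give the lateral-movement trail described above.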

5. Evidence of actions on objectives

During this phase, you will come across a lot of evidence. For instance, 9 out of 10 times Cobalt Gang will create a Support452 account, so you can analyze its NTUSER.DAT and find out that it was used for reconnaissance and lateral movement. You may discover evidence that a network scanner was executed on a host where it does not usually run. Or the whole case may begin with finding ZIP archives containing the contents of the My Documents folder in unfamiliar places.

Eclipse Forensics’ cyber forensic expert helps you neutralize threats with cutting-edge, intelligent solutions

Fast investigation and early detection are crucial when it comes to dealing with threats and keeping attackers at bay. However, a lack of visibility, inadequate information, and an overwhelming number of alerts may keep you from achieving these goals. This is where Eclipse Forensics' digital forensic consultant can help!

Contact our digital forensic engineer now!