Inside the world of cyber incident investigations

Investigation of information security incidents is the last stage of enterprise protection and one of its most important parts, helping to minimize the damage caused by hackers and build defenses to prevent future incidents. The investigation assists in evaluating the security of the company's IT infrastructure and in formulating recommendations for its enhancement.

Incident investigation is a crucial component of any enterprise's information security framework. Merely monitoring the work of the security tools is not enough, as security incidents are happening all the time. Without a proper response to these incidents, the enterprise, in effect, lacks adequate information security protection.

At first glance, investigating information security incidents may seem straightforward: gather data about the company's IT systems, analyze the deviations, and fix the issue. However, numerous uncertainties lurk beneath this seemingly simple procedure.

An incident is not always limited to a problem in the infrastructure's operation. It could also involve the leakage of confidential information or the appearance of various cyber-attack artifacts, such as virus infections, fraud, sabotage, and more.

Frequently, external teams are brought in to conduct investigations. This is because companies typically lack in-house specialists with the appropriate expertise. The information security team handles the first line of defense, while the last line involves a more complex process that requires professional qualifications. As a result, these responsibilities are often outsourced to specialized firms.

When is an investigation necessary?

Not all incidents encountered by a company's IT or information security services lead to a full-scale investigation. For instance, DDoS attacks typically do not require an in-depth investigation. However, this does not imply that no action should be taken in the event of a DDoS attack. It is always beneficial to understand how to mitigate risks and take the necessary steps to prepare for subsequent DDoS attacks, minimizing damage from future cases.

Lately, many companies have been increasingly seeking assistance from specialists to investigate incidents involving ransomware. Their primary concern is the possibility of decrypting data. However, they should also be concerned about how the system was breached in the first place.

It is fundamentally wrong to abruptly stop an investigation if a verdict is issued that the encrypted data cannot be recovered. Understanding how the hack occurred is essential, as various factors could be responsible: phishing, software vulnerabilities, weak passwords, malicious insiders, etc.

It is logical to start data recovery after the exploited vulnerability has been fully addressed since the attacker may still have access to the infrastructure resources and could continue the attack. The primary objective of any ongoing investigation is to prevent the attacking hacker from maintaining control over the infrastructure. If the business has come to a halt after the attack, the issue of data decryption can only be addressed after a few days. Initially, several supplementary tasks must be completed, such as locating the "body" of the encryption software, etc.

False positives are a common occurrence in company infrastructures. This can happen when different administrators have their own "file dumps," where sometimes a file infected with a virus might accidentally end up. Although the antivirus software may detect it, there is usually no follow-up to such incidents as they are often random occurrences.

Ideally, investigations should be conducted without any limitation on the types of incidents. The way each hard drive fills up is unique: sometimes data can no longer be retrieved even two days after an alert is received, while in other cases relevant data may still be found on the drive for an incident that happened a year and a half ago or even earlier. In short, there is always a possibility of discovering valuable information.

At the same time, when initiating an investigation, it is important to consider each case individually. Sometimes the cost of investigating can be higher than the cost of the actual damage caused by the incident being investigated.

Classic investigation scenario

For companies, the top priority is not necessarily to identify and punish the culprit but rather to restore the normal functioning of their business systems. In reality, the sequence of events often goes like this: a hack is discovered on Monday. Over the course of the week, the company's information security team works to neutralize the threat. Friday is usually the day for debriefing, where it is determined that despite all the efforts, they could not resolve the issue. It is at this point that they typically turn to professional investigators for further assistance.

The classic investigation scenario can be represented as cycles of data collection and analysis. Each new iteration gives a more precise understanding of where to look next and how to proceed.

It is hard to determine the duration of the investigation in advance. The investigation itself can be completed in a day or two, after which the group of investigators issues a report outlining the problems found while studying the attacked system. Detailed analysis and final report preparation may take two weeks or a month.

How should one react when signs of an attack are immediately visible?

Situations can vary significantly. In some cases, such as when ransomware strikes, it might be helpful to shut down computers. In other scenarios, it is better to leave everything as is and avoid restarting or shutting down the server or computer. There are no one-size-fits-all guidelines. The key is to avoid making hasty decisions. Ideally, promptly contact investigators and refrain from making any changes.

Haphazard actions can only aggravate the situation; even running an antivirus scan at this point could make matters worse. If a company faces ransomware or other destructive malware, the initial course of action should be to isolate the malware and prevent its spread. This can be done by promptly disconnecting the affected devices from the network and detaching any external storage devices.

Hacking motives can vary, and if the attackers intend to install cryptocurrency mining tools, the company's response should be tailored accordingly. In such a scenario, it might be beneficial to adopt a counterintuitive approach and even weaken the defenses, allowing the attacking side to expose their methods. Investigators called in to help will be able to repel the attack professionally.

No incident should be viewed as a local event. This approach might have been acceptable 15 years ago, but today, security entails preserving the overall health of the entire ecosystem.

Preparing for an investigation

Unfortunately, preparations for investigations are often either absent or done spontaneously. It is crucial to plan this process carefully. It is essential to proactively document the standard configuration of the company's information flows and network structure and maintain up-to-date software, hardware, and user account records.

In many companies, this information is not readily available. This is because different departments may each have their own separate systems, and there may even be competition between the IT and IS departments. Although they eventually work together to recover the necessary information, this can take up valuable time during the investigation.

The first piece of advice is to clearly define the roles and establish communication channels between the IT and information security departments. Although their interests may sometimes seem to conflict, the IT department has technical knowledge of how the company's infrastructure is set up, while the information security department has a better understanding of the context in which IT assets need to be used. During an investigation, it is important for both parties to recognize the possibility of incident propagation and to work together harmoniously to address it during critical moments.

Installed protections

Many companies have several types of security software installed, but just having it installed does not always mean there is actual protection in place. It is unacceptable when customers disable certain functions of their security tools, for example turning off event logging because "there are just too many logs being created." Logging is a crucial factor and always important, so proper log collection and management should be established.

You can collect and store logs from various sources such as antivirus, firewalls, and other protection tools for up to 90 days. This period should be sufficient to provide the necessary information for an appropriate response to incidents and investigations.

From an investigator's perspective, the first requirement is DNS logs, which allow them to identify any external communications made from the corporate resource where the alert was triggered. The second requirement is access control, and the third is the ability to centrally launch protection tools, such as scripts. Although admins may not like the last feature, its absence can significantly complicate the task of responding quickly to an incident.
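As an added example (not from the article), here is a small Python parser over constructed BIND-style DNS query-log lines that answers the investigator's first question: which external names did the alerting host resolve around the time of the alert, how often, and which record types were requested. The log layout, the alerting host 10.20.30.40, the internal zone corp.example and every name in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a BIND-style query-log layout (not real data): the alert
# fired on host 10.20.30.40, and corp.example is assumed to be the internal zone.
SAMPLE_DNS_LOG = """\
02-Mar-2024 10:15:03.211 client 10.20.30.40#51234: query: fileshare.corp.example IN A + (10.0.0.53)
02-Mar-2024 10:15:07.502 client 10.20.30.40#51240: query: updates.vendor-cdn.example IN A + (10.0.0.53)
02-Mar-2024 10:16:41.019 client 10.20.30.41#49001: query: mail.corp.example IN MX + (10.0.0.53)
02-Mar-2024 10:17:12.880 client 10.20.30.40#51260: query: a8f3.paste-host.example IN A + (10.0.0.53)
02-Mar-2024 10:17:12.990 client 10.20.30.40#51261: query: a8f3.paste-host.example IN TXT + (10.0.0.53)
02-Mar-2024 11:02:55.004 client 10.20.30.40#51300: query: updates.vendor-cdn.example IN A + (10.0.0.53)
03-Mar-2024 23:59:00.000 client 10.20.30.40#51400: query: late.other.example IN A + (10.0.0.53)
"""
ALERT_HOST = "10.20.30.40"                    # constructed: host the alert came from
ALERT_TIME = datetime(2024, 3, 2, 10, 30)     # constructed: when the alert fired
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
INTERNAL_ZONES = ("corp.example",)

def parse_dns_log(text):
    """Yield one record per parsable query line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                   "client": m["ip"], "name": m["name"].rstrip(".").lower(),
                   "qtype": m["qtype"]}

def is_external(name):
    """True unless the name lies inside one of the internal zones."""
    return not any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)

def external_contacts(text, alert_host, alert_time, window_hours=24):
    """Summarise the external names the alerting host resolved within
    +/- window_hours of the alert: first/last seen, count and record types."""
    lo, hi = alert_time - timedelta(hours=window_hours), alert_time + timedelta(hours=window_hours)
    seen = defaultdict(lambda: {"first": None, "last": None, "count": 0, "qtypes": set()})
    for rec in parse_dns_log(text):
        if rec["client"] != alert_host or not lo <= rec["ts"] <= hi or not is_external(rec["name"]):
            continue
        e = seen[rec["name"]]
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
        e["count"] += 1
        e["qtypes"].add(rec["qtype"])
    return dict(seen)
```

Calling `external_contacts(SAMPLE_DNS_LOG, ALERT_HOST, ALERT_TIME)` leaves only the two external names the alerting host resolved inside the window; the internal share, the other host's mail lookup and the out-of-window query are all filtered out.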

Legal considerations

Restoring the regular operation of the affected systems is not the only objective set by the customer. The company may choose to involve law enforcement agencies and take the case to court.

This can make the incident publicized, as judicial information is open. This can create reputational risks for the company, and some firms may prefer to keep information about incidents confidential.

If an external team of investigators is needed, a damage assessment should already be in place. However, this can be challenging until there is a complete understanding of what exactly happened.

If the company's management decides to take the case to court, this decision should be made early on. In this situation, it is best not to make any changes to the infrastructure and immediately seek advice from a law firm. They can provide consulting services and suggest the appropriate course of action.

One of the challenges is ensuring proper control and documentation of the process of copying, deleting, or overwriting data. If evidence collection is not done correctly or there are procedural violations, the court may reject using that data in the proceedings. This could significantly impact the outcome of the case.
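As an added illustration of the documented-copying point above (not from the article), here is a minimal Python acquisition manifest: every copy is hashed and recorded at collection time, and any later working copy is verified against that record, so an altered copy is caught before it reaches a report. The file names, the collector name and the sample log line are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(path, collector, note=""):
    """Manifest entry written at the moment of copying: what, who, when, and the hash."""
    return {"artifact": os.path.basename(path), "size": os.path.getsize(path),
            "sha256": sha256_file(path), "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "note": note}

def verify_against_manifest(path, entry):
    """Re-hash a working copy; False means it no longer matches what was acquired."""
    return os.path.getsize(path) == entry["size"] and sha256_file(path) == entry["sha256"]

def demo():
    """Constructed scenario: one acquired log file, a faithful copy, and an edited copy."""
    sample = b"Mar  2 10:17:12 host sshd[412]: Accepted password for admin from 10.20.30.40\n"
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "auth.log")
        with open(src, "wb") as f:
            f.write(sample)
        entry = record_acquisition(src, collector="analyst-1 (hypothetical)",
                                   note="copied from host WS-17 (constructed)")
        good, bad = os.path.join(d, "auth.log.copy"), os.path.join(d, "auth.log.edited")
        with open(good, "wb") as f:
            f.write(sample)
        with open(bad, "wb") as f:
            # Same length, different bytes: only the hash reveals the change.
            f.write(sample.replace(b"10.20.30.40", b"10.20.30.99"))
        return entry, verify_against_manifest(good, entry), verify_against_manifest(bad, entry)
```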

Responsibility of investigators

Maintaining the confidentiality of information accessed by investigators is an extremely sensitive issue, and investigators are fully aware of this. They understand that if a company experiences a data leak, it can result in the collapse of their business and legal consequences. As such, investigators would never intentionally cause such harm.

The situation regarding investigators' access to corporate data is not as critical as it may initially appear. Investigators collect only selective data that is necessary for the investigation. This typically includes lists of users who have logged in, programs that have been launched, and when they were launched. Collecting this information does not typically involve truly sensitive information that the customer is worried about being leaked.

Investigators do not collect email addresses or email messages, and they do not need the contents of documents. They do not collect information commonly found on the black market in the form of data leaks.

It is important to note that all information gathered during investigations is securely stored in compliance with strict security protocols. After a specified period, the data is then deleted.

There might also be worries that investigators could potentially share information about incidents with others. The company running the investigation is not obligated to provide information about the incidents under investigation to other parties, including the police. It is up to the victims themselves to report such incidents.

Furthermore, investigators' actions are not aimed at undermining information security departments. It is inappropriate to dismiss security personnel after incidents they may have overlooked. While this sometimes occurs, it is not related to the investigation but rather a decision made by the client company's management. No security system is flawless, and there will always be vulnerabilities.

If an incident occurred due to an unaddressed, old and well-known vulnerability, it must be included in the report. Investigators are not permitted to conceal such information.

Collaborative efforts in incident investigation

Many clients are less concerned about the specific details of an attack, such as the country of origin or the hacker group responsible. Their primary focus is restoring their business processes and ensuring such malicious actions do not recur.

At the same time, investigators can reverse-engineer the malware code to gather valuable data that might indicate the hacker's country of origin. The unique techniques or tools the attacker uses can occasionally reveal their potential affiliation with a specific hacker group.

Investigators are primarily interested in the technical aspects that can aid in related investigations. The gathered artifacts serve to enhance their knowledge base.

Final thoughts

The significance of investigating cybersecurity incidents has grown more apparent to clients compared to the past. There has been a noticeable shift in clients' approach toward third-party investigation services. Present conditions are driving them to treat information security incidents with greater urgency, bolster their preparedness to tackle threats and work more closely with independent investigation teams to minimize the impact of security incidents. As companies continue to strengthen their information security capabilities, it is anticipated that they will start establishing their own in-house investigation teams, leading to higher quality investigations overall.

Image credit: kopitin/depositphotos.com

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications sharing his security experience.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.