DFIR Essentials: An Introduction to Cyber Security Incident Response

Knowledge
2022-05-07

Digital forensics and incident response (or DFIR for short) is a mix of cyber security and computer forensics. Its objective is to investigate what happened during the incident and uncovering any digital evidence that might point out to the person (or group) responsible.However, merely uncovering the digital evidence in criminal investigations is not enough. After it’s collected, we have to preserve it properly. Then, the stage is set for its analysis.

DFIR security also focuses on how to bolster the organization’s infrastructure to prevent similar kinds of cyber attacks in the future – that’s the main difference between DFIR and a traditional digital forensics investigation.

If the DFIR cyber security intervention is successful, your organization can resume its operations shortly thereafter. After the digital forensic evidence has been processed and the leads all point in the same direction, the evidence collected can be used as a basis to prosecute those responsible to the fullest extent of the law.

The importance of an incident response plan

One of the primary objectives of an incident response plan is to lose as little time as possible and stop ongoing cyber security threats from causing further damage to your network, data, and reputation. In other words, it’s much better to have a plan and not need it, rather than needing it and not having it.

During the DFIR forensics process, we are trying to discover:

  • Is this the work of a hacker?
  • What is the impact of the attack?
  • What is the cause?
  • The incriminating proof

The focus lies on mitigating the damage sustained by your organization or business and getting things up and running again, just like they were before the attack. A DFIR security procedure is as much about “bandaging the wounds” as it is about helping you understand what led you to such a position in the first place, thus contributing to your growth, education, and bolstering your cyber security defenses.

formulate a plan for DFIR

When disaster strikes, you’re already too late to formulate a plan. You should have one already in place and act upon it ASAP.

Cyber breaches - the frightening statistics

Did you know that…

  • Due to a simple database misconfiguration, more than 300.000 Hobby Lobby records were exposed in 2021?
  • In 2021, 500 million LinkedIn users had their profile information scraped and leaked on the dark web? This includes their email addresses, account IDs, and phone numbers.
  • GetHealth, a fitness app, was breached in 2021, revealing 61+ million records worth of health-related data?
  • Malware leaked the names, compensation information, social security numbers, and other sensitive data pertaining to Bose Corporation’s human resources in 2021?
  • An average ransomware breach causes $4.62m in damages, according to IBM?

(Source for the above: Varonis.com)

As you can see, these are recent events. All of this highlights the importance of DFIR cyber security, a digital forensics field that is becoming increasingly important in modern times.

Are most organizations careless in this regard?

According to a survey by Ponemon, 77% of respondents lack an incident response plan. Worse yet, among those who claim to have such a plan, only 32% would describe it as “mature”.

To say these figures are a cause for concern would be an understatement. And this is in an era where cyber security incidents make the news headlines almost every day.

On some occasions, it can take years before an organization even discovers that something has happened. In the meantime, the hackers responsible are free to cause all sorts of mischief by implanting malware, stealing data, and spying on the organization’s network.

The 4 vital components of a good incident response plan

Although no two incident response plans are the same, most industry experts agree that a good plan should have the following vital components:

1. Preparation

When time is at stake, you cannot afford to spend any of it on drafting a plan on how to move forward. Instead, you should have one prepared and ready to deploy in a moment’s notice.

2. Detection and analysis

The next step is to pinpoint what you’re dealing with and whether a cyber security accident has occurred or not. If so, what kind of incident are we talking about and what is its scale?

3. Containment and eradication

Containment and eradication is all about getting a grip on the situation before it gets out of hand even more. The objective is to prevent damage and eliminate the cyber threats that caused it.

4. Post-incident recovery

At the end of the day, what are the lessons learned? This is what the post-incident recovery of DFIR has centered around. Through thoughtful evaluation, we are trying to establish how to prevent such a scenario from happening ever again.

Things a digital forensics data analyst may look into

A digital forensics incident response investigation involves having a digital forensics data analyst take all the relevant IT devices under close examination as they look for clues.

Disk images

Instead of going through the hard drive directly, a digital forensics data analyst will make a digital image of it first. The reason being is that we cannot afford to risk compromising the integrity of the evidence as it needs to be admissible in court.

Memory images

Similar to a hard drive, it’s also possible to make a digital copy of data that are stored inside the computer’s RAM. Sometimes, the malware tries to disguise its presence on the system by leaving zero traces on the hard drive and running strictly from the memory.

Memory storage - digital data

Certain types o modern malware are smart enough to leave no traces behind on the hard drive.

Application data

A computer is so much more than what’s written on the hard drive. With this in mind, DFIR forensics also focuses on examining other elements of the operating system such as network device logs, host logs, and logs pertaining to specific software that may be installed on the device.

Database data

Using cutting-edge digital forensics tools such as DBF by SalvationDATA, it’s possible to uncover exactly who altered the database’s records and uncover any traces the perpetrators left behind.

Following the facts, we can then establish whether this was an inside job or not.

 

Other types of evidence DFIR investigators may assess

The evidence listed above can stand in court without question. However, DFIR investigators may also collect other types of digital evidence:

1. Circumstantial evidence

Prior to drawing a conclusion, we look at circumstantial evidence that might not stand on its own, but it can tell a more complete picture of what happened when placed side by side with other known facts. A DFIR investigation often requires a hypothesis to be put forward and to do so, we have to take other known facts into consideration.

2. Character evidence

To prove a motive, intent, or opportunity, expert testimony can give new dimensions to the case.

3. Anecdotal evidence

Although anecdotal evidence is inadmissible in court, it’s still important for the general understanding of the case. During a digital forensics & incident response investigation, a DFIR examiner will also collect stories and claims from third parties to support a theory.

4. Analogical evidence

Have there been other related cyber security incidents with similar circumstances in the past? What were the conclusions drawn? It’s important to look at these to see if there are any relevant takeaways that we can apply to the current case.

DFIR is a mix of multiple disciplines

DFIR forensics is a multidisciplinary field that requires special DFIR certification and DFIR training. Alongside having strong fundamentals in digital forensics, a DFIR analyst must also have a strong grasp of:

Log analysis

The objective of log analysis is to detect whether the device is performing in an abnormal way. Automation may be used to speed up the process.

Network forensics

Since we’re trying to pinpoint where the hackers got in, network security forensics is an essential part of DFIR. To this end, analyzing the network can reveal valuable clues regarding the point of the breach and uncover the attack vector.

File system forensics

To get to the bottom of a system’s vulnerabilities, we first need to understand how its file system is structured and how it works. This includes analyzing any remote devices involved in the breach.

Malware forensics

What type of malware led to the breach and how was the end-user tricked into executing it? This, and many related things, are part of malware forensics. During the process, a forensic cyber investigator also attempts to reverse-engineer the malicious code to determine its type and gauges the scope of its severity.

Memory forensics

Modern types of malware are incredibly cleverly designed as to not leave any traces behind on the hard drive. To respond to these tactics, memory forensics experts analyze system memory to pick up on any malicious behavior.

Software development

To beat hackers and malware developers at their own game, coding and software development is an important things to know about DFIR. This allows for getting into their way of thinking and predicting where they could have found a vulnerability to capitalize on.

Forensic Tools for DFIR

To catch a hacker red-handed and investigate traces left behind by a cyber attack, DFIR experts resort to various means, including open-source digital forensics tools we’ve covered in one of our previous posts.

You can find a short rundown of DFIR tools that can be of use during the breach investigation:

  • Falco. This software focuses on raising alerts in real-time. To perform at its best, you have to teach it the right criteria by coming up with your own rules of what constitutes trouble.

falco

  • Kube-forensics. A splendid open-source tool for Kubernetes forensics.

kube-forensics

  • Docker Explorer. After making a snapshot of the data we’re trying to analyze, this handy tool allows conducting a thorough investigation of it offline.

docker explorer

  • SIEM. Also known as ElasticSearch, this is a tool designed for collecting and storing logs in a monitored environment. It can streamline the identification phase of DFIR.

SIEM

  • Prometheus. A solid metrics and monitoring solution that features alerting as part of its design.

Prometheus

  • Cloud Forensics Utils. As the name implies, this digital forensics tool is meant to help you streamline the evidence collection phase.

google cloud forensics utils

  • Falcosidekick. This tool expands upon the capacities of Falco, forwarding its events to different outputs.

falcosidekick

  • kubesploit. This is a whitehat hacking tool intended for discovering and patching up any weaknesses in your network.

kubesploit.

 

Conclusion

Although DFIR is a long and complex topic, we’ve covered what we believe are the very essentials of it.

At any rate, this should be more than enough to get your feet wet and a good springboard for further research on your end.