The art of forensics is probably best defined as the use of science and technology to investigate and establish facts in criminal or civil cases. Computer forensics runs along much the same lines, with the main difference being the end goal - in the case of cyber-security, it's usually to understand the exact scale of a breach, what damage was done, where it occurred, and, if possible, who committed the offence.
Accurate and insightful forensics help piece together the complete storyline of an attack, providing lessons learned that can be applied to make the same type of attack far harder to repeat.
A strong forensics approach rests on three main pillars - coverage, integration and visibility. Making a concerted effort to tick these boxes can be the difference between being able to respond to a threat and relative chaos.
Coverage is critical
Criminal forensics always starts with returning to the scene of the crime to collect evidence. The critical thing to notice is that the "crime scene" extends beyond the site of the offence – it also includes the thief's vehicle, the building next door they came in through, and much more.
In the cyber world, forensic analysis must cover the entire range of potential data sources - not just the endpoint where malware has been found, but the other endpoints it has been in contact with and the network itself. This is the only way to create a complete picture that accurately shows where the threat came from, how it got in and where it went.
Naturally, dissecting every bit and byte of the infected machine is just as important, but in many cases, without mapping out the threat, defenders are left in no man's land.
Integration for a single storyline
Forensic data is almost never isolated; there's never just one clue. If you look hard enough, usually hundreds of minuscule network and endpoint events can be traced back to the attack. This makes being able to connect two – or hundreds – of different "dots" imperative to the task. In practice, though, while you need many clues, using multiple different forensic tools can significantly complicate the situation. In many cases they won't speak the same language, so their findings cannot be intelligently cross-referenced or used to their full potential.
For example, using independent tools for endpoint, server and network lets you glean a substantial amount of information from each, but leaves an overwhelmed analyst having to delve through and synthesise thousands of findings that could be seen and used much more efficiently if the tools had been designed to live and work together.
Another benefit of integration, especially when paired with automation, is the ability to automatically and continuously initiate additional forensic data collection based on previous forensics or findings.
Visibility = coverage + integration
Visibility is essentially the combined result of coverage and integration, ensuring the various pieces of forensic evidence are organised in such a way to make the story of the attack clear to the analyst.
Malicious incidents are seldom isolated and almost always contain multiple events linked to the same attack – the initial infiltration, contacting a command and control server, laterally moving to the target host via a specific network protocol, etc.
While interesting and valuable in their own right, they become truly powerful when displayed as a chain of events, narrating the entire attack from start to finish. Not only is this far more informative, it enables the analysts to perform the most critical task – Response.
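To make the integration and chain-of-events points concrete, the following Python script is an added example (it is not code from this article or from Verint's products). It takes records from two constructed sources that "speak different languages" - an EDR-style JSON log keyed by hostname and a network-sensor CSV keyed by IP - normalises them into one event schema via an assumed asset inventory, and then walks outward from the host where malware was found, pulling in every internal peer it contacted so that initial infection, external command-and-control traffic and lateral movement appear as one ordered timeline. The hostnames, IPs, log formats and log lines are all constructed for illustration.

```python
"""Normalise endpoint and network records into one schema and chain them into
an attack timeline. Added example; every log line, hostname and IP below is
constructed for illustration and the formats are assumptions, not any
product's real output."""
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EDR-style JSON lines: process starts seen on two hosts.
ENDPOINT_LOG = """\
{"ts": "2023-05-01T09:00:05Z", "host": "ws-17", "event": "process_start", "cmd": "outlook.exe"}
{"ts": "2023-05-01T09:01:10Z", "host": "ws-17", "event": "process_start", "cmd": "powershell -nop -w hidden"}
{"ts": "2023-05-01T09:03:00Z", "host": "ws-17", "event": "process_start", "cmd": "rundll32 a.dll,Start"}
{"ts": "2023-05-01T09:20:00Z", "host": "srv-db-02", "event": "process_start", "cmd": "services.exe"}
{"ts": "2023-05-01T09:20:02Z", "host": "srv-db-02", "event": "process_start", "cmd": "cmd /c whoami"}
"""

# Constructed flow records from a separate network sensor: CSV, keyed by IP.
NETWORK_LOG = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2023-05-01T09:03:30Z,10.0.5.17,203.0.113.9,443,tcp,51200
2023-05-01T09:19:50Z,10.0.5.17,10.0.9.2,445,tcp,8800
2023-05-01T09:25:00Z,10.0.5.17,203.0.113.9,443,tcp,1024
"""

# Assumed asset inventory: the glue that lets the two tools speak the same language.
INVENTORY = {"10.0.5.17": "ws-17", "10.0.9.2": "srv-db-02"}


@dataclass(order=True)
class Event:
    ts: datetime
    host: str
    source: str      # tool that produced the record
    kind: str        # normalised event type
    detail: str
    peer: str = ""   # destination host for network events


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise_endpoint(text):
    """EDR JSON lines -> Event; hostnames are already present."""
    return [Event(parse_ts(r["ts"]), r["host"], "edr", r["event"], r["cmd"])
            for r in map(json.loads, text.splitlines())]


def normalise_network(text, inventory):
    """Flow CSV -> Event; IPs are resolved to hostnames via the inventory and
    flows to another inventoried host are flagged as possible lateral movement."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        src = inventory.get(r["src_ip"], r["src_ip"])
        dst = inventory.get(r["dst_ip"], r["dst_ip"])
        kind = "lateral_flow" if r["dst_ip"] in inventory else "external_flow"
        out.append(Event(parse_ts(r["ts"]), src, "netflow", kind,
                         f"{r['proto']}/{r['dst_port']} {r['bytes']}B", dst))
    return out


def build_chain(events, seed_host, window=timedelta(hours=1)):
    """Start from the host where malware was found and follow internal flows:
    each peer it contacted is pulled into the story from the moment of contact.
    Returns the ordered chain plus the extra hosts that now warrant collection."""
    events = sorted(events)
    seed_start = min(e.ts for e in events if e.host == seed_host)
    queue, started, chain = [(seed_host, seed_start)], {}, []
    while queue:
        host, start = queue.pop(0)
        if host in started:
            continue
        started[host] = start
        for ev in events:
            if ev.host != host or not (start <= ev.ts <= start + window):
                continue
            chain.append(ev)
            if ev.kind == "lateral_flow" and ev.peer not in started:
                queue.append((ev.peer, ev.ts))
    follow_up = [h for h in started if h != seed_host]
    return sorted(chain), follow_up


def investigate(seed_host="ws-17"):
    events = normalise_endpoint(ENDPOINT_LOG) + normalise_network(NETWORK_LOG, INVENTORY)
    return build_chain(events, seed_host)


def render(chain):
    return "\n".join(f"{e.ts:%H:%M:%S} {e.host:<10} {e.source:<8} {e.kind:<14} {e.detail}"
                     + (f" -> {e.peer}" if e.peer else "") for e in chain)


if __name__ == "__main__":
    chain, follow_up = investigate()
    print(render(chain))
    print("queue forensic collection on:", follow_up)
```

Run stand-alone, the script prints eight events in time order: the mail client, an encoded PowerShell launch and a DLL load on ws-17, an outbound HTTPS flow to an external address, an SMB flow to srv-db-02, the two processes that then start on srv-db-02, and a second external flow. Neither source on its own tells that story. The `follow_up` list is the automation hook from the integration point above: srv-db-02 was only reached by following a flow, so it is exactly the host on which additional forensic collection should be triggered next.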
Forensics drive investigation and response
Forensics is a big part of investigating a threat, which makes it critical to the action of responding to and mitigating it. Once the bigger picture is formed, you know which devices to isolate, what parts of the network are vulnerable and generally what needs to be done to ensure a higher level of safety moving forward.
Organisations must assume that an attacker is already lurking in their network; the task is then to find them fast enough to reduce dwell time and minimise damage. Integrated and automated forensics across networks and endpoints helps you find them more quickly and stop them in their tracks.
Contributed by Noam Rosenfeld, SVP, cyber-security solutions, Verint Systems Ltd.