by Mirko Zorz - Monday, 17 February 2014.
The primary goal of the investigation work stream is to develop sufficient evidence of the breadth, depth, scope and methods of the compromise to enable successful eradication of the attackers. To conduct this investigation, a company requires four critical capabilities:
- a. Network forensics and event visibility will include a centralized, searchable event log repository combined with deep-packet inspection capabilities to give the company continuous visibility into security events and insight into attacker techniques.
- b. Enterprise memory forensics will include the ability to inspect running processes in memory looking for suspicious behaviors, because some malicious software is designed to live only in memory and is never written to disk, and signature-based detection mechanisms cannot discover malware they have never seen.
- c. Enterprise host-based forensics will enable the investigation team to confirm malware infection on, access to, or data exfiltration from hosts identified by other work streams or through the forensic process, as well as accounts compromised or created by the attackers that give them persistent access to the environment.
- d. Enterprise sweep will enable the investigation to search hosts across the enterprise for the indicators of compromise developed during the investigation to identify computer assets that must be addressed during the eradication event.
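As an added illustration of the enterprise sweep in item d (this is example code written for this page, not code from the article or from any vendor tool), the script below matches an indicator set of the kind an investigation produces (file hashes, file paths, process names, domains, account names) against per-host artifacts and reports the hosts that must be on the eradication list. All indicators and host artifacts are constructed; in a real sweep the per-host data would come from an agent or a remote query rather than from inline literals.

```python
"""IOC sweep over enterprise hosts (added example; all data constructed)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Indicators:
    """Indicators of compromise developed during the investigation."""
    file_sha256: set = field(default_factory=set)
    file_paths: set = field(default_factory=set)    # compared case-insensitively
    process_names: set = field(default_factory=set)
    domains: set = field(default_factory=set)       # a hit also covers subdomains
    accounts: set = field(default_factory=set)


@dataclass
class HostArtifacts:
    """What a collection agent would return for one host (constructed here)."""
    hostname: str
    files: dict          # path -> file content (bytes)
    processes: list      # running process image names
    dns_queries: list    # names the host resolved
    local_accounts: list  # accounts present on the host


def _domain_matches(query: str, ioc_domains: set) -> bool:
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def sweep_host(host: HostArtifacts, iocs: Indicators) -> list:
    """Return (kind, value, detail) tuples for every indicator found on one host."""
    hits = []
    ioc_paths = {p.lower() for p in iocs.file_paths}
    ioc_procs = {p.lower() for p in iocs.process_names}
    ioc_domains = {d.lower() for d in iocs.domains}
    ioc_accounts = {a.lower() for a in iocs.accounts}
    for path, content in host.files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in iocs.file_sha256:
            hits.append(("file_hash", path, digest))
        if path.lower() in ioc_paths:
            hits.append(("file_path", path, ""))
    for proc in host.processes:
        if proc.lower() in ioc_procs:
            hits.append(("process", proc, ""))
    for query in host.dns_queries:
        if _domain_matches(query, ioc_domains):
            hits.append(("dns", query, ""))
    for acct in host.local_accounts:
        if acct.lower() in ioc_accounts:
            hits.append(("account", acct, ""))
    return hits


def sweep_enterprise(hosts: list, iocs: Indicators) -> dict:
    """Map hostname -> hits for every host with at least one hit.

    These hosts are the assets that must be addressed during the eradication
    event; hosts with no hits are omitted."""
    results = {}
    for host in hosts:
        hits = sweep_host(host, iocs)
        if hits:
            results[host.hostname] = hits
    return results


# Constructed sample indicators and hosts (not real malware or real hosts).
DROPPER = b"constructed dropper bytes"
IOCS = Indicators(
    file_sha256={hashlib.sha256(DROPPER).hexdigest()},
    file_paths={r"c:\windows\temp\svchost.exe"},
    process_names={"rundll32_helper.exe"},
    domains={"update.example.invalid"},
    accounts={"svc_backup2"},
)
HOSTS = [
    HostArtifacts("ws-01", {r"C:\Windows\Temp\svchost.exe": DROPPER},
                  ["explorer.exe"], ["cdn.update.example.invalid"], ["alice"]),
    HostArtifacts("ws-02", {r"C:\Users\bob\report.docx": b"ordinary document"},
                  ["winword.exe"], ["example.com"], ["bob"]),
    HostArtifacts("srv-03", {}, ["rundll32_helper.exe"], [], ["svc_backup2"]),
]


def sample_sweep() -> dict:
    return sweep_enterprise(HOSTS, IOCS)


if __name__ == "__main__":
    for hostname, hits in sample_sweep().items():
        print(hostname)
        for kind, value, detail in hits:
            print(f"  {kind:10} {value} {detail}")
```

Two points worth noting. The sweep is only as good as the indicators fed into it, so it is rerun each time the investigation adds a new hash, path or domain. And a sweep of on-disk hashes and names cannot see malware that exists only in memory, which is exactly why item b (memory forensics) is a separate capability rather than a special case of this one.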
The remediation work stream, which runs concurrently with the investigation, will serve multiple purposes:
- a. First, it will identify and address vulnerabilities in the environment that may have been exploited by the attackers to get in or might be exploited by them to re-enter after the eradication event.
- b. Second, it must seek to harden the environment, to complicate an attacker’s efforts to get back into the environment after eradication.
- c. Third, it must enhance the company’s ability to detect future attacks.
- d. Fourth, it must expand the company’s capability to respond to sophisticated attacks.
- e. And finally, the remediation plan must prepare the company for the eradication event.
The eradication event will be planned such that in a very short period of time (typically over a long weekend), the company rapidly cuts off the attacker's access to the environment, with the full understanding that the attackers will most likely seek to re-establish access. The eradication event cannot occur until two conditions are met. First, the investigation must have developed sufficient evidence of the breadth, depth, scope and methods of the attacker's capability to maintain persistent access to the company's environment. Second, the remediation work stream must have sufficiently hardened the environment against renewed attack, enabled visibility into the attacker's attempts to get back in, and enhanced the company's ability to respond to those attempts.