Investigating is the most important task in Cyber Security

December 3, 2024

Diego Espitia, Telefónica Tech Colombia

We have seen how organized crime has changed its mode of operation, finding in extortion attacks a quick and attractive source of income. Latin America, like other regions of the world, has become an appealing market for those who wish to exploit security weaknesses in companies.

This has changed how cyber security is approached globally, with early detection treated as the only option for limiting impact. In response, the cyber security industry has developed tools that automate and accelerate incident response.

While this ecosystem has significantly improved incident detection and response, it still depends heavily on how the solutions are configured. Configuring them well requires understanding the behaviour of the threats and malicious actors that the tools are meant to detect.

As a result, investigation becomes a primary task for cyber security analyst teams and an integral part of operations. The clearest example is an incident itself, where recovery depends entirely on the investigation that incident response analysts carry out.

Cyber security investigators can, practically speaking, take many approaches. Some focus on finding weaknesses in protocols or services that are not associated with any active incident. Others study how services or features can be exploited to build attacks. Here we will focus on what an investigator should do during an incident.

What to investigate during a security incident

During an incident, investigators must determine who is attacking, what they are doing, when and where it is happening, and why. To do so they must be especially observant, know what questions to ask, know how to validate the information they find or seek, understand what each piece of information means, and be able to turn it into something useful for the investigation.

Incident response teams follow methodologies and share information through structured teamwork, which helps them form the hypotheses the investigation will pursue to answer these questions. For example, one investigator may dismiss a piece of evidence as noise while another finds valuable information in the same evidence. To avoid duplicated effort and lost findings, all of this is recorded in the investigation log.

Now, imagine your organization facing an incident alert. Security teams should begin the investigation before activating the DFIR (Digital Forensics and Incident Response) team, which should come in only once the initial analysis has answered five questions about the attack:

1. Is it a real attack?

The first step for investigators is to confirm that the alert is real. To do this, the information from the tool that raised the alert must be collected and compared against the raw data on the devices that produced the underlying events, to verify that the alert reflects genuine activity rather than a misconfiguration or a false positive.

The alerting tool should also supply a second piece of information from the initial analysis: the condition that triggered the alert, mapped to an attacker tactic or technique, together with its risk rating relative to the organization's most critical assets.

2. Did the attack cause any impact?

Sometimes alerts are configured to detect the attacker's earlier steps, so the threat is caught proactively and incident response teams have time to control the impact. It is therefore very important that the initial investigation determines the actual impact on services or devices.

During an incident, the DFIR team does not react the same way if the threat was detected before a ransomware payload executed as it does if every device has already been encrypted. This answer must be quick and clear, because it decides whether an in-depth investigation is activated or, in some cases, whether the incident can be closed.

3. What assets are compromised?

In parallel with the previous question, the investigation team must determine how many assets are compromised and validate their importance against the risk matrix and the organization's definition of critical assets.

This analysis allows the response to focus containment on the affected assets, protect other important assets, and start threat hunting across the rest of the estate using the indicators of compromise already identified, to detect other affected assets.

4. What activities did the actor perform?

It is not always possible to answer this question fully in the initial review, but knowing why the alert qualified as a real incident already reveals some of what the attackers did. This information determines whether a crisis room is activated and at what criticality level the incident is rated, which in turn should map directly to the response procedure.

This process may seem laborious and time-consuming, but investigators should carry it out quickly, using the monitoring tools to identify the actual actions that triggered the alert. This yields an initial picture of the attacker's activity so that the threat intelligence and threat hunting teams can begin their work.

5. How should one respond to this attack?

Only after it is clear what the attacker did is it possible to propose initial containment actions. This step should be performed only by experienced investigators who have had time to build a complete picture of the attacker's actions. Acting without this investigative foundation causes more damage than it prevents.

In a first response, the investigators can use the information described above to propose some initial actions, such as restricting the attacker's lateral movement by changing network segmentation to isolate the compromised equipment, although the right measure depends on the type of incident.

Another possible measure is to activate automatic response in the EDR (Endpoint Detection and Response) platform using the IoCs (Indicators of Compromise) and IoAs (Indicators of Attack) detected, so that devices not yet compromised are protected against the actions already observed.
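The five questions above are a triage procedure, and it helps to see how each one maps to a concrete check against telemetry. The following script is an added example written for this page, not the author's or Telefónica Tech's code. It runs the five questions over a constructed ransomware-style scenario: the alert, the EDR events, the hostnames, the hash values, the `.locked` extension and the asset criticality register are all hypothetical sample data embedded in the script, and the response proposals are plain strings rather than calls to any real EDR API.

```python
"""Alert triage over constructed telemetry: the five questions an initial
investigation team must answer before the DFIR team is activated."""

# Constructed sample alert (hypothetical host, hash and domain).
ALERT = {
    "host": "fin-srv-02",
    "rule": "Suspicious mass file rename",
    "technique": "T1486",  # MITRE ATT&CK: Data Encrypted for Impact
    "iocs": {"sha256": "9f3c5e2a7b1d", "domain": "update-cdn.example"},
}

# Criticality taken from a hypothetical risk matrix / critical-asset register.
CRITICAL_ASSETS = {"dc-01": "high", "fin-srv-02": "high", "hr-ws-17": "medium"}

# Constructed EDR events: (timestamp, host, event_type, detail).
TELEMETRY = [
    ("2024-11-28T08:40:00", "dc-01", "process",
     {"sha256": "a1b2c3d4e5f6", "cmd": "svchost.exe -k netsvcs"}),
    ("2024-11-28T09:02:11", "fin-srv-02", "process",
     {"sha256": "9f3c5e2a7b1d", "cmd": "vssadmin delete shadows /all /quiet"}),
    ("2024-11-28T09:02:30", "fin-srv-02", "network",
     {"domain": "update-cdn.example", "dst_port": 443}),
    ("2024-11-28T09:05:02", "fin-srv-02", "file_rename",
     {"count": 1240, "new_ext": ".locked"}),
    ("2024-11-28T09:06:45", "hr-ws-17", "process",
     {"sha256": "9f3c5e2a7b1d", "cmd": "vssadmin delete shadows /all /quiet"}),
]

# Command prefixes that precede encryption (backup/shadow-copy destruction).
PRECURSORS = ("vssadmin delete shadows", "wbadmin delete catalog", "bcdedit /set")


def matches_ioc(detail, iocs):
    """True if any IoC value from the alert appears in the event detail."""
    return any(detail.get(k) == v for k, v in iocs.items())


def is_real(alert, telemetry):
    """Q1: corroborate the alert with raw telemetry from the alerted host itself."""
    return any(host == alert["host"] and matches_ioc(detail, alert["iocs"])
               for _, host, _, detail in telemetry)


def impact_stage(host, telemetry):
    """Q2: 'encrypted' if mass renames happened, 'pre-impact' if only precursors."""
    events = [(t, d) for _, h, t, d in telemetry if h == host]
    if any(t == "file_rename" and d.get("count", 0) > 100 for t, d in events):
        return "encrypted"
    if any(t == "process" and d.get("cmd", "").startswith(PRECURSORS) for t, d in events):
        return "pre-impact"
    return "none"


def compromised_assets(alert, telemetry, assets):
    """Q3: hunt the alert's IoCs across every host; rank by asset criticality."""
    rank = {"high": 0, "medium": 1, "low": 2}
    hosts = {h for _, h, _, d in telemetry if matches_ioc(d, alert["iocs"])}
    return sorted(hosts, key=lambda h: (rank.get(assets.get(h, "low"), 3), h))


def actor_timeline(hosts, telemetry):
    """Q4: chronological record of the actor's actions on the compromised hosts."""
    rows = []
    for ts, h, t, d in telemetry:
        if h in hosts:
            summary = d.get("cmd") or d.get("domain") or f"{d.get('count')} files -> {d.get('new_ext')}"
            rows.append((ts, h, t, summary))
    return sorted(rows)


def propose_response(hosts, stages, alert):
    """Q5: containment proposals that differ by stage (Q2), not by the alert alone."""
    actions = []
    for h in hosts:
        if stages[h] == "encrypted":
            actions.append(f"isolate {h} via network segmentation; preserve disk and memory for DFIR")
        else:
            actions.append(f"isolate {h}; terminate process {alert['iocs']['sha256']} before encryption starts")
    for kind, value in alert["iocs"].items():
        actions.append(f"push EDR block rule: {kind}={value} (protects not-yet-compromised hosts)")
    return actions


def triage(alert, telemetry, assets):
    """Answer the five questions; stop at Q1 if the alert cannot be corroborated."""
    if not is_real(alert, telemetry):
        return {"real": False}
    hosts = compromised_assets(alert, telemetry, assets)
    stages = {h: impact_stage(h, telemetry) for h in hosts}
    return {"real": True, "hosts": hosts, "stages": stages,
            "timeline": actor_timeline(set(hosts), telemetry),
            "actions": propose_response(hosts, stages, alert)}


if __name__ == "__main__":
    for key, value in triage(ALERT, TELEMETRY, CRITICAL_ASSETS).items():
        print(key, value)
```

Two design points matter here. Question 1 is answered only from the alerted host's own telemetry, never from the alert record alone, which is what catches a detection rule that fires on nothing. Question 5 is computed from the answers to questions 2 to 4, so the same IoC produces a preservation-oriented action on the already encrypted server and a process-termination action on the workstation that has only run the precursor commands.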

Conclusion

The cyber security investigation process is vital in every field, but having a first-response investigation team, or at least clear procedures for acting on an alert that could become a major incident, is invaluable.

All companies, regardless of their size or line of business, are exposed to a major incident.

The only way to survive one is to have an initial investigation team prepared to answer these five questions in the shortest possible time, so that management and everyone involved in the response plan can make the right decisions to respond to and contain the threat.