Collecting and analyzing data on information security incidents is a real detective story, even without shots fired or surveillance with disguises. Like ordinary investigators, digital Sherlocks often have to walk in circles for a long time, putting forward and discarding different hypotheses until they manage to get to the bottom of things. And no cunning methodologies or magic tools based on AI will help if the specialist lacks skills, creativity and deduction.
In this article we will tell you how such work is carried out at Bastion and what influences the course of the investigation. Perhaps this information will help IT directors and other decision makers interact more effectively with the response team. The material will also be of interest to those readers who are thinking of changing their profile to computer forensics or virus analytics.
Motive, opportunity and execution: how cybercriminals operate
The tactics, techniques and procedures of attackers are described in detail in threat intelligence databases. To begin with, we will give a simplified picture of how cybercriminals operate and what goals they pursue. As in drama, everything here comes down to a number of basic “plots”; the rest are just nuances, albeit significant ones. So, first things first.
Motives and goals of cybercriminals
Some hackers focus on the long-term collection of information. In particular, these are cases of industrial espionage at the state level (so-called state-sponsored cyber attacks).
A striking example is the sensational cyber attack by a North Korean hacker group on one of the leading Russian missile industry enterprises. The attackers maintained access to the enterprise networks for several months. As a result, valuable developments and drawings were leaked to Pyongyang. And one of our clients had hackers quietly “visiting” them… for 8 years! And this is still a modest estimate: for earlier periods, logs and other digital traces were not preserved.
Other cybercriminals are purely financially motivated and pursue more mundane goals such as extortion. For example, more and more companies are being targeted by hackers using ransomware.
The third motivation of cybercriminals is to obtain personal and other data for social engineering and fraudulent schemes. As a result of the hackers' activities, the databases of companies and government agencies are leaked and then dumped by the gigabyte on the darknet.
Opportunities for cyber attacks
For a long time, the most popular way into corporate networks remained vulnerabilities in Internet-facing applications (Exploit Public-Facing Application). In our experience, these are most often VPNs and email services like Microsoft Exchange.
Phishing emails also serve as entry points for cybercriminals. A common option is fake invoices sent by email to accountants and other employees to pay for contractors’ services.
According to our statistics, attacks of the so-called Trusted Relationship type, in which attackers enter an organization’s network through contractors and partners, have recently taken first place.
Typical course of a cyber attack
The standard Kill Chain methodology identifies three main stages of a cyber attack
The defense has been bypassed, and the enemy is no longer even “at the gate”, but inside the corporate network. His next step is internal reconnaissance. The cybercriminal finds out how the network is structured, which hosts are responsible for what, where administrators log in, and where the most valuable information is located. This is followed by the infection of one of the machines and privilege escalation: the hacker obtains the necessary passwords and gains access to administrator credentials in order to roam the network as if at home. His further actions depend on the motives and goals that we have already discussed above.
How does the incident response work?
This is where the forensic scientist comes into the picture. However, if such a specialist is not on staff, then we are getting ahead of ourselves. First, the company needs to find a contractor who specializes in information security issues and sort out all the legal details (conclude an agreement, etc.).
The longer approvals and red tape drag on, the less evidence and traces remain. Logs are rotated, and valuable information about who authenticated and from which devices gradually disappears. This is why we sometimes suggest that our clients begin collecting data before all documents are signed.
What is the point of investigating a cyber attack?
If we are contacted during the active phase of the incident, when the hacker has not yet achieved his goals, the first thing we need to do is tie his hands. That is, figure out how the attacker gained a foothold in the network and which accounts are compromised, and at the same time secure all the organization’s hosts. Further tasks are to reconstruct the sequence of events in the incident, determine the entry points into the network and think about how to protect it from intrusions in the future (so-called network hardening).
In most cases, clients contact us after the attack is completed, and the work begins directly with the investigation.
Unfortunately, not everyone correctly understands the meaning of incident response. Some clients only ask to restore encrypted files so as not to pay the ransom. Just think – the weak points of the network remain unexplored and seem to tell the attackers: “Come again!” In addition, most modern ransomware programs work in such a way that the encryption is irreversible and even a cryptographic genius cannot cope with it without a private key. We try to explain this to the client, and then everything depends on his understanding of the situation and priorities.
Collection and analysis of information on a cyber attack
We have decided on the goals, now let’s move on to the response process. There is no clearly regulated algorithm of actions: after all, an investigation is not an inventory or reconciliation. But there are a number of mandatory steps and control points. To begin with, a forensic scientist “combs” the client’s network and devices to collect the so-called triage. This word with a French feudal flair means a basic set of incident data obtained from hard drives, RAM, traffic, etc.
- logs of various applications;
- OS logs;
- information about authentication and program launch.
Any structured information generated by one or another software can be useful.
The resulting digital catch is converted into convenient formats and analyzed. Forensic scientists are helped in this by parsers and artifact extractors, software for working with logs and system images, utilities for extracting metadata, and so on.
Sometimes you have to write a quick-and-dirty map-reduce to speed up log parsing and identify anomalies more effectively. Automation simplifies the work, but tools do not always give the desired effect in a couple of clicks. Sometimes you still need to analyze something manually.
Triage analysis gives a high-level picture of what happened and indicates in which direction to dig further. At a minimum, a specific computer or account surfaces: the one where the uninvited guest most recently gained a foothold on the network. The first step is to carefully examine this “last line of defense”, then find out where the hacker came from. The analyst then moves backward step by step along the attack vector, from host to host and from account to account. All these reference points are also carefully studied. This cyclical work continues until it is possible to return to the very first step of the hacker.
Conditional diagram of the investigation progress
If researching hosts and other sources does not yield results, all that remains is to be creative and form hypotheses. It happens that they are not confirmed, and the investigation temporarily reaches a dead end. Let’s say several pieces of indirect evidence indicated that the network was penetrated through the account of a certain contractor, but the suspicion was not justified. We have to “rewind” everything and test alternative versions.
At the same time, a forensic scientist always tries to get to the bottom of three fundamental points. The first is what exactly the digital criminal did, where and how. The second is what credentials were used and compromised during the attack. The third is the timestamps of all detected actions. These are the main pieces that make up the complete puzzle of any cyber attack.
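The backward walk from host to host described above can be sketched as follows. This is an added example, not Bastion's tooling: the events, host names and the `INTERNAL` inventory are constructed, and taking the most recent inbound logon before the pivot time is a simplifying assumption that an analyst would confirm at every hop. Each hop records the three points named above (action, credential, timestamp), and the walk reports a dead end when earlier records have been rotated away.

```python
from datetime import datetime

# Constructed sample: normalised logon events (time, source, destination, account).
EVENTS = [
    ("2024-03-01T02:10:00", "203.0.113.7", "vpn-gw", "contractor1"),
    ("2024-03-01T02:25:00", "vpn-gw", "jump01", "contractor1"),
    ("2024-03-01T02:40:00", "jump01", "fs01", "svc_backup"),
    ("2024-03-01T03:05:00", "fs01", "dc01", "admin"),
    ("2024-03-01T09:00:00", "ws-17", "fs01", "alice"),  # later, unrelated logon
]
INTERNAL = {"vpn-gw", "jump01", "fs01", "dc01", "ws-17"}  # hypothetical host inventory


def trace_back(events, host, pivot, internal):
    """Walk backward from `host` at time `pivot`; return (hops, stop_reason)."""
    parsed = sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in events)
    when = datetime.fromisoformat(pivot)
    hops, visited = [], set()
    while True:
        visited.add(host)
        # Candidate hop: the latest logon INTO this host at or before the pivot time.
        inbound = [e for e in parsed if e[2] == host and e[0] <= when]
        if not inbound:
            # Dead end: nothing older survived (for example, rotated logs).
            return hops, f"no earlier logon records for {host}"
        t, src, dst, account = inbound[-1]
        hops.append({"time": t.isoformat(), "from": src, "to": dst, "account": account})
        if src not in internal:
            return hops, f"external source {src}"  # reached the entry point
        if src in visited:
            return hops, f"loop back to {src}"
        host, when = src, t  # continue from the source host, earlier in time


def rotated(events, cutoff):
    """Simulate log rotation: keep only events at or after `cutoff`."""
    return [e for e in events if e[0] >= cutoff]  # ISO strings sort chronologically


if __name__ == "__main__":
    for label, evs in (("full logs", EVENTS),
                       ("rotated", rotated(EVENTS, "2024-03-01T02:30:00"))):
        hops, reason = trace_back(evs, "dc01", "2024-03-01T03:30:00", INTERNAL)
        print(f"{label}: stopped because {reason}")
        for h in hops:
            print(f"  {h['time']}  {h['from']} -> {h['to']}  as {h['account']}")
```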
How to deal with malware
A common situation: a forensic scientist stumbles upon some strange file. “Malware!” says instinct, experience, VirusTotal, or all of them at once. This means it’s time to involve another important hero of our detective story: a virus analyst. He studies the suspicious find and helps to understand its functionality and, therefore, the actions available to the attacker.
As with forensic work, there are no standardized approaches or templates. Only the most general steps are defined, and how it goes from there depends on a lot of factors. A virus analyst unpacks a file or program, decrypts strings and imports using a specialized disassembler and debugger, and determines functionality. At the same time, he tries to attribute the malware to a family, etc.
Alas, virus analysts also have no “magic wand” that solves all problems in a couple of clicks. Instead, they rely on mastery of reverse engineering, knowledge of scripting languages, and the ability to work with C-like code produced by a disassembler. Familiarity with the APIs of different operating systems is also useful.
What are the specific results of the work of a virus analyst? First of all, this is the identification of indicators of compromise: IP addresses, domain names, all kinds of traces in the registry, files created by malware. Such information makes it possible to identify other infected devices and hosts where the cybercriminal operated. Ideally, the analyst also writes a script to quickly decrypt the payload of a malicious file and detect it on the network. It wouldn’t hurt to attribute the find to understand who exactly (for example, which group of hackers) is using it in their attacks. Then you will be able to add to the threat intelligence database and immediately recognize the handwriting of the hackers next time. Likewise, find out where and how they use certain tools and which of them leave traces. All this will significantly speed up and simplify further work.
What factors influence the collection and analysis of information on incidents?
When investigating information security incidents, the devil is in a “million” details. There were no plans to stretch the article into an epic novel, so we combined all the factors influencing the response process into three main groups.
1. Type of incident
Database leaks and ransomware attacks usually do not cause difficulties and are investigated fairly quickly. The mechanisms of such incidents are described in detail in various threat intelligence sources; the techniques of cybercriminals are well studied. Of course, a lot depends on how the operating systems are configured and how correctly the data is logged in the organization. But solving any problems that arise is rather a matter of technique.
Things get more complicated with insider attacks, when someone from the organization is involved. Most often, an insider does not need to scan the network and gain a foothold in it. He immediately knows where to go and what to do, which means he leaves virtually no traces, and it’s easy for him to get lost among other users. It is difficult to determine which activity is legitimate and which is not.
Let’s say one of the employees changed the password to a simpler one a month ago and soon the network was penetrated to steal or encrypt data. Are we looking at the attacker himself, an accomplice, or just a victim of phishing? Or maybe there was a strange coincidence and there is no direct connection?
This is where the “investigative” work begins. You have to observe the behavior of the “exposed” employee, look for other suspicious actions, inconsistencies, and build hypotheses based on them.
If you’re lucky, you’ll be able to gather evidence quickly. I analyzed logs based on the time of connections to various services, studied application log files, compared them with standard activity – and the anomaly is obvious. But the necessary records have often already been rotated out. And it can be difficult for a forensic scientist to work through the resulting guesses on his own. You can’t “break” suspects in interrogations. This is where the help of the client’s administrators, who have sufficient technical capabilities to thoroughly check the actions of employees on the network, comes in handy.
Similar difficulties arise when investigating attacks involving contractors and trusted individuals (the aforementioned Trusted Relationship). Again, there are minimal traces of network penetration, since the attacker uses the legitimate access and capabilities of the contractor. If you are not lucky enough to find some database query timestamp indicating the relevant authentication, or some other clue, the investigation stalls.
A case study comes to mind. Hackers entered our client’s network through the account of one of the contractors. We were contacted a couple of months after the incident, when the company’s cooperation with this third-party contractor had already ceased. As luck would have it, the client’s system administrator had not deleted the SSH key that the contractor used to log in to the system, but had only commented it out. From the logs of a database query error that fortunately occurred, we learned the approximate time of the leak. It also turned out which SSH key was used during authentication – the same one! This is how we realized which contractor was compromised. Such luck looks like a “piano in the bushes”, and yet this is a real case.
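The check that closed this case can be sketched as follows. This is an added example, not the code or data from the investigation, and it assumes the key appears in OpenSSH-style "Accepted publickey" log lines, which the article does not specify. It fingerprints every key in `authorized_keys`, including commented-out entries, and matches them against the fingerprints in the log; the key material, log line, user and addresses are constructed.

```python
import base64
import hashlib
import re
import struct

KEY_RE = re.compile(r"(ssh-[a-z0-9-]+|ecdsa-sha2-[a-z0-9-]+)\s+([A-Za-z0-9+/=]+)\s*(.*)")
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return every key in the file, flagging entries disabled with '#'."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        match = KEY_RE.search(stripped.lstrip("# "))
        if not match:
            continue  # blank line or plain comment
        try:
            fp = fingerprint(match.group(2))
        except ValueError:
            continue  # comment text that only looked like a key
        entries.append({"fp": fp, "comment": match.group(3),
                        "disabled": stripped.startswith("#")})
    return entries


def attribute_logins(log_text, keys_text):
    """Map each accepted login to (user, source, key comment, was_commented_out)."""
    by_fp = {e["fp"]: e for e in parse_authorized_keys(keys_text)}
    hits = []
    for user, src, fp in LOG_RE.findall(log_text):
        entry = by_fp.get(fp)
        hits.append((user, src,
                     entry["comment"] if entry else None,
                     entry["disabled"] if entry else None))
    return hits


def _fake_ed25519(seed):
    # Constructed, not a real key: length-prefixed type name + 32 key bytes.
    name, key = b"ssh-ed25519", bytes([seed]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(blob).decode()


ADMIN_KEY, CONTRACTOR_KEY = _fake_ed25519(1), _fake_ed25519(2)
AUTHORIZED_KEYS = (f"ssh-ed25519 {ADMIN_KEY} admin@corp\n"
                   f"# ssh-ed25519 {CONTRACTOR_KEY} contractor@vendor\n")
SSHD_LOG = ("Mar  1 02:10:44 db01 sshd[4242]: Accepted publickey for deploy from "
            f"198.51.100.23 port 51234 ssh2: ED25519 {fingerprint(CONTRACTOR_KEY)}\n")

if __name__ == "__main__":
    for hit in attribute_logins(SSHD_LOG, AUTHORIZED_KEYS):
        print(hit)
```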
2. Scope of attack and cybercriminal techniques
The duration of the investigation largely depends on the size of the affected IT infrastructure. There are “one-handle cases” when only a few hosts of the organization are involved. Since the search area is highly localized, it’s possible to figure out what happened in a couple of hours. The main thing is that the necessary logs have not yet been rotated out. Conversely, the more hosts are involved in the incident, the longer the collection and analysis of information takes.
An equally important factor is the nature of the actions of cybercriminals. Take, for example, cyber attacks with encryption. In most cases, hackers use ransomware that only affects the files themselves. There remains access to the OS with its logs and registries, and it is possible to collect logs and other forensic artifacts for analysis.
It is much worse if programs like BitLocker are used and full-disk encryption is performed. Collecting forensic artifacts becomes difficult. The only hope is that the cybercriminal left traces by mistake. It is necessary to take readings from information security tools and study network equipment logs in order to at least roughly estimate the time frame of the incident based on indirect data. Perhaps something went wrong for the hackers, and within this time frame some kind of request error occurred that can be identified and used as a starting point for the search. Or there are unencrypted disks left somewhere. If such an attack affected absolutely all the organization’s hosts, the chances of obtaining artifacts are negligible.
A less sophisticated, but still effective way to cover tracks and hinder the investigation of an incident is to manually clear the OS logs. In the case of Windows and Linux, this is quite simple. Particularly creative hackers even create virtual machines on hosts, which they use as a springboard for data theft, and then delete everything. Such tricks can be unraveled, but the investigation takes significantly longer.
The types of malware used by hackers also influence the progress of work. While a typical Cobalt Strike sample with non-obfuscated code can be quickly taken apart with a single script, this will not work with custom malware. It is highly likely that you will need to write some kind of automation in Python and use additional utilities for analysis.
3. Client maturity
The higher it is, the more information security tools operate in the client’s digital infrastructure. Having SIEM and EDR solutions in place makes it much easier to collect incident data. Sometimes it all literally comes down to queries to the SIEM for different event types, time ranges and specific hosts. Such systems usually have their own cold storage, which keeps even those logs that have long since been rotated out of the OS logs. Directly in the web interface, you can look at records for the last month, two or three and quickly reconstruct the picture of what happened.
The opposite situation is also not uncommon, when there are no information security tools in the client infrastructure, and on top of that the investigation starts a month after the incident due to red tape. To collect information, you need to comb each host separately, then transfer and unpack the received data.
And now we are able to identify the device on which the leak most likely occurred. Only this is never “Bingo!”, since all the necessary logs have already disappeared. There is no backup provided, and there is no cold storage either. It is only clear that there was illegitimate activity here, and it is no longer possible to find out from which server or host the cybercriminal came.
Along with purely technical issues, there is also an organizational aspect determined by the maturity of the client. The system administrator went on vacation, the IT director went on a business trip, and without their “autograph,” forensic scientists have no way to gain access to the necessary hosts. Time passes, the logs disappear. Then we quote the words of Alice the Fox to the client: “You are your own enemy!” We try to explain the consequences of delay and speed up the process. But it doesn’t always work out.
Key Takeaways and Tips
Let’s summarize all of the above. At the same time, we will give some advice to decision makers who are looking for contractors to investigate incidents, and to various IT specialists with a professional interest in this area.
If you are a decision maker and are looking for a contractor to investigate incidents
- Set the right goals for the response team: understand the sequence of the incident, identify entry points for cybercriminals, and develop measures to protect the network. Limiting yourself to only restoring files encrypted by ransomware is a half-measure and is not always technically feasible.
- Try to speed up approvals and eliminate legal obstacles so as not to delay the start of the investigation. Sometimes it is worth starting to collect information immediately, even before signing the contract. Minimize the number of administrative barriers for forensic scientists at all stages of the response.
- Soberly assess your level of maturity (availability of information security tools, approval procedures, etc.) and keep in mind that the timing and results of the investigation may depend on this.
- Be prepared that forensic experts will need the help of your administrators. Only they will be able to collect the most complete information on the actions of employees.
If you are an IT specialist and are thinking about changing your profile
- Don’t expect to be able to act solely according to ready-made templates. All available methods are approximate and are not the “ultimate truth”. You will often have to be “creative” depending on the type and complexity of the attack, the maturity of the client and a host of other circumstances.
- This is not only technical work, but also an investigation in the full sense of the word. Here you cannot do without logical thinking, deduction, attention to the smallest details, building hypotheses, etc.
- Automated tools help, but they are not a magic wand. Much will still have to be done manually.
- Programming skills can be useful in investigating cyber attacks, for example, to write a quick-and-dirty utility for data analysis.
- Constantly study threat intelligence databases. Information from them allows you to correctly navigate the attack and go in the right direction, even if the analysis did not yield anything.
- Better stock up on patience and calm. The hypotheses put forward are not always confirmed, and sometimes the investigation even moves in circles.
- It is important not only to understand what happened, but also to advise the client on measures to prevent similar incidents in the future. During the investigation, you will have to notice the slightest “gaps” in the network and think through how to close them.
- A forensic scientist and a virus analyst are two different specialists. And yet, it wouldn’t hurt for them to have at least the most general understanding of each other’s working tools and techniques. This way the interaction will be more effective.