In order to prepare for and identify a security incident in today’s cyber landscape, it is necessary to gain a thorough understanding of the content and context of the networks and systems you are protecting.
Alerts on possible malicious activities can come in many different forms; security tools, end-users, business partners and third parties such as law enforcement. These various sources require an organization to develop an incident response capability that is prepared to handle all of these inputs and outputs.
It is far too common for organizations to wait until an incident occurs to figure out what to do. All too often this is the beginning of a disaster for the organization and it leads to great losses (financial, reputation, etc.) for an extended period of time.
If a security analyst is alerted of, or suspects a suspicious activity, the common places to begin the investigation are in these following areas:
- Network, e.g. DNS and HTTP logs
- Application, e.g. altered configuration files
- Operating System, e.g. a new registry key entry
These logs and artifacts can be used by the analyst to confirm and reconstruct the incident. The analyst needs only to know where to look, what to look for and then interpret these signals and traces.
Some of the more common behaviors that should be examined during the analysis/response stage include the following:
- Changes to the system (e.g. adapter in promiscuous mode)
- Communication from/to anomalous networks or geographical areas
- File transfers from the system to data storage providers
- Mismatched port and protocol traffic
- Network share created
- Off-hour activities or odd connection durations
- OS Event/System Log files cleared
- Privileges escalation by exploiting flaw or bug in the system (or in an installed application)
- System accounts created, deleted, disabled
- Unexpected rise of activities, e.g. CPU or disk utilization
I have mentioned just few of these threat indicators but they may raise a red flag and lead the investigation beyond the operating system and to other systems in the organization.
An important component to consider is which category of systems can immediately be re-imaged after a forensic acquisition versus those systems that are critical (high value assets) and need a proper deep-dive investigation while still supporting the business.
Quick detection and resolution of security incidents requires continuous analysis and a holistic approach which includes a well thought out and practical IR plan. It must be maintained on an ongoing basis to keep it up to date regarding the current situation in the IT security ecosystem.