Incident Detection, Response, and Forensics: The Basics

Richard Bejtlich on how to build an effective cyber incident detection and response mechanism in your organization.

By Richard Bejtlich

Page 4

The question of who pulls the plug, and when it could happen, is also paramount in 2008. Most important systems run in data centers built for uptime and redundancy. Pulling the plug isn't a normal operation, and even getting to the server in question can be an adventure. Furthermore, few asset owners would consent to having their money-making systems abruptly removed from operation. Some managers are willing to tolerate compromise because losing a production host is considered the greater risk (never mind that hacker -- we need to make money!).

Given these realities, incident response in 2008 is now a different animal. Often a system suspected of being compromised is on another continent, in the hands of a user who may not even speak the same language as the security team. Hard drives are routinely 80-160GB on laptops and more than 500GB on servers, with storage area networks and related systems easily exceeding any investigator's ability to duplicate. With such huge volumes of data to analyze, it makes more sense to concentrate on the 4GB of virtual memory present on 32-bit systems.

Incident responders are increasingly relying on live response, or the collection and analysis of system RAM for indicators of compromise. Live response activities have been used for the last eight to ten years by professional investigators in high-end cases, but modern realities are forcing most security pros to add the techniques to their repertoire. Current tools usually push an agent or executable to a remote system, capture or parse memory, and communicate the results to a central location. There an expert human or, in some cases, a series of programs reviews the evidence for signs of malware or unusual activity.
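What the "series of programs" at the central location might do with an agent's results, as an added example that is not from the article or any particular live-response product: the agent has already collected volatile data (running processes and network connections) from a remote host and returned it as JSON, and this script reviews the snapshot against a few indicators before a human looks at it. The snapshot layout, host name, process list and indicator values are all constructed for the example.

```python
"""Central review of a live-response snapshot for indicators of compromise.

Added example, not from the article or any particular live-response
product: an agent has already collected volatile data (process list and
network connections) from a remote host and sent it back as JSON. This
script is the "series of programs" step that reviews it before a human
does. The snapshot layout, host name and indicator values are constructed.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed snapshot, shaped like what a collection agent might report.
SNAPSHOT_JSON = json.dumps({
    "host": "ws-0042.example.internal",
    "processes": [
        {"pid": 412, "ppid": 380, "name": "svchost.exe",
         "path": "C:\\Windows\\System32\\svchost.exe"},
        {"pid": 1988, "ppid": 900, "name": "winword.exe",
         "path": "C:\\Program Files\\Microsoft Office\\winword.exe"},
        {"pid": 2271, "ppid": 1988, "name": "svchost.exe",
         "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    ],
    "connections": [
        {"pid": 412, "raddr": "10.1.0.5", "rport": 445, "state": "ESTABLISHED"},
        {"pid": 2271, "raddr": "198.51.100.23", "rport": 4444, "state": "ESTABLISHED"},
    ],
})

# Constructed indicators; 198.51.100.0/24 is RFC 5737 documentation space.
KNOWN_BAD_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SUSPICIOUS_REMOTE_PORTS = {4444}
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\temp\\", "/tmp/", "/dev/shm/")
# Names that should only ever run from one location on the platform.
EXPECTED_PATHS = {"svchost.exe": "c:\\windows\\system32\\svchost.exe"}
# Document-handling parents that should not normally spawn system binaries.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def review_snapshot(snapshot_json: str) -> List[Dict]:
    """Return one finding per matched indicator, each tied to a pid."""
    snap = json.loads(snapshot_json)
    by_pid = {p["pid"]: p for p in snap["processes"]}
    findings: List[Dict] = []

    def flag(pid: int, reason: str, detail: str) -> None:
        findings.append({"host": snap["host"], "pid": pid,
                         "reason": reason, "detail": detail})

    for p in snap["processes"]:
        name, path = p["name"].lower(), p["path"].lower()
        expected = EXPECTED_PATHS.get(name)
        if expected and path != expected:
            flag(p["pid"], "masquerading_system_binary", p["path"])
        if any(hint in path for hint in USER_WRITABLE_HINTS):
            flag(p["pid"], "executable_in_user_writable_path", p["path"])
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"].lower() in DOCUMENT_APPS:
            flag(p["pid"], "spawned_by_document_app", parent["name"])

    for c in snap["connections"]:
        remote = ipaddress.ip_address(c["raddr"])
        if any(remote in net for net in KNOWN_BAD_NETS):
            flag(c["pid"], "connection_to_known_bad_network", c["raddr"])
        if c["rport"] in SUSPICIOUS_REMOTE_PORTS:
            flag(c["pid"], "suspicious_remote_port", str(c["rport"]))
    return findings


def suspect_pids(findings: List[Dict]) -> List[int]:
    """Distinct pids with at least one finding, most findings first."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f["pid"]] = counts.get(f["pid"], 0) + 1
    return sorted(counts, key=lambda pid: (-counts[pid], pid))


if __name__ == "__main__":
    for f in review_snapshot(SNAPSHOT_JSON):
        print(f"{f['host']} pid={f['pid']:<6} {f['reason']:<38} {f['detail']}")
```

Each indicator is deliberately weak on its own (a system binary name in a temp directory, a document application as parent, a connection into a known-bad range); the value of the central review is that several of them land on the same pid, which is what the analyst is handed first. Against the constructed snapshot, pid 2271 collects all five findings and the legitimate processes collect none.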

In addition to remote retrieval and analysis of memory, incident responders and forensic investigators are trying to avoid duplicating the entire hard drive of target computers. Increasingly, it is simply not technically possible or cost effective to do so. Judges, agents, and investigators who were taught that only a "bit for bit copy" was a "forensically sound copy" will have to wake up to the expansive nature of today's digital environment. Why copy a 2-terabyte RAID array on a server if cursory analysis reveals that a small set of files provides all of the necessary evidence to make a sound case? Expect greater use of "remote previews" during incident response and selective retrieval of important files for forensic analysis.

In addition to focusing on just the material that matters, modern incident response and forensic processes are more rapid and effective than historical methods. When hard drives were 40MB in size, it was feasible for a moderately skilled investigator to examine all of the relevant data fairly thoroughly for signs of wrongdoing. With today's volume of malicious activity, hard drive sizes, and efforts to evade investigators (counter- and anti-forensics, for example), live response combined with selective retrieval and review is a powerful technique.
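The "remote preview" followed by selective retrieval described above, as an added example that is not part of the article: the preview walks a file tree and records path, size, modification time and a SHA-256 hash without copying anything; the analyst selects a subset (here, files modified in the last week); only those files are copied, with timestamps preserved, and the copies are re-hashed against the preview so the acquisition can be shown to match what was seen on the host. The sample tree, the selection rule and the evidence directory layout are constructed for the example.

```python
"""Remote preview and selective file acquisition with an integrity manifest.

Added example (not from the article): record metadata and hashes for a
whole tree without copying it, retrieve only the files an analyst selects,
and verify each copy against the hash taken during the preview. The sample
tree built by build_sample_tree() is constructed for this example.
"""
import hashlib
import os
import shutil
import tempfile
import time
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preview(root: str) -> List[Dict]:
    """Walk the tree and record path, size, mtime and hash; nothing is copied."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records.append({"relpath": rel, "size": st.st_size,
                            "mtime": st.st_mtime, "sha256": sha256_file(full)})
    return sorted(records, key=lambda r: r["relpath"])


def select_recent(records: List[Dict], since: float) -> List[Dict]:
    """Constructed selection rule: files modified at or after `since`."""
    return [r for r in records if r["mtime"] >= since]


def acquire(root: str, selected: List[Dict], dest: str) -> List[Dict]:
    """Copy selected files (preserving timestamps) and re-hash each copy."""
    manifest = []
    for r in selected:
        src = os.path.join(root, *r["relpath"].split("/"))
        dst = os.path.join(dest, *r["relpath"].split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # copy2 carries the source mtime across
        manifest.append({**r, "acquired_sha256": sha256_file(dst),
                         "acquired_at": time.time()})
    return manifest


def verify(manifest: List[Dict]) -> bool:
    """True only if every copy hashes to what the preview recorded."""
    return all(m["sha256"] == m["acquired_sha256"] for m in manifest)


def build_sample_tree(root: str) -> None:
    """Constructed sample: one old config file and two recently modified files."""
    now = time.time()
    files = {
        "etc/app.conf": (b"listen=8080\n", now - 400 * 86400),
        "var/log/auth.log": (b"constructed log line\n", now - 3600),
        "tmp/.x/run.sh": (b"# constructed sample\n", now - 600),
    }
    for rel, (data, mtime) in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, (mtime, mtime))


def demo() -> Dict:
    """Run preview, selection, acquisition and verification on the sample tree."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "host")
        dest = os.path.join(work, "evidence")
        build_sample_tree(root)
        listing = preview(root)
        chosen = select_recent(listing, time.time() - 7 * 86400)
        manifest = acquire(root, chosen, dest)
        return {"previewed": len(listing),
                "acquired": sorted(m["relpath"] for m in manifest),
                "verified": verify(manifest)}


if __name__ == "__main__":
    print(demo())
```

The preview hash is taken on the host before anything is retrieved, so a mismatch in verify() means the file changed between preview and acquisition (or the copy is damaged), which is exactly the question a "bit for bit" advocate will ask about a selective retrieval. The manifest, with both hashes and the acquisition time, is what accompanies the files into the case record.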
