Getting the complete picture with in-depth investigation
By Yitzhak (Itzik) Vager, VP Cyber Product Management & Business Development at Verint Systems Ltd., Verint Systems Ltd.
The art of forensics is probably best defined as the use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer forensics runs along much the same lines, with the main difference being the end goal – in the case of cyber security, it’s usually to understand the exact scale of a breach, what damage was done and where.
Accurate and insightful forensics can be invaluable to detection and response – helping piece together the complete storyline of an attack or refuting alerts to lower false positive rates. A strong forensics approach starts with three main vectors – coverage, integration and visibility. Ticking these boxes can be the difference between actually being able to respond to a threat and relative chaos.
Criminal forensics always start with going back to the crime scene to start collecting evidence. The critical thing to notice is that the “crime scene” is often much larger than the store that was robbed – it also includes the thief’s vehicle, the building next door he came in through, and much more.
In our world, this means that forensic analysis must cover the entire range of potential data sources – not just from the endpoint where malware has been found but other endpoints that have been in contact and the network itself. This is the only way to create a complete picture that will accurately show where the threat came from, how it got in, and where it went. Naturally, dissecting every bit and byte of the infected machine is just as important, but in many cases, without mapping out the threat, defenders are left in no man’s land.
Forensic data is almost never isolated. There is never just one clue. In our world, that’s a bit of an understatement – if you can look hard enough, there are usually hundreds of miniscule network and endpoint events that can be traced back to the attack. This makes being able to connect two different “dots” imperative to the task. In practice, it means that using multiple forensic tools can cause quite an issue – in many cases, they won’t speak the same language and their findings will not be able to be used to their full potential and be intelligently cross-referenced. For example, using independent tools for endpoint, server and network can glean a substantial amount of information from each but will leave an overwhelmed analyst needing to delve through thousands of findings that could be seen and used much more efficiently if they had all been designed to live and work together.
Another benefit of integration, especially when paired with automation, is the ability to automatically and continuously initiate additional forensic data collection based on previous forensics or findings.
Forensic findings are somewhat meaningless unless they can be seen. Visibility is essentially the combined result of coverage and integration. Visibility means placing the various pieces of forensic evidence in the exact way that will make the story of the attack clearest to the user. In the cyber domain, malicious incidents are seldom isolated and will almost always contain multiple different events (the initial breach, contacting a command and control server, laterally moving to the target host via a specific network protocol or a USB stick). While interesting and valuable in their own right, they become truly powerful when displayed as a chain of events, narrating the entire attack from start to finish. Not only is this far more informational, it enables the analysts to take the best course of action when responding to the attack.
The Forensic “Time Machine”
Forensics is naturally a big part of investigating a threat, which makes it critical to the action of responding to and mitigating a threat. Forensics drives knowing which devices to isolate, what part of the network is vulnerable and generally what needs to be done to ensure a higher level of safety from now on. But this goes beyond a single investigation.
A key advantage of collecting and storing forensic data is the ability to “go back in time” and re-evaluate past crime scenes as new information comes in. For example, if new alerts or new indicators of compromise come in, correlating this new information with forensics data collected in the past can dramatically change both ongoing and past investigations.
With a strong combination of coverage, integration, and visibility, forensics investigations will be more streamlined, allowing your teams to build the knowledge infrastructure required to prevent and mitigate future attacks.
Yitzhak (Itzik) Vager is VP Cyber Product Management & Business Development at Verint Systems Ltd., Verint Systems Ltd. Verint Threat Protection System automates and orchestrates threat detection, investigation, and forensics.