The proliferation of hybrid and multi-cloud environments, the fast uptake of SaaS-based applications, advent of the metaverse and positive feelings about remote work has led to a paradigm shift in the way organizations serve their customers. At the same time, it has also expanded the attack surface in a world where cyber adversaries have upped their game. With almost everything going digital, work has become riskier.
Such a climate warrants organizations to invest in cybersecurity defense mechanisms that give weightage to both digital forensics and automated incident response. While effective digital forensics enables organizations to investigate and get to the root cause of a problem, automated incident response helps mitigate the problem as quickly as possible.
Drilling down into the details with a digital forensic analysis
Imagine a scenario where an attacker has compromised a user’s account from a remote location by exploiting a vulnerability in the remote desktop protocol (RDP) connection. The attacker then “lives-off-the-land” by using PowerShell cmdlets, and conducts a domain reconnaissance. They find out important details about the domain such as the names of security groups and organizational units, and the members within these. They also find out the names of network file shares and backup folders, and the password policy that is in effect. They do this, not at a fast pace, but by lying low and taking their time, so as not to arouse any suspicion. Then they escalate privileges and move laterally, finding their way into the organization’s cloud environment. And once they are here, they launch a ransomware attack.
This is just one example of the numerous ways by which an attacker’s nefarious designs gets executed. An organization’s security analytics platform or SIEM solution should ideally be able to link these events together, conclude that this sequence of events is malicious, and alert the security team even though the attacker has taken efforts to minimize suspicion. It should be able to do this using capabilities such as advanced event correlation and anomaly detection, a.k.a user and entity behavior analytics that analyze events that occur in different parts of a hybrid network in real time. The security team can then use digital forensics to understand what really happened and recommend a permanent solution.
For effective digital forensics, the security team should first be able to view all the events from across the network for a specified time range, at one place. They should then be able to write queries connected to the alert they received to drill down to the root cause. Or better yet, they should be able to drill-down using click-based search which allows them to click on the “event message” or any variable contained within. For example, the image below could be an event that is logged:
If the security analyst wants to know all the activities performed by the user called Localuser within that same tie range, they would simply click on Localuser. However, if they want a list of all users who triggered events during the time range, they would click in Username. Please note that this is just an example; the way forensics works in different solutions will be different.
With the use of queries or click-based search, the security analyst can ultimately get to the root cause of the problem. For example, they may finally find out the IP address, the host and the process that were involved in the malicious initial access. They will also be able to build a complete time line of the attack kill chain, and recommend a feasible policy change for better defense.
Atomated incident response to the rescue
Automated incident response allows organizations to mitigate possible attacks quickly. The security analytics platform or SIEM solution should send an alert as soon as the tell-tale signs are noticed. At the same time, it should also be able to execute response actions automatically. These automatic response actions should be executed simultaneously as the security analyst performs the forensics analysis. This way, the first response is immediate and the attack can be contained.
For automated incident response to be effective, the security analyst should be able to associate alerts with predefined or custom response workflows. For example, they could have created a workflow to log off and disable a user, and then isolate the machine that were all involved in the alert. As soon as the alert is triggered, this set of response actions will be performed. Besides this, several alerts can be automatically combined into one incident through an incident rule, and a particular security analyst can be automatically assigned to resolve it.
Effective incident response also means that there should be a provision for the SIEM solution to send the generated alerts as service tickets to a ticketing solution, through an integration. The alerts can then be worked on and resolved from within the ticketing solution. This will lead to even more streamlined incident response.
Streamlining digital forensics and automated incident response is critical for organizations that want to improve their security maturity. It will also help with improve analyst experience and enable the security team to make better decisions.