A common pattern

While each digital probe is different, they generally follow a common pattern, according to investigators. For public- and private-sector organisations with advanced capabilities, the investigation is usually prompted after the security team discovers a compromise on some part of the network. At this point, the organisation will have some knowledge about the incident, including an idea of where an intruder is on the network and, possibly, an offending IP address.

Through the examination of an infected machine, a forensic team can start to build an intelligence profile of the adversaries. As part of the investigation, malware is often passed to specialists in reverse engineering who can take it apart and determine how it is loaded, where it exists and the mechanism keeping it active. This threat intelligence is then fed back to security operation centers and used to scan for additional compromised machines.

 Investigations play out a little differently at less-resourced firms. Often, these victim organisations don't even know they have been breached and only find out through an external party, such as a technology firm, law enforcement body or government entity, says Mandiant's Merkel.

Most large and midsize businesses have some incident response capabilities, he adds. Few, though, have experience dealing with aggressive, targeted attackers. If not, the organisation may choose to bring in a third-party computer forensic company to aid incident response activities. In such cases, the contracted investigators will likely deploy technologies that increase the ability to observe what's going on.

Hunting for adversaries

Regardless of whether the company has the capabilities in-house or has contracted a third-party, the next step is to go “hunting” for adversaries, Lee says. This involves examining the network for anomalies and using the information gathered to know what to look for.

“We have had situations where the company knows they were dealing with one kind of threat – an APT problem – and we do an investigation and find out that, indeed, they do,” Merkel says. “But, they also have a credit card breach we find by virtue of doing the investigation.”

For this reason, it makes sense to scope out the extent of a compromise before reacting to it, experts say. If just one infected system is cleaned at a time, hackers can react by moving laterally through the network to retain their foothold. Instead, all infected systems should be taken down simultaneously, at which time the security team can improve its organisation's level of protection by deploying additional network defenses, creating blocks for the offending IP addresses, forcing users to change all their passwords and providing user education. “It's a continual process,” Lee says. “It's like weeding a garden. You never win. You try to get the weeds out before they become an issue.”   

This article originally appeared at scmagazineus.com