Memento Mori.
Forensic Strategies.

IT infrastructures are expanding and becoming more complex, linking almost all the elements that make up the cybersphere. About 7 billion people have become interconnected without the magnitude of the associated risks being taken into account. Unfortunately, many people and entities are already happily using these new territories as routes and as targets, sometimes reminding us in the chaos that human creations carry within themselves the seeds of their own destruction. The survival instinct specific to living entities will push the best-adapted structures to protect themselves, aiming at resilience. But when certain cybersecurity incidents occur, it is necessary to act, and sometimes to assess a crisis situation, quickly and effectively. We have to protect ourselves, get organized and limit our area of exposure, but also humbly recognize the risk of intrusion and prepare for the post-mortem with a forensic strategy.

The Need for Effective Instrumentation

Experience shows that in the event of a cybersecurity incident, it is very useful to have tools to verify a situation and to regain remote areas occupied by aggressors. Imagine the network of a large structure, with several thousand machines, heterogeneous in terms of applications and systems and spread over different sites or even countries.

In such a situation, when a technical doubt arises, the analysis is so complex that delays are inevitable. Each delay adds danger at the cybersecurity level and raises concerns at the organizational, technical and even psychological level (stress).

The terms Rapid Intervention Force (RIF), Digital Forensics and Incident Response (DFIR) and many other acronyms and definitions are often employed in these situations. The underlying idea is to be able to intervene quickly, either for “post-mortem” analysis or to eliminate doubt. Many documents and standards already explain how and why to prepare crisis cells, operational centers, intervention teams and so on, but it is often noted that they make no mention of technology. Technology is considered a secondary concern that can be studied later, since the health of the overall organization takes priority. Teams with backpacks and laptops are prepared to go on a defensive mission, but in reality, how long will it take them to reach and cover several remote sites that are in urgent need of real, coordinated action?

The secret to improving this situation lies in unifying strategies and tactics: having plans, but also the means to handle each real case. Infrastructures must then be set up so that incidents can be managed and cyber adversaries fought in a coordinated, global manner.

The Choice of Instrumentation

Cybersecurity companies that manage very large volumes of events for international infrastructures prefer remote analysis tools, coupled with traceability (logging and evidence-retention) elements.

While some choose network-level intrusion detection probes, others have decided to get as close as possible to their enemies by instrumenting the operating systems themselves. Close combat then becomes possible: the defender meets the attacker on the endpoint, and defensive sessions can turn into forceful counter-actions against the intruder.

Attackers can take several forms: humans with illicit remote access, more or less autonomous offensive software, or, frequently, a combination of the two. Their malicious actions can span every phase of an attack, from target reconnaissance to the final operation.

In recent years, the trend has been moving towards a term that carries more weight than the others on this topic: EDR, or Endpoint Detection and Response. EDRs are agents deployed in the field for defensive reasons. Their mission includes in particular:

  • Detecting and neutralizing malicious behavior, such as blocking ransomware or shutting down stealthy, previously unknown backdoors,
  • Tracking and tracing as many useful elements as possible and forwarding them to a defensive command center, such as a SIEM receiving workstation logs, so that valuable evidence is not lost,
  • Qualifying the level of potential exposure, such as identifying local vulnerabilities on each system,
  • And finally, enabling many types of remote investigation, possibly accompanied by countermeasure actions.

Video :  “TEHTRIS EDR” Console / Remote autopsy follow-up (process, disk, etc)

The Use of the Right Instruments

Let’s take the example of a heterogeneous and geographically dispersed computer population. Is it necessary to finance projects to have people available 24/7 to travel to different sites that could be more than 500 or even 5,000 miles away? Or, another way of operating, should we use the advanced functionalities of an EDR, so that a SOC/CSIRT expert can work remotely?

In this case, the EDR agent becomes, in a sense, the avatar of the cyber guardian, who can then carry out the fight remotely. And when such an agent also has autonomous or semi-autonomous components, we approach the notion of Smart Sensors, which is well known, for example, in the Industry 4.0 world.

Indeed, with a sufficiently effective EDR agent, a well-trained or experienced SOC/CSIRT team can carry out many actions remotely, such as:

  • Launching forensics on several potentially hacked systems,
  • Gathering evidence of compromise quickly and using it to find all the other potentially “contaminated” machines,
  • Sharing technical elements and evidence with colleagues, through tickets or in associated databases, from which other IoC-oriented tools (Indicators of Compromise) can detect and remove these same attacks elsewhere,
  • And finally, containing the aggression by launching technical countermeasures: isolation of compromised equipment, identification of all machines linked to the aggression, remote treatment to clean or limit faults and intrusive elements, detection of lateral movement, etc.
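As an added illustration (not TEHTRIS code, and not a description of the TEHTRIS EDR's internals), the following Python sketch carries out the remote workflow listed above, which also exercises the tracing and response missions listed for an EDR earlier on this page: derive indicators from one known-compromised workstation, hunt for them across every other endpoint's telemetry, correlate an outbound SMB connection with a remote-execution spawn on its target to flag lateral movement, and produce the list of machines to isolate. The JSON-lines telemetry, the field names (host, ts, event, proc, parent, sha256, dst_ip, dst_port) and the asset inventory are constructed assumptions about what an EDR agent forwards to a SIEM.

```python
"""Fleet-wide IoC sweep and lateral-movement correlation over EDR-style telemetry.

Added example: the telemetry, field names and inventory below are constructed,
not output from any real agent.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines telemetry, as an EDR agent might forward it to a SIEM.
TELEMETRY = """
{"host": "ws-paris-01", "ts": "2021-03-02T08:00:00", "event": "process", "proc": "outlook.exe", "parent": "explorer.exe", "sha256": "aaa1"}
{"host": "ws-paris-01", "ts": "2021-03-02T08:01:10", "event": "process", "proc": "winword.exe", "parent": "outlook.exe", "sha256": "bbb2"}
{"host": "ws-paris-01", "ts": "2021-03-02T08:01:30", "event": "process", "proc": "powershell.exe", "parent": "winword.exe", "sha256": "ccc3"}
{"host": "ws-paris-01", "ts": "2021-03-02T08:01:35", "event": "process", "proc": "update.exe", "parent": "powershell.exe", "sha256": "deadbeef"}
{"host": "ws-paris-01", "ts": "2021-03-02T08:02:00", "event": "network", "proc": "update.exe", "dst_ip": "203.0.113.7", "dst_port": 443}
{"host": "ws-paris-01", "ts": "2021-03-02T08:10:00", "event": "network", "proc": "update.exe", "dst_ip": "10.1.2.20", "dst_port": 445}
{"host": "srv-lyon-02", "ts": "2021-03-02T08:10:12", "event": "process", "proc": "svchost.exe", "parent": "services.exe", "sha256": "ddd4"}
{"host": "srv-lyon-02", "ts": "2021-03-02T08:10:20", "event": "process", "proc": "update.exe", "parent": "wmiprvse.exe", "sha256": "deadbeef"}
{"host": "ws-tokyo-03", "ts": "2021-03-02T08:30:00", "event": "network", "proc": "chrome.exe", "dst_ip": "203.0.113.7", "dst_port": 443}
{"host": "ws-tokyo-04", "ts": "2021-03-02T09:00:00", "event": "process", "proc": "notepad.exe", "parent": "explorer.exe", "sha256": "eee5"}
"""
HOST_IPS = {"srv-lyon-02": "10.1.2.20"}  # constructed asset inventory (hostname -> IP)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "wsmprovhost.exe"}  # hosts of remote execution
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}
# Explicit RFC 1918 check: ipaddress.is_private also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def extract_iocs(events, host):
    """Derive indicators from one known-compromised host.

    The root of the malicious tree is an Office application spawning a script host;
    every process spawned underneath it is treated as attacker-controlled.
    """
    procs = [e for e in events if e["host"] == host and e["event"] == "process"]
    children = defaultdict(list)
    for e in procs:
        children[e["parent"]].append(e)
    queue = [e for e in procs if e["parent"] in OFFICE_APPS and e["proc"] in SCRIPT_HOSTS]
    tree = []
    while queue:
        e = queue.pop()
        tree.append(e)
        queue.extend(children[e["proc"]])  # walk descendants by parent name
    names = {e["proc"] for e in tree}
    iocs = {"hashes": set(), "c2_ips": set(), "internal_targets": set()}
    for e in tree:
        if e["proc"] not in SCRIPT_HOSTS:  # dropped binaries, not living-off-the-land tools
            iocs["hashes"].add(e["sha256"])
    for e in events:
        if e["host"] != host or e["event"] != "network" or e["proc"] not in names:
            continue
        if is_internal(e["dst_ip"]):
            if e["dst_port"] in LATERAL_PORTS:
                iocs["internal_targets"].add((e["ts"], e["dst_ip"]))
        else:
            iocs["c2_ips"].add(e["dst_ip"])
    return iocs


def sweep(events, iocs, patient_zero):
    """Hunt for the same indicators on every other endpoint."""
    hits = defaultdict(set)
    for e in events:
        if e["host"] == patient_zero:
            continue
        if e["event"] == "process" and e["sha256"] in iocs["hashes"]:
            hits[e["host"]].add(f"hash:{e['sha256']}")
        elif e["event"] == "network" and e["dst_ip"] in iocs["c2_ips"]:
            hits[e["host"]].add(f"c2:{e['dst_ip']}")
    return dict(hits)


def lateral_movement(events, iocs, host_ips, window=timedelta(minutes=5)):
    """Correlate patient zero's admin-port connections with remote-execution spawns on the target."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    moves = []
    for ts, ip in sorted(iocs["internal_targets"]):
        target = ip_to_host.get(ip)
        for e in events:
            if (target and e["host"] == target and e["event"] == "process"
                    and e["parent"] in REMOTE_EXEC_PARENTS and ts <= e["ts"] <= ts + window):
                moves.append((target, e["proc"], e["parent"]))
    return moves


def containment_plan(events, patient_zero, host_ips):
    """Everything a remote responder needs: indicators, fleet hits, lateral moves, isolation list."""
    iocs = extract_iocs(events, patient_zero)
    hits = sweep(events, iocs, patient_zero)
    moves = lateral_movement(events, iocs, host_ips)
    isolate = {patient_zero} | set(hits) | {t for t, _, _ in moves}
    return {"iocs": iocs, "hits": hits, "lateral": moves, "isolate": sorted(isolate)}


if __name__ == "__main__":
    plan = containment_plan(parse_events(TELEMETRY), "ws-paris-01", HOST_IPS)
    for key in ("hits", "lateral", "isolate"):
        print(key, plan[key])
```

The script deliberately excludes script-host hashes (powershell.exe and friends) from the indicator set, since sweeping a fleet for the hash of a legitimate Microsoft binary would flag every machine; only dropped binaries and external destinations are treated as indicators, while internal destinations on administrative ports feed the lateral-movement correlation instead.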

All this exists and is already in production in the many companies that want to limit malicious attacks as much as possible. These companies generally have a willingness to technically manage threats by adding these layers of shielding and incident response to their entire fleet.

It would undoubtedly be better to protect ourselves than to find ourselves planning crisis cells in case of incidents. A very good prevention scheme will stop the largest possible number of attacks, making crisis outbreaks less frequent. Otherwise, the risk of fatigue and organizational breakdown becomes too high.

Moreover, an EDR also generally has defensive capabilities, beyond the incident response aspects. Therefore, if one considers that an EDR is truly effective, it will also be able to do some of the groundwork on its own, 24/7, virtually providing a form of Level 1 action in the ITIL sense.

Thus, not only will the EDR be able to eliminate threats that traditional security solutions miss (viruses, APTs, ransomware and so on that are absent from the signature databases of the moment), but it can also help by automating defensive processes, which, depending on the situation, can lead to savings at the organizational level.

It is therefore understandable that it is better to shield your infrastructure with efficient EDR agents everywhere than to have staff reading log lines 24/7 to provide detection, protection and response. Nevertheless, a strike force would still be needed for specific RIF-type needs, but the overall cost can then be controlled, as these teams will only be deployed in an organized and well-thought-out manner, thanks to an upstream defensive phase (information gathering, preparation, etc.) assisted by an effective EDR.

Conclusion

Memento Mori: with this metaphor, we note that the elements that make up IT infrastructures can nowadays, unfortunately, be easily compromised.

Let’s set up defensive strategies that take into account the daily lives of systems, but also their possible “death” or here “compromise”.

We therefore need solutions capable of detecting, protecting, auditing, monitoring, not forgetting the possibility of repairing, investigating and intervening in the event of a crisis, both remotely and in immediate mode.

All of this is the job of EDR agents, which are sometimes confused with other IT solutions such as EPP (Endpoint Protection Platform), whose focus is prevention rather than investigation and response.

Many entities have already begun to build up their defenses on all or part of their IT infrastructures, and we can bet that this positive desire for true technical security will take over and continuously reduce the number of attackers, in order to contribute to peace on the Internet and to the resilience of all the positive means of the cybersphere.

TEHTRIS EDR is a French solution created by TEHTRIS, which was officially certified by an internationally accredited independent laboratory, with 100% of threats blocked on Windows in 2018, 2019 and 2020.


