
Why fast, remote evidence acquisition is critical for improved enterprise Incident Response


A changing work environment

In the last 10 years, the way everyone works has changed irrevocably. This is due to the spread of cloud technologies, BYOD initiatives, Covid-19, and enterprises adapting to the demands for digitization and remote working.

Globally, enterprise companies have continued to embrace digital transformation but some of these impacts are slow to be realized and more difficult to anticipate.

In most modern enterprises standardization has given way to personal preference. The software stack is increasingly fragmented with many different technologies, operating systems, applications, and platforms being used. It's no longer about absolute control but more about giving people the mix of tools they feel most comfortable with.

Most enterprise companies have geographically dispersed offices, from international headquarters to smaller regional offices and again, employees who work from home.

The reality is that enterprise companies experience different kinds of cyber-attacks, at different frequencies and severity levels, almost every day. And the number of attacks is growing.

The demands of running a 24/7 Security Operations Centre (SOC) mean a continuous struggle with a constant stream of alerts and events, whilst DFIR staff also need to examine and respond to a challenging volume of incidents.

Though DFIR staff can solve many of these cases easily and quickly, some incidents simply need more attention to detail and careful examination.

More tools and people aren’t the answer

Traditional incident response and digital forensics methods are not fit for purpose in this new reality of ongoing cyber attacks. Whilst key tasks like taking a disk image remain valuable in certain situations, the approach of investigating and containing all associated devices one by one is no longer a sensible, timely or scalable solution.

Even if all DFIR staff work like superheroes, they generally don't have teleportation powers to move from one incident location to another, the ability to self-duplicate so they can do more things simultaneously, or time-bending powers to shorten data collection and investigation.

Therefore they need to work harder and longer on installation, collection, examination, and reporting activities.

They'll often be required to travel from one location to another or engage external contractors or, worse, people without the right experience in IT or security whose actions might compromise the investigation and response process.

Compromised devices that are off-network or that cannot be remotely investigated due to insufficient tools may need to be physically moved to the location of the DFIR team. In these cases, the investigation of a device sometimes takes days or weeks. In some security incidents, where every second matters, taking days to investigate is simply not acceptable and runs contrary to the expectations of any modern enterprise company.

DFIR professionals generally try to solve incident response and digital investigation-related problems with different commercial and open-source DFIR tools. But, these tools also have issues.

Instead of working like a Swiss army knife, where everything is in one place for all eventualities, these tools resemble a jumble of different solutions.

Many lack central management, remote installation, and standardized outputs; they have limited feature sets, don't support multiple operating systems, and can't investigate multiple devices simultaneously. Generally speaking, it's a mess.

So, DFIR colleagues generally need to install and operate different tools to get the job done. Where possible, they'll try to connect remote machines with the help of remote desktop tools or similar applications - but these have their own inherent challenges.

They usually use one tool for data collection, another for analysis, and another for reporting and response. Using so many tools is inefficient, burning time and resources just when the situation requires the total opposite.

So, whilst DFIR professionals try to solve operational problems with the best tools they can find, the reality is that they're left mixing a cocktail of options that were never designed to work side by side.

The stakes are high

With an ever-increasing volume and variety of devices in the mix, contamination spreads extremely quickly across the increased attack surface.

In these situations, time and resources are the single biggest determiner for successfully containing and investigating incidents.

If the DFIR team can't respond to an incident in time, the financial impact of an incident will typically increase.

Since nearly all businesses integrate their connected IT systems and data, any cyber security incident which affects the confidentiality, integrity, or availability of the data poses a massive reputational threat.

In sectors providing critical infrastructure, the operational impacts of incidents that are poorly responded to can be wide-ranging and systemically damaging.

A vision of best practice

When an incident occurs, no matter how experienced the team is, an atmosphere of urgency tends to arise and Murphy's law comes to mind – what can go wrong will go wrong!

Therefore, experienced, skilled, and highly communicative teammates, well-established processes, and stable and capable software are life savers for the DFIR team in such situations.

Consider a situation where there are 50 endpoints and they’re all in different geographic locations. Let’s imagine we have 5 network and application servers, 1 email server, and 1 directory server, and an unknown number of users are compromised in an enterprise company.

In this scenario, even the collection of the required evidence data is a big issue, and we’re not even talking about how to analyze the data yet.

Since DFIR teams are in a fight against time, they need more agile, fast, and effective methods and tools to manage modern attacks and attackers.

The most important and time-consuming task in digital forensics and incident response activities is usually collecting the required data and presenting it to the DFIR team as quickly and clearly as possible.

So what are the key elements of best practice in this situation?

  • First and foremost we need a capable, smart, skilled, and focused team. We need procedures, incident response plans, communication plans etc. This is all required to keep this great team aligned, together and working effectively.
  • Secondly, and periodically, we need to practice our readiness via some drills, continuous training and exercises.
  • We also need tools that are easy to use, capable, stable, fast, effective, collaborative, and fit with today's cyber security and DFIR requirements like automation, scalability and integration.

The right tools for the IR job

Binalyze AIR is a full-featured DFIR tool. DFIR teams can use Binalyze AIR in their DFIR activities and security operations. The deployment of the management console and related OS agents takes minutes to complete. It’s really that easy to have digital forensics and incident response activities ready to go with AIR.

After the deployment, Binalyze AIR automatically categorizes assets according to their functions, such as SQL Server, Web Server, Domain Controller, Exchange, Active Directory, etc. DFIR teams can also create custom rules to tag assets in their network. We do this because we understand that tagging assets quickly and automatically when you are under fire is a lifesaver.

Your DFIR teams can collect more than 270 different types of evidence for Windows, macOS, Linux, ChromeOS, and VMware in minutes. DFIR teams can use either predefined data acquisition profiles or create and use their own profiles easily.

They can scan assets with YARA and Sigma rules to discover other compromised assets or different threats in their network. Or, use Binalyze AIR’s smart, automated built-in compromise assessment technology DRONE to scan, discover, prioritize, and present a list of suspicious and dangerous evidence. This is super-powerful and enables DFIR teams to create new leads and deepen their investigation in a highly targeted way.

For deeper investigation and remediation, DFIR teams can use our fully-featured, permission-based, secure remote shell called interACT. interACT provides a wide range of CLI commands for file and directory actions, killing and listing processes and services, downloading and uploading files, and OSQuery for detailed investigation and containment activities.

Binalyze AIR also provides a very useful visual Timeline investigation feature that DFIR teams can easily create. These timelines can be built automatically from acquired data, and teams can also tag data or create milestones to solve cases more easily. This is really useful when there’s a need to get granular and add key dates, such as when a new starter gained access to the network or the date when someone left an organization.

Binalyze AIR also provides a wide range of integrations that SOC analysts can use to automate the verification and validation of incidents easily and quickly. They can integrate their SIEM, SOAR, EDR, XDR or any software that can use Web API to make DFIR activities easier and quicker with Binalyze AIR.

When every second matters

So, if fast remote evidence acquisition and improved IR are critical factors in your role, why not sign up for our next webinar, taking place on December 14th at 11am GST?

To reserve your seat, click the link.
