DFIR (digital forensics and incident response) is the process of collecting digital forensic evidence, hunting for suspicious activity, and continuously monitoring endpoint events. Going a bit more in-depth, security expert Scott J. Roberts defines DFIR as "a multidisciplinary profession that focuses on identifying, investigating, and remediating computer-network exploitation."
From a process standpoint, an incident response and investigation plan that leverages comprehensive forensics will include responsibilities such as investigation, analysis management, threat detection, communications, and documentation of findings.
Subsequent remediation and cleanup typically includes removing attacker remote-access capabilities, restoring prioritized business processes and systems, and securing compromised user accounts.
Within those processes are the following key components of a DFIR framework:
Within the larger framework of cybersecurity practices, DFIR serves to obtain a finely detailed look at how a breach occurred and the specific steps it will take to remediate that particular incident. Let’s dive deeper into the separate functions that make up a holistic DFIR practice.
Detecting compromised users affected by a breach is the first step to gaining visibility into what occurred and crafting a timely response to ensure attackers are purged from the network, the breach contained and fixed, and any remaining exploitable vulnerabilities remediated. From there, a thoughtful investigation can take place, one that can identify evolving attacker behavior and more accurately spot it in the future.
An investigation into a specific breach is never going to look like the investigation that came before it. It’s imperative to customize a situational approach to a threat, whether that threat is impending or has already taken place. When launching an investigation, a security team might perform data analysis on the affected asset(s), acquiring browser-history artifacts, event logs, files from directories, and registry hives.
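One practical detail of the acquisition step described above is that every artifact pulled from an affected asset should be hashed at collection time, so that what is later analyzed can be shown to be what was collected. The following is an added example, not code from the original page or from any vendor tooling; it builds a small set of constructed stand-in artifacts (the file names mimic a browser history database, an exported event log and a registry hive, but the contents are placeholders), writes a chain-of-custody manifest with SHA-256 hashes, and re-verifies the files against that manifest. The case id and collector name are hypothetical values.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-ins for artifacts a responder would acquire from an endpoint.
# The names mirror real artifact types; the contents are placeholders only.
SAMPLE_ARTIFACTS = {
    "browser/History": b"placeholder for a browser history database\n",
    "logs/Security.evtx": b"placeholder for an exported Windows event log\n",
    "registry/NTUSER.DAT": b"placeholder for a user registry hive\n",
}


def make_sample_artifacts(root: Path) -> list:
    """Write the constructed artifacts under root and return their paths."""
    paths = []
    for rel, data in SAMPLE_ARTIFACTS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        paths.append(p)
    return paths


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large hives and logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_artifacts(paths, case_id: str, collector: str) -> dict:
    """Record size, modification time and hash of each artifact at acquisition time."""
    entries = []
    for p in paths:
        st = p.stat()
        entries.append({
            "path": str(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(p),
        })
    return {
        "case_id": case_id,          # hypothetical case identifier
        "collector": collector,      # hypothetical analyst name
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }


def verify_manifest(manifest: dict) -> list:
    """Re-hash every artifact; return the paths that are missing or no longer match."""
    mismatches = []
    for entry in manifest["artifacts"]:
        p = Path(entry["path"])
        if not p.exists() or sha256_of(p) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def write_manifest(manifest: dict, out: Path) -> None:
    out.write_text(json.dumps(manifest, indent=2))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        paths = make_sample_artifacts(root)
        manifest = collect_artifacts(paths, case_id="CASE-0001", collector="analyst")
        write_manifest(manifest, root / "manifest.json")
        print("mismatches after collection:", verify_manifest(manifest))
        # Simulate an artifact being altered after acquisition.
        (root / "browser" / "History").write_bytes(b"altered")
        print("mismatches after tampering:", verify_manifest(manifest))
```

The manifest should be stored separately from the evidence copy; if the two are kept together, whoever can alter the artifact can alter the record of its hash as well.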
The most critical step in gathering threat intelligence is ensuring the data are tailored to each and every function in a security organization. Once put into practice, the intelligence cycle will produce results by collecting, analyzing, and disseminating to relevant stakeholders in the organization. This process presupposes a heavy emphasis on automated analysis that can quickly search through data and surface relevant insights.
In the analysis of potential malware on a network, a security team would submit a suspicious sample, run it through a chain of analyzers, and then classify the threat based on risk score. This can help to prioritize the situation. Is it something that needs immediate attention or can it wait? In this analysis period, reverse engineering malware can help teams find the best way to understand its ultimate target and quickly eradicate it.
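The analyzer chain and risk score just described can be sketched concretely. The block below is an added example, not code from the original page or from any product it mentions; it runs three constructed samples (a plain text file, a sample with injection-related API names and a high-entropy body, and one whose hash sits on a constructed blocklist) through a chain of independent analyzers, sums their scores, and maps the total to a triage priority. The indicator list, score weights and priority thresholds are assumptions chosen for illustration, not values from the page.

```python
import hashlib
import math
import random
import re
from collections import Counter

# Constructed samples. The "suspicious" one carries API names commonly seen in
# process-injection code plus a random body, as a packer would leave behind.
BENIGN_SAMPLE = b"Quarterly report: all systems nominal.\n" * 20
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00"
    + b"CreateRemoteThread\x00VirtualAllocEx\x00http://example.test/beacon\x00"
    + random.Random(1).randbytes(4096)   # deterministic high-entropy filler
)
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed known-bad sample\n"

# Constructed blocklist: in practice this would be a threat-intel hash feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# Assumed indicator list; a real one would be far larger and tuned to the environment.
SUSPICIOUS_INDICATORS = [b"CreateRemoteThread", b"VirtualAllocEx",
                         b"WriteProcessMemory", b"http://"]


def hash_analyzer(data: bytes):
    """Exact-match lookup against the known-bad hash set."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return 60, f"sha256 {digest[:12]}... matches known-bad list"
    return 0, None


def strings_analyzer(data: bytes):
    """Pull printable runs of 6+ bytes and look for indicator substrings (capped at 30 points)."""
    strings = re.findall(rb"[\x20-\x7e]{6,}", data)
    hits = [i.decode() for i in SUSPICIOUS_INDICATORS if any(i in s for s in strings)]
    score = min(10 * len(hits), 30)
    return score, (f"suspicious strings: {', '.join(hits)}" if hits else None)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 suggests packed or encrypted content."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_analyzer(data: bytes):
    ent = shannon_entropy(data)
    if ent > 7.2:
        return 20, f"high entropy ({ent:.2f} bits/byte), possibly packed or encrypted"
    return 0, None


ANALYZER_CHAIN = [hash_analyzer, strings_analyzer, entropy_analyzer]


def classify(score: int) -> str:
    """Assumed thresholds: 60+ needs immediate attention, 30+ goes to an analyst queue."""
    if score >= 60:
        return "immediate"
    if score >= 30:
        return "review"
    return "low"


def triage(data: bytes) -> dict:
    findings, total = [], 0
    for analyzer in ANALYZER_CHAIN:
        score, finding = analyzer(data)
        total += score
        if finding:
            findings.append(f"{analyzer.__name__}: {finding}")
    return {"sha256": hashlib.sha256(data).hexdigest(), "score": total,
            "priority": classify(total), "findings": findings}


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE),
                         ("known-bad", KNOWN_BAD_SAMPLE)]:
        result = triage(sample)
        print(f"{name:10s} score={result['score']:3d} priority={result['priority']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Keeping each analyzer independent is what lets the chain answer the "immediate or can it wait?" question consistently: a hash hit alone is enough to escalate, while string and entropy signals only reach the analyst queue until corroborated.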
Once a breach has been fully scoped and the affected assets, applications, and users have been contained, a security operations center (SOC) will launch a predetermined plan to restore normal business operating processes. Documentation is key to disaster planning so teams can understand the various components of the backup system. Maintaining an automated, offline backup can further help the process of recovering from a malware attack.
Digital forensics is used in incident response by being embedded in the response process itself. As every security professional knows, it’s not enough to respond to incidents and fix the issue; you have to know exactly what happened and how it happened, so that systems can be calibrated for that attack path and surface customized alerts the next time that behavior is spotted.
If someone were to ask, “what is digital forensics?”, we would more pointedly want to have a discussion on multi-system forensics (briefly mentioned above). That is, the ability to monitor and query critical systems and asset types all along a network for indications of suspicious behavior. Let’s take a more granular look into what that process entails:
Digital forensics should enable threat responders and hunters to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. The practice can also be used to create continuous monitoring rules on an endpoint as well as automate server tasks. Specific use cases can include:
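A continuous monitoring rule of the kind mentioned above is, at its simplest, a predicate evaluated against each endpoint event as it arrives, sometimes with a little state carried between events. The following is an added example, not code from the original page or from any endpoint product; it feeds a handful of constructed process-start and failed-logon events (JSON lines, with made-up hostnames, users and timestamps) through three rules and collects the alerts they raise. The rule logic, the process-name lists and the failed-logon threshold are assumptions for illustration.

```python
import json

# Constructed endpoint events in JSON-lines form, standing in for the stream an
# endpoint agent would deliver. Hosts, users, paths and times are invented.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:00:01Z", "host": "ws-17", "user": "jdoe", "event": "process_start", "parent": "explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\winword.exe"}
{"ts": "2024-05-01T09:00:04Z", "host": "ws-17", "user": "jdoe", "event": "process_start", "parent": "winword.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2024-05-01T09:00:09Z", "host": "ws-17", "user": "jdoe", "event": "process_start", "parent": "powershell.exe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"}
{"ts": "2024-05-01T09:01:00Z", "host": "ws-22", "user": "svc_backup", "event": "process_start", "parent": "services.exe", "image": "C:\\Program Files\\Backup\\agent.exe"}
{"ts": "2024-05-01T09:02:00Z", "host": "ws-17", "user": "jdoe", "event": "logon_failed", "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T09:02:03Z", "host": "ws-17", "user": "jdoe", "event": "logon_failed", "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T09:02:07Z", "host": "ws-17", "user": "jdoe", "event": "logon_failed", "src_ip": "10.0.0.5"}
"""

# Assumed process-name lists; a production rule set would be broader and tuned.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
FAILED_LOGON_THRESHOLD = 3  # assumed threshold for the stateful rule


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_spawns_shell(ev, state):
    """Stateless rule: an Office application starting a scripting shell."""
    if ev.get("event") != "process_start":
        return None
    if basename(ev.get("parent", "")) in OFFICE_APPS and basename(ev.get("image", "")) in SHELLS:
        return f"{basename(ev['parent'])} spawned {basename(ev['image'])}"
    return None


def rule_exec_from_temp(ev, state):
    """Stateless rule: a process image located in the user's temp directory."""
    if ev.get("event") != "process_start":
        return None
    if "\\appdata\\local\\temp\\" in ev.get("image", "").lower():
        return f"process started from user temp directory: {ev['image']}"
    return None


def rule_repeated_failed_logons(ev, state):
    """Stateful rule: count failed logons per (host, user) and fire once at the threshold."""
    if ev.get("event") != "logon_failed":
        return None
    key = (ev.get("host"), ev.get("user"))
    state[key] = state.get(key, 0) + 1
    if state[key] == FAILED_LOGON_THRESHOLD:
        return f"{state[key]} failed logons for {key[1]} on {key[0]}"
    return None


RULES = [rule_office_spawns_shell, rule_exec_from_temp, rule_repeated_failed_logons]


def evaluate(lines) -> list:
    """Run every rule over every event; each rule keeps its own state dictionary."""
    state = {rule.__name__: {} for rule in RULES}
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            detail = rule(ev, state[rule.__name__])
            if detail:
                alerts.append({"rule": rule.__name__, "ts": ev.get("ts"),
                               "host": ev.get("host"), "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['ts']} {alert['host']} [{alert['rule']}] {alert['detail']}")
```

The same rule functions can be run over a historical export to hunt retrospectively or attached to a live event stream to monitor continuously; only the source of the lines changes.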
DFIR is a critical tool in a cybersecurity program because it helps to more accurately and granularly reveal the methodology and path that an attacker is looking to take or has already taken to breach a network.
It’s in the best interest of a business and its security program to go beyond response and calibrate preventive measures to recognize the same or similar behavior in the future.
The benefits of DFIR are impossible to overstate, as the goal of breach investigation is visibility so that security teams can gain insights from what happened and create a stronger program.