If you have not hit by cyberattacks yet, It does not mean it will never happen to you! It’s just a matter of time!
The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; — Sun Tzu
As well quoted by Sun Tzu, it’s all about our readiness, what would you do? Just deploy a tool and wait for alerts? No way! It’s not a task of a tool only, Yes even an AI one, but an expert with the help of tools and rules [ tactic | technique ].
We should proactively and iteratively look for evidence of suspicious or malicious activities in a digital environment. It significantly helps to reduce risks as a proactive approach has many advantages as follows:
1- Shall we keep up the tradition?!
Ideally [and traditionally!], when it comes to incident response and digital forensics, we think of having forensics data acquisition, etc. It is a common practice for in-depth analysis. But… it’s a non-interactive approach with no chance to investigate the entire running system.
Some sophisticated attacks may not leave any trace on harddisk! or it would be a challenge to catch them on forensics images [e.g. Encrypted or file-less attacks].
Besides, we may deal with servers with a massive volume of harddisk in which making forensics images requires a long time and a few packs of popcorn! Sometimes it may not be even practical [e.g. NAS, SANs, large RAID arrays].
On the other hand, the live system analysis provides a better understanding of ongoing events. However, the considerable risk of unintentional changes in system or environment is there, especially during a manual analysis; moreover, the investigation process may not be repeatable as the system state keep changing!
what to do…? it's not about choosing either one of the techniques we need both!
2- Live Analysis: An offer we can’t refuse
System live analysis is a good practice to conduct a light investigation and to have first look at potential incident to determine if any serious issue is there which needs detailed traditional forensics analysis.
Just keep in mind that we should be well trained to conduct the live analysis as unlike working on forensics images we may have only one chance to do it right. Therefore:
- Maintain forensic integrity and Minimize system changes.
- Avoid installing any tools on the target system.
- Avoid copying anything on the target system.
- Validate the publisher of third-party tools.
- Use light tools which require minimum user interaction.
- When its possible record the results for further analysis.
Please Note this write-up series aims to discuss manual system analysis without using automated tools such as EDR.
3- Alice in wonderland!
One of the main factors in a successful investigation is to know what to look for! Otherwise, we get confused as much as Alice was in the wonderland.
Digital Forensics Wonderland: A considerable amount of forensics images [hardsik, RAM, memory cards…], Logs, data, records, etc. that make investigators’ life miserable if they don’t have a proper strategy [sop, cheatsheet, playbooks, and indeed enough expreince] to formulate initial hypothesises.
How to become a master in blue teaming, simple steps that need commitment and effort. Read and practice, keep ourselves updated with the latest techniques, communicate with experts and join professional communities, read and practice [Yes its is essential that’s why I mentioned it twice :)]
We should actively sharpen our skills by understanding the different Techniques, Tactics, and Procedures (TTP) used by cybercriminals, and learn how to look for their traces.
Let's start with two essential concepts that help us to investigate a potential case, Indicators of Compromise and Indicators of Attack.
4- IoC and IoA: Game of Indicators!
Indicators of compromise (IoC) is a forensics artifact left by intruders in systems or network logs that proves some form of malicious/suspicious activity or infection has occurred.
In contrast, Indicators of attack (IoA) is any sign of the beginning of a malicious or suspicious activity that helps us to detect them at early stages or even before they become a successful attack.
IoCs and IoAs can be applied to most of the stages of an attack life cycle, so we should use both!… Ha, wait you said this post is about the proactive hunt! Is looking for IoC-based detection considered active detection!
Let's think a little bit out of the box, IoC-based detection may not look proactive as IoA-based. But when it comes to the full lifecycle of cyberattacks, finding IoCs related to the successful early stages [e.g. initial access and excution] may help to look for the indicators of next potential steps such as privilege escalation, lateral movement, secondary infection, etc. And yes that is considered a proactive hunt to me.
Stay Tuned… we will have more fun in upcoming parts.