When you start investigating any cybersecurity incident, your first priority is to scope it properly.
In practice, that means identifying every system the attacker interacted with before and during the attack: systems where the attacker placed persistent malware, executed utilities, harvested data, or simply logged in as part of reconnaissance.
In order to gauge the full scope of an incident, ask yourself the following questions:
Q. How did the attacker gain access to the environment?
Q. How did the attacker maintain access to the environment?
Q. How did the attacker move laterally throughout the environment?
Q. What data was stolen from the environment?
Q. What is the impact of the breach on the organization?
Q. Has the breach been contained?
Based on these questions, it is clear that identifying the malware used in a compromise is only one aspect of scoping. Attackers can access systems without placing malware on them, which is common in incidents where data is stolen.
Today, more advanced attackers use malware only to gain an initial foothold in an organization. Once that foothold is established, they shift to legitimate remote-access channels, such as the organization's own virtual private network (VPN).
Attackers have been observed removing all of the backdoors they initially placed in an environment and then relying exclusively on the company's VPN to maintain access.
Likewise, attackers mostly use legitimate credentials to move laterally through the environment and to exfiltrate data from it.
In fact, an attacker can steal all of your sensitive data without installing a single backdoor.
In one incident, the attacker installed only six backdoors in the victim organization's environment, yet accessed more than 600 systems while dumping passwords and searching for sensitive data.
Traditional investigative techniques may involve running multiple antivirus products or rootkit detection utilities, or interacting live with suspect systems.
If you depend solely on those techniques, you can miss the majority of the attacker's activity or, worse, destroy critical evidence that remains on the system.
To determine the full extent of a compromise, you must therefore analyze both the systems with evidence of malware and the systems the attacker merely accessed. That means focusing on the non-malware evidence attackers leave behind, such as a logon to the system, the files the attacker accessed, or the folders the attacker browsed.
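The following is an added example, not code from the article: a small scoping script that works purely from logon evidence, the kind described above. It flattens successful-logon records (the shape of Windows Security event 4624, plus a VPN concentrator login) into one pipe-separated line per event, then does two things. First, it flags accounts whose network or RDP logons reach several distinct hosts inside a short window, which is what credential-based lateral movement looks like in the logs. Second, starting from one account you already know is compromised, it pivots through the hosts that account touched and the source addresses it used, picks up any other account seen from those addresses, and repeats until nothing new appears. The sample events, the field layout, the host and account names, and the thresholds are all constructed for this example.

```python
"""Scope an incident from logon evidence instead of malware hits.

Added example, not code from the article. The records below are
constructed to resemble Windows Security event 4624 (successful logon)
and a VPN concentrator login, flattened to one pipe-separated line:
    time|source|host|account|logon_type|src_ip
Windows logon types used: 2 = interactive at the console, 3 = network
(SMB, WMI, PsExec-style access), 10 = RemoteInteractive (RDP). The
field layout itself is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a service account enters over the VPN, then
# fans out to four servers in six minutes from one internal address, and
# a second account appears from the same address shortly afterwards.
SAMPLE_EVENTS = """\
2024-03-01T02:11:05|vpn|vpn-gw01|svc_backup|vpn|203.0.113.7
2024-03-01T02:14:40|win|FS01|svc_backup|3|10.10.5.21
2024-03-01T02:15:02|win|FS02|svc_backup|3|10.10.5.21
2024-03-01T02:15:30|win|HR-DB01|svc_backup|3|10.10.5.21
2024-03-01T02:20:11|win|DC01|svc_backup|10|10.10.5.21
2024-03-01T02:41:09|win|FIN-SRV01|jsmith|3|10.10.5.21
2024-03-01T08:30:00|win|WS-ALICE|alice|2|-
2024-03-01T08:31:12|win|FS01|alice|3|10.10.7.40
2024-03-01T09:02:45|win|WS-BOB|bob|2|-
"""

# Logon types that mean "reached this host from another one".
LATERAL_TYPES = {"3", "10"}


def parse_events(text):
    """Turn the flattened export into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, source, host, account, logon_type, src_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "source": source,
            "host": host,
            "account": account,
            "logon_type": logon_type,
            "src_ip": src_ip,
        })
    return events


def find_lateral_bursts(events, min_hosts=3, window=timedelta(minutes=30)):
    """Accounts whose network/RDP logons reach >= min_hosts distinct hosts
    inside one time window. Legitimate users rarely do this; an attacker
    walking the estate with stolen credentials does."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in LATERAL_TYPES:
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evts in by_account.items():
        evts.sort(key=lambda e: e["time"])
        hit = set()
        for i, start in enumerate(evts):
            in_window = {e["host"] for e in evts[i:]
                         if e["time"] - start["time"] <= window}
            if len(in_window) >= min_hosts:
                hit |= in_window
        if hit:
            flagged[account] = sorted(hit)
    return flagged


def expand_scope(events, seed_accounts):
    """Transitive closure over logon evidence: every host a known-bad
    account touched, every source address it used, and every other
    account that logged on from those addresses, repeated until nothing
    new appears. No malware indicator is consulted at any point."""
    accounts = set(seed_accounts)
    hosts, ips = set(), set()
    while True:
        for e in events:
            if e["account"] in accounts:
                hosts.add(e["host"])
                if e["src_ip"] != "-":
                    ips.add(e["src_ip"])
        new_accounts = {e["account"] for e in events if e["src_ip"] in ips}
        if new_accounts <= accounts:
            break
        accounts |= new_accounts
    return {"accounts": sorted(accounts), "hosts": sorted(hosts),
            "source_ips": sorted(ips)}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("lateral bursts:", find_lateral_bursts(evts))
    print("scope from svc_backup:", expand_scope(evts, {"svc_backup"}))
```

On the sample data the burst check singles out svc_backup, and seeding the pivot with that one account pulls in the VPN gateway, the four servers, the internal source address, and the jsmith logon that came from the same address, while alice and bob stay out of scope. Two caveats for real data: source addresses behind NAT, jump hosts or VPN pools will over-merge accounts, so treat the pivot output as a list of systems to examine rather than a verdict, and collect the logs from every host before touching any of them live, since the evidence being pivoted on is exactly what careless triage overwrites.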
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.