A quiet, underground revolution is taking place in the security industry as companies shift from focusing on the perimeter to capturing and analyzing the residue left on endpoint devices by hackers and cyber attacks. Several years ago, a community of forensic researchers began reverse engineering the innards of operating systems. Their efforts led to finding “artifacts,” which reveal almost all users and application interaction with the operating system. These breadcrumbs can be found deep within file systems, memory and OS system files. Unlike clearing log files, artifacts are nearly impossible to manipulate.
The residue or artifacts left behind can provide clues about an intruder to IT security professionals. For example, RAT (Remote Access Trojan) residue was important in investigating the cause of the Office of Personnel Management’s (OPM) breach. OPM’s intrusion prevention system essentially logged data that was being exfiltrated without detecting any of the breadcrumbs that attackers left behind.
Today’s incident response and endpoint detection tools use forensic artifacts that have accumulated on endpoints. Advanced rootkits, zero-day attacks and command and control incidents leave an abundance of artifacts. Avoiding leaving a forensic trail is almost impossible.
In this slideshow, Paul Shomo, senior technical manager, Strategic Partnerships, Guidance Software, looks at forensic residue and how it can help organizations better protect themselves from security threats, both inside and outside the organization.
Forensic Residue and Cybersecurity
Click through for more on how forensic residue can help organizations better protect themselves from security threats, both inside and outside the organization, as identified by Paul Shomo, senior technical manager, Strategic Partnerships, Guidance Software.
Types of Residue
Attacks leave behind different types of residue.
Bad actors often choose to hide in plain sight, moving laterally through remote sessions – the same way system administrators do. However, as they navigate a network, they leave behind similar evidence as do users with physical access. Advanced persistent attacks, for example, need to survive reboots. As a result, they restart themselves regularly. To find such attacks, investigators typically look at registry evidence of malware rerunning itself by looking for “autorun” or task scheduler registry artifacts.
Artifacts can teach security professionals valuable lessons about attacks.
Forensic residue left on a disk can describe past activities going back months or even years. Residue and artifacts can provide deep insight to scope a breach, helping organizations create a timeline of a hacker’s lateral movement to locate “patient zero.” Employees working against you as “insider threats” leave large trails of evidence and are primarily caught with forensics.
Residue can offer valuable information about an attacker’s behaviors.
While targets may change and threats evolve, attackers can develop routines and habits. For example, a hacker may be more comfortable using a certain attack type or malware. It’s also possible to trace that a certain type of malware typically communicates with a specific command and control center. As an investigator collects data and artifacts from attacks, they can build a dossier on an attacker – gaining greater insights into who is targeting their network.
Indicators of Compromise
Artifacts can help identify Indicators of Compromise (IoCs).
Part of the forensic paradigm shift has been using artifacts in detection signatures, called Indicators of Compromise. Organizations can collect IoCs related to attacks targeting their network, run IoC detection scans and remediate if they pop up again. Older approaches, such as antivirus signatures, rely on fingerprints of known malware, instead of detecting its behavior. Many departments are overrun with security events, which they handle with tiered incident response. With a quick forensic triage, organizations can validate and remediate incidents. Once false positives or less dangerous attacks are ruled out, some incidents may be elevated into a deeper forensic investigation.
Proactive Threat Hunting
Proactive threat hunting is key to reducing similar intrusions in the future.
Taking a reactive approach to security – responding to attacks and/or breaches – is not an effective approach to security. In order to detect unusual activity, an organization must first know where their sensitive data is stored. Once they have documented where that data is and what machines it is running on, the organization can prioritize its network defense. Moving forward, one best practice is to periodically investigate a different endpoint in the network. By taking a proactive approach to examining artifacts, organizations can spot threats earlier on – helping mitigate the potential damage that they cause.