Chapter 3: Basics of the Incident Response and Triage Procedures

"There is nothing more deceptive than an obvious fact."

― Arthur Conan Doyle, The Boscombe Valley Mystery – a Sherlock Holmes Short Story

When responding to a cybersecurity incident, there are three essentials to consider:

  • Response time
  • Following appropriate procedures depending on the type of incident
  • Using the right tools

Every incident is unique and has very particular challenges...

We reviewed some cases in the first chapter where attackers used deception to make the response and investigations more difficult. For example, in the cyberattack against Banco de Chile, the attackers used the distraction to compromise around 9,000 devices using the KillMBR malware. The threat actors' real objective was to transfer money to another country, abusing the SWIFT money transfer system, to avoid the security staff figuring out what was happening.

An incident response professional needs to have the ability to understand the context of a security breach and identify the key elements to act in the shortest possible time.

In this chapter, you will learn about the following:

  • Principles of first response
  • Triage's concept and procedures
  • First response procedures in different scenarios
  • First response toolkit

Technical requirements

If you haven't already done so, you need to download and install VMware Workstation Player from this link: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html.

You'll also need to download the following from the book's official GitHub repository https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence:

  • Virtual machines:
    • IR-Laptop
    • IR-Workstation
  • Lab file:
    • Chapter03

Principles of first response

At the time of an incident, things happen quickly, and you need to act efficiently and assertively. It is therefore imperative to follow the correct procedures.

In many cases, the problem is that organizations do not have staff with the skills, knowledge, or tools to perform first response activities, nor documented procedures for them. This obviously results in improvised actions that increase the risk of errors that can negatively affect an investigation's outcome.

Each incident is different and cannot be handled in the same way; however, there are basic standard procedures to follow. It is crucial to document these procedures and make them accessible to first responders.

First response guidelines

One of the basic principles of incident response is to preserve and protect the evidence's integrity, so the first responder must identify and evaluate the context of the incident and the environment around the scene to define the best approach to get the necessary information to investigate the incident without compromising the evidence:

  • Evaluating the context and the scene: Before taking any action, the first responder must know the nature and context of the incident; the procedures for an incident involving an information leak differ from those for one where the attackers exploit a vulnerability that can compromise the organization's infrastructure.

The environment around the scene is also relevant for defining the procedures to follow; for instance, in a production environment, sometimes you need to be careful to not interrupt the business process or take away the devices.

  • Securing the scene: As mentioned, the integrity of the evidence must always be ensured, even before its acquisition. It is vital to secure the scene and prevent, as much as possible, anyone, even employees of the company, from using suspicious devices unless it is indispensable.

When you respond to a cybersecurity incident, you must act similarly to what would be done at a crime scene. Police secure the area and control all access to where the evidence is located.

This procedure must prevent someone from intentionally or accidentally contaminating the evidence, causing evidence to be lost. If the incident requires law enforcement intervention, such evidence might not be admissible in court.

  • Identifying the sources of the evidence: As at a crime scene, the first responder must identify which elements can be useful as evidence based on the incident type. For example, if you respond to an incident where an insider is involved and their workspace is being secured, you should consider collecting information from their computer, USB devices, external hard disks, and everything that could contain relevant evidence for the investigation.
  • Volatile and non-volatile information: As I mentioned earlier, most digital information is volatile by nature, so you should try to recover as much evidence as you can before it is lost. The prioritization at this point is essential; you must first acquire the evidence considered volatile, such as RAM, and then what is stored in files or databases.

RFC 3227 defines the Guidelines for Evidence Collection and Archiving and describes how the evidence must be acquired following a particular order according to its volatility (https://tools.ietf.org/html/rfc3227).

Fortunately, some tools collect numerous pieces of evidence at once, reducing the chance of making mistakes or losing relevant evidence.

  • Establishing the legal admissibility of the evidence: Depending on the case's nature, sometimes cybersecurity incidents require following legal procedures. If this is the case, it is necessary to act following the procedures established by international laws or the country's laws where the incident happened; in some cases, it is even necessary to notify the judicial authorities to continue the procedure.

However, many cybersecurity incidents do not follow legal courses of action, sometimes for reputational reasons or to maintain the case's confidentiality, and do not require judicial handling.

  • Chain of custody: Part of the procedure to ensure the integrity of the evidence is related to chronological documentation of each part of the evidence transportation process, from the moment of the evidence acquisition until it is stored or until the investigation is completed. This is known as the chain of custody:
Figure 3.1 – Example of a chain of custody form

The goal of the chain of custody is to prevent the tampering or contamination of evidence.
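To make the chain of custody concrete, here is an added example (not code from the book or any of the tools it describes) of a minimal chain-of-custody ledger for one evidence item. Each entry mirrors a row on a paper form such as Figure 3.1: the action, who released and who received the item, when, and the SHA-256 of the item at that moment. A hand-off is refused if the item no longer matches the hash taken at acquisition, which is how tampering or accidental modification in storage gets caught. The evidence ID, names and the sample file are constructed for the demonstration.

```python
"""Added example: a minimal chain-of-custody ledger for one evidence item.
Each entry mirrors a row on a paper chain-of-custody form (action, who
released, who received, when, and the SHA-256 at that moment); a hand-off
is refused if the item no longer matches the hash taken at acquisition."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large forensic images need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ChainOfCustody:
    def __init__(self, evidence_id: str, path: Path, collector: str, description: str):
        self.evidence_id = evidence_id
        self.path = path
        self.intake_hash = sha256_file(path)   # reference value for every later check
        self.entries: list = []
        self._record("acquired", collector, collector, description)

    def _record(self, action: str, released_by: str, received_by: str, note: str) -> None:
        self.entries.append({
            "evidence_id": self.evidence_id,
            "action": action,
            "released_by": released_by,
            "received_by": received_by,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.path),
            "note": note,
        })

    def verify(self) -> bool:
        """True if the item still matches the hash recorded at acquisition."""
        return sha256_file(self.path) == self.intake_hash

    def transfer(self, released_by: str, received_by: str, note: str = "") -> None:
        """Log a hand-off, but only for an item whose integrity still holds."""
        if not self.verify():
            raise ValueError(f"{self.evidence_id}: hash mismatch, transfer refused")
        self._record("transferred", released_by, received_by, note)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> dict:
    """Constructed scenario: a memory image is acquired, handed to an
    analyst, then modified in storage; the ledger must detect the change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ws01-memory.raw"
        image.write_bytes(b"\x00" * 4096 + b"constructed sample image")
        ledger = ChainOfCustody("EV-2024-0001", image, "first responder",
                                "RAM image of workstation WS01 (constructed)")
        ledger.transfer("first responder", "forensic analyst", "delivered for analysis")
        intact = ledger.verify()
        with image.open("ab") as fh:        # simulate tampering in storage
            fh.write(b"X")
        try:
            ledger.transfer("forensic analyst", "evidence locker")
            refused = False
        except ValueError:
            refused = True
        return {"intact_before": intact, "intact_after": ledger.verify(),
                "refused": refused, "entries": len(ledger.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of recording a fresh hash in every entry, rather than only at intake, is that the ledger then shows not just that the evidence changed but between which two hand-offs it changed.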

As you may realize, first response procedures are critical in a cybersecurity incident as the quality of this work can determine the direction of an investigation.

Triage – concept and procedures

The amount of evidence around a cybercrime scene can be overwhelming, and the time available to perform first response procedures is limited. We also need to consider containment of the attack, and ensuring business continuity is vital for organizations. That's why the incident responder needs to identify and prioritize which forensic artifacts can provide useful information to the case.

The process of classification and prioritization is known as triage, and according to Oxford Languages, triage (from the French trier, which means to separate out) is defined as the action of sorting items according to quality. This term is used regularly in some professional fields such as healthcare.

In digital forensics, this prioritization is known as forensic triage. It refers to identifying, classifying, prioritizing, and acquiring evidence relevant to investigate the case. Doing it properly can be the difference between an investigation being successful or unsuccessful.

In first response procedures, the triage begins at the time when potential sources of evidence are identified; for example, in an incident related to information leakage, the data sources could be database servers, computers that might contain files with sensitive information, Active Directory servers with user activity logs, network traffic captured at any given time, network devices, or even USB devices or external hard drives.

Once the sources of information have been identified, it should be determined which techniques and tools to use to make the evidence acquisition as efficient as possible, reducing the risk of loss or contamination.

The triage process ends when the acquisition of images or forensic artifacts is completed and delivered for investigation.

First response procedures in different scenarios

The incident response professional plays a key role in supporting organizations in developing first response processes to address cybersecurity incidents. These processes cannot be developed generically and must be based on an evaluation and analysis of the organization where they need to be implemented.

This is a basic example of what the general steps might be in a first response procedure for a particular case of a ransomware attack:

  1. The incident is reported via the help desk platform, by email or by phone.
  2. The information provided by the user is evaluated to confirm the incident.
  3. A ticket is generated on the incident response platform.
  4. The device is requested to be secured.
  5. First response staff is assigned to respond to the incident.
  6. The chain of custody process begins.
  7. Photos of ransom messages are taken on the screen.
  8. Acquisition of the RAM on the affected computer or computers is carried out.
  9. Forensic copying of the hard drive is made.
  10. If making a forensic copy of the disk is not possible, the main artifacts are extracted from the device.
  11. The scope of the incident is evaluated to validate whether more equipment is affected.
  12. The evidence obtained is delivered for investigation.

During first response activities, it is likely that the environment's conditions could change. For example, you may receive intelligence about communications from the affected computers to the internet. This can lead to the need to adapt the procedures to these new conditions, so the first responder must have the flexibility to make the necessary changes.

It is important to mention that once investigators receive forensic images or information extracted from the artifacts, they will start the investigation in parallel, and the findings can lead to starting other activities such as threat containment, acquiring new evidence, or threat hunting.

First response toolkit

As I mentioned before, tools are a vital part of first response procedures. Their proper use will help obtain the evidence required for the investigation without compromising information or systems' integrity.

It is essential to know the technical details of the tools you will use, how they work, and how they interact with the target systems; this will prevent contaminating the evidence, which could invalidate it in a legal case or make it unusable for analysis.

The goal of these tools is to obtain a forensic image of the device to be investigated. The first responder must integrate these tools into their toolkit to always be prepared.

Fortunately, there are not just commercial tools for first responders; there are also many free and open source reliable options. We will mention and use a few of them in the practical labs for this book's purposes.

Two categories of tools are used: those that obtain forensic images, which are then analyzed with specialized tools in a post-mortem stage, and those that acquire particular forensic artifacts, such as information from Windows registry keys, web browsing history, network connections, or processes, regularly obtained in a live environment.

There are excellent commercial and free tools for the Digital Forensics and Incident Response (DFIR) investigations field, many of them even open source.

To make it easier for you to learn how to use the tools and perform the practical labs in this book, we will use Free and Open Source Software (FOSS), although we will also mention commercial tools.

Forensic image acquisition tools

Forensic evidence acquisition tools make a bit-to-bit copy of the devices to ensure the integrity of the information to be analyzed post-mortem without affecting the conditions that exist when taking the image.

Tools for memory acquisition

As we learned earlier, collecting volatile information is a priority, because it could be lost if the environment's conditions change or if you need to restart or disconnect the device you want to analyze.

Magnet RAM Capture

Magnet RAM Capture is a tool that makes a physical acquisition of the suspicious computer's memory in a raw format, which means that the resulting file size will be equal to the RAM the device has.

One of the advantages of this tool is that it does not require installation and can be run from a pen drive without the risk of contaminating the evidence:

Figure 3.2 – Magnet RAM Forensics GUI interface

This tool only works in Windows environments and is supported from Windows XP to Windows 10 on desktops (it works even with Virtual Secure Mode enabled) and from Windows Server 2008 to 2012 (32- and 64-bit).

You can download this tool from here: https://www.magnetforensics.com/resources/magnet-ram-capture/.

Belkasoft Live RAM Capturer

Belkasoft Live RAM Capturer is also a tool to acquire the device's RAM content, even if the system is protected by anti-debugging or anti-dumping mechanisms, and you can run it from a pen drive.

When you download the tool, you will get the 32-bit and 64-bit versions separately:

Figure 3.3 – Belkasoft Live RAM Capturer GUI interface

This tool supports all Windows versions from Windows XP to Windows 10 and Windows 2003 to 2008 Server.

You can download this tool from here: https://belkasoft.com/ram-capturer.

Linux Memory Extractor (LiME)

On modern Linux systems, restrictions on virtual devices only allow access to a subset of memory, which is why it is no longer an option to use tools built into the system such as dd.

LiME is a Loadable Kernel Module (LKM) tool, which allows the full acquisition of memory from Linux and Android-based devices. As with the tools mentioned previously, it does not significantly modify the memory's contents during its acquisition:

Figure 3.4 – Example of Linux memory acquisition using LiME

Unlike the other tools, LiME also allows remote memory acquisition over the network.

You can download this tool from here: https://github.com/504ensicsLabs/LiME.

Acquire Volatile Memory for Linux (AVML)

This is a volatile memory acquisition tool developed by Microsoft that supports the x86_64 architecture. An interesting functionality is that you do not need to know the target OS in advance, and the tool compiles to a single binary:

Figure 3.5 – Example of Linux memory acquisition using AVML

AVML uses the LiME output format. You can download this tool from here: https://github.com/microsoft/avml.
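Because both LiME and AVML write the same LiME format, a first responder can sanity-check a dump from either tool before shipping it to an analysis framework. The following is an added example (not code from LiME, AVML or the book) that walks the dump's range headers: each 32-byte header carries the magic value, a version, and the inclusive start and end physical addresses of the range that follows. The parser checks every header and that every range is fully present, which catches a capture that was cut short when the device was disconnected or the output medium filled up. The sample dump is constructed in the block.

```python
"""Added example: parse a LiME-format memory dump (the format written by
LiME and by AVML) and check that every range header is sane and every
range is fully present, before the dump is shipped to an analysis tool."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

# LiME range header (32 bytes, little-endian): magic, version, start, end, reserved
LIME_MAGIC = 0x4C694D45        # the ASCII bytes "LiME" read as a little-endian int
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")


@dataclass
class LimeRange:
    start: int      # first physical address in the range
    end: int        # last physical address (inclusive, as in the header)
    offset: int     # file offset where this range's bytes begin

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def iter_ranges(dump: bytes) -> Iterator[LimeRange]:
    """Walk header/payload pairs; raise ValueError on the first malformed one."""
    pos = 0
    while pos < len(dump):
        if len(dump) - pos < HEADER.size:
            raise ValueError(f"truncated range header at offset {pos}")
        magic, version, start, end, _ = HEADER.unpack_from(dump, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#010x} at offset {pos}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if end < start:
            raise ValueError(f"range end {end:#x} precedes start {start:#x}")
        rng = LimeRange(start, end, pos + HEADER.size)
        if rng.offset + rng.size > len(dump):
            raise ValueError(f"range {start:#x}-{end:#x} is truncated")
        yield rng
        pos = rng.offset + rng.size


def validate(dump: bytes) -> Optional[str]:
    """Return None for a well-formed dump, else a description of the first problem."""
    try:
        ranges = list(iter_ranges(dump))
    except ValueError as exc:
        return str(exc)
    for prev, cur in zip(ranges, ranges[1:]):
        if cur.start <= prev.end:
            return f"ranges overlap or are out of order at {cur.start:#x}"
    return None


def summarize(dump: bytes) -> dict:
    ranges = list(iter_ranges(dump))
    return {"ranges": len(ranges),
            "captured_bytes": sum(r.size for r in ranges),
            "span": [(r.start, r.end) for r in ranges]}


def build_dump(ranges: List[tuple]) -> bytes:
    """Build a constructed LiME dump from (start, payload) pairs, for testing."""
    out = bytearray()
    for start, payload in ranges:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start,
                           start + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


# Constructed sample: two physical ranges, as LiME writes one header per range
SAMPLE_DUMP = build_dump([(0x1000, b"\xAA" * 4096), (0x100000, b"\xBB" * 2048)])

if __name__ == "__main__":
    print(validate(SAMPLE_DUMP), summarize(SAMPLE_DUMP))
```

Running validate() against the real dump file's bytes (read it in binary mode) right after acquisition, while the device is still available, is the cheapest moment to discover that the capture needs to be repeated.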

Disk acquisition

Sometimes, the information in memory won't be enough, and you will need to get forensic artifacts from the disk. In that case, you can use acquisition tools that follow the same principle and make bit-to-bit copies.

Here are some useful and free disk forensic acquisition tools.

Forensic Toolkit® (FTK) Imager

FTK Imager is a data preview and disk acquisition tool; you can use it to get an image of the device's local hard drives, folders, or individual files; you can also preview and analyze the content and even mount forensic images for analysis in a forensically sound way without the risk of compromising the original image:

Figure 3.6 – FTK Imager GUI interface

You can select different output formats that are compatible with the major industry standards (Raw DD, SMART, E01, or AFF) supported by almost any forensic analysis tool.

You can download this tool from here: https://accessdata.com/product-download/.
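What a raw (DD-format) image is, and why imaging tools verify it, can be shown in a few lines. The following is an added example, not code from FTK Imager or the book, of a bit-to-bit copy with independent verification: the source is hashed as it is read, the written image is hashed again by reading it back, and the two digests plus the byte count go into a small acquisition log. The source here is a constructed 1 MiB file; on a real system it would be a device node such as /dev/sdb, attached read-only or behind a hardware write blocker, with the image written to a separate evidence disk.

```python
"""Added example: raw (dd-style) bit-to-bit imaging with independent
verification, the check every imaging tool performs after the copy.
The source is a constructed file; on a real system it would be a block
device behind a write blocker and the image would go to an evidence disk."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def image_raw(source: Path, image: Path, block_size: int = 1 << 16) -> dict:
    """Copy every byte of `source` to `image`, hashing the source as it is read."""
    src_hash = hashlib.sha256()
    copied = 0
    with source.open("rb") as src, image.open("wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image really reached the disk
    return {"source": str(source), "image": str(image),
            "bytes": copied, "sha256_source": src_hash.hexdigest()}


def hash_image(image: Path, block_size: int = 1 << 16) -> str:
    """Hash the written image by reading it back, independently of the copy loop."""
    digest = hashlib.sha256()
    with image.open("rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_and_verify(source: Path, image: Path) -> dict:
    """Image the source, re-hash the image, and record whether the two match."""
    log = image_raw(source, image)
    log["sha256_image"] = hash_image(image)
    log["verified"] = log["sha256_image"] == log["sha256_source"]
    log["size_matches"] = image.stat().st_size == log["bytes"]
    image.with_suffix(".log.json").write_text(json.dumps(log, indent=2))
    return log


def demo() -> dict:
    """Constructed 1 MiB 'device' with an MBR-style boot signature at offset 510."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "fake-sdb"
        data = bytearray(os.urandom(1 << 20))
        data[510:512] = b"\x55\xAA"     # boot signature, so the image has a recognizable layout
        device.write_bytes(data)
        image = Path(tmp) / "sdb.dd"
        log = acquire_and_verify(device, image)
        log["boot_signature_preserved"] = image.read_bytes()[510:512] == b"\x55\xAA"
        return log


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification hash is computed by re-reading the image rather than reusing the digest from the copy loop; reusing it would only prove that the bytes passed through memory correctly, not that they were written to the evidence disk intact.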

USB acquisition

Sometimes you will need to get evidence from USB devices; remember that it's imperative to do it forensically to reduce the possibility of compromising its integrity.

ImageUSB

ImageUSB is a tool to create bit-to-bit forensic images of USB Flash Drives (UFDs), including their master boot records:

Figure 3.7 – ImageUSB GUI interface

It's important to mention that if you use a USB device to output the forensic image, the developer recommends using a USB with a similar storage capacity; thus, you will optimize the space.

You can download this tool from here: https://www.osforensics.com/tools/write-usb-images.html.

Network packet acquisition

Sometimes you need to correlate information from different sources; for example, if you find some suspicious connections in memory analysis, it would be useful to have a capture of the traffic that provides more information.

Wireshark

Wireshark is a free and extraordinary tool to capture and analyze network traffic. You can install the tool or just use the portable version; all you need is to connect the device running Wireshark to a SPAN port of a network device and apply a filter to capture the specific information you need:

Figure 3.8 – Screenshot of a Wireshark network traffic capture

Wireshark is multiplatform and you can use the GUI version or the command line version using TShark. You can download this tool from here: https://www.wireshark.org/download.html.
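The correlation mentioned above, matching connections found in memory against a traffic capture, can be automated once the capture is on disk. The following is an added example, not code from Wireshark, TShark or the book, that reads a pcap file (the format Wireshark and TShark write by default), decodes Ethernet, IPv4 and TCP headers by hand, and keeps only packets whose endpoint appears in a set of suspicious (IP, port) pairs taken from memory analysis. Both the capture and the suspicious set are constructed in the block using documentation address ranges, so it runs offline.

```python
"""Added example: read a pcap capture (the file Wireshark/TShark writes) and
pull out the TCP packets that touch endpoints already seen in memory
analysis, so the two evidence sources can be correlated. Ethernet/IPv4/TCP
are decoded by hand; the capture itself is constructed below."""
import struct
from typing import List, Set, Tuple

PCAP_GLOBAL = struct.Struct("<IHHiIII")   # magic, ver maj/min, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
ETHERNET = struct.Struct("!6s6sH")
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")
TCP_FIXED = struct.Struct("!HHIIBBHHH")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def tcp_packets(pcap: bytes) -> List[dict]:
    """Return one dict per TCP-over-IPv4 packet; anything else is skipped."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    pos, out = PCAP_GLOBAL.size, []
    while pos + PCAP_RECORD.size <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = PCAP_RECORD.unpack_from(pcap, pos)
        frame = pcap[pos + PCAP_RECORD.size: pos + PCAP_RECORD.size + incl_len]
        pos += PCAP_RECORD.size + incl_len
        if len(frame) < ETHERNET.size + IPV4_FIXED.size:
            continue
        _, _, ethertype = ETHERNET.unpack_from(frame, 0)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ip_off = ETHERNET.size
        ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_FIXED.unpack_from(frame, ip_off)
        ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options may follow
        if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
            continue
        if len(frame) < ip_off + ihl + TCP_FIXED.size:
            continue
        sport, dport, _, _, _, flags, _, _, _ = TCP_FIXED.unpack_from(frame, ip_off + ihl)
        out.append({"time": ts_sec + ts_usec / 1e6, "src": _ip(src), "sport": sport,
                    "dst": _ip(dst), "dport": dport, "flags": flags})
    return out


def correlate(pcap: bytes, suspicious: Set[Tuple[str, int]]) -> List[dict]:
    """Keep packets whose endpoint, in either direction, is in the suspicious set."""
    return [p for p in tcp_packets(pcap)
            if (p["dst"], p["dport"]) in suspicious or (p["src"], p["sport"]) in suspicious]


def build_pcap(packets: List[Tuple[int, str, int, str, int, int]]) -> bytes:
    """Construct a pcap from (ts_sec, src, sport, dst, dport, tcp_flags) tuples."""
    out = bytearray(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, src, sport, dst, dport, flags in packets:
        tcp = TCP_FIXED.pack(sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
        ip = IPV4_FIXED.pack(0x45, 0, IPV4_FIXED.size + len(tcp), 1, 0x4000, 64,
                             IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                             bytes(map(int, dst.split("."))))
        frame = ETHERNET.pack(b"\x02" * 6, b"\x04" * 6, ETHERTYPE_IPV4) + ip + tcp
        out += PCAP_RECORD.pack(ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed capture and a constructed finding from memory analysis (TEST-NET ranges)
SAMPLE_PCAP = build_pcap([
    (1700000000, "10.0.0.5", 49152, "203.0.113.10", 443, 0x02),   # SYN to unknown host
    (1700000000, "203.0.113.10", 443, "10.0.0.5", 49152, 0x12),   # SYN-ACK back
    (1700000001, "10.0.0.5", 49153, "198.51.100.7", 80, 0x02),    # unrelated traffic
])
SUSPICIOUS_FROM_MEMORY = {("203.0.113.10", 443)}

if __name__ == "__main__":
    for packet in correlate(SAMPLE_PCAP, SUSPICIOUS_FROM_MEMORY):
        print(packet)
```

Checking both directions matters: the connection seen in memory is usually recorded as the local socket talking to a remote endpoint, but the reply packets in the capture carry that endpoint as the source.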

Artifact collectors

Artifact collectors are tools that extract specific information from a system that can be useful in an investigation.

It is estimated that less than 5% of the available information will be useful in 99% of investigations, so it is extremely important to identify not only the best way to get that information but also the most reliable sources to obtain it from, especially when time is limited and there is no guarantee that we will be able to access the source again.

Kroll Artifact Parser and Extractor (KAPE)

KAPE is a Windows artifact collector tool. This tool collects different artifacts from a target system and processes the information using different integrated tools. You can run this tool from a USB drive because it doesn't need any installation:

Figure 3.9 – Screenshot of KAPE GUI

KAPE is modular, so you can select what modules you want to run to do the triage. You can use the GUI or the command-line version. You can download this tool from here: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape.

MAGNET Web Page Saver (WPS)

Magnet Web Page Saver (WPS) is a tool to capture web page content to collect evidence of the content at a specific time. WPS supports snapshots using scrolling functionality, and you can save the captured data in a SQLite database file:

Figure 3.10 – Magnet WPS GUI interface

Magnet WPS supports Windows 7 or higher. You can download this tool from here: https://www.magnetforensics.com/resources/web-page-saver/.

DFIR-O365RC

This tool for Office 365 log collection works using PowerShell and PowerShell Core. You can get data from Azure Active Directory (AD) sign-in and audit logs and from Office 365 unified audit logs:

Figure 3.11 – GitHub repository of the DFIR-O365RC Project

DFIR-O365RC is a multiplatform tool that works on Windows, Linux, and macOS. You can download this tool from here: https://github.com/ANSSI-FR/DFIR-O365RC.

Summary

In this chapter, we learned the importance of first response procedures when addressing a cybersecurity incident. We also reviewed the concept of chain of custody and prioritizing the acquisition of evidence based on the order of volatility.

We also learned about the concept of triage and the different tools we can use to collect evidence from forensic artifacts.

In the next chapter, we will apply the concepts learned in the first three chapters to work on practical labs based on scenarios.

Further reading
