Cyber attacks did not slow down in 2021, and at that pace the need to strengthen how you preserve forensic data in a cyber incident response plan has only grown. We have discussed many of these attacks and reviewed mitigation strategies against them, as well as the threats you need to be preparing for right now.
Under the threat of increased attacks on IT and, in particular, OT infrastructure, we are reviewing CISA's targeted cyber intrusion detection and mitigation strategies. Our series looks at the ConsoleWorks answer to each of these strategies: preserving forensic data in a cyber incident response plan, strict role-based access control, DNS logging, credential management and more.
How to Preserve Forensic Data in a Cyber Incident Response Plan
Preserving forensic evidence is a key part of a cyber incident response plan. Threat detection is critical to catching an attack and limiting damage, but if you cannot capture and retain forensic data from a breach, your ability to contain the current incident and prevent the next one is limited.
Building a cybersecurity infrastructure that gives you a complete view of forensic data is critical to get right. Let’s look at CISA’s recommended strategies and how ConsoleWorks simplifies forensic data retention as part of your cyber incident response plan.
- Keep detailed notes of all observations, including dates/times, mitigation steps taken/not taken, device logging enabled/disabled, and machine names for suspected compromised equipment. More information is generally better than less information.
- When possible, capture live system data (i.e., current network connections and open processes) prior to disconnecting a compromised machine from the network.
ConsoleWorks collects configuration data from all your devices and logs every observation with a common timestamp taken from its own clock, at sub-millisecond resolution, across all of those devices. That timestamp becomes metadata attached to every piece of forensic data collected.
This common timestamp is critically important: it lets you reconstruct the sequence of what happened, and when, across disparate devices in your network. You can also view the log files and annotate them with additional notes or assessments of the forensic data. Annotations are kept as a separate keyed file, so the hashed attributes of the log file itself stay undisturbed.
Because the common timestamp records when ConsoleWorks received the output, it may not match a timestamp embedded in the data by the logging source, due to clock drift on that device or other factors. It can still be used to order data from all log sources, including sources whose output carries no timestamp at all. One caveat to keep in mind: receipt order is the order in which output reached ConsoleWorks, which can lag the device's own event time when a source buffers or batches its output.
When output is received by ConsoleWorks, metadata is appended to the source data: Source Name, Common Timestamp, Line Number, Line Hash and other information.
Applying a common timestamp resolves the problem of missing timestamps in source data, because ConsoleWorks' timestamp is applied to all source data from all devices. This synchronizes time across disparate devices.
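To make the metadata scheme concrete, here is an added example (an editor's illustration, not ConsoleWorks code and not its actual record format): a small collector that stamps each received line with a source name, its own receipt time, a per-source line number and a SHA-256 line hash chained to the previous line from that source; keeps analyst annotations in a separate map keyed by (source, line number) so the evidence records are never touched; and merges all sources into one timeline by receipt time. The source names, sample output lines and clock values are constructed; the firewall line's embedded timestamp deliberately disagrees with the common timestamp, as it would under clock drift.

```python
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class Record:
    """One captured line plus the metadata the collector appended at receipt."""
    source: str
    common_ts: float   # collector's own clock when the line arrived (seconds, UTC)
    line_no: int       # per-source line counter
    data: str          # the source output, untouched
    line_hash: str     # SHA-256 over previous hash from this source + this record's fields


def _chain_hash(prev_hash, source, line_no, common_ts, data):
    msg = f"{prev_hash}|{source}|{line_no}|{common_ts:.6f}|{data}"
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


class Collector:
    """Hypothetical collector: stamps, numbers and hash-chains every line per source."""

    GENESIS = "0" * 64

    def __init__(self, clock):
        self.clock = clock          # injected so the example runs deterministically
        self.records = []           # evidence: append-only, never edited
        self.annotations = {}       # analyst notes, keyed by (source, line_no), kept apart
        self._line_no = {}
        self._last_hash = {}

    def receive(self, source, line):
        n = self._line_no.get(source, 0) + 1
        ts = self.clock()
        h = _chain_hash(self._last_hash.get(source, self.GENESIS), source, n, ts, line)
        rec = Record(source, ts, n, line, h)
        self.records.append(rec)
        self._line_no[source] = n
        self._last_hash[source] = h
        return rec

    def annotate(self, source, line_no, note):
        """Notes live beside the evidence, not inside it, so the line hashes stay valid."""
        self.annotations.setdefault((source, line_no), []).append(note)

    def verify(self):
        """Recompute every per-source chain. Returns (ok, first bad record or None)."""
        last = {}
        for rec in self.records:
            expect = _chain_hash(last.get(rec.source, self.GENESIS), rec.source,
                                 rec.line_no, rec.common_ts, rec.data)
            if expect != rec.line_hash:
                return False, rec
            last[rec.source] = rec.line_hash
        return True, None

    def timeline(self):
        """All sources merged by receipt time, whether or not the data has its own timestamp."""
        return sorted(self.records, key=lambda r: (r.common_ts, r.source, r.line_no))


def fake_clock(start=1_700_000_000.0, step=0.25):
    """Constructed clock: starts at a fixed epoch and advances 250 ms per call."""
    ticks = itertools.count()
    return lambda: start + step * next(ticks)


# Constructed sample output. The firewall line carries its own (drifted) timestamp;
# the PLC console and the operator session carry none.
SAMPLE_OUTPUT = [
    ("fw-edge01", "Jan 12 08:03:11 fw-edge01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.5.20 DPT=502"),
    ("plc-line3", "Connection from 198.51.100.7 accepted"),
    ("plc-line3", "MODE CHANGE: RUN -> PROGRAM"),
    ("jump-session-7", "operator> shutdown interface Gi1/0/12"),
]


def build_example():
    c = Collector(fake_clock())
    for source, line in SAMPLE_OUTPUT:
        c.receive(source, line)
    c.annotate("plc-line3", 2, "unexpected mode change during incident; correlate with fw-edge01 line 1")
    return c


def tamper_demo():
    """Show that editing a retained line after the fact is detected by the chain."""
    c = build_example()
    ok_before, _ = c.verify()
    c.records[1].data = "Connection from 10.0.5.99 accepted"   # simulated after-the-fact edit
    ok_after, bad = c.verify()
    return ok_before, ok_after, (bad.source, bad.line_no)


if __name__ == "__main__":
    c = build_example()
    for r in c.timeline():
        print(f"{r.common_ts:.3f} {r.source:<15} #{r.line_no} {r.data}")
    print("chain intact:", c.verify()[0], "| tamper demo:", tamper_demo())
```

The chained hash means that editing or deleting any retained line breaks verification from that point forward for that source, while annotations never touch the evidence records. In a real deployment the records would go to append-only storage and the chain heads would be periodically signed or exported to a second system, which this example does not show.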
As people work to mitigate a breach, ConsoleWorks captures the actions they take as part of that mitigation. This capture gives you a complete picture not only of your devices but also of the people involved during the attack: every step taken, command by command and response by response, answering the Who, What, When, Where, How and Why for change control and mitigation response.
ConsoleWorks also integrates with your other solutions to collect their alerts and alarms, tying your investment in other monitoring tools into a unified picture built from multiple data points.
- When powering down a system, physically pull the plug from the wall rather than gracefully shutting down. Forensic data can be destroyed if the operating system (OS) executes a normal shut down process.
- After shutting down, capture forensic images of the host hard drives.
- Avoid running any antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines.
- Avoid making any changes to the OS or hardware, including updates and patches, as they might overwrite important information relevant to the analysis. Organizations should consult with trained forensic investigators for advice and assistance prior to implementing any recovery or forensic efforts.
ConsoleWorks controls who gains access to a compromised asset and logs all activity, so you have a complete record of the steps taken and the order in which they were taken. This includes the commands issued and the responses returned, which are retained and can be reviewed.
That record lets you verify that everything was done properly, whether specific steps were out of order or missed, and whether additional steps are needed. This is only possible with monitoring of your whole environment; it gives you the full picture, both human and device, of what happened.
Beyond not running antivirus software after the fact, which can change critical file dates and degrade the quality of your forensic data, you also need to know what the state of the device looked like before the attack.
ConsoleWorks keeps a baseline of the configuration information for each device. It can compare the current settings of your machines against what you declare as the baseline master, monitor files, configurations and security settings for change, and show exactly what is different.
Analysis of which ports have been opened, or of other device changes that leave you vulnerable to an attack or indicate that one may already be under way, can then be performed on a regular schedule rather than after the fact.
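As an added example of the scheduled baseline comparison just described (an editor's illustration, not ConsoleWorks's own comparison engine or output format), the following parses listener output in the shape of `ss -Hltnp` on Linux, captured once at baseline time and again at check time, diffs the two, and applies the same generic diff to a dictionary of sshd settings. The hostname, listeners, PIDs and settings are constructed for the example; the same `diff_maps` helper works unchanged on a path-to-file-hash map for file integrity checks.

```python
import re

# Matches one line of `ss -Hltnp` output on Linux: state, queues, local addr:port,
# peer, and the owning process. Only addr, port and process name are captured.
_SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(text):
    """Return {(addr, port): process_name} for every LISTEN line in the text."""
    listeners = {}
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            listeners[(m["addr"], int(m["port"]))] = m["proc"]
    return listeners


def diff_maps(baseline, current):
    """Generic drift check: (added, removed, changed) between two key->value maps."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return added, removed, changed


# Constructed baseline and check-time captures for a hypothetical host "hmi-03".
BASELINE_SS = """\
LISTEN 0  128   0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0  4096  0.0.0.0:502   0.0.0.0:*  users:(("modbusd",pid=1033,fd=5))
LISTEN 0  511   0.0.0.0:443   0.0.0.0:*  users:(("nginx",pid=1201,fd=6))
"""
CURRENT_SS = """\
LISTEN 0  128   0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0  4096  0.0.0.0:502   0.0.0.0:*  users:(("python3",pid=4410,fd=4))
LISTEN 0  10    0.0.0.0:4444  0.0.0.0:*  users:(("nc",pid=4421,fd=3))
"""
BASELINE_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "X11Forwarding": "no"}
CURRENT_SSHD = {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
                "X11Forwarding": "no", "AllowTcpForwarding": "yes"}


def check_host(baseline_ss, current_ss, baseline_cfg, current_cfg):
    """Run the scheduled comparison; returns a list of human-readable findings."""
    findings = []
    added, removed, changed = diff_maps(parse_ss(baseline_ss), parse_ss(current_ss))
    for (addr, port), proc in sorted(added.items()):
        findings.append(f"NEW LISTENER {addr}:{port} ({proc}) not in baseline")
    for (addr, port), proc in sorted(removed.items()):
        findings.append(f"MISSING LISTENER {addr}:{port} ({proc}) present in baseline")
    for (addr, port), (old, new) in sorted(changed.items()):
        findings.append(f"PROCESS CHANGED on {addr}:{port}: {old} -> {new}")
    added, removed, changed = diff_maps(baseline_cfg, current_cfg)
    for key, val in sorted(added.items()):
        findings.append(f"NEW SETTING {key}={val}")
    for key, val in sorted(removed.items()):
        findings.append(f"SETTING REMOVED {key} (was {val})")
    for key, (old, new) in sorted(changed.items()):
        findings.append(f"SETTING CHANGED {key}: {old} -> {new}")
    return findings


if __name__ == "__main__":
    for finding in check_host(BASELINE_SS, CURRENT_SS, BASELINE_SSHD, CURRENT_SSHD):
        print(finding)
```

Run on a schedule, the point is that a listener which appears, a daemon that is replaced on a port it already owned, or a hardening setting that flips are all flagged against the declared baseline while the host is still reachable, instead of being discovered from a disk image after the fact.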
Beyond Zero Trust with ConsoleWorks
ConsoleWorks simplifies forensic data retention and collection and helps prevent cyberattacks from happening in the first place. By placing a protocol break between the human and the infrastructure, you remove the user's direct access to a device or asset. This closes the infection path that exists when the user's own workstation is compromised: malware cannot ride the user's VPN connectivity and authentication to a device and from there probe for other ports, services or pivot techniques to infect an endpoint.
We are responding to more of CISA's intrusion detection and mitigation strategies in our ongoing series. Keep an eye on our updates page for our posts on strict role-based access control, DNS logging, credential management and more.
For more on increasing your defense capabilities, see our recent paper on achieving cybersecurity maturity and going beyond Zero Trust security, including technology and design considerations.