SLEEPING WITH THE ENEMY (Insider Threat) — LIFE OF A DFIR
Whether an Incident Responder (IR) sits in a DFIR, CSIRT, or CERT team, and whether the environment is IT or OT, the mindset is always proactive and out-of-the-box thinking against both insider threats and advanced persistent threats (APTs): always assume that the network has already been breached, and stay paranoid about the adversary’s tools, techniques, and procedures (TTPs) in any attack.
Critical reasoning, agility, and self-drive are a must. An IR does not rely solely on the arsenal in place but on knowing how cybercriminals think and move. A DFIR profession is not just an 8-hour job; continuous learning and research even after office hours are required. On-call support is also part of it, and when an incident occurs, an IR must drop everything, respond to the critical alert, and join the team in the “war room”.
This may not be fair, but it is what makes an IR special. They are like the Marines, “the few and the proud”. If none of these characteristics are present in a member of the DFIR team, then that person is probably not fit to be one.
Tools of the Titan
The framework is a vital recipe in an incident response program. It is the building block of the incident response playbooks and policies that should be followed, from Detection and Analysis up to Remediation and Documentation. It is the cheat sheet of any responder, whatever arsenal they may have: SIEM, EPP, EDR, DLP, UEBA, NMS, FW, IDS/IPS, WAF, anti-phishing, honeypot, and forensic tools.
This framework should be adapted from industry standards like NIST, NERC, and other known best practices, because these are methodologies that have proven effective for decades.
It is important to note that the selection of every security tool must not be based on scuttlebutt or merely on surveys, but on each organization’s own use cases. A big factor to weigh is the maturity of the security solution provider in a specific product. For example, a vendor may be known for a forensic acquisition and analysis tool but not for Endpoint Detection and Response.
Creating use cases is most effective when based on both experience and research, as that covers both sides of the coin: your organization and others as well. Sometimes it could be overkill, but if cost is not an issue then at least you picked the right tool. If you missed some criteria, however, you will regret that security gap until the subscription expires, having failed to maximize your annual budget. And not only that: your reputation as the security analyst who did the POC and made the recommendation suffers too.
Heart of a Hunter
Most IRs hunt based only on indicators of compromise (IOC) and less on indicators of attack (IOA), which should also be considered in threat hunting. Most adversaries will not use common attacks with known IOCs; to defeat detection and prevention they will instead abuse OS tools like PowerShell, Netcat, Nmap, and other double-edged programs.
These programs, when combined with penetration testers’ toolkits, are very effective and powerful in executing APT-style attacks. The list below was publicly shared by Cybereason in one of their webinars in 2018.
Exploitation Frameworks
- Metasploit
- Cobalt Strike
- Kali
Vulnerability Scanners
- Nmap
- ZAP
Credential Dumpers
- WCE
- Mimikatz
PowerShell Frameworks
- Powersploit
- Empire
This is what makes a DFIR role exciting. The enemy is within. Adversaries need just one chance to break your “defense-in-depth”, while an IR needs no less than 100% to protect their turf.
For threat hunting, an IR should be looking at the different angles of attack:
- Persistence
- Data Exfiltration
- Lateral Movement
- Command & Control
- Privilege Escalation
- Command Execution
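As an added example (not from the article or from Cybereason), here is a small hunt over constructed process-creation events that contrasts an IOC hash lookup with behavioural IOA rules covering the PowerShell and Netcat abuse described above; the event fields, hash values, and rule names are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry): which parent spawned
# which image, with what command line, and the hash of the image that ran.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt", "sha256": "hash-benign-1"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand <base64 omitted>",
     "sha256": "hash-of-signed-powershell"},
    {"host": "ws03", "parent": "cmd.exe", "image": "ncat.exe",
     "cmdline": "ncat.exe --listen 4444", "sha256": "hash-of-stock-ncat"},
    {"host": "ws04", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "hash-listed-in-feed"},
]

# Constructed IOC feed: the only thing an IOC-only hunt can match on.
KNOWN_BAD_HASHES = {"hash-listed-in-feed"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DUAL_USE_TOOLS = {"nc.exe", "ncat.exe", "netcat.exe", "nmap.exe"}

# IOA rules describe behaviour, so a rebuilt or renamed binary with a fresh hash
# still trips them. Each rule is (name, predicate over one event); names are assumptions.
IOA_RULES = [
    ("office_app_spawns_powershell",
     lambda e: e["parent"].lower() in OFFICE_APPS
     and e["image"].lower() == "powershell.exe"),
    ("encoded_powershell_command",
     lambda e: e["image"].lower() == "powershell.exe"
     and re.search(r"\s-enc(odedcommand)?\b", e["cmdline"], re.I) is not None),
    ("dual_use_network_tool",
     lambda e: e["image"].lower() in DUAL_USE_TOOLS),
]


def hunt_ioc(events):
    """IOC hunt: a plain hash lookup. Returns the hosts that matched the feed."""
    return sorted(e["host"] for e in events if e["sha256"] in KNOWN_BAD_HASHES)


def hunt_ioa(events):
    """IOA hunt: run every behavioural rule over every event.
    Returns {host: [rules that fired]} for hosts with at least one hit."""
    hits = {}
    for e in events:
        fired = [name for name, rule in IOA_RULES if rule(e)]
        if fired:
            hits[e["host"]] = fired
    return hits
```

On this sample the IOC hunt flags only ws04, while the IOA rules surface ws02 and ws03, whose stock PowerShell and Netcat binaries have no bad hash to match.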
Visibility and control are very important here. You cannot protect what you don’t know about, and asset management has a vital role in protecting any organization. From it, you will also know which machines remain unpatched.
Skills of Possession
Continuous learning and R&D have already been mentioned in many of my articles and will remain so, whatever operational field of IT you are in. Some take certifications in a specific field, but in my case I preferred continuing education like a Master’s degree, a Professional Graduate Diploma, or Doctorate courses, as these do not have expiration dates and you can literally carry them even when you are six feet under.
Neither guarantees that you become an effective DFIR, though, unless taken and executed by heart rather than as mere decorations for email signatures to amuse headhunters or human resources staff who do not understand those badges at all.
Experience is still the best knowledge (Albert Einstein), and practice makes perfect, I guess. Below are some skills a DFIR must possess, in my honest opinion.
- Computer Forensics
- Mobile Forensics
- Binary Analysis
- Reverse Engineering
- Vulnerability Assessment
- Penetration Testing / Red Teaming
- Network Forensics
- Cryptography
- Basic Programming & Scripting
- Cyber Threat Intelligence
- Computer HW/SW Troubleshooting
- Traits of a Leader (not a manager)
Having a background in systems administration, Windows or especially Unix, is a plus. I would also add communication skills, both written and verbal, as an IR will need them. How could one create a policy or playbook, or an executive or even a technical summary report, with difficulties writing in layman’s terms? This is mandatory.
Imagine that one fine day you are facing the jury in a court of law to defend a piece of inculpatory evidence you documented in your forensic analysis report; if you have no practice speaking in front of an audience, you might end up shaking and peeing in your pants.
Realistically, not all of these skills can be acquired by one person, but at least two of them should be mastered; three is good, four is better, and all of them is best, which makes you a one-man team!
Learning is Fun if Free
Registering for different online CTFs, enrolling in free educational sites, or downloading a real “ghost in the wire”, dropping it into an isolated VM on a non-company laptop, dissecting it (static analysis), then running it and analyzing its behavior (dynamic analysis) to validate your findings are all good routines.
REMnux (Reverse Engineering Malware Linux) is a good Linux distro to start with, as is SIFT (SANS Investigative and Forensic Toolkit). If you are a Windows user, you may want to try FOSS debuggers like Radare, Immunity, or OllyDBG for reverse engineering. A licensed IDA Pro and Binary Ninja are awesome tools for static malware analysis or binary forensics.
The same goes for PCAPs, which are downloadable online: open them in tools like Wireshark or Network Miner. Raw memory or disk image dump files can be loaded into Autopsy, RedLine, OSForensics, AD-FTK, Volatility, ProDiscover, and other tools of the trade of your choice.
Crawling the 5th layer of the web for threat intelligence, and using automated OSINT tools, helps you proactively gather information on different types of cyber-attacks and threat actors before it surfaces on the open Internet.
I would say self-discipline is your best enemy here, as you will be doing this in your non-working hours. If you are too lazy to spend one hour of your free time learning this stuff, then IR is probably not the type of role that fits you.
However, not all FREE stuff is good. Sometimes you need to invest in training or formal schooling. Not everything is taught on the free sites, as the trainers may not have acquired their knowledge for free either, and that is fair enough: their investments should pay off as well. But I know what you’re thinking. Well yes, you can do Google Dorks for that, or torrents, or ask friends; it totally depends on your strategy for getting resources.
Attending meetups and conferences, whether free or paid events, is also part of sharpening your IT security skills and knowledge.
Conclusion
“There are so many ways to kill the chicken,” as I always say. I have my personal opinion based on my experience and the tools I use in real cases, and every DFIR/CSIRT/CERT has their own preferences too.
This article aims to give aspirants a glimpse of a day in a DFIR’s life, and also to give security operations managers (“not all though hehe”) an understanding of how tough the job their subordinates do every day is, so that they do not micromanage but instead trust them and lead: mentor, empower, challenge, appreciate, value, involve, and always keep the team on a mission! These are people that need a leader, not things that can be managed!
This article also reminds me to stick to the fight until the hardest hit, and even when things get harder, I should not quit. (“Sounds like a fraternity”).
Humongous appreciation for reading, and thanks to the long hours of flight during which I was able to compose this article while crossing the Pacific Ocean (June 22, 2018).
21-gun salute to all Forensics and Incident Responders… “The Defenders”!
💡Note: Article originally posted in Peerlyst — August 01, 2019