- Blog
- 28.11.22
Layers on layers on layers: information security investigations
The challenges of information security
The meteoric rise of the information security industry in recent years should come as no surprise.
The digital revolution of the 1990s and 2000s created a new global computing and communication infrastructure in just a few short years. This new system changed the world for the better, but it was built without information security as a primary design goal.
As a result, information technology systems remain broadly exposed to attack and exploitation, an issue society still deals with today. In many cases a single vulnerability leads to a cascading series of unexpected events, seemingly never-ending follow-on attacks, and lasting harm to victims.
A changing threat landscape: how analysts can respond
Industry’s response to vulnerabilities in systems, products, and hardware has strengthened information security across public and private sector organizations alike. A security-first mindset among software developers has improved the security of applications and operating systems, and regulation and better practices have further hardened networks against intrusion.
AI-powered information security vendors and solutions have also recently flooded the market, providing further lines of defense against intrusions. While valuable, many of these products aim to automate key information security processes, which cannot be done completely or effectively without human analysts in the loop.
To prevent attacks and mitigate ongoing incidents, it is therefore important to empower human analysts with different investigation disciplines. Let’s explore some examples of these disciplines.
Cyber Threat Intelligence (CTI)
What is CTI?
One of the first lines of defense against cyberattacks is cyber threat intelligence. CTI can be split into several subfields, but broadly speaking it is the collection, analysis, and dissemination of strategic and tactical intelligence on current and potential attacks that threaten an organization, its assets, its data, and its employees online.
Effective cyber threat intelligence practices enable organizations to manage cyber risk and exposure, preventing attacks and mitigating the impact of attacks that do occur.
Cyber threat intelligence is a broad field, encompassing everything from the monitoring of leaked or hacked credentials, to infiltrating hacking forums and chat groups, and beyond. Effective CTI procedures often involve the processing of massive amounts of data. This requires both automated systems and human analysts, tasked with distilling relevant and actionable insights from the sea of data.
These analysts must analyze areas such as a company’s leaked intellectual property, leaked credentials, chatter about threats to company infrastructure or assets, and more. Additionally, they will often need to investigate these threats deeply to unmask threat actors, better understand threat actor tactics, techniques and procedures (TTPs), and attribute malign activity to an individual or organization.
Using CTI effectively
CTI analysts investigating threat actors online need open-source intelligence (OSINT) skills alongside information security expertise: enriching data points and identifiers such as usernames, email addresses, and phone numbers, building link-analysis graphs, writing reports, and more. SOC (Security Operations Center) analysts use the resulting data to screen potentially malign IP addresses attempting to connect to their organization’s systems, and share it with law enforcement and external partners as well as internal information security departments.
This information is often provided to a number of stakeholders, ranging from potential clients and partners to law enforcement and other organizations, as well as internal stakeholders such as threat hunters who put the CTI to use. Collaboration is key not only externally but internally as well. For example, using intelligence from a recent cyberattack, threat hunters can take its indicators of compromise (IoCs), the observable signs that a network has been compromised, such as attacker IP addresses, domains, and file hashes, and sweep internal networks and systems for any sign of intrusion by the same threat actors.
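The IoC sweep described above, as an added example written for this post (it is not Falkor's code): a CTI feed often delivers indicators "defanged" (hxxp, [.]) and mixed by type, so the sweep first refangs and classifies each one, then matches it with a type-appropriate pattern so that a near-miss such as 203.0.113.4 does not hit on 203.0.113.45. The indicator list, the three log formats, and the host names are all constructed for illustration.

```python
"""IoC sweep: match a CTI feed's indicators against internal log lines.

Added example written for this post; it is not Falkor's code. The indicator
list and the log lines are constructed (RFC 5737 test addresses, .example
names), and the log formats are invented for illustration.
"""
import re
from collections import defaultdict

# Indicators as a feed might deliver them. Some are "defanged" (hxxp, [.])
# so they cannot be clicked by accident; they must be refanged before matching.
RAW_IOCS = [
    "203.0.113.45",                      # attacker SSH source / C2 address
    "hxxp://update-check[.]example/",    # defanged payload URL
    "badcdn[.]example",                  # defanged domain; subdomains count
    "7d2f1a9c0b3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90",  # SHA-256
]

# Constructed lines from a web proxy, an EDR agent and sshd. Lines 3 and 6
# are deliberate near-misses that a naive substring search would flag.
SAMPLE_LOGS = [
    'proxy host=ws-017 user=alice dst=update-check.example url="http://update-check.example/agent.bin" status=200',
    'proxy host=ws-042 user=bob dst=cdn.badcdn.example url="http://cdn.badcdn.example/lib.js" status=200',
    'proxy host=ws-099 user=carol dst=notbadcdn.example url="http://notbadcdn.example/" status=200',
    'edr host=ws-017 event=process_create image=C:\\Users\\alice\\AppData\\agent.exe sha256=7d2f1a9c0b3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90',
    'sshd host=jump-01 Accepted publickey for deploy from 203.0.113.45 port 51822',
    'sshd host=jump-01 Accepted publickey for deploy from 203.0.113.4 port 51001',
]


def refang(indicator):
    """Undo common defanging so the indicator compares against real log text."""
    ind = indicator.strip().lower()
    ind = ind.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if ind.startswith("hxxp"):
        ind = "http" + ind[4:]
    return ind


def classify(indicator):
    """Bucket a refanged indicator so each type gets a suitable matcher."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", indicator):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", indicator):
        return "hash"
    if indicator.startswith(("http://", "https://")):
        return "url"
    return "domain"


def build_matchers(raw_iocs):
    """One compiled regex per indicator, bounded so that 203.0.113.4 does not
    match 203.0.113.45 and notbadcdn.example does not match badcdn.example."""
    matchers = []
    for raw in raw_iocs:
        ind = refang(raw)
        kind = classify(ind)
        if kind == "url":
            pattern = re.escape(ind.rstrip("/"))            # prefix match: paths under it count
        elif kind == "ipv4":
            pattern = r"(?<![\w.-])" + re.escape(ind) + r"(?![\w.-])"
        elif kind == "domain":
            pattern = r"(?<![\w-])" + re.escape(ind) + r"(?![\w.-])"  # leading dot allowed: subdomains
        else:
            pattern = r"\b" + re.escape(ind) + r"\b"
        matchers.append((raw, kind, re.compile(pattern, re.IGNORECASE)))
    return matchers


def sweep(log_lines, raw_iocs):
    """Return {host: [(indicator, kind, line), ...]} for every line that hits."""
    hits = defaultdict(list)
    matchers = build_matchers(raw_iocs)
    for line in log_lines:
        m = re.search(r"\bhost=(\S+)", line)
        host = m.group(1) if m else "unknown"
        for raw, kind, rx in matchers:
            if rx.search(line):
                hits[host].append((raw, kind, line))
    return dict(hits)


if __name__ == "__main__":
    for host, host_hits in sweep(SAMPLE_LOGS, RAW_IOCS).items():
        print(host)
        for raw, kind, line in host_hits:
            print(f"  [{kind}] {raw}\n      {line}")
```

Running it reports two hits on ws-017 (the payload URL and the file hash), one on ws-042 (a subdomain of the listed domain) and one on jump-01 (the SSH source address), while the two near-miss lines stay silent. In a real hunt the same matchers would be run over a SIEM export or search index rather than an in-memory list; the refanging and bounded matching are the parts that are easy to get wrong.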
Digital Forensics and Incident Response (DFIR)
What is DFIR?
Unfortunately, even the best preparations and preventative measures can’t prevent every attack. When an attack succeeds and is identified, digital forensics and incident response (DFIR) begins. Incident response (IR) is the identification, triage, containment, and remediation of an ongoing cyberattack. It relies on digital forensics to investigate the attack as it unfolds, to carry out post-attack investigations, to help identify the attacker, and to strengthen defensive measures.
Incident response is a dynamic and fast-paced field that requires the quick collection and analysis of myriad data points from numerous sources. Potentially malicious activity, such as known malicious IPs connecting to certain systems on certain ports, phishing attempts against employees, or logins from unknown devices, can all trigger alerts.
Using DFIR effectively
Fusing and visualizing the data behind incoming alerts is key to reducing false positives and expediting the response to ongoing attacks. Analysts must also enrich alerts with data from internal sources (asset inventories, identity systems, known-scanner allowlists) and external APIs (reputation and threat-intelligence lookups).
Reducing the time it takes to do this lets Security Operations Center (SOC) and Incident Response (IR) teams triage and remediate potential threats before damage is done. Promoting cooperation and data visibility with internal and external partners also contributes greatly to effective IR and helps ensure business continuity. Lastly, storing all of this information in a centralized, de-siloed, and auditable form enables effective post-incident recovery and faster IR in the future.
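The alert fusion and enrichment just described, as an added example written for this post (not Falkor's code): alerts from three tools are grouped into cases by the entities they share (source IP, user, host), each case is enriched from an internal asset inventory and an external reputation lookup, and a simple score decides what to escalate and what to suppress. Everything here is constructed: the alerts, the asset list, the scanner allowlist, and the REPUTATION dict, which stands in for a call to a real reputation API.

```python
"""Fuse alerts from several tools into cases, enrich them, and rank them.

Added example written for this post; it is not Falkor's code. The alerts,
asset inventory, scanner allowlist and reputation table are all constructed;
the REPUTATION dict stands in for a call to an external reputation API.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed alerts from an IDS, a VPN concentrator and an EDR agent.
ALERTS = [
    {"src": "ids", "ts": "2022-11-28T08:01:10Z", "ip": "203.0.113.45", "host": "jump-01",
     "msg": "known-bad IP connected to tcp/22"},
    {"src": "vpn", "ts": "2022-11-28T08:03:45Z", "ip": "203.0.113.45", "user": "deploy",
     "msg": "login from unregistered device"},
    {"src": "edr", "ts": "2022-11-28T08:05:02Z", "host": "jump-01", "user": "deploy",
     "msg": "new scheduled task created"},
    {"src": "ids", "ts": "2022-11-28T08:10:00Z", "ip": "10.20.0.9", "host": "web-03",
     "msg": "port scan detected"},
    {"src": "ids", "ts": "2022-11-28T08:10:30Z", "ip": "10.20.0.9", "host": "db-01",
     "msg": "port scan detected"},
]

# Internal enrichment sources: asset inventory and the allowlisted vulnerability scanner.
ASSETS = {
    "jump-01": {"criticality": "high", "owner": "platform"},
    "web-03": {"criticality": "medium", "owner": "web"},
    "db-01": {"criticality": "high", "owner": "data"},
}
INTERNAL_SCANNERS = {"10.20.0.9"}

# External enrichment stand-in: what a reputation API might return.
REPUTATION = {"203.0.113.45": {"verdict": "malicious", "tags": ["c2", "ssh-bruteforce"]}}


@dataclass
class Case:
    entities: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    enrichment: dict = field(default_factory=dict)
    score: int = 0
    verdict: str = "open"


def entities_of(alert):
    """The entities that can tie alerts together: source IP, user, host."""
    return {f"{k}:{alert[k]}" for k in ("ip", "user", "host") if k in alert}


def fuse(alerts):
    """Group alerts that share any entity, transitively (union-find over entities)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for alert in alerts:
        ents = sorted(entities_of(alert))
        for e in ents[1:]:
            parent[find(e)] = find(ents[0])
    cases = defaultdict(Case)
    for alert in alerts:
        case = cases[find(sorted(entities_of(alert))[0])]
        case.alerts.append(alert)
        case.entities |= entities_of(alert)
    return list(cases.values())


def enrich(case):
    """Attach internal inventory data and external reputation to each entity."""
    for ent in case.entities:
        kind, value = ent.split(":", 1)
        if kind == "ip" and value in INTERNAL_SCANNERS:
            case.enrichment[ent] = {"internal": True, "role": "vuln-scanner"}
        elif kind == "ip" and value in REPUTATION:
            case.enrichment[ent] = REPUTATION[value]
        elif kind == "host" and value in ASSETS:
            case.enrichment[ent] = ASSETS[value]
    return case


def score(case):
    """Heuristic priority: suppress the known scanner, escalate on corroborated evidence."""
    facts = list(case.enrichment.values())
    if any(f.get("role") == "vuln-scanner" for f in facts):
        case.score, case.verdict = 0, "suppressed (internal scanner)"
        return case
    s = 50 if any(f.get("verdict") == "malicious" for f in facts) else 0
    s += 30 if any(f.get("criticality") == "high" for f in facts) else 0
    s += 10 * (len({a["src"] for a in case.alerts}) - 1)        # independent tools agreeing
    s += 10 if any("unregistered device" in a["msg"] for a in case.alerts) else 0
    case.score, case.verdict = s, ("escalate" if s >= 70 else "triage")
    return case


def triage(alerts):
    """Fuse, enrich and rank; highest-priority case first."""
    return sorted((score(enrich(c)) for c in fuse(alerts)), key=lambda c: -c.score)
```

Five alerts become two cases: the three about jump-01 and the deploy user fuse into one escalated case because they corroborate each other across tools, and the two port-scan alerts collapse into one suppressed case once the source is recognized as the internal scanner. The suppression rule is deliberately coarse; a real implementation should still keep the suppressed case on record and re-open it if the scanner IP ever appears in a non-scanning alert, since a compromised scanner is a convenient place for an attacker to hide.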
Digital forensics is needed both during and after the IR process. Forensically investigating potentially compromised systems, network activity, and logs can expose several key details about an attack: how attackers gained entry, which malware they used and how, and how they then leveraged that foothold to attack other systems, steal information, or otherwise damage the victim’s assets. Digital forensics also provides key information for identifying threat actors, which may be essential for any litigation, legal, and insurance processes.
Further investigating an attack with open-source intelligence methods can shine a light on attacker infrastructure. The originating IP of an attack, bearing in mind that it is often a proxy, VPN exit, or compromised host rather than the attacker’s own machine, and any other identifiers found during the investigation, such as email addresses used for phishing, phone numbers used for messaging, or even file metadata, can be pivoted on with OSINT. This can expose further attacker infrastructure and, accordingly, strengthen an organization’s defensive posture against threats emanating from it.
Simplifying analysis and reporting
Attacker infrastructure is often vast and comprises a variety of entities, from domains and subdomains to servers, IP addresses, social media accounts, and even registered companies. Mapping the infrastructure behind confirmed attacks takes time, not to mention the lengthy process of describing it in a report.
Link-analysis graphs of attacker infrastructure help stakeholders understand the threat and implement countermeasures. However, graphing dozens, hundreds, or even thousands of entities by hand is extremely time-consuming, and comprehensive research on attacker infrastructure typically requires four or five separate external tools to achieve full data coverage. Integrating link-analysis graphing with data enrichment via APIs significantly cuts research time.
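The OSINT pivoting on an attack's IP and identifiers described under "Using DFIR effectively", and the link-analysis graph of attacker infrastructure described just above, as one added example written for this post (not Falkor's code): enrichment results are loaded as typed entity-relation-entity triples, the graph is expanded outward from a seed indicator, and the entities that tie the most others together are reported as pivots. The records are constructed stand-ins for what passive-DNS, WHOIS, and ASN lookups return; the hub exclusion is the practitioner's caveat, since expanding through a large ASN, a CDN edge, or a freemail registrant links the attacker to half the internet.

```python
"""Build a link-analysis graph of attacker infrastructure and expand it
from a seed indicator.

Added example written for this post; it is not Falkor's code. The records are
constructed stand-ins for passive-DNS, WHOIS and ASN lookup results
(.example names, RFC 5737 addresses, a documentation ASN).
"""
from collections import defaultdict, deque

# (entity, relation, entity) triples as an enrichment pipeline might return
# them. Entities are typed "kind:value". Constructed data.
RECORDS = [
    ("domain:login-portal.example",  "resolves_to", "ip:203.0.113.45"),
    ("domain:secure-update.example", "resolves_to", "ip:203.0.113.45"),
    ("domain:secure-update.example", "registrant",  "email:ops@mailbox.example"),
    ("domain:cdn-assets.example",    "registrant",  "email:ops@mailbox.example"),
    ("domain:cdn-assets.example",    "resolves_to", "ip:203.0.113.77"),
    ("ip:203.0.113.45",              "in_asn",      "asn:AS64496"),
    ("ip:203.0.113.77",              "in_asn",      "asn:AS64496"),
    # An unrelated domain that merely shares the hosting ASN: noise, not infrastructure.
    ("domain:www.example.org",       "resolves_to", "ip:198.51.100.7"),
    ("ip:198.51.100.7",              "in_asn",      "asn:AS64496"),
]

# Entities that link everything to everything (big ASNs, CDN edges, freemail
# registrants). They are recorded as context but never expanded through.
HUBS = {"asn:AS64496"}


def build_graph(records):
    """Undirected adjacency: node -> {neighbour: relation}."""
    graph = defaultdict(dict)
    for a, rel, b in records:
        graph[a][b] = rel
        graph[b][a] = rel
    return graph


def expand(graph, seed, max_depth=5, hubs=HUBS):
    """Breadth-first expansion from the seed; returns {node: hop distance}.
    Hubs are discovered but not expanded through, and depth bounds the budget."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if node in hubs or seen[node] >= max_depth:
            continue
        for nb in graph[node]:
            if nb not in seen:
                seen[nb] = seen[node] + 1
                queue.append(nb)
    return seen


def pivots(graph, nodes, hubs=HUBS):
    """Non-hub nodes in the discovered set that connect two or more others:
    the shared IPs, registrant emails and domains worth blocking or watching."""
    return sorted((n for n in nodes if n not in hubs and len(graph[n]) >= 2),
                  key=lambda n: (-len(graph[n]), n))


def report(graph, seed):
    """Plain-text view of the expansion, indented by hop distance."""
    discovered = expand(graph, seed)
    lines = [f"seed: {seed}"]
    for node, depth in sorted(discovered.items(), key=lambda kv: (kv[1], kv[0])):
        tag = "  [hub, not expanded]" if node in HUBS else ""
        lines.append(f"  {'  ' * depth}{node}{tag}")
    lines.append("pivots: " + ", ".join(pivots(graph, discovered)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_graph(RECORDS), "domain:login-portal.example"))
```

Starting from the phishing domain, the expansion reaches the shared IP, the second domain on it, the registrant email, the third domain under that email and its own IP, and stops at the ASN. Dropping the hub set (pass hubs=set()) pulls in www.example.org through the ASN, which is exactly the kind of false link that makes a hand-drawn graph of hundreds of entities misleading. The same structure accepts email addresses, phone numbers, or file-metadata values as further entity kinds without changing the traversal.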
Falkor: for more efficient information security investigations
In many information security departments, the processes and teams we’ve discussed above are diffuse and decentralized. Improving collaboration and data sharing between information security teams is crucial to any effort to improve efficiency in information security workflows. The responsibilities and capabilities of these teams may vary, but they are in fact more similar to each other than they may initially appear, and smooth integration between them is vital.
Falkor offers a solution, empowering information security teams of all kinds — from cyber threat intelligence to threat hunting, and DFIR teams — to work in the same secure, regulation-compliant workspaces.
Falkor provides an analyst operating system with the exact features needed to boost efficiency across whole investigations: universal data ingestion and analysis, powerful link analysis and data visualization features, built-in collaboration and compartmentalization systems, and, perhaps most importantly, external API and data integrations.