Incident Response for Windows
Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems

Product type: Paperback
Published: Aug 2024
Publisher: Packt
ISBN-13: 9781804619322
Length: 244 pages
Edition: 1st Edition
Authors: Anatoly Tykushin, Svetlana Ostrovskaya
Table of Contents (20 chapters)

Preface
Part 1: Understanding the Threat Landscape and Attack Life Cycle
  Chapter 1: Introduction to the Threat Landscape (free chapter)
  Chapter 2: Understanding the Attack Life Cycle
Part 2: Incident Response Procedures and Endpoint Forensic Evidence Collection
  Chapter 3: Phases of an Efficient Incident Response on Windows Infrastructure
  Chapter 4: Endpoint Forensic Evidence Collection
Part 3: Incident Analysis and Threat Hunting on Windows Systems
  Chapter 5: Gaining Access to the Network
  Chapter 6: Establishing a Foothold
  Chapter 7: Network and Key Assets Discovery
  Chapter 8: Network Propagation
  Chapter 9: Data Collection and Exfiltration
  Chapter 10: Impact
  Chapter 11: Threat Hunting and Analysis of TTPs
Part 4: Incident Investigation Management and Reporting
  Chapter 12: Incident Containment, Eradication, and Recovery
  Chapter 13: Incident Investigation Closure and Reporting
Index
Other Books You May Enjoy

Scaling forensic evidence collection

When we talk about enterprise-wide data collection, the first thing that probably comes to mind is security controls. Many security controls can provide valuable data for incident investigation. However, it is important to remember that the storage of security controls is limited. EDRs usually store telemetry for between one week and several months. Moreover, not all solutions on the market provide proper telemetry collection capabilities or indexing and search options; this depends on the licensing and the solution architecture. We will perform a deep dive into telemetry analysis and its enrichment techniques for incident investigation and threat hunting in the following chapters.

Security Information and Event Management (SIEM) or log management systems collect and index logs acquired from the configured data sources for anywhere between one month and one year, depending on the licensing. These solutions should guarantee proper data field completeness, parsing, and indexing. Once data has been stored within indices, various search queries can be run to retrieve the data that is relevant to the cybersecurity incident. Sometimes the logs from SIEM are archived for one more year or even longer, depending on local regulations.

Note

In 49 out of 50 incident response engagements, our team observed gaps of different kinds. One of the major gaps is the lack of visibility: some important endpoint events are skipped, or only a limited set of devices is covered. At the same time, Windows event logs that stay on the endpoint can be cleared using the built-in wevtutil command, and it is not feasible to forward event logs from all workstations in huge enterprises. That’s why, in the wild, you will see SIEM covering server infrastructure, while workstations are covered by EDR solutions with limited telemetry collection configured due to the high associated costs.

From a triaging perspective, data from SIEM can easily be exported via the GUI. Export the relevant information to raw formats, such as text, CSV, or JSON, which can be retained together with the case evidence. We do not recommend exporting to PDF, since it has a significant drawback: custom-developed scripts cannot be used to analyze the data in that form. A similar approach is also applicable to network security controls.

Even though the information from security controls may give us some visibility into the situation, what should we do if we need to gain enterprise-wide visibility by collecting triage packages from the endpoints themselves? From our experience, you may sometimes find yourself needing to collect triage from more than 50 endpoints at the same time. Some EDRs on the market do not support raw artifact collection by design. Moreover, not many organizations can afford to purchase and implement an EDR. In such situations, it is better to be ready.

Here are several things you can prepare in advance:

  1. A network share, SFTP server, or cloud storage to store the acquired evidence, with sufficient network bandwidth.
  2. A CLI-based triage collector with a ready-to-use command line for configuring the targets.
  3. Software deployment tools such as Group Policy Objects (GPOs), PsExec, WMI, PowerShell Remoting, or any solution that is capable of executing commands or programs remotely.
  4. The collection scope. For example, you might set up a new organizational unit within Active Directory to apply a Group Policy Object, or create a file containing IP addresses or hostnames and feed it to the software deployment tool of your choice.
  5. Proper access. The IR team must use a dedicated user account with a fine-grained set of limited privileges and scope to run the necessary scripts, commands, or tools on the endpoints in the environment. The IR team must also consider the risk of this user account being compromised, given that the target endpoints may be infected, the threat actor may be monitoring for new user sessions, and the credentials of this user account may be captured from memory.
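One way to script steps 1 to 5, as an added example that is not code from the book: a PowerShell orchestrator that reads the scope file, runs a CLI triage collector on every listed host in parallel over WinRM with the dedicated IR account, pulls the results back to the evidence share, and verifies each transferred file against a hash computed on the endpoint. The collector path and its --output flag, the share path, and the case identifier are placeholders.

```powershell
# Added example (not from the book). Assumptions: a CLI triage collector is
# already staged on each host at $CollectorPath and accepts "--output <dir>"
# (placeholder syntax); $ShareRoot is an evidence share the orchestrating
# workstation can write to; the scope file lists one hostname per line.
$ScopeFile     = 'C:\IR\scope.txt'              # collection scope (step 4)
$ShareRoot     = '\\ir-evidence\triage$'        # evidence share (step 1)
$CollectorPath = 'C:\IR\tools\collector.exe'    # hypothetical collector (step 2)
$CaseId        = 'CASE-0001'                    # constructed case identifier
$StageDir      = "C:\ProgramData\IR\$CaseId"    # local staging folder on each target
# Dedicated IR account (step 5). Kerberos over WinRM is a network logon, so the
# password is not cached in LSASS on the (possibly compromised) target. Do not
# enable CredSSP for this job: it would hand the target a reusable credential.
$Cred    = Get-Credential -Message 'Dedicated IR collection account'
$Targets = Get-Content $ScopeFile | Where-Object { $_ -and -not $_.StartsWith('#') }

# One session per host (step 3); hosts that cannot be reached are reported, not fatal.
$Sessions = New-PSSession -ComputerName $Targets -Credential $Cred -ThrottleLimit 32 `
                          -ErrorAction SilentlyContinue -ErrorVariable Failed
$Failed | ForEach-Object { Write-Warning "Session failed: $_" }

# Run the collector everywhere in parallel. It writes to a local staging folder
# because, without credential delegation, the remote session cannot open the
# share itself (the "second hop"), which is exactly what we want here.
$Manifest = Invoke-Command -Session $Sessions -ArgumentList $CollectorPath, $StageDir -ScriptBlock {
    param($Collector, $Stage)
    New-Item -ItemType Directory -Path $Stage -Force | Out-Null
    $p = Start-Process -FilePath $Collector -ArgumentList "--output `"$Stage`"" `
                       -Wait -PassThru -NoNewWindow
    # Hash every artifact on the endpoint so the copy can be verified at the share.
    Get-ChildItem -Path $Stage -File -Recurse | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash, @{n='ExitCode'; e={$p.ExitCode}}
}

# Pull the staged artifacts back through each session and verify the hashes.
# Invoke-Command tags each manifest row with PSComputerName, the session's host.
foreach ($s in $Sessions) {
    $Dest = Join-Path $ShareRoot "$CaseId\$($s.ComputerName)"
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    Copy-Item -FromSession $s -Path "$StageDir\*" -Destination $Dest -Recurse -Force
    foreach ($m in ($Manifest | Where-Object PSComputerName -eq $s.ComputerName)) {
        $Rel   = $m.Path.Substring($StageDir.Length + 1)   # path relative to staging dir
        $Local = Join-Path $Dest $Rel
        if ((Get-FileHash $Local -Algorithm SHA256).Hash -ne $m.Hash) {
            Write-Warning "Hash mismatch after transfer: $Local"
        }
    }
}
$Manifest | Export-Csv (Join-Path $ShareRoot "$CaseId\manifest.csv") -NoTypeInformation
Remove-PSSession $Sessions
```

The manifest CSV stays with the case evidence as the integrity record for every collected file; rerun only the hosts that appear in the warnings.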

Having this process of scaled evidence collection prepared and tested outside of an active incident response means that the organization’s cybersecurity has reached a certain maturity level; it significantly reduces the time needed to collect data and gives a serious advantage in intrusion investigation.

Now, we have covered all aspects of evidence collection. Let’s summarize everything we have discussed throughout this chapter.
