I’ve been involved in addressing many different cyberattacks in 2017 and early 2018, with some attacks being more successful than others. My involvement was usually in identifying the nature of the attack in a post-mortem fashion or thwarting the advancement of an attack in progress. One common thread among all of them was the lack of forensic readiness by the organization that was attacked.
So, what exactly is forensic readiness?
Most organizations deploy some advanced hardware at the perimeter (such as a firewall or application proxy) to control North-South traffic, i.e. traffic generated on the local network heading to the Internet or vice versa. Other organizations adopt a more advanced model and install an additional Intrusion Detection System on the network that monitors East-West traffic (traffic that moves between users, servers, storage, etc.). A logging system is installed to capture the events, and the assumption is then that this ecosystem can be defended successfully. The reality is that this type of installation is typical but inadequate.
If something were to happen (a user account hacked, a rogue USB device, malware delivered as an email attachment, someone gaining access to a cloud tenancy, etc.), the logs provided by the firewall and the IDS device would not be sufficient to ascertain what occurred, let alone to attempt to prosecute the case if the business was harmed.
I’m going to walk you through some of the changes that I think are necessary for a strong foundation in cybersecurity; they pertain only to the data collection portion of the forensic process.
Identifying Sources of Data:
- Local equipment such as firewalls, servers, local Active Directory controllers, wireless devices, etc.
- Remote equipment: Similar to above but residing in a different location such as remote offices and data centers
- Cloud providers: O365, Azure, AWS, Google, and other hosting providers whether hosting Infrastructure or Application as a Service
Acquiring the data:
- Set up an NTP server to synchronize all devices to ensure that incoming data has proper timing (for correlation purposes)
- Configure the sources to send the logs to a centralized SIEM (Security Information and Event Management) system such as Splunk or AlienVault
- Configure the sources to have the necessary settings for the logs in order to sufficiently identify an attack and/or present enough evidence to allow prosecution
- Configure the cloud tenancies to adequately collect and forward the logs to the SIEM
- Install Intrusion Detection Systems/Capabilities on your VPN tunnels and any other external connector with a partner or client and ensure that proper logging is enabled and forwarding to your SIEM
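Two of the steps above are easy to misjudge after the fact: whether every source in the inventory is actually forwarding to the SIEM, and whether the sources' clocks are really synchronised so that their events can be correlated. The following Python script is an added example (not code from the original post or any product it names) that checks both against a log stream the SIEM has received. The record layout, the host names, the inventory and the sample events are all constructed for the example; the assumption is that the collector stamps each event with its own receive time, so the gap between that stamp and the timestamp the device wrote exposes a source that is not keeping NTP time.

```python
"""Forensic-readiness check over a SIEM's inbound log stream (added example).

Constructed record format, one event per line:
  <collector_receive_time_utc> <source_host> <device_timestamp_utc> <message>
The first field is written by the collector on receipt; the third is the
timestamp the source itself wrote. A large gap between them means the source
is not NTP-synchronised and its events cannot be correlated reliably.
"""
from datetime import datetime, timedelta, timezone

# Inventory of sources expected to forward to the SIEM (constructed), covering
# local equipment, a remote office, a VPN-facing IDS and a cloud tenancy.
EXPECTED_SOURCES = {
    "fw-hq-01",      # local perimeter firewall
    "dc-hq-01",      # local Active Directory domain controller
    "fw-branch-02",  # remote office firewall
    "ids-vpn-01",    # IDS on the partner VPN tunnel
    "o365-tenant",   # cloud tenancy audit-log forwarder
}

# Constructed sample stream: dc-hq-01's clock runs ~7 minutes ahead,
# ids-vpn-01 last reported hours ago, and o365-tenant never reports at all.
SAMPLE_STREAM = """\
2018-03-01T10:00:01Z fw-hq-01 2018-03-01T10:00:00Z allow src=10.1.1.5 dst=203.0.113.7 dport=443
2018-03-01T10:00:03Z dc-hq-01 2018-03-01T10:07:02Z EventID=4625 logon failure user=jdoe
2018-03-01T10:00:04Z fw-branch-02 2018-03-01T10:00:04Z deny src=192.0.2.9 dst=10.2.0.4 dport=3389
2018-03-01T04:12:00Z ids-vpn-01 2018-03-01T04:11:59Z alert sid=1000001 msg="policy violation"
2018-03-01T10:00:05Z fw-hq-01 2018-03-01T10:00:05Z deny src=198.51.100.3 dst=10.1.1.5 dport=22
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_stream(text):
    """Split the constructed record format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        received, host, device_ts, message = line.split(" ", 3)
        records.append({"received": parse_ts(received), "host": host,
                        "device_ts": parse_ts(device_ts), "message": message})
    return records


def clock_skew(records, max_skew=timedelta(seconds=30)):
    """Worst |device_ts - received| per host, and the hosts beyond max_skew."""
    worst = {}
    for r in records:
        skew = abs((r["device_ts"] - r["received"]).total_seconds())
        worst[r["host"]] = max(worst.get(r["host"], 0.0), skew)
    flagged = {h: s for h, s in worst.items() if s > max_skew.total_seconds()}
    return worst, flagged


def coverage(records, expected, now, max_silence=timedelta(hours=1)):
    """Which inventoried sources are missing, stale, or reporting unexpectedly."""
    last_seen = {}
    for r in records:
        if r["host"] not in last_seen or r["received"] > last_seen[r["host"]]:
            last_seen[r["host"]] = r["received"]
    seen = set(last_seen)
    return {
        "missing": sorted(expected - seen),
        "stale": sorted(h for h, t in last_seen.items()
                        if h in expected and now - t > max_silence),
        "unexpected": sorted(seen - expected),
    }


if __name__ == "__main__":
    recs = parse_stream(SAMPLE_STREAM)
    worst, flagged = clock_skew(recs)
    report = coverage(recs, EXPECTED_SOURCES, now=parse_ts("2018-03-01T10:01:00Z"))
    for host, secs in sorted(worst.items()):
        mark = "  <-- clock not synchronised" if host in flagged else ""
        print(f"{host:14} worst skew {secs:6.0f}s{mark}")
    for kind, hosts in report.items():
        print(f"{kind:10}: {', '.join(hosts) or '-'}")
```

The skew threshold and the silence window are the parameters to tune to your own environment: a domain controller that drifts by minutes will produce logon events that cannot be lined up with the firewall's connection records, and a source that appears in the inventory but not in the stream is exactly the gap that is discovered only when an incident is already under way.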
Although data collection is a subsection of forensic readiness, its importance cannot be overstated, because in every incident I have participated in, the logs pertaining to the attack were never sufficient. Please feel free to comment on this blog and/or contact me at firstname.lastname@example.org. Be on the lookout for my upcoming forensic toolkit, which addresses forensic readiness more comprehensively.
CEO & Enterprise Architect