In the recent Rapid7 webcast, “Storming the Breach, Part 1: Initial Infection Vector”, Incident Response experts Wade Woolwine and Mike Scutt had a technical discussion on investigation methodologies for the three most common breach scenarios: spear phishing, browser exploitation, and web server compromise. Their discussion was packed with details and expert tips for investigating these scenarios, so it's definitely worth the watch, but in the meantime, here are the top three takeaways from their discussion:
Timelining is everything – During an investigation, building out a timeline is crucial. By reconstructing the chain of attack that was used, you will start to get a better understanding of what may be happening in your environment. The best way to get a good footing is to start from a pivot point, whether that is something like the date an email was sent, in the case of spear phishing, or any piece of data or timestamp that gives a rough idea of when a browser exploitation occurred. If you don't have this initial pivot point, use techniques that reduce noise to locate one, such as finding the malware and working your way back. Use whatever data you can find to piece together what happened right before, during, and after the malware was dropped.
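One way to build that timeline around a pivot point, as an added example that is not from the webcast or Rapid7: constructed log lines from a mail gateway, a web proxy and an endpoint AV are normalised to UTC, merged, and windowed around either the email delivery time or, when working back from the malware, the first detection. The log formats, hostnames and timestamps are all made up for the example.

```python
# Added example: merge heterogeneous logs and window them around a pivot event.
# Log formats below are hypothetical (not any vendor's); sample lines are constructed.
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "ts source detail")

MAIL_LOG = ["2015-06-02 13:58:10 to=jdoe from=hr@partner.test attach=invoice.doc"]
PROXY_LOG = [
    "02/Jun/2015:09:12:00 +0000 10.0.0.15 GET http://news.test/ 200",   # noise, out of window
    "02/Jun/2015:14:01:43 +0000 10.0.0.15 GET http://cdn.test/u.php 200",
    "02/Jun/2015:14:05:12 +0000 10.0.0.15 GET http://cdn.test/b.bin 200",
]
AV_LOG = [
    "1433253951 host=WS15 file=Temp\\b.exe verdict=Trojan.Generic",     # 14:05:51 UTC
    "1433300000 host=WS15 file=Temp\\x.exe verdict=Adware.Generic",     # next day, out of window
]

def parse_mail(line):            # gateway writes local time in UTC
    day, clock, rest = line.split(" ", 2)
    ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return Event(ts.replace(tzinfo=timezone.utc), "mail", rest)

def parse_proxy(line):           # proxy writes an explicit offset; normalise to UTC
    stamp, tz, rest = line.split(" ", 2)
    ts = datetime.strptime(f"{stamp} {tz}", "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts.astimezone(timezone.utc), "proxy", rest)

def parse_av(line):              # AV writes a Unix epoch
    epoch, rest = line.split(" ", 1)
    return Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "endpoint", rest)

def load_events():
    return ([parse_mail(l) for l in MAIL_LOG] + [parse_proxy(l) for l in PROXY_LOG]
            + [parse_av(l) for l in AV_LOG])

def pivot_from(events, source):
    """Earliest event of the chosen source: the email if you have it, else the first detection."""
    return min(e for e in events if e.source == source)

def build_timeline(events, pivot, before, after):
    """Rows (offset_seconds, source, detail) within [pivot-before, pivot+after], sorted."""
    lo, hi = pivot.ts - before, pivot.ts + after
    return sorted((int((e.ts - pivot.ts).total_seconds()), e.source, e.detail)
                  for e in events if lo <= e.ts <= hi)

def investigate(source="mail"):
    events = load_events()
    return build_timeline(events, pivot_from(events, source),
                          timedelta(minutes=10), timedelta(minutes=15))
```

Calling `investigate()` pivots on the email and yields the download and detection as positive offsets; `investigate("endpoint")` pivots on the detection and shows the same chain as negative offsets, which is the "find the malware and work back" case.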
Tools are your friend – There are many tools that can help during an investigation to make your job easier and faster, whether you're analyzing malware or in the mitigation stage. (Specific tools that help during an investigation are recommended throughout the on-demand webinar.) There are also tools and systems that you can have in place to help prevent and detect attacks on your network. IDS/IPS systems are vital for helping to protect endpoints. Further, make sure to sandbox critical applications known to be targets of attacks, such as email clients, Flash, Java, Adobe Acrobat, web browsers, etc., so that if they're infected by malware, it can't entrench itself in your system beyond that application.
Limit admin access – You can save yourself a lot of headaches, time, money, and more by limiting user access. Do not allow all users to have admin privileges. There is no reason for the average user to have local admin on their box, and you can easily ensure that users contact a help desk if they need to install additional software. Make sure your users only have the privileges they need to accomplish their job on a day-to-day basis. Attackers are getting really smart and constantly finding new and interesting ways of hiding themselves, so make sure you're doing everything in your power to make your systems and users more difficult to attack.
View the on-demand webinar now to get the detailed picture of how experts begin to investigate a breach.
Register for the follow-up to this technical discussion, "Storming the Breach, Part 2: Uncovering Attacker Tracks", by visiting the webcast fire pit at Rapid7's free Security Summer Camp.