Security Watercooler: Remote incident response, with ContextIS' Stephanie Albertina

Thursday, 2 April, 2020

This week we are trialling an idea around a virtual ‘Security Watercooler’. 25~30 min video calls to break up the day and showcase different viewpoints. Check out more about the concept here.

Today Robin Oldham was joined by ContextIS’ Stephanie Albertina to discuss the remote incident response. Here are the summary notes from the call:

As a CIR firm around 70-80% of Context IS’ response work is already conducted remotely. There are lots of efficiencies to be gained by being able to swing into action right away, instead of having to travel to a physical site (though this does form a part of engagements.)

Capturing data remotely and transferring it electronically means you can begin investigation faster. Hosting it (securely!) on a cloud platform also allows for investigates from around the world to work on it together. It’s a luxury, though works really well in a ‘follow the sun’ model that allows you to work 24 hours a day, without any of the team becoming fatigued, which can be a big issue for response teams.

All this remote work only works if you have the basics in place and prepared for it in advance!

  • How well do you understand your IT environment?
  • Do you have the right tooling and secure access?
  • What about the human and process elements like escalation handling and delegation of authority?

Having these clearly laid out will make it a much smoother process when you’re under pressure.

DoA is especially important with the current Coronavirus situation with many more people not just working from home, but working flexible hours around other commitments. That could be a real test in some organisations.

Communicate and log who is doing what using collaboration tools in a central place. Be clear and factual, and don’t leave things implicit that should be made explicit.

Once you’ve got those fundamentals in place then: test, test, test!

Opportunistic attacks that are typically a bit more basic in nature can take ‘days’ to investigate and resolve. More sophisticated groups/APTs can take 3-12 months and beyond from initial identification to full remediation.

Remember: you’ll often need support from IT teams and so you’ll want to understand how you can interface with them too, plus any other suppliers, and their service level agreements.

The more known about a threat actor - their tactics, techniques and procedures (TTPs) - the more confident you can be in what they’re after and how they operate. You’ll know what to look for and where to look for it. This means you have have greater confidence in knowing that the actor has been eradicated at the end of an incident.

Threat intelligence can be a good source of this for internal teams. If you’re looking for an external vendor/ service provider then you want to look for teams that do both response and research and can bring this to bare during investigations.

Working remotely needn’t sacrifice evidential requirements: you can use digital signatures and hashes to verify the integrity of files. However for police/case that go to court then the physical evidence will likely be required and that will mean someone having to be in the right place to take custody of the evidence.

There are lots of Endpoint Detection and Response (EDR) tools out there - Carbon Black, Crowdstrike, etc - that can help from a tooling perspective. But it doesn’t need to cost you the world: share what you know with IT as they may be able to help you with running PowerShell scripts that can detect or report against known indicators of compromise (IOCs.)

Commercial vs Open Source: Commercial tends to be easier to deploy (and better supported) than open-source, which usually has more configuration and customisation steps. Some other tools include Velociraptor and the OSquery-based Zercurity.

Regardless of the tool - it is just a tool after all! - make sure you have visibility of your critical assets. That doesn’t mean instrumenting everything, but you want to make sure you have good coverage of different vectors to your crown jewels.

Another consideration for remote IR is, obviously, ransomware. Organisations may have a reduced ability to segment or take down particular systems quickly. You can’t just ‘break glass and cut cable.’ Though the flexible working hours may also help stem the spread and make it easier to contain.

One of the main gotchas that you see as a DFIR consultant are the fragmented solutions that often are the result of company acquisitions. Overlapping, or separate capabilities that make getting the big picture difficult. Those on the call agreed rationalising security toolsets was a real challenge for them!

You can follow Robin on LinkedIn and @RTO and Steph on LinkedIn and @StephAlbertina.

Use this Google Form to register and receive joining instructions for future Security Watercooler sessions.

Tomorrow, Friday 3rd, join us at 12:00 BST for RECOVER: Communicating your recovery, with Jessica Lennard.