Topic Overview
DFIR是收集数字法医证据的过程, 搜寻可疑活动, 并持续监视端点事件. 更深入一点,安全专家Scott J. Roberts defines DFIR 作为“一个多学科的专业,专注于识别, investigating, 纠正计算机网络剥削."
From a process standpoint, an incident response and investigation plan that leverages comprehensive forensics will include responsibilities such as investigation, analysis management, threat detection, communications, and documentation of findings.
Subsequent remediation and cleanup typically includes removing attacker remote-access capabilities, 恢复优先级的业务流程和系统, 保护受损用户的账户.
Contained in the minutiae of those processes are the following key components of a DFIR framework:
在更大的网络安全实践框架内, DFIR serves to obtain a finely detailed look at how a breach occurred and the specific steps it will take to remediate that particular incident. Let’s dive deeper into the separate functions that make up a holistic DFIR practice.
Detecting compromised users affected by a breach is the first step to gaining visibility into what occurred and crafting a timely response to ensure attackers are purged from the network, the breach contained and fixed, and any remaining exploitable vulnerabilities remediated. From there, 可以进行深思熟虑的调查, one that can identify evolving attacker behavior and more accurately spot it in the future.
An investigation into a specific breach is never going to look like the investigation that came before it. 定制应对威胁的情境方法是非常必要的, 这种威胁是否即将发生或已经发生. When launching an investigation, 安全团队可能会对受影响的资产执行数据分析。, 获取浏览器历史工件, event logs, files from directories, and registry hives.
采集过程中最关键的一步 threat intelligence is ensuring the data are tailored to each and every function in a security organization. Once put into practice, the intelligence cycle 通过收集会产生结果吗, analyzing, 并传播给组织中的相关利益相关者. This process presupposes a heavy emphasis on automated analysis that can quickly search through data and surface relevant insights.
In the analysis of potential malware on a network, 安全小组会提交可疑样本, 在一连串的分析中进行分析, 然后根据风险评分对威胁进行分类. 这有助于分清轻重缓急. 这是需要立即关注的事情还是可以等待? In this analysis period, reverse engineering malware can help teams find the best way to understand its ultimate target and quickly eradicate it.
一旦入侵范围和受影响的资产完全确定, applications, and users have been contained, a security operations center (SOC) will launch a predetermined plan to restore normal business operating processes. Documentation is key to disaster planning so teams can understand the various components of the backup system. Maintaining an automated, offline backup can further help the process of recovering from a malware attack.
Digital forensics is used in incident response 通过融入这个过程. 每个安全专家都知道, 仅仅对事件做出反应并解决问题是不够的, you have to know exactly what happened and how it happened so that systems can be calibrated for that attack path and surface customized alerts the next time that behavior is spotted.
如果有人问,“什么是数字取证?”, we would more pointedly want to have a discussion on multi-system forensics (briefly mentioned above). That is, the ability to monitor and query critical systems and asset types all along a network for indications of suspicious behavior. 让我们更细致地看看这个过程需要做些什么:
数字取证应该使威胁响应者和猎人能够收集, query, 并监视端点的几乎任何方面, groups of endpoints, or an entire network. The practice can also be used to create continuous monitoring rules on an endpoint as well as automate server tasks. Specific use cases can include:
DFIR is a critical tool in a cybersecurity program because it helps to more accurately and granularly reveal the methodology and path that an attacker is looking to take or has already taken to breach a network.
It’s in the best interest of a business and its security program to go beyond response and calibrate preventive measures to recognize the same or similar behavior in the future.
DFIR的好处怎么说都不为过, as the goal of breach investigation is visibility so that security teams can gain insights from what happened and create a stronger program.