
The mindset of an IR is always one of proactive and out-of-the-box thinking against both insiders and advanced persistent threats (APTs). He always assumes that the network has already been breached and stays paranoid about the adversary’s tools, techniques, and procedures (TTPs) in any attack.

Critical reasoning, agility, and self-drive are musts for an IR. He does not rely solely on the arsenal in place, but also on knowing how cybercriminals think and move. A DFIR profession is not just an 8-hour job. Continuous learning and research, even after office hours, are required. On-call support is also part of the job, and when an incident occurs, an IR must drop everything and respond to the critical alert, joining the team in the “war room.”

This may not be fair, but it is what makes an IR special. They are like the Marines: “the few and the proud.” If none of these characteristics are present in a member of the DFIR team, then he is probably not fit to become one.
Tools of the Titan
The framework is a vital element in an incident response program. It is the building block of the incident response playbooks that should be followed, including the policies, which range from Detection and Analysis up to Remediation and Documentation. The cheat sheet of any responder will contain information on whatever arsenal they may have: SIEM, EDR, DLP, UBA, AV, NMS, FW, IDS/IPS, WAF, anti-phishing, and forensic tools.

This framework should be adapted from industry standards like NIST, NERC, and other known best-practice frameworks, because these have already been proven to be effective methodologies for decades.

It is important to note that no security tool should be chosen based on scuttlebutt or merely a survey; it must be selected according to each organization’s own use cases. A big factor to weigh is the experience of the security solution provider with a specific product. For example, a provider may have a well-known forensic acquisition and analysis tool but not specialize in endpoint detection and response.

Creating use cases is most effective when based on both experience and research, as that covers both sides of the coin: your organization and others as well. Sometimes it could be overkill, but if cost is not an issue, then at least you picked the right tool. But if you missed some criteria, then you will regret that security gap until the subscription expires, and you fail to maximize your annual budget. Not only that: your reputation as the security analyst who did the POC and made the recommendation suffers too.
Heart of a Hunter
While most IR hunts are based only on indicators of compromise (IOCs), indicators of attack (IOAs) should also be considered in threat hunting. Most adversaries will not use common attacks with known IOCs, which would be defeated by detection and prevention; instead they will abuse OS tools like PowerShell, Netcat, Nmap, and other double-edged programs.

These programs, when combined with penetration testers’ toolkits, are very effective, as they are powerful in executing APT attacks. Below are some publicly shared programs from Cybereason at one of their webinars in 2018.

Exploitation Frameworks
• Metasploit
• Cobalt Strike
• Kali

Vulnerability Scanners
• Nmap
• ZAP

Credential Dumpers
• WCE
• Mimikatz

PowerShell Frameworks
• PowerSploit
• Empire

This is what makes a DFIR role exciting. The enemy is within. Where adversaries need just one chance to break your “defense-in-depth,” an IR needs no less than 100% to protect his turf.

For threat hunting, an IR should be looking at the different angles of attack:
1. Persistence
2. Data Exfiltration
3. Lateral Movement
4. Command & Control
5. Privilege Escalation
6. Command Execution

Visibility and control are very important for this. You cannot protect what you don’t know about, and asset management has a vital role in protecting any organization. From it, you will also know which machines remain unpatched.
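As an added example (not code from the article or from Cybereason), here is a small Python hunt that runs hash-based IOC matching and behaviour-based IOA rules, keyed by the attack angles above, over constructed process-creation events; the hash, command lines, paths, and rule patterns are all assumptions made up for the illustration.

```python
import re

# Constructed IOC: the SHA-256 of one known tool build (placeholder value, not a real hash).
KNOWN_BAD_SHA256 = {"deadbeef" * 8}

# IOA rules keyed by the attack angles listed above. Each rule is a
# (parent-process pattern, command-line pattern) pair: it describes behaviour,
# so a renamed or rebuilt binary with a fresh hash still matches.
IOA_RULES = {
    "Command Execution": (r"winword|excel|outlook", r"powershell.*(-enc|-w hidden|-nop)"),
    "Persistence":       (r".*", r"schtasks\s+/create|reg\s+add\s+.*currentversion\\run"),
    "Lateral Movement":  (r".*", r"psexec|wmic\s+/node:|winrs\s+-r:"),
    "Command & Control": (r".*", r"\s-e\s+(cmd|powershell)"),  # netcat-style shell handoff
}

def ioc_match(event):
    """Hash-based IOC check: only catches the exact build we already know."""
    return event["sha256"] in KNOWN_BAD_SHA256

def ioa_match(event):
    """Behaviour-based IOA check: returns every attack angle whose rule fires."""
    return [angle for angle, (parent_re, cmd_re) in IOA_RULES.items()
            if re.search(parent_re, event["parent"], re.I)
            and re.search(cmd_re, event["cmdline"], re.I)]

def hunt(events):
    """Return {event id: {"ioc": bool, "ioa": [angles]}} for every event."""
    return {e["id"]: {"ioc": ioc_match(e), "ioa": ioa_match(e)} for e in events}

# Constructed process-creation events; hashes, paths and command lines are made up.
EVENTS = [
    # 1: a known credential-dumper build -> IOC hit, no behavioural rule needed
    {"id": 1, "parent": "explorer.exe", "cmdline": "mimikatz.exe", "sha256": "deadbeef" * 8},
    # 2: Office spawning hidden, encoded PowerShell -> unknown hash, IOA hit
    {"id": 2, "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD", "sha256": "1" * 64},
    # 3: scheduled task pointing at a user-writable path -> persistence IOA
    {"id": 3, "parent": "cmd.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon",
     "sha256": "2" * 64},
    # 4: an admin's plain backup script -> must stay clean (false-positive check)
    {"id": 4, "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1", "sha256": "3" * 64},
]

if __name__ == "__main__":
    for event_id, result in hunt(EVENTS).items():
        print(event_id, result)
```

Event 2 and event 3 are exactly the cases an IOC-only hunt misses: the hashes are new, but the behaviour is the same.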
Skills of Possession
Continuous learning and R&D have already been mentioned in many of my articles and will remain essential no matter what operational field of IT you are in. While some take certifications in a specific field, in my case I preferred continuing education like a Master’s degree, a professional graduate diploma, or doctorate courses, as these do not have expiration dates. Experience is still the best teacher, and practice makes perfect, I guess. Below are some skills a DFIR professional must possess, in my honest opinion.

1. Computer Forensics
2. Mobile Forensics
3. Binary Analysis
4. Reverse Engineering
5. Vulnerability Assessment
6. Penetration Testing/Red Teaming
7. Network Forensics
8. Cryptography
9. Basic Programming
10. Cyber Threat Intelligence
11. Computer HW/SW Troubleshooting
12. Traits of a Leader

Having a background in systems administration on Windows or Unix is a plus. I would also add communication skills, both written and presentation, as an IR will need these. How could one create a policy or playbook, or an executive or even technical summary report, if he has difficulty writing in layman’s terms? This is mandatory.

Imagine that one fine day you may be facing a jury inside a court of law to defend the inculpatory evidence you have written up in your forensic analysis report; if you have no practice speaking in front of an audience, then you might end up shaking in your pants.

Realistically, not all of these skills can be acquired by one person, but at least two of them should be mastered. Three is good, four is better, and all of them is best, which will make you a one-man team!
Learning is Fun if Free
Registering in different CTFs online or enrolling in free educational sites are good ways to learn. Downloading a real “ghost in the wire,” dumping it into an isolated VM on a non-company laptop, dissecting it (static analysis), analyzing its behavior, and running it (dynamic analysis) to validate your analysis are good routines.

REMnux (Reverse Engineering Malware Linux) is a good Linux distro to start with, and so is SIFT (SANS Investigative Forensic Toolkit). If you are a Windows user, you may want to try a FOSS debugger like Radare, Immunity, or OllyDbg for reverse engineering. A licensed IDA Pro is an awesome tool for static malware analysis.

The same goes for PCAPs, which are downloadable online; they can be opened in tools like Wireshark or NetworkMiner. Raw memory or disk image dumps can be run through Autopsy, Redline, OSForensics, AD-FTK, Volatility, ProDiscover, and other tools of the trade of your choice.

Another way to learn is by crawling the fifth layer of the Web for threat intelligence and using automated OSINT tools to proactively gather information on different types of cyberattacks and threat actors before the threats surface on the Internet.

I would say self-discipline is your best enemy here, as you will be doing this in your non-working hours. If you are too lazy to spend one hour of your free time learning this stuff, then IR is probably not the type of role that suits you.

However, not all FREE stuff is good. Sometimes you need to invest in training or formal schooling. But I know what you’re thinking ;). Well yes, you can use Google Dorks for that, or torrents, or ask friends; it totally depends on your strategy for getting resources.

Attending meetups and conferences, whether free or paid events, is also part of sharpening your IT security skills and knowledge.
Conclusion
“There are so many ways to kill the chicken,” as I always say. I have my personal opinion based on my experience and the tools I use in real cases, and every DFIR/CSIRT/CERT has their preferred ones too.

This article aims to give a glimpse into a day in the life of a DFIR professional to any aspirants, and also to security operations managers (“not all :) hehe”), to help them understand how tough the job is that their subordinates are doing every day, and not to micromanage but instead to trust them and lead: mentor, empower, challenge, appreciate, value, involve, and always keep the team on a mission! These are people, not things to be managed!

This article also reminds me to stick to the fight through the hardest hits, and even when things get harder, I should not quit. (“Sounds like a fraternity ;)”).

Humongous appreciation for the read, and thanks to the long hours of flight during which I was able to compose this article while crossing the Pacific Ocean :).

21-gun salute to all Forensicators and Incident Responders… Blue Teamers!