Theres nothing like the adrenaline rush of being onsite and starting a new case. Going through fresh data, trying to find the bad guy, hunting an active attacker and stopping them in their tracks is one of the best parts of the job. It’s easy to spend dozens of hours on a system, finding every forensic artifact and chasing down new leads. Sometimes we even lose sight of our main focus and get lost reading browser history, chat logs or emails. These are all fun things to distract ourselves with, but we know we have clients to answer to and lawyers demanding answers. That’s why I approach each case with a few key questions.
How did they get in? Where did they go? What did they take? Are they still here?
How did they get in?
This is one of the key questions we are asked. You may have heard it called “initial compromise” or “patient 0” . This usually comes down to one of 2 ways. Insecure remote access or phishing. Knowning this, it helps you direct your hunt for those aspects. If we are looking for remote access, check RDP, remote access tools like screen connect or logmein and finally check the VPN.
If they came in via phishing, look for those telltale phishing documents with office documents attached. Most of the time, these documents will contain some sort of embedded macro that launches and downloads the second stage of malware. A lot of times, that second stage malware is either Dridex, Trickbot or Emotet.
Where did they go?
This phase of the investigation is all about tracking lateral movement. What other systems did they touch? What persistence was set? How did they move laterally in the enviroment? A lot of times we see threat actors using open SMB shares, RDP and tools such as PsExec. It’s important to trace lateral movement as thoroughly as possible. Each new lead expands scope until we have the entire incident mapped out. Its key to understand where the attacker went and have the full picture of the infection before remediation happens. The reason for this is, if a host or device is missed and it has a backdoor on it, the attacker will simply go dark for a period of time. You may think you have won, but the attacker will simply come right back in using that device that was overlooked.
What did they take?
When working with counsel, one of their key questions is “what data was exfiltrated”. Counsel needs to know if data was taken, as well as what type. Knowing that data was exfiltrated often triggers additional legal obligations such as notice to their customers if PII or PHI was taken.
How do you prove data exfiltration? Honestly, this can be extremely difficult. Especially if you are dealing with an adversary who is using post exploration tools such as Cobalt Strike or Metasploit that reside primarily in memory. Fortunately, most attackers are fairly lazy and leave behind several key artifacts for us to examine.
Usually, an attacker will copy dozens or hundreds of files from file shares or servers all at once and then store them on a central system in prepration for exfil. When they do this, we can use the Windows Event Logs to look for network share access and also look at the MFT for files being created as well as new compressed archives being created. We can also check the browser history for access to file sharing sites like Mega, or Dropbox or Box.com. We will also look for command line usage for exfil programs, some attackers will even use FTP to send data out of the environment.
Are they still here?
This question comes down to finding persistence and an active attacker. Looking at firewall logs for connections, running processes with callouts and standard persistence checks can quickly answer this. This is a key question as knowing if you are dealing with an active attacker vs an inactive one really helps you decide how to approach the engagement.
With all of the available artifacts, terabytes of data and interesting logs its easy to get lost while doing forensics or responding to an incident. But knowing the key questions, “How did they get in?”, “Where did they go?”, “What did they take?” and “Are they still here?”, will really help keep your investigation focused and allow you to go through large amounts of data very quickly. When every second counts during an IR, answering the important questions first results in a happy counsel and a grateful client.