The Problem and the Solution
The current method of doing forensics is slow and outdated. One-at-a-time triage or disk forensics may work okay when you only have a handful of endpoints, but what about when there are 100, 500 or thousands? How do you get through that much data quickly? That’s where Sniper Incident Response comes in.
Sniper Incident Response is the key to getting fast results on a case.
On every engagement I have worked, counsel has had the same questions. I like to call these The Big 4:
- What did they take?
- Are they still here?
- Where did they go?
- How did they get in?
Using the Sniper Forensics methodology invented by Chris Pogue, we can adapt his idea to IR as well and:
- Prioritize answering The Big 4 questions to drive the case
- Task analysts with answering these questions
- Sweep multiple hosts at once to drive investigation forward and get quick wins
Planning
Every successful engagement needs a plan of some sort. Using an investigation plan that focuses on The Big 4 can dramatically speed up your investigation. Having a plan in place keeps the investigation focused:
- What are the goals for the investigation? Write them down
- Focus on the questions counsel needs answers for
- What do those answers to the Big 4 look like? Have clear criteria for answering them
- If an answer can’t be found, show negative evidence
Focus on triage collection and analysis from your critical assets first. In almost every case I have worked, the threat actor has targeted Domain Controllers, File Servers and Remote Access Servers. Look at those systems for artifacts related to the questions you are trying to answer. Doing this will get you results fast, and you will end up with a happy client and happy counsel.
Once you have your plan in place, it's time to focus on the next step: triage. It's important to remember that triage does not equal forensics. These are two different skills that are utilized in very different situations. Triage focuses on fast analysis looking for quick wins that can drive the case forward. Forensics is in-depth analysis of a system. Your first 48 hours of engagement should be almost entirely focused on triage collection and analysis. The first few days of a case can yield tons of excellent artifacts and build momentum for the rest of the case.
Just like having an Investigation Plan, it's important to have a Triage Plan as well. Focus on those critical assets and on answering The Big 4 questions.
Next up in this series, we will look at finding quick wins for each of these questions.