The document discusses the need for real-time cyber forensics capabilities to enable effective incident response. It notes that over half of survey respondents use forensics to investigate incidents as they occur. However, many organizations feel their forensics policies and tools are outdated. The document advocates for an approach using continuous monitoring and recording of endpoint and server activity to provide security teams with the necessary visibility and intelligence to rapidly analyze and contain security incidents. It describes how the Bit9 security platform is able to automatically detect and block attacks in real-time through built-in policies and centralized access to forensic data across all systems.
Incident Response Can’t Wait

In a recent cross-industry study [1], nearly 40 percent of respondents reported having conducted between 26 to more than 500 forensic investigations over the past two years. Why? Fifty-seven percent said they needed to “find and investigate incidents as they are occurring.” Businesses are increasingly experiencing advanced malware and zero-day attacks; in fact, fifty percent of respondents in this study were specifically trying to track and remediate Advanced Persistent Threats (APTs).

“Intelligence and digital forensics have a close-knit, nearly circular relationship. Artifacts discovered with forensic techniques can be used to identify attacks—especially those perpetrated by stealthy APT actors—much earlier and with a higher degree of accuracy than without such techniques. Detecting attacks earlier reduces the scope (and cost) of the subsequent incident response and forensic investigation.”
— SANS Whitepaper, 2013 [2]

Yet more than two-thirds of respondents felt their forensics policies and tools were neither up to date nor ready to respond. This solution brief will explore what IT administrators and security teams need to improve incident response: using built-in policies that prioritize and triage alerts with real-time cyber forensics information that is generated automatically to help analyze and remediate incidents faster and more effectively.

• Fifty-seven percent of recent survey respondents use forensics to find and investigate incidents as they are occurring.
• More than two-thirds felt their forensics policies and tools were neither up to date nor ready to respond.
• Rapid incident response relies on information from sensors that provide real-time cyber forensic information by continuously monitoring all endpoints and servers.
• Whatever happens on endpoints and servers must also be continuously recorded, to provide the detail essential to inform incident response.
• The most up-to-date intelligence on untrustworthy software needs to be continuously delivered to your team.
• Bit9’s continuous monitoring and recording gives you visibility, detection, response, protection and integration with network security tools—in a single solution.

Source: SANS, 2013
Bit9 Solution Brief: Real-time Cyber Forensics for Incident Response 1
Cyber Forensics for Incident Response

When we hear “forensics” in the context of cyber security, most of us think about collecting information after a specific incident has occurred. We may use the information as evidence that will stand up in court or analyze it to better understand how to improve defenses against a similar attack in the future. But while these use cases for cyber forensics information are a necessary part of your security strategy, it’s even more critical to be able to deploy it for rapid, informed response to incidents that are event-driven, as they occur. You need the ability to identify malware and advanced threats by gathering intelligence beyond recognition of a known signature—and to protect against it by blocking or containing it (destroying it outright may not be useful if you need it in court). Cyber forensics information is needed in real time (in seconds and minutes, not hours or days), and not after the fact.

You probably employ an array of security solutions, some protecting endpoints/servers (such as antivirus), others monitoring your network: IPS/IDS, SIEM, and next-generation network security solutions with advanced capabilities for monitoring network activity and analyzing suspicious files. The irony is that, with all these tools at work, chances are your team is getting both too much information—and not enough. These security solutions produce a high volume of different kinds of alerts. How do you know if they are actionable? How do you prioritize and scope them? At the same time as your team is being flooded with alerts, are they really seeing everything that’s happening on every Windows and Mac endpoint in your infrastructure? How far back can they see in order to understand the incident that’s happening right now? These are the kinds of questions cyber forensics information can answer—but only if you have a way to centralize control over the information and filter it for what will protect your company comprehensively—right now.

Attack Forensics at Your Fingertips—in Real Time

Here’s a real-life account of an attempted attack experienced by a team, as viewed through the console of the Bit9 Security Platform.

The goal of the attacker: to retrieve domain password cache, hashes and LSA secrets.
The result: Failed attack on all fronts.

3:52:01 a.m. Two previously unknown files are dropped on a target system by a remote command-and-control attacker, using the PWDumpX tool. Bit9 marks the files as untrusted, blocks their execution and then audits and reports the following:
3:52:22 a.m. PWDumpX attempts unsuccessfully to start the blocked files.
3:52:23 a.m. PWDumpX performs cleanup, deleting the service configuration and all files.
3:59:49 a.m. The attacker regroups and Bit9 next detects the creation of a packed file, recognized by Bit9 from a different attack. The file is banned, audited and reported.
4:10:09 a.m. The attacker attempts a riskier interactive session and command redirection to modify an auto-start location through the task scheduler. Bit9 automatically audits and reports the modification because of a rule that flags any changes to startup items.
4:13:37 a.m. Bit9 reports and blocks additional attempts by the attacker. The protocol for attempted modification is a pop-up dialog box—which the remote attacker cannot see.

For another 30 minutes, the attacker tries other approaches before giving up. All evidence is cleaned up by the end of the attack—but Bit9’s monitoring and recording has given the team all the information they need in real time—and automatically blocked the attack on all fronts.
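The rule credited above with catching the task scheduler change is a simple one: any write to a location that launches code at boot or logon is audited, whoever makes it. The following is an added example written for this brief, not Bit9 code; it runs that kind of rule over a constructed endpoint event stream (the event schema, host name WS-042 and file paths are assumptions) and groups the hits by the binary they point at, so an analyst sees at a glance when one file has been registered in several auto-start locations.

```python
"""Audit changes to auto-start locations in an endpoint event stream.

Added example (not Bit9 code): a minimal version of a rule that flags any
change to startup items. The event schema, host name and paths below are
constructed for the example.
"""

# Registry locations that launch code at boot or logon. Compared
# case-insensitively after hive names are normalised to their short forms.
AUTOSTART_KEY_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hklm\system\currentcontrolset\services",
)

# Event types that are startup changes regardless of path.
AUTOSTART_EVENT_TYPES = {"task_create", "task_modify", "service_create"}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize_key(path):
    """Lower-case a registry path and shorten long hive names (HKEY_LOCAL_MACHINE -> hklm)."""
    path = path.lower()
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def is_autostart_change(event):
    """True if the event writes to a location that runs code at boot/logon."""
    if event["type"] in AUTOSTART_EVENT_TYPES:
        return True
    if event["type"] == "registry_set":
        key = normalize_key(event["path"])
        return any(key.startswith(prefix) for prefix in AUTOSTART_KEY_PREFIXES)
    return False


def audit_autostart_changes(events):
    """Emit one audit record per startup-item change, keeping who, what and where."""
    alerts = []
    for event in events:
        if is_autostart_change(event):
            alerts.append({
                "time": event["time"],
                "host": event["host"],
                "rule": "startup-item-modified",
                "process": event["process"],
                "location": event["path"],
                "target": event.get("value", ""),
            })
    return alerts


def persistence_by_target(alerts):
    """Group startup changes by the binary they launch: one file, several locations."""
    grouped = {}
    for alert in alerts:
        grouped.setdefault(alert["target"].lower(), []).append(alert["location"])
    return grouped


# Constructed sample stream, loosely modelled on the timeline above (hypothetical paths).
SAMPLE_EVENTS = [
    {"time": "03:52:01", "host": "WS-042", "type": "file_create",
     "process": r"C:\Windows\Temp\pwdumpx.exe", "path": r"C:\Windows\Temp\dump.exe"},
    {"time": "04:10:09", "host": "WS-042", "type": "task_create",
     "process": r"C:\Windows\System32\schtasks.exe",
     "path": r"\Microsoft\Windows\Updater", "value": r"C:\Windows\Temp\dump.exe"},
    {"time": "04:10:31", "host": "WS-042", "type": "registry_set",
     "process": r"C:\Windows\System32\reg.exe",
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Windows\Temp\dump.exe"},
    {"time": "04:11:00", "host": "WS-042", "type": "registry_set",
     "process": r"C:\Windows\explorer.exe",
     "path": r"HKCU\Software\Contoso\Viewer\LastWindow", "value": "800x600"},
    {"time": "04:13:37", "host": "WS-042", "type": "service_create",
     "process": r"C:\Windows\System32\sc.exe",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Updater",
     "value": r"C:\Windows\Temp\dump.exe"},
]

if __name__ == "__main__":
    for alert in audit_autostart_changes(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["process"], "->", alert["location"])
```

The ordinary application registry write at 04:11:00 is not flagged, while the scheduled task, Run key and service entries all are; the grouping step then shows all three pointing at the same dropped file, which is the correlation an analyst needs before deciding how to contain it.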
How Would You Rate Your Incident Response?

Here’s a basic checklist to use in evaluating the quality and speed of your incident response when you suspect you are under advanced attack—whether the attack is at the beginning of its lifecycle or a piece of evidence suggests advanced malware, advanced threats and zero-day attacks.
• Can you see what’s happening on every single computer—both Windows and Mac endpoints, as well as servers and fixed-function devices?
• For any suspicious file detected right now, how much information can you quickly pull up that can tell you its “genealogy” and what it’s been doing until this point in time?
• Can you zero in on untrustworthy files, without wasting time reviewing trusted ones?
• How up to date is your information on whether a file is untrustworthy?
• How fast can you correlate suspicious activity detected by network security with what’s resident on endpoints?
• Can you extract a suspicious file and send the potentially malicious code for analysis?

When it comes to the effectiveness of your team:
• Of the capabilities listed above, how much blood, sweat and tears does it cost your team to perform them—and how much is automatic?
• To what degree can they manage incident response from a central location, rather than piecing together what may be happening from an array of sources?
Bit9: A New Generation Endpoint and Server Security Platform
Assessing Your Current Security Posture

Prior to implementing a phased IP and client information protection plan, you should assess your current security environment for risk and value of all your assets.
Know what’s running on every computer in real time.
From a single console, get immediate visibility into the files, executions and critical system resources on every machine under protection.

Detect advanced threats and zero-day attacks in real time.
Detects advanced threats, zero-day attacks and other malware that can evade blacklisting and signature-based detection tools. Combine real-time sensors, Advanced Threat Indicators (ATI), and a Software Reputation Service to proactively detect advanced threats and malware.

A full audit trail accelerates analysis and response.
When you suspect you have a threat incident, ensure you have the information you need to analyze, scope, contain and remediate the problem.

Stop all untrusted software from executing.
Implementing a proactive, trust-based security solution enables you to define the software you trust to run in your organization. Everything else is denied by default.

Network and endpoint security working together for real-time response and protection.
Bit9 integrates with FireEye and Palo Alto Networks to extend their visibility and protection to your endpoints and servers.

When these five capabilities are applied in concert, an enterprise’s application infrastructure is strengthened and able to safeguard itself against the harmful effects of today’s advanced threats.
What Does Informed Incident Response Look Like?

To improve the quality and speed of your incident response, you need a real-time sensor that continuously monitors your endpoints, servers and fixed-function devices. But there’s a companion piece of functionality that’s essential: the activity on resources being monitored must also be recorded. Together, they give your team the kind of cyber-forensic information it can use to rapidly and effectively respond to events in real time:
• When the team receives an alert from any security tool, they know whether it involves a file already verified as trustworthy—or whether it should be given priority in incident response.
• They know instantly where else it resides across the infrastructure—every single endpoint, server and fixed-function device.
• They have full forensics on the file from a central console: its creator, where it entered and migrated, whether it executed, whether it has deleted itself, etc.
• They have the power to select suspicious files—on demand or automatically—for detonation and further analysis, for example, through integration with next-generation network security solutions.
• Updated intelligence keeps your team current for continuous improvement during incident response—and after-the-fact forensic analysis.

Bit9’s new-generation endpoint and server security platform delivers all of these capabilities.
Bit9’s Endpoint Sensor and Continuous Monitoring

Within hours, teams installing Bit9 for the first time will see any malware currently resident across the infrastructure—on every endpoint, server and fixed-function device. From one console and with one click, you’ll immediately see the following information for every computer in your enterprise—whether it’s running Windows or Mac OS X:

File information: Real-time file tracking provides a live inventory of anything that executes on any of your computers, with a full audit trail of what created it, when it was created, what it did, if it deleted or changed itself, and more.

File trust ratings: Immediately see the Bit9 trust rating for every file. Has it been seen before? Is it malicious? Can you trust it?

File propagation: Track—in real time—where files were first seen, if they propagated to other machines, if they executed, etc.

Critical system resources: Bit9 gives you real-time visibility into all of your critical system resources. You’ll see suspicious process behavior, unauthorized memory changes, suspicious changes to your registry and files, unauthorized USB devices and more.
Bit9 Continuous Recording: “Go Back in Time”
Bit9’s sensor has built-in record and replay capabilities that enable you to look back in time to see past process, file, registry and memory activity as well as policy auditing and enforcement actions—a kind of DVR for the endpoint. The level of detail recorded varies over time. Sticking with the DVR analogy, the frame rate is highest for activity in the recent past since information resides in caches (hours), in persistent message queues (days), persistent state (weeks), and in the event and file activity reported to the server (months). When captured within days, the fidelity of this recording makes it possible to construct a fairly complete picture of what happened, reducing the time it takes to respond to a threat from days to minutes.
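The file-tracking questions from the previous section (what created a file, when, did it execute, did it delete itself, where else has it been seen) and the layered look-back described here are two views of the same append-only record. The following added example, written for this brief and not Bit9 code, keeps such a record for a constructed two-host incident, answers the genealogy questions for one file identified by its hash, and tags each replayed event with the retention layer it would have to be read from given its age. The event schema, host names WS-042 and WS-077, paths, hash labels and the hour/day/week/month boundaries are this example's own assumptions.

```python
"""Reconstruct a file's genealogy from continuously recorded endpoint events.

Added example (not Bit9 code). Event schema, hosts, paths, hash labels and the
tier boundaries are assumptions made for the example.
"""
from datetime import datetime, timedelta

# Assumed retention layers, youngest first: how far back each layer reaches.
TIERS = [
    (timedelta(hours=24), "cache"),
    (timedelta(days=7), "message-queue"),
    (timedelta(weeks=4), "persistent-state"),
    (timedelta(days=365), "server"),
]


def tier_for_age(age):
    """Name the layer an event of the given age would have to be read from."""
    for limit, name in TIERS:
        if age <= limit:
            return name
    return "expired"


class EndpointRecorder:
    """Append-only event record: the DVR for the endpoint."""

    def __init__(self):
        self.events = []

    def record(self, ts, host, kind, actor, target, sha256=None):
        # actor: image path of the process performing the action
        # target: file path acted on (the image itself for process_start)
        self.events.append({"ts": ts, "host": host, "kind": kind,
                            "actor": actor, "target": target, "sha256": sha256})

    def replay(self, now, lookback):
        """Events inside the look-back window, oldest first, tagged with their tier."""
        out = []
        for ev in sorted(self.events, key=lambda e: e["ts"]):
            age = now - ev["ts"]
            if timedelta(0) <= age <= lookback:
                out.append({**ev, "tier": tier_for_age(age)})
        return out

    def lineage(self, sha256):
        """Answer the genealogy questions for one file identity (its hash)."""
        hits = [e for e in self.events if e["sha256"] == sha256]
        paths = {e["target"].lower() for e in hits}
        creates = sorted((e for e in hits if e["kind"] == "file_create"), key=lambda e: e["ts"])
        deletes = [e for e in hits if e["kind"] == "file_delete"]
        return {
            "first_seen": creates[0]["ts"] if creates else None,
            "first_host": creates[0]["host"] if creates else None,
            "created_by": sorted({e["actor"] for e in creates}),
            "hosts": sorted({e["host"] for e in hits}),
            "executed": any(e["kind"] == "process_start" for e in hits),
            # deleted by its own process image
            "self_deleted": any(e["actor"].lower() == e["target"].lower() for e in deletes),
            # files written by a process running from this file
            "children": sorted(e["target"] for e in self.events
                               if e["kind"] == "file_create" and e["actor"].lower() in paths),
        }


# Constructed sample: a fixed "now" and hash labels standing in for real digests.
NOW = datetime(2013, 6, 1, 4, 0, 0)
HASH_A = "sha256:constructed-a"
HASH_B = "sha256:constructed-b"


def build_sample_recorder():
    r = EndpointRecorder()
    exe = r"C:\Windows\Temp\a.exe"
    # Three weeks ago the same file appeared on another host via a browser download.
    r.record(NOW - timedelta(days=21), "WS-077", "file_create",
             r"C:\Program Files\Browser\browser.exe", exe, HASH_A)
    # Tonight it is dropped on WS-042, runs, writes a second file and removes itself.
    r.record(NOW - timedelta(minutes=8), "WS-042", "file_create",
             r"C:\Windows\Temp\dropper.exe", exe, HASH_A)
    r.record(NOW - timedelta(minutes=7), "WS-042", "process_start", exe, exe, HASH_A)
    r.record(NOW - timedelta(minutes=6), "WS-042", "file_create", exe,
             r"C:\Windows\Temp\b.dat", HASH_B)
    r.record(NOW - timedelta(minutes=5), "WS-042", "file_delete", exe, exe, HASH_A)
    return r


def demo_tiers():
    """Tiers of the sample events at a 30-day and a 1-hour look-back."""
    r = build_sample_recorder()
    return {"month": [e["tier"] for e in r.replay(NOW, timedelta(days=30))],
            "hour": [e["tier"] for e in r.replay(NOW, timedelta(hours=1))]}


if __name__ == "__main__":
    print(build_sample_recorder().lineage(HASH_A))
    print(demo_tiers())
```

The one-hour replay shows only tonight's activity, all of it from the cache layer; widening to thirty days pulls the three-week-old appearance on WS-077 from the persistent-state layer, which is what turns "a file was deleted on one host" into "a file that has been in the environment for weeks executed, dropped a second file and cleaned up after itself".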
Keeping Cyber Forensics Information Current—Continuously
Malware used in advanced attacks proliferates daily—and morphs constantly. New and enhanced trustworthy software also appears daily. The continuously updated, cloud-based Bit9 Software Reputation Service (SRS), integrated with the Bit9 Security Platform, helps your team isolate untrusted software and determine the trust rating for any file when performing incident response and cyber forensics. Leveraging the Bit9 Software Reputation Service (SRS) for cyber forensics, your team can triage any computer in minutes, dramatically reducing the time it takes to perform a comprehensive cyber-forensics and incident response investigation from days to just hours.
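Triage against a reputation service comes down to one decision per file hash, and the trust-based model from the capability summary above makes that decision default-deny: a file may run only if its hash carries a sufficiently high rating, and anything the service has never seen is denied and queued for review ahead of known-good files. The following added example (written for this brief, not Bit9 code) shows that decision over a constructed host inventory; the reputation table, 0-to-10 trust scale, threshold, file contents, paths and host names are assumptions standing in for a service like the SRS.

```python
"""Triage an executable inventory against a reputation feed with default deny.

Added example (not Bit9 code). The feed, trust scale and threshold stand in
for a reputation service; file contents, paths and hosts are constructed.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed file contents; genuine SHA-256 digests are computed from them so
# the lookup works on real hash values rather than placeholder strings.
CONTENT = {
    "editor": b"MZ constructed-editor-v1",
    "agent": b"MZ constructed-agent-v3",
    "dumper": b"MZ constructed-credential-dumper",
    "updater": b"MZ constructed-unsigned-updater",
}

# Reputation feed: hash -> (trust score 0..10, note). Score 0 means known malicious.
REPUTATION_FEED = {
    sha256_hex(CONTENT["editor"]): (9, "signed, widely seen"),
    sha256_hex(CONTENT["agent"]): (8, "signed, widely seen"),
    sha256_hex(CONTENT["dumper"]): (0, "known credential-theft tool"),
    sha256_hex(CONTENT["updater"]): (4, "unsigned, rarely seen"),
}

TRUST_THRESHOLD = 7  # assumed: ratings at or above this may execute


def decide(digest):
    """Map a hash to (action, verdict, note). Unknown hashes are denied by default."""
    entry = REPUTATION_FEED.get(digest)
    if entry is None:
        return ("deny", "unknown", "never seen by the reputation service")
    score, note = entry
    if score == 0:
        return ("ban", "malicious", note)
    if score >= TRUST_THRESHOLD:
        return ("allow", "trusted", note)
    return ("deny", "low-trust", note)


# Worst first, so the analyst's queue starts with what matters most.
VERDICT_ORDER = {"malicious": 0, "unknown": 1, "low-trust": 2, "trusted": 3}


def triage(inventory):
    """inventory: {host: {path: sha256}} -> one row per file, sorted worst first."""
    rows = []
    for host, files in inventory.items():
        for path, digest in files.items():
            action, verdict, note = decide(digest)
            rows.append({"host": host, "path": path, "sha256": digest,
                         "action": action, "verdict": verdict, "note": note})
    rows.sort(key=lambda r: (VERDICT_ORDER[r["verdict"]], r["host"], r["path"]))
    return rows


def review_queue(rows):
    """What the analyst actually has to look at: everything not already trusted."""
    return [r for r in rows if r["verdict"] != "trusted"]


# Constructed inventory: two hosts; SRV-01 also holds a file the feed has never seen.
SAMPLE_INVENTORY = {
    "WS-042": {
        r"C:\Program Files\Editor\editor.exe": sha256_hex(CONTENT["editor"]),
        r"C:\Windows\Temp\svc.exe": sha256_hex(CONTENT["dumper"]),
        r"C:\Users\Public\update.exe": sha256_hex(CONTENT["updater"]),
    },
    "SRV-01": {
        r"C:\Program Files\Agent\agent.exe": sha256_hex(CONTENT["agent"]),
        r"C:\Temp\x.bin": sha256_hex(b"MZ constructed-never-seen"),
    },
}

if __name__ == "__main__":
    for row in review_queue(triage(SAMPLE_INVENTORY)):
        print(row["verdict"].upper(), row["action"], row["host"], row["path"], "-", row["note"])
```

Of the five files only three reach the review queue: the known-malicious one, the file the service has never seen, and the low-trust unsigned updater. The two trusted files never cost the analyst a glance, which is the "zero in on untrustworthy files without reviewing trusted ones" point from the checklist, and the unknown file is denied rather than allowed while the team decides.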