2013 Bit9 Solution Brief Incident Response Web


Bit9 Solution Brief

Real-time Cyber Forensics for Incident Response

Key Takeaways

• Fifty-seven percent of recent survey respondents use forensics to find and investigate incidents as they are occurring.
• More than two-thirds felt their forensics policies and tools were neither up to date nor ready to respond.
• Rapid incident response relies on information from sensors that provide real-time cyber forensic information by continuously monitoring all endpoints and servers.
• Whatever happens on endpoints and servers must also be continuously recorded, to provide the detail essential to inform incident response.
• The most up-to-date intelligence on untrustworthy software needs to be continuously delivered to your team.
• Bit9’s continuous monitoring and recording gives you visibility, detection, response, protection and integration with network security tools—in a single solution.

Hindsight is 20/20—but Incident Response Can’t Wait

In a recent cross-industry study [1], nearly 40 percent of respondents reported having conducted between 26 to more than 500 forensic investigations over the past two years. Why? Fifty-seven percent said they needed to “find and investigate incidents as they are occurring.” Businesses are increasingly experiencing advanced malware and zero-day attacks; in fact, fifty percent of respondents in this study were specifically trying to track and remediate Advanced Persistent Threats (APTs).

“Intelligence and digital forensics have a close-knit, nearly circular relationship. Artifacts discovered with forensic techniques can be used to identify attacks—especially those perpetrated by stealthy APT actors—much earlier and with a higher degree of accuracy than without such techniques. Detecting attacks earlier reduces the scope (and cost) of the subsequent incident response and forensic investigation.”
— SANS Whitepaper, 2013 [2]

Yet more than two-thirds of respondents felt their forensics policies and tools were neither up to date nor ready to respond. This solution brief will explore what IT administrators and security teams need to improve incident response: using built-in policies that prioritize and triage alerts with real-time cyber forensics information that is generated automatically to help analyze and remediate incidents faster and more effectively.

Source: SANS, 2013

Bit9 Solution Brief: Real-time Cyber Forensics for Incident Response 1


Attack Forensics at Your Fingertips—in Real Time

Here’s a real-life account of an attempted attack experienced by a team, as viewed through the console of the Bit9 Security Platform.

The goal of the attacker: to retrieve domain password cache, hashes and LSA secrets.

The result: Failed attack on all fronts.

3:52:01 a.m. Two previously unknown files are dropped on a target system by a remote command-and-control attacker, using the PWDumpX tool. Bit9 marks the files as untrusted, blocks their execution and then audits and reports the following:

3:52:22 a.m. PWDumpX attempts unsuccessfully to start the blocked files.

3:52:23 a.m. PWDumpX performs cleanup, deleting the service configuration and all files.

3:59:49 a.m. The attacker regroups and Bit9 next detects the creation of a packed file, recognized by Bit9 from a different attack. The file is banned, audited and reported.

4:10:09 a.m. The attacker attempts a riskier interactive session and command redirection to modify an auto-start location through the task scheduler. Bit9 automatically audits and reports the modification because of a rule that flags any changes to startup items.

4:13:37 a.m. Bit9 reports and blocks additional attempts by the attacker. The protocol for attempted modification is a pop-up dialog box—which the remote attacker cannot see.

For another 30 minutes, the attacker tries other approaches before giving up. All evidence is cleaned up by the end of the attack—but Bit9’s monitoring and recording has given the team all the information they need in real time—and automatically blocked the attack on all fronts.

Cyber Forensics for Incident Response

When we hear “forensics” in the context of cyber security, most of us think about collecting information after a specific incident has occurred. We may use the information as evidence that will stand up in court or analyze it to better understand how to improve defenses against a similar attack in the future.

But while these use cases for cyber forensics information are a necessary part of your security strategy, it’s even more critical to be able to deploy it for rapid, informed response to incidents that are event-driven, as they occur. You need the ability to identify malware and advanced threats by gathering intelligence beyond recognition of a known signature—and to protect against it by blocking or containing it (destroying it outright may not be useful if you need it in court).

Cyber forensics information is needed in real time (in seconds and minutes, not hours or days), and not after the fact.

You probably employ an array of security solutions, some protecting endpoints/servers (such as antivirus), others monitoring your network: IPS/IDS, SIEM, and next-generation network security solutions with advanced capabilities for monitoring network activity and analyzing suspicious files.

The irony is that, with all these tools at work, chances are your team is getting both too much information—and not enough. These security solutions produce a high volume of different kinds of alerts. How do you know if they are actionable? How do you prioritize and scope them?

At the same time as your team is being flooded with alerts, are they really seeing everything that’s happening on every Windows and Mac endpoint in your infrastructure? How far back can they see in order to understand the incident that’s happening right now?

These are the kinds of questions cyber forensics information can answer—but only if you have a way to centralize control over the information and filter it for what will protect your company comprehensively—right now.



How Would You Rate Your Incident Response?
Here’s a basic checklist to use in evaluating the quality and speed of your incident response when you
suspect you are under advanced attack—whether the attack is at the beginning of its lifecycle or a
piece of evidence suggesting advanced malware, advanced threats and zero-day attacks.
• Can you see what’s happening on every single computer—both Windows and Mac endpoints, as well as
servers and fixed-function devices?
• For any suspicious file detected right now, how much information can you quickly pull up that can tell you its
“genealogy” and what it’s been doing until this point in time?
• Can you zero in on untrustworthy files, without wasting time reviewing trusted ones?
• How up to date is your information on whether a file is untrustworthy?
• How fast can you correlate suspicious activity detected by network security with what’s resident on
endpoints?
• Can you extract a suspicious file and send the potentially malicious code for analysis?
When it comes to the effectiveness of your team:
• Of the capabilities listed above, how much blood, sweat and tears does it cost your team to perform them—
and how much is automatic?
• To what degree can they manage incident response from a central location, rather than piecing together
what may be happening from an array of sources?

Bit9: A New Generation Endpoint and Server Security Platform

Assessing Your Current Security Posture
Prior to implementing a phased IP and client information protection plan, you should assess your current security environment for risk and value of all your assets.

Visibility: Know what’s running on every computer in real time. From a single console, get immediate visibility into the files, executions and critical system resources on every machine under protection.

Detection: Detect advanced threats and zero-day attacks in real time. Detects advanced threats, zero-day attacks and other malware that can evade blacklisting and signature-based detection tools. Combine real-time sensors, Advanced Threat Indicators (ATI), and a Software Reputation Service to proactively detect advanced threats and malware.

Response: A full audit trail accelerates analysis and response. When you suspect you have a threat incident, ensure you have the information you need to analyze, scope, contain and remediate the problem.

Protection: Stop all untrusted software from executing. Implementing a proactive, trust-based security solution enables you to define the software you trust to run in your organization. Everything else is denied by default.

Integration: Network and endpoint security working together for real-time response and protection. Bit9 integrates with FireEye and Palo Alto Networks to extend their visibility and protection to your endpoints and servers.

When these five capabilities are applied in concert, an enterprise’s application infrastructure is strengthened and able to safeguard itself against the harmful effects of today’s advanced threats.



What Does Informed Incident Response Look Like?
To improve the quality and speed of your incident response, you need a real-time sensor that
continuously monitors your endpoints, servers and fixed-function devices.
But there’s a companion piece of functionality that’s essential: The activity on resources being
monitored must also be recorded.
Together, they give your team the kind of cyber-forensic information your team can use to rapidly and
effectively respond to events in real time:
• When the team receives an alert from any security tool, they know whether it involves a file already verified
as trustworthy—or whether it should be given priority in incident response.
• They know instantly where else it resides across the infrastructure—every single endpoint, server and fixed-
function device.
• They have full forensics on the file from a central console: its creator, where it entered and migrated, whether
it executed, whether it has deleted itself, etc.
• They have the power to select a suspicious file—on demand or automatically—for detonation and further
analysis, for example, through integration with next-generation network security solutions.
• Updated intelligence keeps your team current for continuous improvement during incident response—and
after-the-fact forensic analysis.
Bit9’s new-generation endpoint and server security platform delivers all of these capabilities.



Bit9’s Endpoint Sensor and Continuous Monitoring
Within hours, teams installing Bit9 for the first time will see any malware currently resident across the
infrastructure—on every endpoint, server and fixed-function device. From one console and with one
click, you’ll immediately see the following information for every computer in your enterprise—whether
it’s running Windows or Mac OS X:
File information: Real-time file tracking provides a live inventory of anything that executes on any of
your computers, with a full audit trail of what created it, when it was created, what it did, if it deleted or
changed itself, and more.
File trust ratings: Immediately see the Bit9 trust rating for every file. Has it been seen before? Is it
malicious? Can you trust it?
File propagation: Track—in real time—where files were first seen, if they propagated to other
machines, if they executed, etc.
Critical system resources: Bit9 gives you real-time visibility into all of your critical system resources.
You’ll see suspicious process behavior, unauthorized memory changes, suspicious changes to your
registry and files, unauthorized USB devices and more.

Bit9 Continuous Recording: “Go Back in Time”


Bit9’s sensor has built-in record and replay capabilities that enable you to look back in time to see past
process, file, registry and memory activity as well as policy auditing and enforcement actions—a kind
of DVR for the endpoint.
The level of detail recorded varies over time. Sticking with the DVR analogy, the frame rate is highest
for activity in the recent past since information resides in caches (hours), in persistent message queues
(days), persistent state (weeks), and in the event and file activity reported to the server (months).
When captured within days, the fidelity of this recording makes it possible to construct a fairly
complete picture of what happened, reducing the time it takes to respond to a threat from days
to minutes.
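The informed-response capabilities listed in the previous section and the record-and-replay behaviour described just above, as an added example that is not Bit9’s code and uses no Bit9 API: a small Python recorder that ingests endpoint sensor events, keeps a per-file genealogy (creator, first host, where else the file resides, whether it executed or deleted itself), rates each file against a reputation table with unknown files denied by default, flags any change to a startup item (mirroring the rule in the attack account on page 2), and replays one host’s activity for a time window. The event schema, host names, file paths, hash placeholders and reputation entries are all constructed for the example; the sample events loosely follow the timeline of the attack account.

```python
# Added example, not Bit9 code: a minimal endpoint event recorder with file
# genealogy, default-deny trust ratings, a startup-item audit rule and replay.
# Event shape, hosts, paths, hash placeholders and reputation data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "file_create" | "exec_attempt" | "file_delete" | "autostart_modify"
    path: str
    sha256: str = ""   # empty for scheduler/registry changes that carry no file
    actor: str = ""    # process that performed the action


@dataclass
class FileRecord:
    sha256: str
    first_seen: datetime
    first_host: str
    creator: str
    hosts: Set[str] = field(default_factory=set)
    executed: bool = False
    self_deleted: bool = False


# Constructed reputation table. Anything absent is "unknown" and so is not trusted.
REPUTATION: Dict[str, str] = {
    "h_trusted_os_bin": "trusted",     # stands in for a known-good OS binary
    "h_known_packed": "malicious",     # packed file already seen in another attack
}


def trust_rating(sha256: str) -> str:
    return REPUTATION.get(sha256, "unknown")


class Recorder:
    def __init__(self) -> None:
        self.events: List[Event] = []
        self.files: Dict[str, FileRecord] = {}

    def record(self, ev: Event) -> List[str]:
        """Store the event, update the file's genealogy and return alerts raised."""
        self.events.append(ev)
        alerts: List[str] = []
        if ev.sha256:
            rec = self.files.setdefault(ev.sha256, FileRecord(ev.sha256, ev.ts, ev.host, ev.actor))
            rec.hosts.add(ev.host)
            if ev.kind == "exec_attempt":
                rating = trust_rating(ev.sha256)
                if rating == "trusted":
                    rec.executed = True          # default deny: only trusted files run
                else:
                    alerts.append(f"BLOCK {ev.host} {ev.path}: rating={rating}")
            elif ev.kind == "file_delete" and ev.actor == rec.creator:
                rec.self_deleted = True          # creator cleaned up its own drop
        if ev.kind == "autostart_modify":        # audit every startup-item change
            alerts.append(f"AUDIT {ev.host} startup item changed: {ev.path} by {ev.actor}")
        return alerts

    def where_resident(self, sha256: str) -> Set[str]:
        rec = self.files.get(sha256)
        return set(rec.hosts) if rec else set()

    def replay(self, host: str, start: datetime, end: datetime) -> List[Event]:
        """'Go back in time': every recorded event for a host inside the window."""
        return sorted((e for e in self.events if e.host == host and start <= e.ts <= end),
                      key=lambda e: e.ts)

    def triage(self, sha256: str) -> str:
        """Prioritise an alert (e.g. from a network tool) by trust and spread."""
        rating = trust_rating(sha256)
        if rating == "trusted":
            return "low: file is trusted"
        hosts = self.where_resident(sha256)
        if not hosts:
            return f"medium: {rating} file, not seen on any endpoint"
        return f"high: {rating} file on {len(hosts)} host(s)"


# Constructed sample stream, loosely following the attack account's timeline.
T0 = datetime(2013, 1, 1, 3, 52, 1)
SAMPLE_EVENTS = [
    Event(T0, "ws-17", "file_create", r"C:\Windows\Temp\svc.exe", "h_unknown_drop", "pwdumpx.exe"),
    Event(T0 + timedelta(seconds=21), "ws-17", "exec_attempt", r"C:\Windows\Temp\svc.exe", "h_unknown_drop", "pwdumpx.exe"),
    Event(T0 + timedelta(seconds=22), "ws-17", "file_delete", r"C:\Windows\Temp\svc.exe", "h_unknown_drop", "pwdumpx.exe"),
    Event(T0 + timedelta(minutes=7, seconds=48), "ws-17", "file_create", r"C:\Users\Public\p.exe", "h_known_packed", "cmd.exe"),
    Event(T0 + timedelta(minutes=18, seconds=8), "ws-17", "autostart_modify", r"Tasks\Updater", "", "schtasks.exe"),
    Event(T0 + timedelta(minutes=1), "ws-22", "exec_attempt", r"C:\Windows\System32\notepad.exe", "h_trusted_os_bin", "explorer.exe"),
    Event(T0 + timedelta(minutes=9), "ws-22", "file_create", r"C:\Users\Public\p.exe", "h_known_packed", "cmd.exe"),
]


def run_sample() -> Recorder:
    rec = Recorder()
    for ev in SAMPLE_EVENTS:
        for alert in rec.record(ev):
            print(ev.ts.time(), alert)
    return rec


if __name__ == "__main__":
    r = run_sample()
    print("packed file resident on:", sorted(r.where_resident("h_known_packed")))
    print("triage:", r.triage("h_known_packed"))
```

The recorder keeps the raw event stream and a derived per-file index side by side: the index answers the “where else does it reside” and “has it deleted itself” questions in constant time, while the stream is what replay walks when an analyst needs the full sequence on one host.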

Keeping Cyber Forensics Information Current—Continuously


Malware used in advanced attacks proliferates daily—and morphs constantly. New and enhanced
trustworthy software also appears daily.
The continuously updated, cloud-based Bit9 Software Reputation Service (SRS), integrated with the Bit9
Security Platform, helps your team isolate untrusted software and determine the trust rating for any file
when performing incident response and cyber forensics.
Leveraging the Bit9 Software Reputation Service (SRS) during cyber forensics lets your team triage any
computer in minutes, dramatically reducing the time it takes to perform a comprehensive cyber-forensics
and incident response investigation from days to just hours.



Bit9 Integration with Leaders in Network Security

Bit9 integrates with leading next-generation network security solutions to provide network-to-endpoint visibility into the entire life cycle of an attack—whether it originated on the network or endpoint. This integration provides a holistic view of your entire ecosystem and allows security and IT staff to:

• See and combine real-time, continuous endpoint/server monitoring and recording with network detection to automatically prioritize alerts.
• See all endpoints/servers affected by malware detected by network monitoring.
• See and retrieve any file on any endpoint/server to automatically submit for detonation and analysis.

This level of network-to-endpoint visibility delivers significant benefits to your security and IT teams.

First, operational effort is reduced. Teams can filter non-actionable alerts discovered on the network through endpoint correlation and isolate the root cause of malware discovered on systems.

In addition, incident response time is accelerated with immediate visibility of all infected systems for malware discovered on the network.

Finally, your overall security is improved. You are protected against advanced attacks designed to evade traditional security technologies with the highest level of security for systems both within and outside your perimeter.

Summary

The ability to apply cyber-forensics information to incident response ultimately means better, faster protection and more effective use of the time and talents of your team. One Bit9 customer has estimated savings of $91/endpoint/year in incident response and remediation costs.

Essential to improving incident response are Bit9’s real-time sensor for continuous monitoring and recording and Bit9 integration with leaders in network security. They provide the cyber forensics information you need in real time and are updated continuously through Bit9 SRS.

Bit9’s new-generation endpoint and server security platform gives you an industry first in visibility, detection, response, protection and integration with network security tools—in a single solution.

Additional Bit9 Resources

Below are some key resources to help you get started with the assessment of your current security environment.

• Read the White Paper: The SANS Survey of Digital Forensics and Incident Response (SANS Analyst Program)
• Read the Blog: The Sophisticated Cyber Attacker
• View the eBook: Advanced Threat Watch: Looking Ahead
• Watch the Video: Bit9 Explained in 2 Minutes
• Read the Blog: Anatomy of a Server Attack
• View the eBook: Detecting and Stopping Advanced Threats
• View the Assessment Center: Self-Assessment and Trust-Assessment Tools

About Bit9

Bit9 is the leader in a new generation of endpoint and server security based on real-time visibility and protection. Bit9 is the only solution that continuously monitors and records all activity on endpoints and servers and stops cyber threats that evade traditional security defenses. Bit9’s real-time sensor and recorder, cloud-based services, and real-time enforcement engine give organizations immediate visibility to everything running on their endpoints and servers; real-time signature-less detection of and protection against advanced threats; a recorded history of all endpoint and server activity to rapidly respond to alerts and incidents; and real-time integration with network security devices such as FireEye and Palo Alto Networks. 1,000 organizations worldwide—from 25 Fortune 100 companies to small businesses—use Bit9 to increase security, reduce operational costs and improve compliance.

©2013 Bit9, Inc. All rights reserved. Bit9 is a registered trademark of Bit9, Inc. All other trademarks and registered trademarks are the property of their respective owners. Bit9 reserves the right to change product specifications or other product information without notice.

[1] Henry, Paul, Jacob Williams and Benjamin Wright, “The SANS Survey of Digital Forensics and Incident Response,” SANS Analyst Program, July 2013.
[2] SANS Analyst Program, July 2013.

266 Second Avenue, Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499 www.bit9.com
