In the last post, we talked about the types of DFIR analysis techniques. Now, we’re going to focus on incident response analysis tools and their role in speeding up investigations.
The Role of Incident Response Analysis Tools
As we outlined before, we can’t fully automate the incident response analysis process because there are some decisions that the tool does not have full knowledge about. So, software in this phase has a supporting role: to make the incident responder (IR) more efficient.
It does this by serving three functions: displaying, interpreting, and fusing data.
Displaying the Data
Responders need to be able to look at the collected data before they can draw conclusions. Tools can generic like a simple text editor (if the collection tools produced text output) or specialized and optimized for pivoting around endpoint and network data.
To save time during your response, the software should be intuitive and allow responders to get as much context as possible about an artifact.
Interpreting the Data
A person or software needs to review the collected data and make threat-level suggestions (e.g., good, bad, or suspicious). It is much more efficient if software is involved with this process:
- There is a lot of data and human review is error prone. It’s easy to miss evidence and experienced responders are hard to find. Manual techniques do not scale.
- It’s more efficient for the software to review it first and identify which it thinks are suspicious or bad
- Software can make these judgments based on rules from past incidents and statistical methods. (For more on this, check out this post)
This kind of automation saves the responder time and reduces mistakes.
Fusing the Data
Often times, the responder needs to look in multiple storage locations to make conclusions. Analysis tools can merge these locations and provide a single perspective to help the human responder make judgments.
- User account information can be found in various registry and event logs.
- Tools can help to bring data from those locations into a single view
Or, perhaps you want to review the startup items for malware:
- One tool may have listed out the startup programs and their paths
- A second program may list metadata for each file along with timestamps
- A third program may show you malware scan results for each file based on path
You could manually jump to and from each list: the startup items, the metadata, and the malware results. But it’s more efficient if the analysis software matches up the collected data and merges it into a single UI view.
With the role of analysis tools covered, let’s look at the categories of tools.
Categories of Incident Response Analysis Tools
Fully Manual (Slow)
This free, DIY approach might be something a responder uses with manual collection tools.
In this approach, the responder could review dozens of text files in a text editor and make decisions based on their experience and memory of what is normal. The responder needs to manually fuse together data from multiple files, such as startup items, file metadata, and malware scan results.
Manual incident response analysis has quite a few drawbacks:
- This method is slow because of how much data can need review
- It’s rather error-prone because of how easy it is for an IR to miss critical details
- Finally, because each aspect of the collected data is analyzed in isolation, it can allow the attacker to blend in.
General Purpose Digital Forensics Tools
Another approach is to use general purpose digital forensics tools.
These are tools such as EnCase, FTK, or Autopsy that can be used to investigate everything from fraud to child exploitation. Organizations use them with intrusions because they already have licenses and people who are trained to use them.
These tools provide analytics and search capabilities but are not streamlined for any single type of investigation. So, while they may have some analytics over a purely manual approach, they don’t have the domain specialization that dedicated tools do.
For example, many of the general purpose tools parse various registry keys and files to show which programs were executed. But, not all show the startup items or integrate with malware scanning services. You may need to extract files from the disk image and perform additional manual analysis.
The biggest speed challenges for these tools during incident triage is that many of them are optimized for analyzing disk images, which are not frequently created during incident response. These tools are better for the occasional deep dive forensics investigations versus triage.
Endpoint Detection and Response (EDR) Tools (Fast)
EDR (or “Next Generation Antivirus”) tools have agents that run on endpoints and constantly collect and analyze data. The primary motivation for the analysis is to detect an incident in realtime and isolate the attack.
The same data used to detect (the “D” in EDR) an incident can also be used to respond (the “R” in EDR). An analyst can search the collected data to answer investigative questions.
The response capabilities of these tools vary. Some provide only basic remediation, while others allow you to follow a detailed timeline of events (some of which would be unknown if the agent were not there always watching).
EDR tools can provide for a fast response because they analyze and collect large quantities of data, but they also require resources that not all companies have. In addition, their pre-incident recording ability may not help consultants or law enforcement who show up and install the software after an incident has happened.
Dedicated Intrusion Forensics Tools (Fast)
Lastly, there are tools that were built just for intrusion forensics.
- Are more focused than general purpose tools and do not assume that they were installed before an incident
- Have their own collection tool or can import outputs from other tools
- Can also automate analysis and give you a graphical interface that allows you to review the fused data and pivot around.
Cyber Triage, for example, has its own collection tool for live computers. It analyzes the collected data to mark them as bad or suspicious, uploads for malware scanning, scans with Yara, shows results in a timeline or file explorer, and much more. (You can tag files to ensure you follow up with all clues). If you‘d like to try this approach, click here to request a free trial or evaluation.
These kinds of tools can save you time because they are optimized for incident response.
That concludes our overview of how to speed up incident response analysis. Our final post in this series covers our thoughts on accelerating scoping.
For more on speeding up incident response, check out the rest of our series: