As we saw in the first post of the series, the IR (incident response) process for attacks involving ransomware is fundamental. It relies on the work of several groups which, each providing a different role, form a single working team that helps the affected company recover in the shortest possible time.
Our NextDefense services include a specific branch in their proposal to cover these types of services.
In this second post of the series, we are going to review the role played by the members of Telefónica Tech’s DFIR (Digital Forensics and Incident Response) services team within the global IR process.
DFIR team composition
The team is made up of a group of multidisciplinary professionals, mostly senior profiles, whose professional career has always been linked to security in any of its specialities.
This diversity of roles makes it possible to be prepared for any evolution in attackers’ techniques, tactics, offensive procedures and anti-forensic methods, regardless of the specific characteristics of the actor and the attack.
In the case at hand, security incidents using ransomware, it is necessary to combine resources from different groups:
- Threat Hunting (occasionally combined with EDR monitoring services)
- Threat Intel (Threat intelligence)
Within these disciplines, DFIR has three distinct roles that are involved in very specific ways within the IR process:
- Incident Handler (IH): Coordinates the security incident, liaising between the client and the different teams to keep track of progress and facilitate communication, assigning tasks to the different parties and ensuring that the whole IR process moves in the right direction.
- Forensic Analyst: The specialist able to carry out investigations (local and remote) on any system or storage medium holding information, with the purpose of obtaining evidence that allows the investigation to progress.
- Malware Analyst: The specialist who performs static and dynamic analysis of viruses and other malicious artefacts found on the computers processed by the forensic analyst, by the threat hunter role or by the customer themselves.
Preparing the IR process
When a new incident response process is initiated, the DFIR services team organises the work and prepares to perform the first tasks. Cloud workspaces are created (to be used for evidence sharing), and the ransom note itself, the extension of the encrypted files and even the corporate domain of the affected company are analysed. While waiting for the initial meeting with the client, the assigned people internally review the available information and prepare all the content for these first steps with the client. This first working meeting will be one of the most important.
All this preparation before the first meeting is used to review what is already known about the specific actor: whether it usually exfiltrates data, which entry route it usually uses, which tools it deploys and even whether credentials belonging to the company have been leaked on black markets. The first day of the process and, in particular, the first meeting, are crucial.
Start of response
Once the first meeting takes place and the actual response process begins, initial work streams are created for all groups (including the client and third parties), tested at each incident and improved at the end of each incident. Some examples are:
- The Incident Handler will take control of the process and start organising all the working groups, activities, meeting plan, etc.
- The Threat Intel team will request a series of data from the customer to produce actionable cyber security intelligence (to be discussed in the next post).
- The forensic analyst will collect all events/objects that may harbour information about the attacker. This produces the first IOCs (Indicators of Compromise), which allow, for example, blocking to begin the containment and eradication phases of the threat. If malware elements are present, a malware analyst will be added to the team to perform the corresponding tasks.
- The Threat Hunting group (often in combination with other Telefónica TECH monitoring services) will support the deployment (when necessary) of an EDR platform, carrying out alert analysis and threat research on this platform. Specifically, in the last post of the series we will see the work of this team.
Performance during the IR process
The incident response process follows a routine of meetings (more executive) or checkpoints (more technical) throughout the work period (a couple of weeks, on average). In these meetings, the joint working team (customer, Telefónica TECH team and possible third parties) will review the work in progress, sharing knowledge and assigning new tasks to everyone (being reviewed at each checkpoint).
The forensic profiles of the DFIR team will work intensively in this iterative process and throughout the agreed work period: they will carry out their investigations with the different types of evidence available, they will rely on malware analysts (if necessary) and they will gradually build the incident narrative that will be explained to the client at the next checkpoint. They will identify the IOCs found and communicate them to the different groups to support containment and eradication, while tracing the timeline that will be reflected in the report delivered to the client. That report will also identify the first system found to be compromised (“patient 0”), the entry vectors used (which enrich the recommendations that serve as points of improvement for the affected infrastructure) and everything relevant about the network (and the attacker) that must be communicated to the client.
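As an added illustration of the first-day triage described above (analysing the encrypted-file extension and the ransom note) and of the per-host timeline that later points at patient 0, the following Python script works over a constructed file inventory. It is example code written for this post, not Telefónica Tech's own tooling; the inventory format, the host names, the `.lockd` extension and the ransom note file names are all assumptions, and the patient-0 heuristic (earliest observed encryption) is only a lead that the forensic analyst confirms with other evidence.

```python
"""First-response ransomware triage over a file inventory.

Added example, not Telefónica Tech's own tooling. The inventory format,
the host names, the '.lockd' extension and the ransom note names are all
constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: (host, path, last-modified time, ISO 8601, UTC).
# A forensic analyst would build this from a file-system listing, an MFT
# parse or an EDR file-event export; nothing here comes from a real case.
SAMPLE_INVENTORY = [
    ("FS01", r"C:\Shares\Finance\Q3.xlsx.lockd", "2024-03-02T01:12:05"),
    ("FS01", r"C:\Shares\Finance\budget.docx.lockd", "2024-03-02T01:12:09"),
    ("FS01", r"C:\Shares\Finance\README_TO_RESTORE.txt", "2024-03-02T01:12:10"),
    ("FS01", r"C:\Shares\HR\policy.pdf", "2023-11-10T09:00:00"),
    ("WS-ADMIN7", r"C:\Users\jdoe\Documents\notes.txt.lockd", "2024-03-02T00:58:31"),
    ("WS-ADMIN7", r"C:\Users\jdoe\Desktop\HOW_TO_DECRYPT.hta", "2024-03-02T00:58:40"),
    ("WS-ADMIN7", r"C:\Users\jdoe\Pictures\cat.jpg", "2024-02-20T18:02:00"),
    ("SQL02", r"D:\Backups\prod.bak.lockd", "2024-03-02T01:30:00"),
    ("SQL02", r"D:\Backups\README_TO_RESTORE.txt", "2024-03-02T01:30:02"),
]

# Tokens commonly seen in ransom note file names (heuristic, not exhaustive).
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|restore|decrypt|how_to|recover).*\.(txt|html?|hta)$", re.IGNORECASE
)

# Trailing double extensions that are normal and must not be read as encryption.
BENIGN_TRAILING_SUFFIXES = {".gz", ".bz2", ".xz", ".zst", ".bak"}


def find_encrypted_extension(inventory):
    """Return the suffix the ransomware appended, or None if none is evident.

    Heuristic: most families append a new suffix to the original name
    (report.docx -> report.docx.<ext>), so the most frequent trailing suffix
    among files carrying two or more suffixes is the candidate.
    """
    counts = Counter()
    for _host, path, _mtime in inventory:
        suffixes = PureWindowsPath(path).suffixes
        if len(suffixes) >= 2 and suffixes[-1].lower() not in BENIGN_TRAILING_SUFFIXES:
            counts[suffixes[-1].lower()] += 1
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def find_ransom_notes(inventory):
    """Return the distinct file names that look like dropped ransom notes."""
    names = {PureWindowsPath(path).name for _host, path, _mtime in inventory}
    return sorted(name for name in names if RANSOM_NOTE_PATTERN.search(name))


def first_encryption_per_host(inventory, extension):
    """Earliest modification time of an encrypted file on each host."""
    first_seen = {}
    for host, path, mtime in inventory:
        if not path.lower().endswith(extension):
            continue
        when = datetime.fromisoformat(mtime)
        if host not in first_seen or when < first_seen[host]:
            first_seen[host] = when
    return {host: when.isoformat() for host, when in first_seen.items()}


def triage(inventory):
    """Assemble the first IOCs and timeline hints for the initial checkpoint."""
    extension = find_encrypted_extension(inventory)
    first_seen = first_encryption_per_host(inventory, extension) if extension else {}
    timeline = sorted(
        (when, host, f"first file renamed to *{extension}")
        for host, when in first_seen.items()
    )
    return {
        "encrypted_extension": extension,
        "ransom_notes": find_ransom_notes(inventory),
        "first_encryption_per_host": first_seen,
        # Earliest observed encryption is only a lead for patient 0; it must be
        # confirmed with other evidence (logons, lateral movement, clock skew).
        "candidate_patient_zero": min(first_seen, key=first_seen.get) if first_seen else None,
        "timeline": timeline,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

The extension and ransom note names are the first IOCs that can be pushed to the EDR and threat hunting groups for blocking, while the per-host first-seen times seed the incident timeline; on the constructed data the earliest encryption is on WS-ADMIN7, which becomes the patient-0 lead to be verified.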
Subsequently, and only in cases where information might be published (not all ransomware attacks involve data exfiltration), threat intelligence analysts will monitor the actors’ “Hall of Shame” sites (usually public boards where exfiltrated information is disclosed) in order to assist customers with the most important aspects concerning data privacy and GDPR, among other actions. This block of activity will be explained in the next post in the series.
In short: the work of the DFIR group within a ransomware incident, as we understand it at Telefónica TECH, is a constant process of investigation and exchange of knowledge between forensic and malware analysts and the other groups (threat intelligence and Threat Hunting, above all). In each action, the client and the other roles and groups will learn about the progress achieved in DFIR through the intermediation of the Incident Handler (perhaps a new IOC or the identification of patient 0), and in turn these groups will feed information back to the DFIR specialists to refine the next steps of their investigation.
Completion of forensic and malware analysis work
When the investigation work in an IR process is completed, a final investigation report is generated. It follows a structure that is regularly revised to ensure maximum usefulness to the client, and regardless of the country/region of the incident or the language used, the report always has the same format and structure.
In some cases, clients request an advance version of the report to share with law enforcement, insurance companies, auditors, partners, suppliers or customers.
To provide peace of mind, once the final investigation report has been shared with the client, the IR process usually continues with an agreed 24×7 monitoring of the EDR where the entire team may be reactivated.
In these final stages of the IR process, a final meeting will be held with the client where the report delivered will be reviewed in detail, resolving any doubts that may have arisen and explaining the most important aspects of the narrative of both the incident and the recommendations.
As we have seen, the incident response process of Telefónica TECH’s DFIR team works in a fast and organised way, following a specific methodology shared by all the groups, to cover all the phases of the IR process. These roles and their methodology are key to resolving this type of incident.