Incident Response is a Team Sport

Dan Bauman

Responding to and recovering from a cyber security incident is often one of the most challenging events an organization will face.  The challenge is often exacerbated by immense pressure to eliminate the threat, possible production downtime, and generally a large degree of unknown factors.

Morphick is often engaged during incidents where our purpose is simply to guide the process rather than independently complete the process. While counterintuitive, our primary task during professional services can be akin to air traffic control. 

We’re responsible to identify:

  1. The questions that need to be answered
  2. The most likely sources of information that may answer those questions
  3. The person or people most suitable to collect and analyze that information and answer the questions

We then apply our subject matter expertise to determine whether the questions were completely answered and generate recommendations to prevent recurrences of the issue.

Many of our customers are willing to place their entire security team at our disposal during an engagement. This brings a wide range of skill levels and capabilities. Some analysts are at home on a command prompt with raw text-based logs. Others feel comfortable inside one of the litany of vendor toolkits available. We take pride in the fact that an investigation can be as collaborative as the customer desires.

There is no “correct” or “most appropriate” toolkit or tool chain to facilitate incident recovery; there are only tools that facilitate and support an analyst’s responsibility to make effective judgments under pressure.  A capable analyst unable to wield a “correct” tool is of little use to a response effort.

There is a recurring pattern to the process. In most events, we identify the following sequence:

  1. Is the controlled asset compromised?
  2. Forensics of the asset itself (augmented by centralized log analysis)
  3. Corporate digital forensics personnel using industry standard tools

Our threat intelligence team writes the vast majority of our host-based signatures as YARA rules. We’ve observed that customers excel at collecting, processing, and analyzing controlled assets using EnCase® Forensic from Guidance Software, but have limited ability to apply our threat intelligence to triage the input.

We found ourselves stuck between asking our customers to pull potential malware out to the host operating system and scan it manually with the command-line YARA executable, and requesting that they allow us to carefully and securely manage the triage and post-processing ourselves.

In practice, we became the bottleneck in triaging large numbers of potentially compromised hosts while perfectly capable forensic investigators employed by our customers were left to their own devices. We sought to force-multiply our customers’ ability to carefully triage potentially compromised hosts using Morphick’s applicable threat intelligence in the form of YARA rules. In doing so, we increase the utilization of customer personnel, decrease billable hours, and most importantly, pave the road to recovery faster.

Rather than pull potentially malicious software out to the host operating system and risk an accidental click, we’ve built an EnCase® EnScript® that passes selected files securely through an in-memory pipe for YARA scanning; nothing is written to the examiner’s disk.

For ease of transfer during an incident, our threat intelligence team provides a single compiled YARA ruleset as a .yarac file. Armed with that .yarac file and this plugin, we go to work triaging candidates for further inspection.

First, the investigator enters, in the case information panel, the path to the .yarac file delivered by the Morphick Threat Intelligence team.

Next, the investigator would select all files that they wish (or are directed) to scan using the provided YARA signatures.  Generally, our threat intelligence team provides an estimate on the most likely places we’d find any particular flavor of malware.  Restricting the scan to those locations dramatically decreases the amount of time required for the scan.

With the files selected, the investigator may begin the YARA scan of the selected files in the case.

Following the completion of the scan, a bookmark folder is added to the case bookmarks indicating the result of the YARA scan and the time at which it took place.

The bookmark itself will show files that match the provided YARA signature and can be flagged for additional review or individually exported to secure containers for further investigation.

We’ve found that many of our customers are overjoyed to partner in the identification and recovery process: arriving at conclusions and recommendations together, rather than the client merely acting as a collection conduit, gets everyone engaged and educated. This plugin exemplifies the spirit of our goal to be collaborative partners with our customers during professional services engagements, to whatever extent they desire.