Being hacked is the nightmare of every single company, regardless of whether it operates in the private or public sector. Being able to rely on a stable, experienced team is priceless during such times. To introduce LIFARS’s digital forensics and incident response (DFIR) team, we have decided to offer an insight into the team’s structure. Working in cyber security is not a regular job. Often, you must deal with novel approaches and tactics of threat actors. What is the driving force behind Zuzana Vargova, LIFARS digital forensics analyst?
LIFARS: Hi Zuzana, can you introduce yourself to our readers? What do you do in LIFARS?
Zuzana Vargova: I’m working in the Digital Forensics and Incident Response (DFIR) department. I focus on forensic analysis of Windows systems. This includes investigation of breaches, identifying attack vectors used by threat actors, investigation of persistence and lateral movement, data exfiltration analysis and more.
LIFARS: Can you tell us about your beginnings in cybersecurity? What made you what you are today?
Zuzana Vargova: I studied Applied Informatics at the Faculty of Electrical Engineering and Information Technology of the Slovak University of Technology in Bratislava. I decided to specialize in Security of Information Systems – mostly because I was not determined to become a full-time developer, and math and cryptography were not a big issue for me at that time.
After finishing university, I started working for a governmental CSIRT team. For the first couple of years, I worked as a penetration tester – that means security testing of various websites hosted by governmental bodies. Later I worked on internal on-site penetration tests of infrastructures. From the offensive side of security, I transitioned to digital forensics about 3 years ago, with most of my experience in the field gained in the past year here at LIFARS.
LIFARS: Why is incident response and digital forensics important to companies?
Zuzana Vargova: Incident response occurs when the company is attacked. It consists of multiple steps. For example, the incident response team identifies infected systems, mitigates further spread of the attack as much as possible, monitors the attacker’s activity and in the end eradicates the threat.
Digital forensics usually happens after the initial phase of incident response – when some of the infected systems have been identified. These systems are then forensically analyzed to gain deeper insight into what happened, or what is happening. It helps companies determine what opened the doors to the threat actors and what damage they might cause. These data are important for the company to determine its next steps. For example, if sensitive or regulated data were exfiltrated, legal steps may be necessary. Findings from forensic analysis may also be used to prevent similar attacks in the future by remediating the security weaknesses that led to the initial compromise.
LIFARS: What are some general misconceptions about digital forensics?
Zuzana Vargova: I don’t think that I’ve come across any widespread general misconception. Non-technical people may not be sure what to expect from a forensic investigation. Sometimes it is difficult to explain what information we can gain from the evidence, and what is beyond our possibilities.
LIFARS: Let’s say a company gets hacked. What is the first thing they should do and what is the process that should follow?
Zuzana Vargova: In the first place, the company must be able to detect that it has been hacked.
When a breach occurs, it is crucial to react appropriately and in a timely manner. This is easier said than done. But first of all – don’t panic.
First steps differ depending on what the company has in its arsenal. Do they have a SIEM? Is any EDR (Endpoint Detection and Response) solution installed on the systems?
After identifying an incident and finding out which systems were affected, it’s time to contain. The company should isolate affected hosts – disconnect them from the network if possible, and limit options for lateral movement by changing administrative credentials as well as any compromised account’s credentials. Patching and updating systems can take place as well. However, before the company performs such modifications on affected systems, it is important to collect evidence. If the company reinstalls systems prematurely, no data will be preserved for forensic investigation. Keep in mind that some pieces of evidence are fragile and volatile – if they are not collected early during the attack, they may be lost forever. Examples are RAM or quickly rotating event logs.
In the later stages of IR, the team removes malware and other traces of the threat actor from the infrastructure and reinstalls affected systems as necessary. After that, the team restores compromised data from backups (yeah, backups should be a crucial component of a company’s IT security policies) etc.
Finally, intelligence gained during the incident should be used to strengthen the company’s security posture. Learn from the attack and make sure that next time, the threat actor won’t be able to use the same entry point and the same tactics.
LIFARS: What would you recommend to security administrators or CISOs that would make your work easier in case of an incident? What are the most common mistakes they usually make?
Zuzana Vargova: A company must have a certain level of security maturity to respond to an incident. It is critical to have a war plan ready before an attack occurs, not to develop strategies after it happens. Of course, it is not possible for every company to have an on-site incident response team – that is what we are here for.
It is always necessary to assign certain employees to communicate with us, to perform evidence acquisition or to provide us with access to acquire data ourselves, etc. This is important both when the company performs IR itself and engages LIFARS only for forensics, and when it uses our incident response team. Assigned individual(s) should be from the IT department, preferably ones who know the company’s network and are able to answer questions related to the infrastructure.
As I’ve mentioned already, it is important to act fast and calmly. Try to gather evidence as soon after the attack as possible. The more time elapses, the less data will be left to analyze.
Note: The second part of this interview is available here.