Being hacked is the nightmare of every company, whether in the private or the public sector. Being able to rely on a stable, experienced team is priceless at such times. To introduce the LIFARS digital forensics and incident response (DFIR) team, we decided to give an insight into the team's structure. Working in cyber security is not a regular job; you often have to deal with novel approaches and tactics of threat actors. What is the driving force behind Zuzana Vargova, LIFARS digital forensics analyst?
Note: The first part of this interview is available here.
LIFARS: What challenges do you need to overcome when performing digital forensics?
Zuzana Vargova: Various issues may arise during an investigation. We may get evidence in an unusual format and need to convert it before further processing. Also, some evidence may be incomplete. In some cases, the evidence is acquired too late and without data covering the time of the attack. The latter happens quite often: we get, for example, event logs from a domain controller, but they cover only the last 2 days. If the attack occurred weeks before the acquisition, such evidence is practically useless.
When it comes to logging, we encounter different auditing strategies. Some companies opt for a more holistic approach, which is beneficial for the investigation. On the other hand, some companies go for less logging, which can result in less data being available for analysis.
Every company has a different strategy for backing up data, a different set of security tools installed, and different log retention periods. This means that in every case we must adapt our methodology a little to reflect the current situation.
The level of certainty is sometimes an issue as well. For example, in some cases it is difficult or impossible to tell which actions were taken by the threat actor impersonating a regular user and which are legitimate activity. The client's cooperation may be needed to confirm this, which brings us back to the company's need to know its network, its employees, and their habits.
LIFARS: What types of digital forensics evidence are there?
Zuzana Vargova: There are quite a few. But first, let me tell you what kinds of digital forensics we do at LIFARS, as each of them has a corresponding set of evidence.
Most often we perform disk forensics. Evidence consists of hard drives from servers, computers or notebooks, or logical images of disk drives or disk partitions, exports of event logs, registry keys, etc.
When doing network forensics, we rely on network logs, packet captures, and various logs and data provided by networking devices, VPNs, proxies, etc.
When investigating email-related incidents, we acquire exports of the affected mailboxes, as well as any logs related to the email client or service (Outlook, Office 365, ...).
In memory forensics, the analysis focuses on RAM. Therefore, an image of the computer's RAM is usually the main evidence.
There are other types of forensics, such as database or mobile device forensics, each based on its own evidence sources.
LIFARS: You have had the chance to work with clients in the public sector and also with the private sector across all kinds of industries. Does the threat landscape differ?
Zuzana Vargova: Based on recent breaches, I would say that the threat landscape differs, but not that much. Look at the SolarWinds supply chain compromise. A large number of private and public entities were affected, and all were attacked using the same vector.
In general, the public sector is more likely to be a target of nation-state threat actors, espionage, hacktivism and so on. On the other hand, the private sector appears to be a more likely victim of ransomware gangs or intellectual property theft. Stealing sensitive data can be lucrative, whether from public institutions or commercial ones.
This is a topic for a longer discussion.
LIFARS: Can you name the top three most prevalent cyber threats that are, in your opinion, universal for companies of all sizes?
Zuzana Vargova: Malware and ransomware affect everyone. Phishing and other social engineering attacks are often used as the initial infection point. Finally, data breaches are lucrative, as even a small company can possess some valuable data. I would add a fourth one: supply chain compromise. This type of threat has been known for a long time, but it was brought into the spotlight in December 2020 after the SolarWinds attack disclosure.
LIFARS: What motivates you to enter each engagement with a clear mind?
Zuzana Vargova: Every engagement is a bit different. Even when you investigate two Ryuk ransomware breaches, there are subtle differences. This makes you curious and eager to spot those details.
Often you come across something that you are not familiar with, a different evidence type or a different threat actor tactic, so you constantly learn something new, which is great. Cooperation within our team is motivating as well. We have many talented individuals with whom to discuss and develop new approaches to investigation.
Finally, in the end you help someone to run their business again and provide services to their customers. LIFARS has also helped with legal investigations which eventually resulted in indictments of the culprits. It is good to know that your work has some impact.
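The retention problem raised in the first answer (domain controller event logs that reach back only two days) is something a defender can check before an incident rather than discover during one. The following is an added example and is not part of the interview or of any LIFARS tooling: a PowerShell report, run as an administrator on a Windows server, that lists for each event log its configured size, its overwrite mode, and how far back the oldest retained record goes. The list of log names is an assumption and should be adjusted to the organisation's audit policy.

```powershell
# Added example (not from the interview): report how far back each Windows event log reaches,
# so short retention is found before an investigation depends on it.
# Log names below are an assumed starting set; extend them to match your audit policy.
$logNames = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational'
)

function Get-EventLogRetention {
    param([string[]] $Names)

    foreach ($name in $Names) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            Write-Warning "Log '$name' not found on this host"
            continue
        }

        # -Oldest reads the log from its start, so the first record returned is the
        # oldest event still retained; in a circular log that is the retention horizon.
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $days   = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { $null }

        [pscustomobject]@{
            Log          = $name
            Enabled      = $cfg.IsEnabled
            MaxSizeMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            Records      = $cfg.RecordCount
            Mode         = $cfg.LogMode        # Circular = oldest events are overwritten when full
            OldestEvent  = if ($oldest) { $oldest.TimeCreated } else { $null }
            DaysRetained = $days
        }
    }
}

Get-EventLogRetention -Names $logNames | Format-Table -AutoSize
```

A Security log whose DaysRetained is in the low single digits on a busy domain controller is the situation described above: by the time a breach is noticed, the initial access events have already been overwritten. Raising the log's maximum size (for example with `wevtutil sl Security /ms:<bytes>`) buys time, but the durable fix is forwarding the events to a collector or SIEM whose retention is measured in months, so that the evidence survives regardless of when the acquisition happens.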