DFIR, Threat Hunting, And Navigating COVID-19 Lockdowns

By Vikram Chabra, Netenrich

While many COVID-19 stay-at-home orders have been lifted and significant numbers of employees tentatively head back to the office, we can’t hide from the fact that in most cases, it’s been three months since team members were on-site with all their equipment and co-workers. While for some, the main challenge has been a lack of social and professional interaction, for others, the enforced remote working of the last three months has hampered their ability to do their job to its fullest effect.

For those in security-related jobs, being away from key pieces of equipment and integral team members has had an impact, there is no doubt. And when it comes to advanced digital forensics (DF), incident response (IR), and threat hunting, on the one hand being remote hasn’t had a huge impact on professionals in the field, yet on the other hand it has proven cumbersome at best and highly restrictive at worst.

The Individual Effect

We all know that R&D plays a huge role in the life of people who work in DFIR and threat hunting, with DFIR team members in particular spending a lot of their time sharpening their tools, so to speak. So how has the lockdown affected this?

The answer depends on how prepared team members were before the lockdown came into force. For example, those carrying out such R&D activities need to have a secure VPN connection. This may sound obvious, yet we find that VPN is always an afterthought for a lot of companies, with investment often made on a nice-to-have basis. However, workers whose jobs are directly related to IT, and DFIR, need to opt for a VPN service, without exception.

A hardened laptop is also critical for those operating in DFIR R&D. For those who suddenly found themselves working from home overnight in March because of COVID-19, this raised questions about whether they could carry out their jobs on a personal laptop. The answer was most likely no because the personal laptop usually doesn’t have the essentials, such as endpoint security, firewall or browser extensions, installed.

Threat hunting throws up a different set of challenges for remote workers, given how bandwidth heavy it can be. Pulling up myriad data points and trying to do correlation, cross-correlation, multi-dimensional cross-correlation, and similar means strong bandwidth is a must, which is often not the case with residential WiFi. Given this, for those trying to carry out this kind of work on a residential WiFi setup, a level of isolation on the WiFi network is essential, so setting up WPA enterprise is important as it allows for additional security and a variety of network encryption.

From a security perspective, threat hunting is predominantly carried out on a threat hunting platform, most of which are SaaS-based and so carry at least a basic level of access authentication automatically. Still, an identity access management solution is an important add-on to enable a further level of security. This is also important because a significant number of threat hunting platforms are also integrated with threat intelligence platforms, which means they consume aggregated threat feeds across the world so that it will be easy to bring the global threat intelligence context and marry that with enterprise data. This makes this identity access management a key piece for these platforms and an essential addition for their secure usage

Teamwork

One clear way the COVID-19 pandemic and resulting stay-at-home orders have significantly impacted the work of DFIR is because there is absolutely no scope for getting hands-and-feet support for those team members trying to deal with a security incident.

Most of this activity has had to be conducted and organized remotely. And though there may have been a remote element to such work previously, it would likely have been in maximum two or three locations: the enterprise that got impacted by the breach, and one or two delivery centers where the incident responders would log in and perform this work remotely. But with the COVID-19 situation forcing the majority of team members to work from home across disciplines, suddenly this group of two to three locations became 50-plus locations because of the large number of different people who need to be involved in related crisis-management communications regarding the incident.

And it's very difficult to facilitate all of those different interactions and enable timely communication or experience the attention you would normally have with the hands-and-feet support we’re used to when it comes to incident response.

Alongside this, the work becomes more difficult as the cycles that are spent on it are significantly longer compared with the pre-lockdown days. This is compounded by the fact that hackers and intruders have sought to leverage the situation and expose vulnerabilities or conduct attacks that they know require hands-and-feet support that DFIR teams have not been able to give (or get) over the last three months.

About The Author

Vikram Chabra is the head of the cybersecurity practice at Netenrich.