Digital forensics

What Happens on the Endpoint Stays on the Endpoint

Liviu Arsene
February 25, 2019 by
Liviu Arsene

When attacks bypass endpoint security, it can often take months for enterprises to discover them. Some security reports even estimate that it requires U.S. companies an average of 191 days to detect a data breach, enabling threat actors to stay undetected within infrastructures for a very long time.

Today, companies are continuously seeking ways to modernize endpoint security in order to detect threats faster and ensure effective response across complex infrastructures. Attack forensics is just one element of improving endpoint detection and response. Another critical factor is complete visibility. Intelligence-gathering on what happened before, during and after an attack has never been more vital, not only for the sake of better protecting infrastructures, but also because new laws and legislation such as GDPR require organizations to provide thorough reporting of data breaches.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Traditional endpoint security is focused on identifying and blocking malware and other potential threats. This means it is ill-equipped to provide IT and security teams the visibility required to backtrack security incidents that were not directly associated with malware.

Best Practices for Deploying Cyberattack Forensics

Attack forensics on endpoints should include a well-laid-out plan of policies and procedures that enable security engineers to understand the value of forensic investigation data and what characteristics of the data should be relevant. Effective attack forensics teams have procedures in place to prepare endpoints for evidence retrieval, to authorize the right personnel to retrieve that data and to direct where to store and document the evidence. To illustrate: This means making sure that logs are stored in secure locations, defining who gets to access those logs and determining how those logs are actually stored.

Assessing the evidence is also vital. Investigators need to understand what data is relevant to their investigation, from which systems and platforms they derive and how to preserve the relevant data. Security engineers also need to ascertain the source and integrity of the evidence before actually using it in the investigation. This means that everything from information about open ports, LAN or WAN network traffic or even running processes can be considered potential evidence in an investigation, underscoring the need for security engineers to have a clear picture of the potential signs of a data breach.

While capturing evidence is a key aspect of the forensic investigation, properly analyzing and examining the information is vital. Data that’s tagged with dates and times, as well as files that have been tampered with or encrypted, can help investigators paint a more accurate picture of the attack. Sometimes, lawyers may be brought in for assistance in order to assess various nuances of the found information and how it can be used as evidence.

For example: A timestamp for new files located on an endpoint might indicate the approximate time a threat might have infiltrated the organization. Using that timestamp, investigators can go further back in time by analyzing other relevant data, such as network traffic which occurred before, during and closely after that specific timestamp.

Cyberattack forensics is all about documenting and reporting. The most effective forensics teams have tools in place to do all that automatically and issue an alert when signs of a potential data breach are recorded. While forensic expertise and know-how are mandatory during investigations, automation tools that augment the defensive capabilities of security solutions and are tightly integrated with them can help security engineers defend against a potential current data breach or to recreate the scene of the crime from past data.

The Importance of Complete Visibility

Complete visibility into a data breach involves far more than just identifying the malware or tools used in exfiltrating data or gaining persistency on the victim’s machine. Visibility on an endpoint means enabling IT and security teams to access a full timeline of events prior to compromise, or access events not usually considered malicious by traditional endpoint security tools.

For instance, endpoint security solutions only provide reports based on when threats were detected as well as the type of threat — such as ransomware or various Trojans — but cannot go back in time to provide details on how it reached the endpoint. The threat might have been delivered by attackers abusing remote desktop protocol credentials to directly execute on the endpoint. However, IT and security teams will have no clue about it, as most endpoint security solutions only detect the malware and not how it was planted or executed.

The previous example illustrates the value of endpoint detection and response solutions that issue security warnings that could indicate a data breach. These warnings could be in response to things such as users logging into endpoints during off-hours, remote desktop sessions that use lost or stolen authentication credentials and users who try to access information and data that’s not within their access privilege.  

The value of maintaining a history of everything that led up to the attack can’t be quantified. However, this critical insight allows IT and security teams to perform a postmortem investigation that often reveals the initial point of compromise attackers used to gain a foothold in the organization. It also offers a bigger picture of the threat actor’s attack pattern and intent. For instance: By following attacker’s footsteps, security teams can learn which areas they usually focus on once they breach an infrastructure, what techniques they use to elevate privileges and what tools they use to move laterally across the infrastructure while covering their tracks.

Avoiding Common Pitfalls

Some of the common “misses” from security teams collecting forensics usually involves not having access to the best equipment for the job. For instance: While security solutions are great at stopping malware and advanced threats, they’re not equipped to log user activity during off-hours or log remote desktop sessions with stolen credentials. This means that when building a security strategy that includes the forensic capabilities necessary to investigate potential data breaches, security engineers should consider how to best integrate next-generation endpoint detection and response capabilities. This will give them richer insight and detailed views of the entire attack chain.

Why? Because having access logs and correlating them with the security solution might reveal both vulnerably and security blind spots that were unknown until the time of investigation, while at the same time help security engineers identify what tools threat actors used after the initial point of compromise. When disparate solutions for security and EDR tools are used, this directly translates into increased overhead in terms of managing multiple consoles, increased analysis time by having security engineers manually correlate data from the two and potentially not having a complete overview of the exact timeline of events.

Since time is of the essence during forensic investigations, it is particularly beneficial to have an integrated security platform that encompasses both security and EDR under the same proverbial umbrella. This is because it can help enterprises learn from these investigations and set up alerts for future data breach attempts that could leverage the same tools.

How to Leverage Attack Forensics to Defend Against Future Attacks

It’s crucial to develop attack visibility that indicates the root cause of the attack. Events that occurred after the attack and the action taken to neutralize the attack are invaluable when building new defenses and upgrading incident-response plans to counter similar future attacks.

Forensic evidence provided by an integrated endpoint protection platform (EPP) and endpoint detection and response (EDR) solution may help IT and security teams identify security blind spots. Everything from authentication credentials that were not disposed of after an employee left the organization to unpatched endpoint applications to Internet-exposed services could easily be revealed by an EDR solution.

Next-generation endpoint and detection solutions go the extra mile by incorporating machine-learning algorithms that can perform alert triage. This is so overburdened and understaffed IT and security teams can focus on potential security incidents that have a high likelihood of indicating an in-progress or attempted data breach.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Tight integration between EPP and EDR means organizations can have a complete picture and timeline of events. This is vital to ensuring business continuity (by swiftly identifying or containing a potential breach) and ensuring that any financial or reputational fallout caused by regulatory or compliance issues is minimized due to a comprehensive incident report.

Liviu Arsene
Liviu Arsene

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.