DFIR Service Overview
Our services align to four response stages in which clients often find themselves: planning, prevention, response and validation. These informal stages describe the common drivers that have led clients to engage VerSprite for DFIR services.
Before the Compromise (Planning)
The adage of “not if but when” is real. Planning for how to respond to a compromise is key, particularly when addressing both likely and unlikely threat scenarios. Pre-compromise planning efforts around security incidents encompass the following:
- IR Policy Governance / Administrative Plan Reviews
  - Do you have the right plan?
  - Are there procedures supporting the plan?
- Readiness around DFIR Efforts
  - Are we logging the right things to support forensic evidence reviews?
  - Is the plan tested in some way?
- DFIR Retainers
  - Pre-planning teams and workflows for a possible event
  - Reduce administrative headaches around paperwork
  - Preliminary work to enable a swift response to an incident
  - Conversion to an IR tabletop exercise or other VerSprite service if the retainer is not used within a year
Identifying Existing Compromises (Validation)
Compromises aren’t as evident within an organization as some may think. Subtle signs of compromise are often never reported by end users, who chalk up anomalies to network or system glitches, old hardware, etc. Compromise assessments help to address the following:
- Have I been hacked? / Am I currently compromised now?
- Am I buying a hacked company?
- Did a departing employee take company data (e.g. proprietary software, financial data, client information)?
Responding to a Compromise (Response)
Execution is everything when doing proper response efforts. Being able to perform root cause analysis from forensic data is critical. Log analysis, drive forensics and interviews all need to be orchestrated around a timeline and focused on the varied objectives of the response phase, which include the following:
1. Detection & Identification
   a. Determining data compromise
      i. What type of data was compromised?
      ii. When was it compromised?
      iii. Who compromised the data?
      iv. Was the compromised data encrypted?
   b. Defining the affected scope
   c. Defining the timeline around the compromise
2. Eradication & Quarantining
3. Post-Incident Review and Analysis
Scope of DFIR Efforts
The scope of our response efforts for any of the above-mentioned services encompasses the following:
- Windows, Mac OS X & Linux
- Duplicate media
- Infrastructure logs (e.g. network, proxy and directory service logs)
- Mobile phones
- Malware analysis
- Email forensics
- Memory captures from endpoints and distributed systems (physical & virtual)
- Timeline creation
- Witness expertise
- Insider threats
- Ransomware recovery
- Intentional or accidental deletion of files