DFIR, Threat Hunting, and Navigating COVID-19 Lockdowns

While many COVID-19 stay-at-home orders have been lifted and significant numbers of employees tentatively head back to the office, we can’t hide from the fact that in most cases, it’s been almost five months since team members were on site with all their equipment and co-workers.

While for some, the main challenge has been a lack of social and professional interaction, for others, the enforced remote working of the last five months has hampered their ability to do their job to its fullest effect.

For those in security-related jobs, there is no doubt that being away from key pieces of equipment and integral team members has had an impact. When it comes to advanced digital forensics (DF), incident response (IR) and threat hunting, being remote has, on the one hand, not had a huge impact on professionals in the field, yet on the other hand it has proven cumbersome at best and highly restrictive at worst.

The individual effect

We all know that R&D plays a huge role in the life of people who work in DFIR and threat hunting, with DFIR team members in particular spending a lot of their time sharpening their tools, so to speak. So how has the lockdown affected this?

The answer depends on how prepared team members were before the lockdown came into force. For example, those carrying out such R&D activities need a secure VPN connection. This may sound obvious, yet we find that VPN is often an afterthought for a lot of companies, with investment made on a nice-to-have basis.

A hardened laptop is also critical for those operating in DFIR R&D. For those who suddenly found themselves working from home overnight in March as a result of COVID-19, this raised the question of whether they could carry out their jobs on a personal laptop. The answer was most likely no.

Threat hunting throws up a different set of challenges for remote workers, given how bandwidth-heavy it can be. Pulling up myriad data points and performing correlation, cross-correlation, multi-dimensional cross-correlation and similar analysis means strong bandwidth is a must, which is often not the case with residential Wi-Fi. For those trying to carry out this kind of work on a residential Wi-Fi setup, a level of isolation on the Wi-Fi network is therefore essential: setting up WPA Enterprise is important, as it provides per-user authentication rather than a shared password, and a choice of network encryption options.
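As an added illustration that is not part of the original article, the following hostapd configuration fragment contrasts the typical shared-password home setup (WPA2-PSK) with a WPA2-Enterprise setup of the kind the paragraph above recommends. The SSID names, interface name, RADIUS server address and shared secret are placeholder values chosen for this example; the RADIUS server itself (for example FreeRADIUS) is assumed to exist on the home network and is not shown.

```text
# --- Typical residential setup: one shared passphrase for every device ---
# Anyone who knows the passphrase can join, and all devices share one key hierarchy.
interface=wlan0
ssid=HomeNet-Example          # placeholder SSID
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change-me-example   # placeholder passphrase

# --- Isolated work SSID using WPA2-Enterprise (802.1X / EAP) ---
# Each user authenticates individually against a RADIUS server, so a work
# laptop can be given its own credentials and revoked without re-keying
# every household device.
interface=wlan0
ssid=WorkNet-Example          # placeholder SSID
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10   # placeholder RADIUS server (documentation range)
auth_server_port=1812
auth_server_shared_secret=radius-secret-example   # placeholder secret
ap_isolate=1                  # stop clients on this SSID from reaching each other
```

In practice the two blocks would live in separate hostapd configuration files or be attached to separate virtual interfaces, since one `interface=` line applies per file; the point of the comparison is that the Enterprise SSID gives the work laptop its own authenticated, client-isolated network segment on the same residential hardware.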

From a security perspective, threat hunting is predominantly carried out on a threat hunting platform, most of which are SaaS-based and so carry at least a basic level of access authentication automatically. Still, an identity and access management (IAM) solution is an important add-on in order to enable a further level of security.

This is also important because a significant number of threat hunting platforms are integrated with threat intelligence platforms, consuming aggregated threat feeds from across the world so that global threat intelligence context can easily be married with enterprise data. That makes identity and access management a key piece for these platforms and an essential addition for their secure usage.

Team work

One clear way the COVID-19 pandemic and resulting stay-at-home orders have significantly impacted the work of DFIR is that there is absolutely no scope for hands-and-feet support for those team members trying to deal with a security incident.

The majority of this activity has had to be conducted and organized remotely, and though there may have been a remote element to such work previously, it would likely have involved at most two or three locations: the enterprise that was impacted by the breach, and one or two delivery centers where the incident responders would log in and perform the work remotely.

With the COVID-19 situation forcing the majority of team members across disciplines to work from home, this group of two or three locations suddenly became 50-plus locations because of the large number of different people who need to be involved in crisis-management communications regarding the incident.

It is very difficult to facilitate all of those different interactions and enable timely communication, or to achieve the level of attention we are used to with hands-and-feet support when it comes to incident response.

Alongside this, the work becomes more difficult as the cycles that are spent on it are significantly longer compared with the pre-lockdown days. This is compounded by the fact that hackers and intruders have sought to leverage the situation and expose vulnerabilities or conduct attacks that they know require hands-and-feet support that DFIR teams have not been able to give (or get) over the last three months.

What all of this means as many of us head back to the office is that we have to ensure we don't find ourselves playing catch-up when it comes to DFIR and threat hunting. Threat actors have made a concerted effort to exploit the impact of the COVID-19 pandemic, and will continue to do so as we head into another period of readjustment and potential uncertainty.

The good news is that teams can take the workarounds built during this period of enforced remote working and apply them in their everyday efforts, giving them a perspective they perhaps would not have had without managing a dispersed team functioning without everyday essential equipment.
