Don’t get me wrong; if there’s a data breach, you need forensics. You’ll need everything incredibly well documented. You’ll need a proper chain of custody, and all that good stuff. That is to say, forensic analysis is most assuredly a skillset that responders should have.
That does not, however, mean that it’s a skillset that should be used for every incident. Far too many organizations apply full forensic analysis to each and every piece of commodity malware, or even to PUP/PUA (potentially unwanted programs/applications). This is a huge waste of time that could be far better spent on threat research, professional development, and the like.
Let’s say I get an incident escalation because an intrusion analyst observed traffic to a site known to be related to malware. Do I need to perform a full collection on the host? Do I have to build a timeline? All of this may be unnecessary. For the vast majority of commodity malware incidents I’ve ever worked, I can do a quick VirusTotal search on the domain, tie it to a specific malware family, and tie that to a known campaign. A little open source research will generally show me the common infection vector and give me a seed for a quick “hunt” to establish root cause. From there, because we know the malware, we know its capabilities. Does it have a data exfiltration capability? If so, can we quickly and easily verify whether or not data was exfiltrated? If no data was exfiltrated and no lateral movement occurred, we can remediate the victim host and move on.

All told, at this point we’ve probably spent an hour on investigation if no data exfil occurred. If we instead go the forensics route, we may spend several days to get to the same point. We’re not talking about an hour of wasted time here, but days of it. When you understand that a full forensic investigation is the standard route in most organizations even for adware, you begin to understand just how idiotic this whole thing is.
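To make the triage path above concrete, here is an added example (my own code, not from the original post) that walks a single host/domain escalation through the same decision: attribute the domain, check the family’s capabilities, check for exfil volume and lateral movement, and only then decide between “remediate and close” and “escalate to forensics”. The `INTEL` table is a constructed stand-in for the VirusTotal/OSINT lookup, the proxy and flow rows are constructed log lines, and the server allowlist, lateral-movement ports and exfil byte threshold are assumed tunables, not values from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed data (not real intel or real logs) ------------------------

# Stand-in for the "quick VirusTotal search" step: domain -> what OSINT says.
INTEL: Dict[str, dict] = {
    "update-checker.example": {
        "family": "GenericAdware",
        "campaign": "bundled-installer",
        "infection_vector": "bundled with a freeware installer",
        "capabilities": {"ad_injection"},
    },
    "c2-panel.example": {
        "family": "GenericStealer",
        "campaign": "maldoc-wave",
        "infection_vector": "macro-enabled Office attachment",
        "capabilities": {"credential_theft", "exfil"},
    },
}

# Constructed proxy log rows: (src_host, domain, method, bytes_out)
PROXY_LOG: List[Tuple[str, str, str, int]] = [
    ("ws-042", "update-checker.example", "GET", 512),
    ("ws-042", "update-checker.example", "GET", 480),
    ("ws-077", "c2-panel.example", "GET", 1_024),
    ("ws-077", "c2-panel.example", "POST", 4_800_000),
]

# Constructed internal flow rows: (src_host, dst_host, dst_port)
NETFLOW_LOG: List[Tuple[str, str, int]] = [
    ("ws-042", "fileserver-01", 445),
    ("ws-077", "ws-078", 445),
    ("ws-077", "ws-079", 3389),
]

# Assumed tunables: shared servers a workstation may legitimately talk to,
# admin ports that indicate host-to-host movement, and an upload threshold.
KNOWN_SERVERS: Set[str] = {"fileserver-01"}
LATERAL_PORTS: Set[int] = {135, 445, 3389, 5985, 5986}
EXFIL_BYTES_THRESHOLD = 1_000_000


@dataclass
class Triage:
    host: str
    domain: str
    family: Optional[str] = None
    campaign: Optional[str] = None
    infection_vector: Optional[str] = None
    exfil_capable: bool = False
    bytes_out: int = 0
    lateral_targets: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    decision: str = ""


def outbound_bytes(host: str, domain: str, proxy_log=PROXY_LOG) -> int:
    """Bytes the host pushed to the domain with upload-style methods."""
    return sum(b for h, d, m, b in proxy_log
               if h == host and d == domain and m in {"POST", "PUT"})


def lateral_targets(host: str, netflow=NETFLOW_LOG, known=KNOWN_SERVERS) -> List[str]:
    """Hosts (other than allowlisted servers) reached on admin ports from `host`."""
    return sorted({dst for src, dst, port in netflow
                   if src == host and port in LATERAL_PORTS and dst not in known})


def triage(host: str, domain: str, intel=INTEL,
           proxy_log=PROXY_LOG, netflow=NETFLOW_LOG) -> Triage:
    """Attribute, check capabilities against evidence, then decide."""
    t = Triage(host=host, domain=domain)
    hit = intel.get(domain)
    if hit is None:
        # No attribution means no known capability set; scope is unknown,
        # so this is the case where full forensics actually earns its keep.
        t.reasons.append("domain not attributed to a known family; scope unknown")
        t.decision = "escalate_to_forensics"
        return t
    t.family, t.campaign = hit["family"], hit["campaign"]
    t.infection_vector = hit["infection_vector"]
    t.exfil_capable = "exfil" in hit["capabilities"]
    t.bytes_out = outbound_bytes(host, domain, proxy_log)
    t.lateral_targets = lateral_targets(host, netflow)
    if t.exfil_capable and t.bytes_out >= EXFIL_BYTES_THRESHOLD:
        t.reasons.append(f"exfil-capable family and {t.bytes_out} bytes uploaded")
    if t.lateral_targets:
        t.reasons.append("lateral movement to " + ", ".join(t.lateral_targets))
    t.decision = "escalate_to_forensics" if t.reasons else "remediate_and_close"
    return t


if __name__ == "__main__":
    for h, d in [("ws-042", "update-checker.example"), ("ws-077", "c2-panel.example")]:
        print(triage(h, d))
```

The point of the `reasons` list is that the decision is auditable: when a commodity adware case closes in an hour, the ticket still records what was checked (family, capability, upload volume, host-to-host traffic) and why full collection was not warranted.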
So…yes, learn forensics. Ensure that your team is capable of forensic analysis. But also, train your teams in open source investigation, and correlative analysis. You’ll save yourselves a lot of time and money, and it’ll be well worth it.
Article Link: Incident Response Is Not The Same As Forensics – It's Biebs the malware guy!!