The butler did it? Finding out who did what in Incident Response

One of the greatest challenges in modern day IT is investigating serious incidents. Business critical functions must be recovered quickly and in a cost-effective manner, all whilst determining the root cause of the problem. 

Unfortunately, the simple question of “who did what?” is often the most critical and most difficult to answer. Following an incident, management will want to discover the root cause as soon as possible. This leaves security teams to analyse thousands of log entries, a time-consuming and resource-intensive exercise. Incidents that involve a privileged account can be even more challenging as privileged insiders or external attackers in possession of hijacked credentials can modify or delete logs to cover their tracks. 

The hijacking of privileged accounts has become a common technique for cyber-criminals. They steal the credentials of a privileged employee and, acting as a legitimate user, gain unlimited access to customer data and underlying infrastructure. 

Sophisticated, well-funded cyber criminals target privileged accounts because the access they provide makes it possible to steal data on a massive scale, disrupt critical infrastructure, and install malware. Attacks can unfold over a period of months, allowing intruders to perform reconnaissance, escalate privileges, cover their tracks and finally exfiltrate data. Research indicates such attacks take months or even years to discover. 

Human error can also present a challenge. As an example, in the event an inexperienced administrator accidentally misconfigured a core firewall, quick resolution and remediation could be an overwhelming task. IT staff often use shared accounts such as “administrator” or “root”, making it extremely difficult to determine who did what. And this can easily start the blame game between parties.    

One way to combat these issues is to collect relevant and reliable data on these user sessions. Tools like Advanced Privileged Access Management (PAM) solutions can help by providing consumable information about privileged access. Being able to easily reconstruct and analyse user sessions can reduce both the time and cost of investigations. 

PAM solutions can be a great help, but it’s also important to have an incident management process in place to ensure a swift system of assessment. 

The Incident Management Process 

Thankfully there are step-by-step processes for incident management outlined by ISO 27002, the NIST and the CERT/CC. These encourage a consistent approach, for those organisations under compliance pressure. These businesses are expected to regularly define, and in the case of a security event, execute an incident response procedure. They must show that they are capable of taking action when critical assets are endangered. 

To take an example, the CERT/CC concept has four components. First, an incident is reported or otherwise detected (detection). Second, the incident is assessed, categorized, prioritized and is queued for action (triage). Thirdly, research on the incident, what has happened, who is affected and so on (analysis). Finally, actions are taken to do all that is necessary to resolve the incident (incident response). 

Identifying data sources 

Finding the sources of data and evidence is the first step in any forensic process. This might include security logs, operations logs and remote access logs that have been created on servers. Client machines, operating systems, databases, network and security devices might also be included. These are the most common data sources you’ll find. There may be some additional sources in the form of configuration files or information ticketing systems. Investigations that involve privileged accounts could also include session recordings, these playable audit trails can be very useful in uncovering what has happened. 

Acquiring the data 

With the data in sight, the analyst must then acquire it. Some log management tools will centrally collect, filter, normalise and store log data from a wide range of sources making this far easier. For cases involving privilege misuse, data must also be collected from privileged session recording tools. 

With all the data to hand, it must be verified to ensure its integrity. For any cases that might involve the law, it is vital that the data hasn’t been tampered with, and that that can be proved. Advanced forensic tools can protect against tampering through the use of encrypted, time-stamped and digitally signed data.   

Examination 

With the data verified it can now be examined. Each piece of data must be examined to extract the relevant information. Some forensic tools provide free search, which can aid in quick navigation to a specific point in time, like when the event occurred. By combining log data with session metadata, the examination of privileged account incidents can be sped up dramatically. 

Analysis 

Now the most pertinent information has been extracted, analysis can begin. Any forensic investigation must be systematic in its approach, in this way the correct conclusions can be drawn from the available data. Or, that no conclusion can be drawn. 

Privileged user behaviour can be analysed by certain tools to provide alerts if their behaviour is outside their normal operating parameters. This can provide the full context of suspicious activity when combined with replayable audit trails. These can show logins, commands, windows, text entered from any session. All of this is incredibly valuable information for an analyst. With all of these elements, a complete timeline of events can be created. 

Reporting 

Finally, with all data collected, verified and analysed the process of presenting the results can begin. This can be a laborious process; however, some advanced forensic tools will generate custom reports automatically streamlining the entire process. 

Solving the problem

To increase incident management efficiency adding information sources that can detect and analyse privileged user threats is essential. However, rapid investigations and making quick, informed decisions can be challenging and require data in real-time about the context of a suspicious event. In these scenarios, an access management tool providing risk based scoring of alerts, fast search, and easily interpreted evidence can help. 

Advanced Privileged Access Management technologies can meet these expectations - they provide secured privileged access to critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access. Alongside a robust incident management process and business can be prepared for when an incident occurs. 

Csaba Krasznay, Product Evangelist at Balabit 

Image Credit: Balefire / Shutterstock