什么是数字取证和事件响应(DFIR)? 

DFIR是收集数字法医证据的过程, 搜寻可疑活动, 并持续监视端点事件. 更深入一点,安全专家Scott J. 罗伯茨 定义DFIR 作为“一个多学科的专业,专注于识别, 调查, 纠正计算机网络剥削."

从过程的角度来看, an 事件响应 和 investigation plan that leverages comprehensive forensics will include responsibilities such as investigation, 分析管理, 威胁检测, 通信, 以及研究结果的记录.

Subsequent remediation 和 cleanup typically includes removing attacker remote-access capabilities, 恢复优先级的业务流程和系统, 保护受损用户的账户.

Contained in the minutiae of those processes are the following key components of a DFIR framework:

  • Muti-system取证: One of the hallmarks of DFIR is the ability to monitor 和 查询 all critical systems 和 asset types for indications of foul play. 
  • 袭击的情报发现可疑的网络活动意味着知道要寻找什么. 这意味着培养像攻击者一样思考的能力, 不仅仅是修复您自己系统中的漏洞, 但也能发现剥削的迹象. 
  • 端点的可见性: Security teams need visibility into corporate networks 和 the seemingly endless complex system of 端点 — then they need a way to clearly organize 和 interpret data gathered from them.

DFIR在网络安全中的作用

在更大的网络安全实践框架内, DFIR serves to obtain a finely detailed look at how a breach occurred 和 the specific steps it will take to remediate that particular incident. Let’s dive deeper into the separate functions that make up a holistic DFIR practice.

事件侦测及应变 

Detecting compromised users affected by a breach is the first step to gaining visibility into what occurred 和 crafting a timely response to ensure attackers are purged from the network, 漏洞得到了控制和修复, 剩下的 可利用的漏洞 矫正. 从那里, 可以进行深思熟虑的调查, one that can identify evolving attacker behavior 和 more accurately spot it in the future.

法医调查

An investigation into a specific breach is never going to look like the investigation that came before it. 定制应对威胁的情境方法是非常必要的, 这种威胁是否即将发生或已经发生. 展开调查时, 安全团队可能会对受影响的资产执行数据分析。, 获取浏览器历史工件, 事件日志, 目录中的文件, 登记箱.

威胁情报与分析

采集过程中最关键的一步 威胁情报 is ensuring the data are tailored to each 和 every function in a security organization. 一旦付诸实践, 情报周期 通过收集会产生结果吗, 分析, 并传播给组织中的相关利益相关者. This process presupposes a heavy emphasis on automated analysis that can quickly search through data 和 surface relevant insights.

恶意软件分析和逆向工程

在分析电位 恶意软件 在网络上, 安全小组会提交可疑样本, 在一连串的分析中进行分析, 然后根据风险评分对威胁进行分类. 这有助于分清轻重缓急. 这是需要立即关注的事情还是可以等待? 在这个分析阶段, reverse engineering 恶意软件 can help teams find the best way to underst和 its ultimate target 和 quickly eradicate it.

事件控制和恢复

一旦入侵范围和受影响的资产完全确定, 应用程序, 用户也得到了控制, a 安全运营中心(SOC) will launch a predetermined plan to restore normal business operating processes. Documentation is key to disaster planning so teams can underst和 the various components of the backup system. 维护一个自动化的, offline backup can further help the process of recovering from a 恶意软件 attack.

数字取证如何用于事件响应? 

数字取证应用于 事件响应 通过融入这个过程. 每个安全专家都知道, 仅仅对事件做出反应并解决问题是不够的, you have to know exactly what happened 和 how it happened so that systems can be calibrated for that attack path 和 surface customized alerts the next time that behavior is spotted.

如果有人问,“什么是数字取证?”, we would more pointedly want to have a discussion on multi-system forensics (briefly mentioned above). 这是, the ability to monitor 和 查询 critical systems 和 asset types all along a network for indications of suspicious behavior. 让我们更细致地看看这个过程需要做些什么:

  • 收集: Perform targeted collections of digital forensic evidence across 端点.
  • 监控: Continuously monitor for endpoint events like logs, file modifications, 和 process execution. 
  • 亨特: Find 和 access a reliable library of forensic artifacts 和 search for suspected 恶意软件-related activities on your network, 根据您的需要定制特定的威胁搜索需求.

数字取证应该使威胁响应者和猎人能够收集, 查询, 并监视端点的几乎任何方面, 端点组, 或者整个网络. The practice can also be used to create continuous monitoring rules on an endpoint as well as automate server tasks. 具体用例包括:

  • 客户机监视和警报(检测)DFIR工具可以收集专注于检测的事件查询, allowing practitioners to autonomously monitor an endpoint 和 send back prioritized alerts when certain conditions are met.
  • 主动寻找指示器(威胁情报): This indicates artifact collection at scale from many systems that can then be combined with threat-intelligence information – such as hashes – to proactively hunt for compromises by known bad actors. 
  • 将事件持续转发到另一个系统:监视查询可用于简单地转发事件.
  • 收集用于在另一个系统上分析的批量文件(数字取证): The DFIR tool will collect bulk files from an endpoint for later analysis by other tools.
  • 解析端点上的指示符(数字取证)工件用于直接解析端点上的文件, 快速返回可操作, 高价值的信息,无需冗长的后期处理.
  • 主动寻找跨多个系统的指标(事件响应): The DFIR tool can simultaneously hunt for artifacts from many 端点.

为什么DFIR是网络安全计划中的关键工具? 

DFIR is a critical tool in a cybersecurity program because it helps to more accurately 和 granularly reveal the methodology 和 path that an attacker is looking to take or has already taken to breach a network.

It’s in the best interest of a business 和 its security program to go beyond response 和 calibrate preventive measures to recognize the same or similar behavior in the future.

DFIR的好处是什么? 

DFIR的好处怎么说都不为过, as the goal of breach investigation is visibility so that security teams can gain insights from what happened 和 create a stronger program.

  • 更快的恢复: Surfacing more relevant alerts – based on either past incidents or library artifacts – means that DFIR practitioners can work faster to respond to 和 recover from an incident.  
  • 更强的安全态势: In more accurately being able to respond to threats 和 investigate them, 组织的整体健康和安全状况开始改善. 一个外部 DFIR服务 program can also help to further add value by conducting more in-depth investigations, giving time back to internal practitioners to focus on other goals 和 priorities. 
  • 数据共享功能: A modern DFIR solution will include accurate reporting of every action taken in the response to a threat or incident. This means those reports 和 critical insights can easily be shared with any 和 all interested stakeholders.  
  • 巴特猜测他们是怎么进来的? 到底谁是行凶者? 他们的动机是什么?? Thorough DFIR capabilities should be able to provide clear answers to these questions, 毫无疑问,已经发生了什么,接下来会发生什么.

阅读更多关于DFIR的信息

最新的Rapid7博客文章