In this series, I will be discussing how to handle an incident with the speed and precision of a DFIR warrior. With a rapid triage mindset, you’ll be able to assess the situation quickly and efficiently, just like a Jiu-Jitsu practitioner sizing up their opponent before delivering a devastating submission. You will have the tools to identify the type and severity of the attack, isolate the affected systems, and implement countermeasures to contain the damage—all in a fraction of the time it previously took you.
Part 1 of this series focuses on three (3) critical components that are often forgotten once an incident has been declared: following an incident triage process, centralized incident analysis document preparation, and ongoing communication requirements.
This Incident Response rapid triage process will incorporate the following aspects:
- Incident setup preparation
- Centralized analysis documentation
- Incident communication and reporting
- Critical incident objectives
- Key security solution access
- Windows system processing
- Windows event log
- $MFT and $UsnJrnl journal
- Registry hives
- Memory image
- Network data processing
- Proxy\web filter
Disclaimer: This process does not cover all triage aspects when responding to an incident scenario, but from my experience, it does focus on the most critical components during the first few hours of the Incident Response.
This process does not utilize any paid tools and does not take into consideration a centralized DFIR collaboration setup or anything high-speed. The targeted audience for this blog post is analysts utilizing local tools or portable forensic virtual machines. A scenario to envision: an Incident Response consultant blindly jumping into a compromised network and either working onsite exclusively out of their go-bag or working completely remotely and visually disconnected from the client environment. That being said, this process could also be used as a stepping stone to build out a significantly more robust incident triage playbook that could be used by any organization’s Incident Response team.
So, whether you’re a seasoned DFIR pro or just starting out within Incident Response, hopefully you will uncover some useful insights.
Let’s do this!
The process outlined is not a deep-dive forensic analysis and should be considered how an analyst can derive expedient analysis output from a handful of critical system forensic artifacts and network log data. Once this initial triage has been completed, the analyst can assess whether deeper forensic investigation is required.
All the identified processing tasks below can be run in parallel with one another in the background as the analyst works on various other investigational tasks. These initial steps will quickly identify ‘low-hanging fruit’ IOCs and provide key pivot points to work from. These can be correlated with and compared to other data points acquired from live forensic tool output. These data points can also be used for targeted threat hunting across the environment, especially in cases where remaining client systems were not initially targeted by a live forensic collector or any endpoint security agent.
Additional details about these tools can be found in the Tool References section. This is by no means a complete list of tools that can be utilized during an incident, but I have found them to be extremely useful and reliable on the vast number of incidents I have worked.
Incident Setup Preparation
Setting up for an incident is paramount and must not be overlooked, no matter how stressful the incident scenario is.
Centralized Analysis Documentation
The first crucial step in any Incident Response scenario is to make sure centralized documents are created and ready for all analysis output. Once the analysis train kicks into high gear, it will become arduous and almost impossible to aggregate the volume of forensic output from multiple teams and analysts during the actual incident analysis activities.
The two documents below will provide aggregated real-time incident analysis documentation capabilities.
- Spreadsheet-of-Doom (SOD), which contains the following:
- Incident summary
- Compromised systems
- Compromised accounts
- Compromised email addresses
- Incident timeline
- Key file and hash information
- Master finding document
- This document will contain all the low-level analysis output that can be used for daily status reports and end-of-incident report creation.
Incident Communication and Reporting
Without proper incident communication and ongoing reporting, an incident can quickly get out of control.
The following critical steps should be established before proceeding with any analysis:
- Assign incident Lead to oversee all incident activities
- Establish communication cadence to keep all stakeholders abreast of incident progress
- Determine if daily status report is required or if end-of-incident report is sufficient
Rapid triage is crucial for managing and prioritizing effective Incident Response actions. Proactive planning allows for timely response actions which are crucial in containing and eradicating threats, minimizing downtime, and reducing damage from an incident. Successful incident preparation starts off with having the right incident triage processes in place, centralized analysis documentation created, and the incident communication cadence established.
Part 2 of this series will guide you through the process of conducting a detailed assessment of the incident and then lead into Windows endpoint artifact processing.