How to effectively carry out network security incident investigation


Network security incident investigation is a key component of modern enterprise network security system construction. In order to prevent network attacks, it is far from enough to only focus on the application effect of security tools, because security incidents happen all the time. Only when the security team fully understands the whereabouts and attack paths of attackers, can they better prevent more attacks from happening.

It doesn't seem complicated to do a good job in network security incident investigation: collect the operation data of the enterprise IT system, then analyze the abnormal situations in it. However, many uncertainties hide behind this seemingly simple task. In the investigation of network security incidents, it is necessary to adopt legal and compliant investigation methods and appropriate technologies and tools, and also to bring in some non-technical skills, such as analytical ability, communication ability and teamwork ability, in order to ensure the accuracy, validity and compliance of the investigation results.

The significance of network security incident investigation

With the digital development of enterprises, various types of network security incidents will be encountered, and not all of them need to be fully investigated; for many, preparedness for emergency response is sufficient. The main application scenario of network security incident investigation is network attack and defense confrontation. Security incidents generated in high-intensity confrontation require enterprise security investigators to conduct in-depth investigation and analysis, and the difficulty of such investigations is far beyond that of traditional network virus attack incidents.

Security incident investigation and traditional threat detection both rely on a powerful threat intelligence library and discovery rules, but the biggest difference is that threat detection aims to detect abnormal situations in time and send out alarms, while incident investigation carries out a comprehensive investigation and analysis of the abnormal behaviors found, followed by the corresponding suppression and repair.

Take the investigation of ransomware attacks as an example, since ransomware has become a common security risk faced by enterprise organizations. When many companies investigate ransomware attacks, they focus on how to decrypt and recover data, which is a serious mistake. Enterprises should fully understand how the system was invaded by ransomware, and comprehensively investigate the possible threat paths, including phishing, software vulnerabilities, weak passwords, and malicious insiders, so that it is possible to completely eliminate the illegal control of their own business systems by ransomware attackers and fundamentally prevent the recurrence of such incidents.

Many customers are less concerned with the specifics of the attack, such as the source or the hacking group behind it. They are primarily concerned with restoring business processes and ensuring that such malicious behavior never happens again. At the same time, investigators can reverse engineer malware code to glean valuable data that could indicate the hacker's origin. In a typical incident investigation scenario, the data collection and analysis cycle can be used to represent the progress of the investigation. After each new iteration, the enterprise will have a more accurate understanding of the next step in network security construction.

Prepare for incident investigation

The investigation of network security incidents is usually divided into the stages of collecting clues, data analysis, and report summary. Among them, collecting clues is a very critical preparation. Only when enough attack evidence is obtained can the attacker's whereabouts and attack path be analyzed more accurately.

When a serious network security incident occurs, investigators should first set the priority of disposal tasks according to the damage status of the assets and the characteristics of the attack methods, so that they can make quick decisions when necessary, and use the method of elimination to uncover the truth about the attack.

When the security incident investigation process is started, security analysts should understand the incident-related information as comprehensively as possible, which requires them to be fully familiar with their roles and responsibilities in their daily work. The rapidly changing IT environment often requires analysts to update their skill sets synchronously in real time, such as understanding cloud computing, big data, etc. When investigating security incidents, analysts should be able to quickly identify the operating status of all assets they are responsible for, and actively participate in the vulnerability management and scanning discovery process.

The quantity and quality of the security incident information collected will determine the outcome of the incident investigation, helping analysts understand exactly the extent of the threat they face and the likely consequences. It should be pointed out that since many attack groups have begun to use the "attack as a service" SaaS business model, it is not difficult to accurately understand these attack techniques. However, in some sensitive scenarios (such as attacks on critical infrastructure sectors such as energy), security analysts need to pay attention to whether more unconventional attack methods are in use.

In many cases, analysts may be confronted with insufficient information, insufficient time, and a lack of authority, which can throw the investigation into a state of confusion and panic. In this case, a well-trained incident investigation team must articulate its expertise, gain the understanding and support of the business, and drive the incident investigation forward.

Responsibilities of Investigators

Investigators of network security incidents have access to a large amount of incident information, and how to keep it confidential is an extremely sensitive issue, and investigators should be fully aware of this. They need to understand that if a company suffers a data breach, it could lead to business collapse and legal consequences. Therefore, investigators should never knowingly cause such harm.

Those involved in incident investigations should only pay attention to and collect the data necessary to complete their own investigation tasks, usually including logged-in user accounts, programs that have been launched, and program startup times. Unless specifically required, investigators should not collect sensitive customer information that the customers would not want disclosed. It is worth mentioning that all information collected during the investigation should be properly stored under strict security protocols and deleted after a specified retention period.

There are also concerns that investigators may share information about the incident with others. In fact, no member of the investigative team is under any obligation to provide third parties (including the police) with information about the incidents under investigation, as it is up to the managers of the victimized companies and the actual victims to decide whether to report such incidents.

Furthermore, the work and actions of investigators are not aimed at disrupting or punishing the information security department. It is not always appropriate to fire security personnel for possible negligence following an incident. While this sometimes happens, no security system is perfect and there are bound to be loopholes. Accountability for security incidents has nothing to do with the security incident investigation itself; it is a decision that needs to be made by the management of the enterprise.

In the incident investigation report given by investigators, complete information on the incident process should be included. If the incident occurred due to an unresolved, pre-existing and well-known vulnerability, the full extent of the vulnerability found must be attached to the report. Investigators must not withhold such information.

Legal challenges

Since network security has become a part of national security, many network attack incidents cannot be effectively resolved by enterprises alone. In many cases, enterprises need to choose to cooperate with the judiciary, and even hand over the final disposal of the incident to the court for judgment.

Because judicial information is public, doing so could make a security incident public, which could pose a reputational risk to the business. Therefore, some companies deliberately conceal the investigation of network security incidents out of concern for their reputation, thereby delaying the handling of the matter and creating greater security hazards.

Therefore, if certain security incidents need to be resolved through the judicial process, enterprise management should make a decision as soon as possible, which requires a comprehensive risk assessment. In this case, it is best for businesses not to make any changes to the network infrastructure without authorization, but to seek advice from a law firm immediately; professional lawyers can provide counsel and recommend appropriate courses of action.

Another legal risk in the investigation of cybersecurity incidents is how to ensure that the process of copying, deleting or overwriting data is properly controlled and documented. If evidence collection was not done correctly or violated legal requirements, courts may challenge the validity of the data in litigation and refuse to admit it.
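The two practical requirements above, collecting only what the investigation needs and retaining it for a fixed period, and making every copy of evidence controlled and documented, can be enforced with a small acquisition routine. The following Python script is an added example written for this article, not code from the original post: it copies an evidence file, verifies the copy by SHA-256 before and after, appends a chain-of-custody record (case id, collector, hashes, timestamp and a deletion date derived from a retention period) to a JSON-lines log, and can later re-verify every copy against the log. The case id, collector name, log line and retention period are constructed sample values; the demo runs entirely inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_evidence(source, dest_dir, collector, case_id, retention_days=90):
    """Copy one evidence file, prove the copy is identical, and record custody.

    The record is what a court or auditor would ask for: who copied what, when,
    the hash that ties the copy to the original, and when it is due for deletion.
    """
    os.makedirs(dest_dir, exist_ok=True)
    before = sha256_file(source)
    dest = os.path.join(dest_dir, os.path.basename(source))
    shutil.copy2(source, dest)          # copy2 preserves timestamps as well
    after = sha256_file(dest)
    if before != after:                 # never keep a copy that does not match
        os.remove(dest)
        raise RuntimeError("copy verification failed for %s" % source)
    now = datetime.now(timezone.utc)
    record = {
        "case_id": case_id,
        "source": os.path.abspath(source),
        "copy": os.path.abspath(dest),
        "sha256": after,
        "size": os.path.getsize(dest),
        "collected_by": collector,
        "collected_at": now.isoformat(),
        "delete_after": (now + timedelta(days=retention_days)).date().isoformat(),
    }
    with open(os.path.join(dest_dir, "custody_log.jsonl"), "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify_evidence(dest_dir):
    """Re-hash every copy named in the custody log; return the ones that changed."""
    tampered = []
    with open(os.path.join(dest_dir, "custody_log.jsonl")) as f:
        for line in f:
            rec = json.loads(line)
            if not os.path.exists(rec["copy"]) or sha256_file(rec["copy"]) != rec["sha256"]:
                tampered.append(rec["copy"])
    return tampered


def demo():
    """Constructed sample run: one fake auth log line in a temp directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:
        f.write("Jan 10 09:12:01 host sshd[1234]: Accepted password for alice from 10.0.0.5\n")
    evidence_dir = os.path.join(work, "evidence")
    rec = acquire_evidence(src, evidence_dir, collector="analyst-01", case_id="CASE-0001")
    clean = verify_evidence(evidence_dir)   # [] while the copy is untouched
    with open(rec["copy"], "a") as f:       # simulate a modified copy
        f.write("edited after acquisition\n")
    dirty = verify_evidence(evidence_dir)   # [<copy path>] once it no longer matches
    return rec, clean, dirty


if __name__ == "__main__":
    rec, clean, dirty = demo()
    print(json.dumps(rec, indent=2))
    print("integrity before modification:", "OK" if not clean else clean)
    print("integrity after modification:", dirty)
```

In practice the custody log itself should live on write-once or access-controlled storage, and the scheduled deletion implied by `delete_after` should be carried out and logged the same way, so that the retention rule in the text is demonstrable rather than assumed.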


Origin blog.csdn.net/Arvin_FH/article/details/132166727