DFIR intro


Handle the attack and initiate DFIR

What do you do if your company is exposed to a cyberattack? On this website you will find inspiration for handling and reporting the incident.

Audio file

You can download the following as an audio file (8:37 minutes):

emergency handeling final (MP3, 7.90 MB) (Danish)

What is it?

Here I present my suggestions on how to prepare for an incident.

(UPDATE - 29-01-2022: the page is written in bullet form; the intention is to elaborate later)

Where to start

Do you have no security in place at all? Then call a friend! I mean that 100% seriously. You probably would not set out on an expedition to a mountain summit on day 1 without preparation, and you would not do it without a few good pieces of advice either.

Find out what your business depends on most. For example, it could be your website: without it there are no sales. Whatever you have going on, make sure you get started with that. The [CIS controls](https://www.cisecurity.org/) are a good place to start.

What you can learn there is how to do a risk assessment (based on CIS-RAM) and which controls they recommend. From there, you can start planning your protection.

My recommendation is that you look in the direction of the [CREST procurement guide](https://www.crest-approved.org/wp-content/uploads/CSIR-Procurement-Guide-1.pdf) for dealing with cyber attacks. This is because you need a very basic plan for what you want to do, whether or not your other plans are in place. It is equivalent to investing in a fire blanket and a fire extinguisher even if you have not yet set up escape plans and alarms.

What do you need to have ready (physically and practically)?

  1. Overall IT security plan + what users may and may not do (Acceptable Use Policy)
  2. Incident management for outages and security incidents. Define when something is an event and when it is a security incident.
  3. Documents that contain telephone numbers and an escalation schedule for incidents, so as to minimize doubt
  4. Establishment of a "war room" and who is responsible for which tasks. The war room is the meeting room where those handling the situation are stationed. An updated list outside the room is recommended, so there is no doubt about who to contact.
  5. The data protection officer must be involved and informed in the event of personal data loss and must keep in touch with [the Danish Data Protection Agency](https://www.datatilsynet.dk/sikkerhedsbrud/anmeld-sikkerhedsbrud)
  6. A room where all data, including the collected information, is kept (and where only authorized personnel have access, in case of an insider threat)

In addition, a task distribution, so that someone facilitates the practical side. Food, drink and other necessities are often overlooked and mean a lot to those who are working hard. It may be necessary to have someone who can run after missing items such as hard drives, USB drives or the like. Then technicians and managers do not have to let go of what they are working on and waste valuable time.

Preparation of digital technologies

  1. Computer hardware such as laptops, USB storage and hard drives.
  2. Software such as virtualization, screenshots, software for securing online data (OSINT tools), etc.
  3. Jump bag (see below)
  4. Analysis lab for malware, logs, network traffic, etc.

Write-block capabilities

In order to secure evidence correctly, it is important to be able to write-protect correctly, so that you do not write data to the disk you are securing; that contaminates the evidence. Write protection can be achieved in several ways. Below are a few examples of how to achieve write protection for your task.

Software

Software write protection can be achieved via a live boot image, such as CAINE or Paladin. The idea is that the system is installed on a USB stick, so you can boot your PC from that USB and get write protection. It costs nothing to download and use.

Software write protection can also be achieved with software you install on your PC. An example of this is Safe Block (Link here), which, however, costs some money. It lets you write-protect all the devices you connect to the system, which means you get SATA and USB in one function. It is a little cheaper to purchase than hardware equipment.

The website digitalforensics.com has made a good list of equipment. [Read more here](https://www.digitalforensics.com/blog/software-write-blockers-overview/)

Hardware

Hardware write protection is an electronic device inserted between the hard disk and the computer, which thereby achieves write protection.

It is often a device that works via the USB port. It is quite simple to use, and there is no speed reduction if you use USB 3.x.

They can be used with all operating systems, and you image through them with FTK (Windows 10) or dd (Linux/Mac). It is a one-time investment you have to make.
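As an added example (not from the original page, and not any vendor's tool), the following POSIX shell script shows the two checks that go with the dd imaging mentioned above: refuse to image unless the source is write-blocked, and verify the image by hash afterwards. It assumes Linux or macOS with dd, ls, cut and sha256sum (or shasum); on a real acquisition the source is a block device behind a hardware blocker or one marked read-only with `blockdev --setro`, while for a regular file the read-only check looks at the owner write bit so the logic can be exercised on a constructed evidence file.

```shell
#!/bin/sh
# Added example, not from the original page: image a write-blocked source
# with dd and verify the result by SHA-256.
# Assumptions: POSIX sh, dd, ls, cut, date, sha256sum (or shasum -a 256);
# blockdev (util-linux) only when the source is a Linux block device.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# is_write_blocked PATH: return 0 if PATH is read-only, 1 otherwise.
is_write_blocked() {
  if [ -b "$1" ]; then
    # Linux block device: blockdev prints 1 when the device is read-only.
    [ "$(blockdev --getro "$1" 2>/dev/null)" = "1" ]
  else
    # Regular file (constructed test input): owner write bit is column 3.
    [ "$(ls -ld "$1" | cut -c3)" = "-" ]
  fi
}

# acquire SRC DEST: image SRC into DEST and print the verified SHA-256.
# Return codes: 2 refused (source writable or DEST exists),
# 3 dd failed, 4 image hash does not match the source.
acquire() {
  src=$1; dest=$2
  is_write_blocked "$src" || { echo "refusing: $src is writable" >&2; return 2; }
  [ -e "$dest" ] && { echo "refusing: $dest already exists" >&2; return 2; }
  pre=$(sha256_of "$src")
  # conv=noerror continues past unreadable sectors; conv=sync is left out
  # because zero-padding the last block would change the image hash.
  dd if="$src" of="$dest" bs=64k conv=noerror 2>/dev/null || return 3
  post=$(sha256_of "$dest")
  [ "$pre" = "$post" ] || { echo "hash mismatch for $dest" >&2; return 4; }
  # Chain-of-custody note: when, which hash, which image.
  printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$post" "$dest" >> "$dest.log"
  echo "$post"
}
```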

Below are two examples of hardware write protection, the first from WiebeTech.

WiebeTech has functions such as reading out the serial number and product name of the drive. The WiebeTech FUD 5.5 costs around 3,000 to 4,000 Danish kroner.

The top of the pops at the time of writing is Tableau from Guidance Software. They have made a line-up of different solutions where adapter boxes can be connected with their own cable. The price is on the friendly side of 8,000 Danish kroner. There are prices for every taste. It can be a good investment if you need to secure data from media such as hard drives. If you can combine hardware and software so that you can perform different tasks, you are better off.

Remember: buy what suits YOUR task; you are building YOUR toolbox.

Files for your inspiration for the preparation

dfir 2022 (PDF, 98.66 KB)

trussel og haendelser (PDF, 111.46 KB)

dfir severity chart (DOCX, 11.17 KB)

dfir severity chart (PDF, 37.38 KB)

dfir escalation chart ark1 (PDF, 52.66 KB)