The primary goal of a cyber investigation is to develop sufficient evidence of the breadth and depth of the compromise to enable successful remediation of the affected areas and immobilization of the attackers.
To conduct a cyber investigation of a targeted attack, a company requires four critical capabilities:
- Network forensics will include a centralized, searchable event log repository, combined with deep-packet inspection capabilities, to give the company continuous visibility into network anomalies and security events that will provide insight into attacker techniques.
- Enterprise memory forensics will include the ability to inspect running processes, in memory, looking for suspicious behaviors. This inspection is designed to detect malicious software that is configured never to write to disk, as well as malware that evades signature-based detection mechanisms, which cannot discover malware they have never seen.
- Enterprise host-based forensics will enable the investigation team to confirm malware infection on, access to, or data exfiltration from hosts identified by other work streams or through the forensic process. It will also confirm accounts compromised or created by the attackers that allow persistent access to the environment.
- Enterprise sweep will enable the investigation to search hosts across the enterprise for the indicators of compromise developed during the investigation to identify computer assets that must be remediated during the event eradication.
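The host-based confirmation and enterprise sweep capabilities above both reduce to the same operation: take the indicators of compromise developed during the investigation and match them against artifacts collected from every host, producing the list of assets that must be remediated. The following is an added example, not code from the report or its authors; the host inventory, the indicator set, the hash values and the domain names are all constructed sample data, and the `HostArtifacts`/`Indicators` structures are assumptions standing in for whatever a forensic agent or triage package would actually deliver.

```python
"""Indicator-of-compromise (IoC) sweep across enterprise hosts.

Added example: all hosts, hashes, paths, domains and accounts below are
constructed sample data. In practice the per-host artifacts would come
from an EDR or triage collector; here they are embedded so the sweep
runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class HostArtifacts:
    """Triage data collected from one host (assumed shape, constructed data)."""
    hostname: str
    file_hashes: Set[str]       # SHA-256 of files observed on disk
    process_images: Set[str]    # executable paths of running processes
    dns_queries: Set[str]       # domains the host resolved
    local_accounts: Set[str]    # local user accounts present on the host


@dataclass
class Indicators:
    """Indicators developed during the investigation (assumed shape)."""
    file_hashes: Set[str] = field(default_factory=set)
    process_images: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)
    accounts: Set[str] = field(default_factory=set)


def domain_matches(query: str, ioc_domain: str) -> bool:
    """Suffix match so subdomains of a known attacker domain also hit."""
    q, d = query.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def sweep_host(host: HostArtifacts, iocs: Indicators) -> Dict[str, List[str]]:
    """Return indicators matched on one host, grouped by artifact type.

    Hash, process-image and account matches are exact; domains use
    suffix matching. An empty dict means no indicator was found.
    """
    hits: Dict[str, List[str]] = {}
    hashes = sorted(host.file_hashes & iocs.file_hashes)
    if hashes:
        hits["file_hash"] = hashes
    procs = sorted(host.process_images & iocs.process_images)
    if procs:
        hits["process_image"] = procs
    dns = sorted(q for q in host.dns_queries
                 if any(domain_matches(q, d) for d in iocs.domains))
    if dns:
        hits["dns"] = dns
    accts = sorted(host.local_accounts & iocs.accounts)
    if accts:
        hits["account"] = accts
    return hits


def sweep_enterprise(hosts: List[HostArtifacts],
                     iocs: Indicators) -> Dict[str, Dict[str, List[str]]]:
    """Sweep every host; return only hosts with at least one match."""
    results = {}
    for host in hosts:
        matched = sweep_host(host, iocs)
        if matched:
            results[host.hostname] = matched
    return results


def hosts_to_remediate(hosts: List[HostArtifacts], iocs: Indicators) -> List[str]:
    """Sorted hostnames that must be remediated during eradication."""
    return sorted(sweep_enterprise(hosts, iocs))


# Constructed indicator set: a file hash, a dropped executable path,
# a command-and-control domain and a backdoor account (all invented).
SAMPLE_IOCS = Indicators(
    file_hashes={"deadbeef" * 8},                      # constructed SHA-256
    process_images={r"C:\Users\Public\updater.exe"},  # constructed path
    domains={"c2-example.invalid"},                   # constructed domain
    accounts={"support$"},                            # constructed account
)

# Constructed host inventory: one infected workstation, one server with
# only an attacker-created account, and one clean workstation.
SAMPLE_HOSTS = [
    HostArtifacts("ws-001",
                  {"deadbeef" * 8, "cafebabe" * 8},
                  {r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\updater.exe"},
                  {"beacon.c2-example.invalid", "www.example.com"},
                  {"alice", "Administrator"}),
    HostArtifacts("srv-db-01",
                  {"cafebabe" * 8},
                  {r"C:\Program Files\DB\dbserver.exe"},
                  {"www.example.com"},
                  {"svc_backup", "Administrator", "support$"}),
    HostArtifacts("ws-002",
                  {"cafebabe" * 8},
                  {r"C:\Windows\System32\svchost.exe"},
                  {"www.example.com"},
                  {"bob"}),
]

if __name__ == "__main__":
    for name, hits in sweep_enterprise(SAMPLE_HOSTS, SAMPLE_IOCS).items():
        print(name, hits)
    print("remediate:", hosts_to_remediate(SAMPLE_HOSTS, SAMPLE_IOCS))
```

Grouping hits by artifact type matters for the host-based confirmation step: a host that matches only on an account indicator (as `srv-db-01` does here) points to persistent access rather than malware execution, and the remediation for the two cases differs. Suffix matching on domains is deliberate, since attackers rotate subdomains under a domain they control far more readily than the registered domain itself.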
For more details, download the full report.