DFIR is the process of collecting digital forensic evidence, hunting for suspicious activity, and continuously monitoring endpoint events. Going a step further, security expert Scott J. Roberts defines DFIR as "a multidisciplinary profession that focuses on identifying, investigating, and remediating computer-network exploitation."
From a process standpoint, an incident response and investigation plan that leverages comprehensive forensics will include responsibilities such as investigation, analysis management, threat detection, communication, and documentation of findings.
Subsequent remediation and cleanup typically includes removing the attacker's remote-access capabilities, restoring prioritized business processes and systems, and securing compromised user accounts.
Contained in the minutiae of those processes are the following key components of a DFIR framework:
Within the larger framework of a cybersecurity practice, DFIR serves to obtain a finely detailed look at how a breach occurred and the specific steps it will take to remediate that particular incident. Let's dive deeper into the separate functions that make up a holistic DFIR practice.
Detecting the compromised users affected by a breach is the first step toward gaining visibility into what occurred and crafting a timely response, one that ensures attackers are purged from the network, the intrusion is contained and remediated, and any remaining exploitable vulnerabilities are corrected. From there, a deliberate investigation can be conducted, one that identifies evolving attacker behavior and spots it more accurately in the future.
An investigation into a specific breach is never going to look exactly like the one that came before it. A tailored, situational approach to the threat is essential, whether that threat is imminent or has already occurred. When an investigation begins, the security team may acquire data from the affected assets, capturing browser history artifacts, event logs, files in directories, and registry hives, and recording how and when each item was collected so the evidence remains defensible.
The most critical step in gathering threat intelligence is ensuring the data are tailored to each and every function in a security organization. Once put into practice, the intelligence cycle produces results through collection, analysis, and dissemination to the relevant stakeholders in the organization. This process presupposes a heavy emphasis on automated analysis that can quickly search through data and surface relevant insights.
When analyzing potential malware on the network, the security team submits suspicious samples, runs them through a series of analyses, and then classifies the threat according to a risk score. This helps with prioritization: is this something that needs immediate attention, or can it wait? In this analysis stage, reverse engineering the malware can help teams understand its ultimate target and find the best way to eradicate it quickly.
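The triage pipeline described above, as an added example that is not code from the original page: each sample passes through a series of cheap static stages (hashing against a blocklist, file-type check, indicator strings, byte entropy as a packing signal), the findings are combined into a weighted risk score, and the score maps to a tier that tells the analyst whether the sample needs attention now or can wait. The sample bytes, the blocklist entry, the indicator patterns and the score weights are all constructed for illustration and would be tuned to a real environment.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample "files" for the pipeline to chew on (not real malware).
SAMPLES = {
    # PE header, an encoded PowerShell launcher, a download URL, then a
    # high-entropy blob standing in for a packed section.
    "invoice.exe": (
        b"MZ\x90\x00" + b"\x00" * 64
        + b"powershell.exe -enc SQBFAFgA http://198.51.100.7/p.ps1 "
        + bytes(range(256)) * 4
    ),
    # PE header with an ordinary, low-entropy body and no indicators.
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 200 + b"Hello from a plain tool\n" * 10,
    # Plain text document.
    "notes.txt": b"Meeting notes: discuss Q3 budget.\n" * 20,
}

# Constructed blocklist of SHA-256 digests (placeholder value, not real intel).
KNOWN_BAD_SHA256 = {"0" * 64}

# Static indicators that raise suspicion when found in a sample (illustrative).
INDICATORS = {
    "encoded_powershell": re.compile(rb"powershell(\.exe)?\s+-(enc|e|encodedcommand)\b", re.I),
    "url": re.compile(rb"https?://[\w.\-/]+", re.I),
    "cmd_spawn": re.compile(rb"cmd\.exe\s*/c", re.I),
}


@dataclass
class TriageResult:
    name: str
    sha256: str
    size: int
    is_pe: bool
    entropy: float
    indicators: list = field(default_factory=list)
    known_bad: bool = False
    score: int = 0
    tier: str = "low"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(name: str, data: bytes) -> TriageResult:
    """Run one sample through the static stages and assign a risk tier."""
    r = TriageResult(
        name=name,
        sha256=hashlib.sha256(data).hexdigest(),
        size=len(data),
        is_pe=data[:2] == b"MZ",
        entropy=shannon_entropy(data),
    )
    r.known_bad = r.sha256 in KNOWN_BAD_SHA256
    r.indicators = [k for k, rx in INDICATORS.items() if rx.search(data)]

    # Weighted score; the weights and thresholds are assumptions for this example.
    r.score += 10 if r.known_bad else 0     # a blocklist hit alone is enough to escalate
    r.score += 3 if r.is_pe else 0          # executables outrank documents
    r.score += 2 * len(r.indicators)        # each static indicator found
    r.score += 2 if r.entropy > 7.0 else 0  # likely packed or encrypted payload

    if r.score >= 7:
        r.tier = "immediate"   # needs an analyst now
    elif r.score >= 3:
        r.tier = "queue"       # worth a look, can wait
    return r


def triage_all(samples: dict) -> dict:
    """Triage every sample and return results keyed by sample name."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for res in sorted(triage_all(SAMPLES).values(), key=lambda x: -x.score):
        print(f"{res.tier:9} score={res.score:2} entropy={res.entropy:.2f} "
              f"pe={res.is_pe} indicators={res.indicators} {res.name} {res.sha256[:16]}")
```

Static stages like these are only the front of the pipeline; a sample that lands in the "immediate" tier is what gets handed on to dynamic analysis and, where needed, the reverse engineering the text mentions. The hash is computed first and carried with the result so the same artifact can be matched across hosts and intel feeds later.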
Once the scope of the breach is fully determined and the affected assets, applications, and users are contained, a security operations center (SOC) will launch a predetermined plan to restore normal business operating processes. Documentation is key to disaster planning so teams can understand the various components of the backup system. Maintaining an automated, offline backup, one that the attacker cannot reach with the credentials they already hold and that has actually been tested by restoring from it, can further help recovery from a malware attack.
Digital forensics is applied to incident response by being woven into the process. As every security professional knows, it is not enough simply to react to an incident and resolve it; you have to know exactly what happened and how it happened, so that systems can be calibrated for that attack path and surface customized alerts the next time that behavior is spotted.
If someone asks, "What is digital forensics?", we would more pointedly want to have a discussion about multi-system forensics (briefly mentioned above). That is, the ability to monitor and query critical systems and asset types all along a network for indications of suspicious behavior. Let's take a more granular look at what the process entails:
Digital forensics should enable threat responders and hunters to collect, query, and monitor nearly any aspect of an endpoint, a group of endpoints, or an entire network. The practice can also be used to create continuous monitoring rules on an endpoint as well as to automate server tasks. Specific use cases include:
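The querying and continuous monitoring described in the last two paragraphs, together with the event-log acquisition and the "calibrate alerts for that attack path" point made earlier, as an added example that is not code from the original page or from any particular product: a handful of constructed, simplified Windows Security-log style records from two endpoints are parsed into one cross-host timeline, two per-event monitoring rules run over them (an Office application spawning a shell, and an RDP logon from an address outside an assumed jump-host allowlist), and a third rule correlates across hosts to flag the attack path itself, suspicious execution on a workstation followed by a remote logon by the same account on a server. Host names, account names, addresses and the allowlist are all constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified Security-log style events from two endpoints (JSON lines).
RAW_EVENTS = r"""
{"host":"WS-ACCT-07","ts":"2024-03-04T09:12:03Z","event_id":4624,"user":"jdoe","logon_type":2,"src_ip":"-"}
{"host":"WS-ACCT-07","ts":"2024-03-04T09:15:41Z","event_id":4688,"user":"jdoe","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host":"WS-ACCT-07","ts":"2024-03-04T09:16:02Z","event_id":4688,"user":"jdoe","parent":"powershell.exe","image":"rundll32.exe","cmdline":"rundll32.exe c:\\users\\public\\a.dll,Run"}
{"host":"SRV-FILE-01","ts":"2024-03-04T09:31:17Z","event_id":4624,"user":"jdoe","logon_type":10,"src_ip":"10.20.30.44"}
{"host":"SRV-FILE-01","ts":"2024-03-04T09:33:50Z","event_id":4688,"user":"jdoe","parent":"explorer.exe","image":"notepad.exe","cmdline":"notepad.exe"}
{"host":"SRV-FILE-01","ts":"2024-03-05T08:02:11Z","event_id":4624,"user":"admin.ops","logon_type":10,"src_ip":"10.0.0.5"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed allowlist: addresses from which interactive RDP to servers is expected.
JUMP_HOSTS = {"10.0.0.5"}


def parse_events(raw: str) -> list:
    """Parse JSON-lines records into dicts with real timestamps, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def office_spawns_shell(ev: dict) -> bool:
    """4688 process creation where an Office app is the parent of a scripting host."""
    return (ev["event_id"] == 4688
            and ev.get("parent", "").lower() in OFFICE_APPS
            and ev.get("image", "").lower() in SHELLS)


def rdp_from_unexpected_source(ev: dict) -> bool:
    """4624 logon type 10 (RemoteInteractive) from an address not on the allowlist."""
    return (ev["event_id"] == 4624
            and ev.get("logon_type") == 10
            and ev.get("src_ip") not in JUMP_HOSTS)


PER_EVENT_RULES = {
    "office_spawns_shell": office_spawns_shell,
    "rdp_from_unexpected_source": rdp_from_unexpected_source,
}


def evaluate(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Run per-event rules, then correlate across hosts for the lateral-movement path."""
    alerts = []
    for ev in events:
        for name, rule in PER_EVENT_RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "host": ev["host"],
                               "ts": ev["ts"], "user": ev["user"]})
    # Attack-path rule: shell spawned from Office, then the same account logs on
    # remotely to a different host within the window.
    for a in [x for x in alerts if x["rule"] == "office_spawns_shell"]:
        for ev in events:
            if (ev["event_id"] == 4624 and ev.get("logon_type") == 10
                    and ev["user"] == a["user"] and ev["host"] != a["host"]
                    and a["ts"] < ev["ts"] <= a["ts"] + window):
                alerts.append({"rule": "lateral_movement_after_office_shell",
                               "host": ev["host"], "ts": ev["ts"],
                               "user": ev["user"], "from_host": a["host"]})
    return alerts


def hosts_touched_by(events: list, user: str) -> list:
    """Multi-system query: every host on which this account produced events."""
    return sorted({e["host"] for e in events if e["user"] == user})


def timeline(events: list, user: str) -> list:
    """Human-readable, cross-host timeline for one account."""
    rows = []
    for e in events:
        if e["user"] != user:
            continue
        detail = e.get("cmdline") or f"logon_type={e.get('logon_type')} src={e.get('src_ip')}"
        rows.append(f"{e['ts'].isoformat()} {e['host']} {e['event_id']} {detail}")
    return rows


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for row in timeline(evs, "jdoe"):
        print(row)
    for a in evaluate(evs):
        print("ALERT", a["rule"], a["host"], a["ts"].isoformat(), a["user"], a.get("from_host", ""))
```

The per-event rules are what a continuous monitoring rule on an endpoint looks like in miniature; the correlation rule is the piece that only exists because the investigation established the full path from workstation to server, which is exactly the calibration step the text calls for. In practice the allowlist and the window are the two settings most worth tuning, since they decide how noisy the rule is.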
DFIR is a critical tool in a cybersecurity program because it helps to reveal, more accurately and granularly, the methodology and path that an attacker is looking to take, or has already taken, to breach a network.
It's in the best interest of a business and its security program to go beyond response and calibrate preventive measures to recognize the same or similar behavior in the future.
The benefits of DFIR cannot be overstated, as the goal of breach investigation is visibility, so that security teams can gain insight from what happened and build a stronger program.