Incident Response at Scale: Considerations

In the realm of Cyber Incident Response (IR) at scale, it can be beneficial to break down IR-related challenges into categories aligned with the various stages and tasks involved. In this regard, two primary stages, namely Collection and Analysis, emerge, each presenting its own unique set of challenges. Considering and planning these ahead, can help if you’re planning operating Incident Response at scale.

Collection considerations

Consider traditional raw artefact collections as an example, whether based on custom in-house tools or commercial products, they can present scalability challenges due to their heavy reliance on large binary collections in addition to having to deal with unstructured data post-collection. Consequently, you may find yourself facing a whole new set of challenges in terms of storage, filtering, and ETL (Extract, Transform, Load), as you deal with substantial volumes of data when all you really need is a small piece of evidence. For instance, commonly, analysts or systems retrieve the entire Master File Table (MFT), often hundreds of gigabytes in size, from a remote host, just to extract a few kilobytes of relevant or required information (likely sought after evidence).

In this context, commercial Endpoint, Detection, and Response (EDR) products or advanced Digital Forensics and Incident Response (DFIR) tools such as Velociraptor can be leveraged to push targeted collections down to the endpoint’s sensor to collect only structured data instead of raw artefacts (like the MFT). With this approach, it can also be possible to define and push collection requirements based on known Tactics, Techniques, and Procedures (TTPs) to exclusively retrieve those that match. Most likely the tools will also retrieve those in a structured format.

Analysis considerations

With traditional analysis, some of the challenges lie in the rarity of knowledge required and the difficulty of nurturing that knowledge to properly process and analyse forensic data. Typically, individuals well versed in Digital Forensics and Incident Response (DFIR) would possess a variety of skills, and extensive practical experience accumulated over the years. This can result in a limitation of having a one-to-one ratio of analysts to investigation cases, and such, if you rely on small teams, even a few active investigations in parallel can challenge your operation and in extreme cases even cause it to crash.

In this context, building your operation around automation that can assist may offer a potential solution. Automated IR Playbooks can be designed to consistently provide valuable forensic data to experienced DFIR analysts, enabling them to build on this information. The logic used in these playbooks should be transparent, repeatable, and refined over time by every user and investigation case. This approach can significantly increase the number of investigations an analyst can support without compromising on the quality of their work.

Ensure balance for building robust Incident Response operation

Whether you’re an internal team securing your organisation, or offering Incident Response as a service, to build a truly resilient Incident Response operation, it is essential to recognise the importance of combining elements from both traditional and scalable approaches. By adopting a balanced strategy that leverages the strengths of each, organisations can establish an operation capable of effectively addressing incidents and overcoming Analysis and Collection challenges.