A Dive in Incident Handling and Digital Forensics: Using Automation to improve Response to APT Incidents

dc.contributor.author: Lucian, Cristiano
dc.contributor.department: Department of Computing
dc.contributor.faculty: Faculty of Technology
dc.contributor.studysubject: Information and Communication Technology
dc.date.accessioned: 2023-09-26T21:07:51Z
dc.date.available: 2023-09-26T21:07:51Z
dc.date.issued: 2023-09-25
dc.description.abstract: Over the last few years, companies have grown enormously in terms of IT; their structure has expanded, and consequently, they have been facing cybersecurity incidents more frequently. The entry of governments into so-called cyberwarfare has allowed threat actors to gain tremendous resources, developing tactics and malicious software that are increasingly complex to detect. The evolution of the attacker has therefore culminated in the Advanced Persistent Threat (APT), which aims to establish itself in stealth mode in a company's IT infrastructure, exfiltrating data and entrenching itself ever deeper in the system. Experts in the field thus often find themselves unprepared, with tools that are not state-of-the-art, or overloaded with work given the high number of operations to be performed and the pressing time requirements during the incident response phases. These issues lead either to more time-consuming investigations or, conversely, to a reduction in the quality of forensic analyses, with possible loss of evidence and unsatisfactory results. This thesis aims to propose an open-source automation that removes side operations, such as data manipulation, from the professional's workload, while providing support through automated analysis that can result in a more advanced starting point for digital forensics investigations. The proposed toolchain consists of an automated pipeline, built around the needs of a specific SOC team, that collects data directly from infected machines and remotely sends it to a forensic analysis platform. This information goes through a reorganisation process to obtain a timeline of the events critical to understanding the life of the machine under investigation; it is also supplemented with OSINT knowledge, gathered through a meticulous data enrichment procedure, to support the analyst.
Automation also allows the processing of large amounts of data and the correlation of timelines from different devices in order to obtain a more general view of the ongoing incident. To evaluate its effectiveness in a potential scenario, an experiment was carried out after deployment: the artefacts of an APT were collected and analysed by two equally experienced analysts, one using the proposed solution and the other using spreadsheets, who reported their findings and provided personal feedback. This test showed how automation can provide crucial assistance during forensic operations, enhancing the arsenal of blue teams and improving analyst satisfaction.
dc.format.extent: 96
dc.identifier.olddbid: 192780
dc.identifier.oldhandle: 10024/175847
dc.identifier.uri: https://www.utupub.fi/handle/11111/24453
dc.identifier.urn: URN:NBN:fi-fe20230926137400
dc.language.iso: eng
dc.rights: This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
dc.rights.accessrights: suljettu
dc.source.identifier: https://www.utupub.fi/handle/10024/175847
dc.subject: Incident Response, Digital Forensics, Automation, Elasticsearch, APT, Windows, SOC
dc.title: A Dive in Incident Handling and Digital Forensics: Using Automation to improve Response to APT Incidents
dc.type.ontasot: Master's thesis

Files

Name: MSc_Thesis___A_Dive_in_Incident_Handling_and_Digital_Forensics.pdf
Size: 4.86 MB
Format: Adobe Portable Document Format