Forensic solution

To make your environment resistant to zero-day attacks, or to reduce the impact of a security incident, your incident response team (IRT) must react quickly to determine the scope and impact of the incident.

In such cases the IRT needs automation tools:

  • To analyse the malware used in an attack.
  • To determine the attack vector, the security breach, the compromised services, and the lost data.
  • To minimize overall losses by rapidly neutralizing the attack.

To satisfy these requirements:

  • Create a Security Domain with an incident analysis and investigation toolkit, as well as storage for digital evidence.

  • Once a project or cluster is compromised, change its gateway IP to redirect traffic to a forensic network for monitoring and analysis.

  • Take advantage of automated malware analysis systems within the Security Domain for both early detection of suspicious objects and forensic investigation.

    For example, use an IDPS such as Suricata, Snort, or Bro to extract files from an unencrypted mail or web stream and send them to a malware analysis sandbox, which verifies their behavior by opening or executing them in an isolated environment.

    Note

    For TLS/SSL-encrypted traffic, terminate the encryption on a virtual proxy server, or use a dedicated hardware firewall capable of decrypting traffic for high-throughput deep packet inspection.
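The following added example (not code from this page or from any of the products it names) shows the glue that sits between the IDPS and the sandbox in the workflow above: it reads Suricata file-extraction events, keeps only files carved from unencrypted mail or web streams, deduplicates them by hash, checks that the bytes on disk still match what the sensor logged (a chain-of-custody check worth having before evidence leaves the Security Domain), and hands each unique file to a caller-supplied sandbox submission function. It assumes Suricata's EVE JSON `fileinfo` events and the filestore v2 layout `<filestore>/<sha256[:2]>/<sha256>`; the sample events and files are constructed here, and the sandbox API is deliberately left to the caller because it differs between products.

```python
"""Triage Suricata file-extraction events before sandbox submission.

Assumptions (not taken from the page): Suricata emits EVE JSON records with
event_type "fileinfo" and stores extracted files under
<filestore>/<sha256[:2]>/<sha256> (filestore v2). Submission to the sandbox
is delegated to a function supplied by the caller.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Only files carved from clear-text mail or web streams can be extracted
# this way; TLS traffic must be terminated first (see the note above).
CLEAR_TEXT_PROTOS = {"http", "smtp"}


def sha256_of(path):
    """Stream a file through SHA-256 so large carved files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_fileinfo(eve_lines, filestore):
    """Return (to_submit, rejected) for a sequence of EVE JSON lines.

    to_submit: dict sha256 -> record, so the sandbox runs each unique file once.
    rejected:  list of (reason, record) kept for the investigation audit trail.
    """
    to_submit, rejected = {}, []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue  # alerts, flows, etc. are not file events
        info = ev.get("fileinfo", {})
        rec = {
            "ts": ev.get("timestamp"), "src": ev.get("src_ip"), "dest": ev.get("dest_ip"),
            "proto": ev.get("app_proto"), "name": info.get("filename"),
            "sha256": info.get("sha256"), "size": info.get("size"),
        }
        if rec["proto"] not in CLEAR_TEXT_PROTOS:
            rejected.append(("not a clear-text mail/web stream", rec)); continue
        if not info.get("stored") or not rec["sha256"]:
            rejected.append(("file not stored on disk", rec)); continue
        if rec["sha256"] in to_submit:
            rejected.append(("duplicate sha256", rec)); continue
        path = Path(filestore) / rec["sha256"][:2] / rec["sha256"]
        if not path.is_file():
            rejected.append(("missing from filestore", rec)); continue
        # Evidence integrity: the bytes on disk must match what the sensor logged.
        if sha256_of(path) != rec["sha256"]:
            rejected.append(("hash mismatch, evidence may be tampered", rec)); continue
        rec["path"] = str(path)
        to_submit[rec["sha256"]] = rec
    return to_submit, rejected


def submit_all(to_submit, submit):
    """Hand every unique file to the sandbox via submit(path, metadata)."""
    return [submit(rec["path"], rec) for rec in to_submit.values()]


def build_demo():
    """Constructed sample data: one good carved file plus events that must be rejected."""
    root = Path(tempfile.mkdtemp(prefix="filestore-"))
    good = b"constructed sample payload, not real malware\n"
    logged = b"original bytes as logged by the sensor\n"
    good_sha = hashlib.sha256(good).hexdigest()
    logged_sha = hashlib.sha256(logged).hexdigest()
    # The second file is written with different bytes than the sensor hashed.
    for sha, data in ((good_sha, good), (logged_sha, b"bytes changed after logging\n")):
        d = root / sha[:2]
        d.mkdir(parents=True, exist_ok=True)
        (d / sha).write_bytes(data)

    def ev(proto, name, sha, stored=True):  # constructed EVE record, not real output
        return json.dumps({"timestamp": "2024-01-01T00:00:00+0000", "event_type": "fileinfo",
                           "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "app_proto": proto,
                           "fileinfo": {"filename": name, "sha256": sha, "stored": stored, "size": 44}})

    lines = [
        ev("http", "/invoice.exe", good_sha),
        ev("smtp", "invoice.exe", good_sha),            # same bytes via mail: deduplicated
        ev("tls", "/blob", good_sha),                   # encrypted stream: cannot be carved
        ev("http", "/stream", "0" * 64, stored=False),  # never written to disk
        ev("http", "/evil.bin", logged_sha),            # filestore bytes no longer match
        json.dumps({"event_type": "alert", "app_proto": "http"}),  # not a file event
    ]
    return triage_fileinfo(lines, root)


if __name__ == "__main__":
    queue, dropped = build_demo()
    print("to submit:", [r["sha256"] for r in queue.values()])
    print("rejected:", [reason for reason, _ in dropped])
```

In production `eve_lines` would be a tail of Suricata's `eve.json` and `submit` would post the file to whatever sandbox the Security Domain runs; the rejected list is worth writing to the evidence store as well, since a hash mismatch on a carved file is itself a finding.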