
Live Response vs. Traditional Forensics

Created: 04 Aug 2014 • Updated: 04 Aug 2014 • 6 comments
By Jamie Porter


The term "live response" is heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics?

Live response and traditional forensics have a lot in common: both look for similar artifacts on a system. The differentiator with live response is that the artifacts are discovered on a live, running system, against an active adversary. With traditional forensics, images are taken of volatile memory and disks before anything is analyzed. Imaging alone can take hours, and then the images need to be processed and indexed to allow for keyword searches; obtaining and processing an image can easily take a day or longer with large-capacity disks. With live response there is no imaging or processing that has to occur; everything is real time. This dramatically improves the response time in identifying and quantifying a threat, and the quicker the threat is identified, the quicker it can be contained and remediated.

A typical live response scenario is a response to an immediate and active threat. Many times the details of the threat are unknown, so the first priority is identifying and quantifying it. Using live response memory analysis techniques we can quickly pull a process listing showing what is running and begin identifying suspicious processes (unsigned images, processes running from user-writable directories, and unexpected parent/child relationships are the usual first cut). Other common artifacts to look for in memory are suspicious mutexes: malware frequently creates a named mutex so that only one copy of itself runs, and it is common for a malicious mutex name to be a string of random characters, similar to Zeus domain names. Once we have identified the suspicious process, a sample of the code is pulled from running memory and analysis of the malware and creation of IOCs can begin. An advantage of pulling the code from memory rather than from disk is that the in-memory image has already been decrypted and unpacked, so the unpacking step can be skipped (a dumped image will usually still need its import table rebuilt before it can be disassembled cleanly). All of this work can easily be completed before images would even have been gathered using a traditional forensic approach.
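A first-pass process and mutex triage of the kind described above, as an added example that is not part of the original post or of any Symantec tooling. It uses built-in cmdlets for the process inventory and assumes Sysinternals handle.exe and procdump.exe are on the PATH (assumption) for the mutex listing and the memory dump; the entropy threshold, minimum name length and the C:\IR output directory are arbitrary starting points, not values from the post.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt.
# Assumptions: Sysinternals handle.exe and procdump.exe are on PATH; C:\IR is writable.

# Shannon entropy in bits per character. Random-looking names (e.g. "x7Qp2zLk9vB3mN1r")
# score close to 4; readable names with repeated letters score lower.
function Get-StringEntropy {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $h = 0.0
    foreach ($g in ($Text.ToCharArray() | Group-Object -CaseSensitive)) {
        $p = $g.Count / $Text.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)
}

# Process inventory with parent, image path and Authenticode status. Images that are
# unsigned or run from user-writable locations are flagged for a closer look.
function Get-ProcessTriage {
    Get-CimInstance Win32_Process | ForEach-Object {
        $sig = 'n/a'
        if ($_.ExecutablePath) {
            $sig = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue).Status
        }
        $userWritable = $_.ExecutablePath -match '\\(AppData|Temp|ProgramData|Public)\\'
        [pscustomobject]@{
            PID         = $_.ProcessId
            PPID        = $_.ParentProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            Signature   = $sig
            CommandLine = $_.CommandLine
            Suspicious  = ($userWritable -or ([string]$sig -notin @('Valid', 'n/a')))
        }
    }
}

# Named mutexes (kernel "Mutant" objects) per process, parsed from handle.exe output and
# scored by entropy. Long, high-entropy names are the "random string" pattern from the post.
function Get-MutexTriage {
    param([double]$EntropyThreshold = 3.5, [int]$MinLength = 12)
    $current = @{ Name = '?'; PID = 0 }
    foreach ($line in (& handle.exe -accepteula -nobanner -a 2>$null)) {
        if ($line -match '^(\S+)\s+pid:\s+(\d+)') {
            $current = @{ Name = $Matches[1]; PID = [int]$Matches[2] }
            continue
        }
        if ($line -match '^\s*[0-9A-F]+:\s+Mutant\s+(.+)$') {
            $full  = $Matches[1].Trim()
            $short = $full.Split('\')[-1]          # drop \Sessions\N\BaseNamedObjects\
            $score = Get-StringEntropy $short
            [pscustomobject]@{
                Process    = $current.Name
                PID        = $current.PID
                Mutex      = $full
                Entropy    = $score
                Suspicious = ($short.Length -ge $MinLength -and $score -ge $EntropyThreshold)
            }
        }
    }
}

# Pull the process image from memory so malware analysis and IOC creation can start.
function Save-ProcessDump {
    param([Parameter(Mandatory)][int]$ProcessId, [string]$OutDir = 'C:\IR')
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    & procdump.exe -accepteula -ma $ProcessId (Join-Path $OutDir "pid$ProcessId.dmp")
}

# Review the flagged rows first, then dump the process that stands out.
Get-ProcessTriage | Where-Object Suspicious | Format-Table PID, PPID, Name, Path, Signature -AutoSize
Get-MutexTriage   | Where-Object Suspicious | Format-Table Process, PID, Mutex, Entropy -AutoSize
# Save-ProcessDump -ProcessId 1234   # replace with the PID chosen from the tables above
```

The entropy score is a triage filter, not a verdict: legitimate software also uses GUID-named mutexes, which score high, so compare the flagged rows against a known-good host before dumping anything.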

It's not just volatile memory: other information such as prefetch files, registry keys, open network connections, system accounts, and so on can be gathered almost instantly using live response.

The key to using live response successfully is being very specific and focused about what to examine. When large files such as the registry hives or the $MFT are transferred, things slow down dramatically. For example, instead of pulling back the entire $MFT, focus on specific locations where malware is commonly dropped, such as each user's %APPDATA% directory (C:\Users\<user>\AppData\Roaming), and instead of pulling back the complete registry, start by looking at the keys commonly used for persistence, such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its HKCU counterpart.
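A focused collection of the artifacts named above (Run keys, recently written binaries under each user's AppData\Roaming, the prefetch directory, and established connections), as an added example that is not from the original post. It assumes an elevated PowerShell session on the suspect host and a writable C:\IR staging directory (assumption); the seven-day window and the file-extension list are arbitrary starting points.

```powershell
# Added example, not code from the original post. Pulls small, targeted artifact sets
# instead of whole hives or the $MFT. Assumptions: elevated session; C:\IR is writable.

$Staging = 'C:\IR\triage'                   # assumption: local staging directory
New-Item -ItemType Directory -Force -Path $Staging | Out-Null

# Persistence: one row per Run/RunOnce value, for the machine hive and every loaded
# user hive (HKCU alone would only show the hive of the account running this script).
function Get-RunKeyEntries {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $suffixes = 'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $roots = @('HKLM:') + @(Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($suffix in $suffixes) {
            $key = "$root\$suffix"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -in $meta) { continue }   # skip provider metadata
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Drop location: executable content written in the last N days under each user's
# %APPDATA% (C:\Users\<user>\AppData\Roaming), hashed for IOC matching.
function Get-RecentAppDataBinaries {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem 'C:\Users\*\AppData\Roaming' -Recurse -File -Force -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.scr, *.ps1, *.vbs, *.js, *.bat, *.cmd |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Written = $_.LastWriteTime
            Bytes   = $_.Length
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
}

# Prefetch: names, sizes and last-run times only; individual .pf files can be pulled later.
function Get-PrefetchSummary {
    Get-ChildItem 'C:\Windows\Prefetch\*.pf' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, Length
}

# Network: established TCP connections joined to the owning process image.
function Get-ConnectionTriage {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }
}

# Each pull lands as a small CSV that can be shipped back and diffed against a known-good host.
Get-RunKeyEntries         | Export-Csv (Join-Path $Staging 'runkeys.csv')        -NoTypeInformation
Get-RecentAppDataBinaries | Export-Csv (Join-Path $Staging 'appdata_recent.csv') -NoTypeInformation
Get-PrefetchSummary       | Export-Csv (Join-Path $Staging 'prefetch.csv')       -NoTypeInformation
Get-ConnectionTriage      | Export-Csv (Join-Path $Staging 'connections.csv')    -NoTypeInformation
```

Hashing and writing to the local disk does alter the host (file-system timestamps, prefetch entries for PowerShell itself), so if a full forensic image may be needed later, stage the CSVs on a network share or removable media rather than C:\IR, and record exactly what was run and when.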

Traditional forensics will always be needed to provide the in-depth analysis that identifies how the malware got onto the system and what activities took place while it was active. Where live response excels is at quickly identifying and containing an active threat: the quicker we can identify the threat, the quicker containment and remediation can take place.

There are many open source and commercial tools available for live response; for insight into one of them, check out my colleague Trent Healy's post on YARA.


Comments (6)

Robert Shaker:

Jamie,

This post provides a lot of clarity on the two different scenarios for response. What are some things you think organizations can do in advance of an incident that requires live response, to provide better information to responders and make them more successful?

Thanks!

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

Jamie Porter:

Bob,

That's a great question. Garrett Bechler and I did a presentation on just that topic at the last Vision conference. There is a lot that goes into being successful in incident response, probably more than I can address in this comment. If I had to pick one thing, it would be understanding what is normal in the environment.

Robert Shaker:

That makes me think you read Matt's post on Layer 8 sensor arrays? :)


Jamie Porter:

I hadn't read it yet.  But it is a good post and I think he is making some great points.

Vikram Kumar:

Live response is more useful and direct, but the organization still has to make a clear demarcation between what qualifies for live response and what qualifies for forensics.

Also needed are a detailed plan for handling live response and expertise on the part of the person conducting it, as ineffectively conducting live response on a system might make it useless for forensics, especially if at any point law enforcement agencies have to be involved.

But for incident response, live response is far more direct, as results are quick and understanding the overall impact is much faster; the broader response to the threat is much quicker and will cause less impact. For example: understanding which IPs/domains (C&C) to block, which files to submit/block, what vulnerability was exploited and what patch to apply, what to monitor, etc.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Jamie Porter:

Live response is not a replacement for forensics and never will be. It is often difficult to know if forensics will be needed as an incident is spinning up. Many times during the course of a live response, artifacts will be uncovered that move the incident from live response to forensics. Some common indicators that would do this are evidence of data exfiltration or criminal activity, but there are others.
 
