Trustwave SpiderLabs is among the most well-respected teams in the cybersecurity industry, having gained a reputation for conducting cutting-edge research, plying the foggy corners of the darkweb for information, and detecting and hunting down threats.
What is less well known is how Trustwave's SpiderLabs' various teams' function and then pull together to create the formidable force that is the backbone of all Trustwave's offerings.
This is the second in what will be a series of blogs breaking down how SpiderLabs works to ensure the security of Trustwave's clients. Our first inside look examined Trustwave Security Testing.
In order to bring Trustwave’s Digital Forensics and Incident Response team to life, we asked Jason Bergerson, Director of SpiderLabs Security, to break down how this team operates.
1. What is the basic day-to-day activity of the DFIR team?
The DFIR team performs two types of services, proactive consulting and incident response. Proactive consulting consists of discussions with clients, the development of material, and the delivery of material through reports and/or virtual meetings. The incident response consists of discussions with clients, data collection and preservation efforts, evidence analysis, recommendations to contain, eradicate, and remediate, and delivering findings through virtual meetings and expert reports. In addition, when not performing client work, the team spends time on training and improving sales and delivery material.
2. What are the team's first steps when called onto a case? Does it become a 24/7 operation until the situation is clarified?
Requests for incident response most typically go to our on-call response system. The on-call consultant calls the client and performs an initial scope, and either confirms the client would like to invoke their retainer hours or begin the process of engaging an emergency contract. Once the scope is determined, initial requirements for data sources and technology deployment, where necessary, are provided to the client. Finally, the on-call consultant alerts the global DFIR team and regional managing consultants to ensure the correct number of resources are assigned based on the initial scope of work. The initial assumption is that the work will require a 'follow the sun' model for incident response delivery.
3. What are the most difficult aspects of conducting an investigation?
In most instances, we're taking over an existing environment where the consulting team has little historical knowledge of the environment. This lack of understanding requires collaboration with the client and the local resources to ensure proper access and data collection efforts are undertaken. Additionally, there is often a large volume of initial data to begin analyzing. This activity can front-load the project with necessary work that precedes being able to deliver the initial findings. It is also important to note, the urgent nature of an incident response can sometimes create an unrealistic expectation on how quickly initial findings and recommendations can be delivered. The response cycle is usually delivered in phases; as the investigation discovers new indicators of compromise, the recommendations will increase, and further analysis, and additional evidence sources, may be required.
4. What are some of the skillsets the DRIR team brings to a client when conducting an investigation?
The primary skill that good DFIR consultants possess is the ability to properly perform an investigation. The inquisitive nature of an investigator drives them to figure out how an incident happened, then how it moved in the environment, and what impact it had on the client. Along with having an investigative mindset, another skill is a good understanding of the forensic process, the tools involved, endpoint detection and response technologies, networking architecture, tooling, and logging, and a well-developed understanding of the MITRE ATT&CK framework.
5. What aspects of Trustwave's DFIR process do you believe clients and potential clients don't know but should?
The DFIR Retainer service is a valuable way to engage with Trustwave. The service provides a discounted rate from the emergency rate, a guaranteed service level response time of less than two hours, and a complete transferable hour's conversion to other consulting efforts if the client does not need the hours for an incident response. Once engaged, the process is very dependent on the client's ability to respond to the needs for collection and preservation. Even if it is determined that we must deploy an investigation tool set, that deployment is typically performed by the local IT or security staff. After Trustwave starts analysis, the updates can come through on a 24x7 rolling basis as the Trustwave DFIR team works to resolve the incident. Having client points of contact that can answer questions and implement suggested remediations or provide additional data sources is also a way to dramatically increase the speed with which the project can move forward.