Automating DFIR with SOAR

A Digital Forensics and Incident Response (DFIR) plan is a systematic and documented method of approaching and managing situations resulting from IT security incidents or breaches as well as collecting evidence related to those incidents or breaches. DFIR plans are used in enterprise IT environments and facilities to identify, respond, limit and counteract security incidents as they occur.

What is DFIR and why do I care?

The best way to handle an incident is by being prepared and having already taken the necessary precautionary steps. This involves a specific process of identifying a set of individuals to make up the incident response team, making sure they are well trained for any procedures they may need to execute, creating a detailed document called the incident response plan and continually practicing and updating the incident response plan. The plan should have detailed steps for each type of incident that identifies the actions to be carried out, the order they should be executed, and which team members are involved. It is not a question of if you need to have a process and plan for digital forensics and incident response, it is only a matter of when you will be using it.

  • Overview: Traditional digital forensics and incident response is very dependent on physical systems and physical access. However, most organizations now run one or more of their services in the cloud. To address modern hybrid infrastructures your digital forensics and incident response plan must account for systems that are virtual and located outside your premises.
  • Preparation: Preparation ensures that the DFIR is in a ready-to-execute state. Preparation also ensures that personnel are trained and that infrastructure and software needs are met ahead of time.
  • Detection: Detection handles the initial identification and triage of an incident and establishes a chain of command for the incident response through investigation and documentation. A security orchestration, automation and response (SOAR) platform can automate ingestion of alerts or events from any number of security and networking devices on your network, as well as monitor email inboxes.
  • Containment: Containment stops the incident from increasing in severity or scope. Containment protects the organization. A SOAR platform can orchestrate various security and networking tools to gather evidence from a system, shut off network access to a system, power down systems, and correlate alerts and incidents to help identify spreading compromises.
  • Eradication: Eradication eliminates the root cause of incident to secure affected assets and to prevent further breaches. A SOAR platform, collecting backup data from a system, reimagining a system, redeploying containers and running on-system malware scans or scripts can all be automated and available at the click of a button.
  • Recovery: Recovery restores pre-incident functionality to affected systems. A SOAR platform can use scripts or vendor tools to push standard images to systems, restore backed up data to assist in the recovery process, as well as verify whether expected accessibility and behavior have been restored.
  • Lessons Learned: A lessons learned exercise is a retrospective focused on improving processes & procedures. An incident report based on the timeline of the incident is created and agreed on. The report should identify when things happened and ensure everyone agrees with the details. The lessons learned phase is often overlooked or skipped but it is very important because it reviews the incident and finds opportunities for improvements in the incident response plan and the overall security posture.
  • Benefits of Automation: Automating the digital forensics and incident response plan and process can provide some very useful benefits like better consistency and uniformity of the actions, an increase in speed and accuracy, better tracking of what is taking place, and a reduced divergence from the plan itself. The process of gathering all data related to a case from multiple tools, environments, and sources can be automated with a SOAR platform. Most SOAR platforms allow data to be exported or reported in various formats.

*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Heather Williams. Read the original post at: https://swimlane.com/blog/automating-dfir-with-soar/