How can we possibly keep up against cybersecurity threats?
The instances of cybersecurity threats targeting businesses continue to grow at an alarming rate—with cyberattack attempts on corporate networks increasing by 50% per week compared to last year [1]. Not to mention the evolution in the complexity and sophistication of these threats.
In the face of these threats, forensic investigators are also coming up against massive volumes of potential datapoints that could be reviewed to determine the validity and extent of incidents.
Time is always of the essence in cybersecurity. The longer a bad actor has access to a system, the more valuable data they may be able to access. Combine this with an increasingly dispersed workforce, with corporate endpoints spread across the map, and you may wonder what you can do to keep up.
One major way? Triage.
Modern Tools for Modern Threats
The development of modern digital forensics and incident response (DFIR) tools has grown significantly along with the continued rise in cybersecurity incidents. To cope with the mountain of data and alerts, solutions for early case assessment triage have become an increasingly important part of DFIR toolkits.
Modern cloud-based triage can help both companies and forensic service providers ensure they are making the most of their resources.
What is Triage?
In digital investigations, triage means prioritizing the data on multiple endpoints (or computers) that may contain Indicators of Compromise (IOCs), so that the endpoints most likely to be compromised are examined first.
Using the initial triage results, DFIR professionals can make the important decision of where to allocate the resources required to conduct a full deep dive forensic acquisition and analysis.
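To make the prioritization step concrete, here is an added example (illustrative code written for this page, not Magnet IGNITE or any Magnet Forensics code) that ranks a set of endpoints by the IOC categories observed on them. The IOC catalogue, the severity weights, the role bonuses, the acquisition threshold and the endpoint records are all constructed placeholders chosen for illustration; a real deployment would take these from the organization's threat intelligence and asset inventory.

```python
"""Endpoint triage prioritization: rank endpoints by observed IOC categories.

Added illustration for this page; the catalogue, weights and sample endpoints
below are constructed placeholders, not real indicators or real hosts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed IOC catalogue: observed indicator -> (category, severity weight).
# Higher weight = stronger evidence that a full forensic acquisition is warranted.
IOC_WEIGHTS: Dict[str, Tuple[str, int]] = {
    "hash_match:known_ransomware_sample": ("ransomware_binary", 10),
    "file:ransom_note": ("ransom_note", 9),
    "process:shadow_copy_deletion": ("shadow_copy_deletion", 8),
    "network:large_outbound_transfer": ("possible_exfiltration", 6),
    "process:remote_admin_tool": ("lateral_movement_tool", 5),
}

# Constructed role bonus: a compromised high-value asset is examined before a
# workstation with the same findings. Applied only when at least one IOC matched.
ROLE_BONUS: Dict[str, int] = {"domain_controller": 3, "file_server": 2, "workstation": 0}


@dataclass
class EndpointTriage:
    """Lightweight triage result collected from one endpoint (constructed)."""
    hostname: str
    role: str
    observed: List[str] = field(default_factory=list)


def score_endpoint(ep: EndpointTriage) -> Tuple[int, Set[str]]:
    """Sum the weights of recognized indicators; unknown strings are ignored."""
    score = 0
    categories: Set[str] = set()
    for indicator in ep.observed:
        if indicator in IOC_WEIGHTS:
            category, weight = IOC_WEIGHTS[indicator]
            score += weight
            categories.add(category)
    if score > 0:
        score += ROLE_BONUS.get(ep.role, 0)
    return score, categories


def prioritize(endpoints: List[EndpointTriage], full_acquisition_threshold: int = 8) -> List[dict]:
    """Return endpoints ordered highest score first, each with a recommended action.

    Actions: 'full_acquisition' at or above the threshold, 'monitor' for weaker
    signals, 'clear' when nothing in the catalogue was observed.
    """
    scored = [(score_endpoint(ep), ep) for ep in endpoints]
    scored.sort(key=lambda item: item[0][0], reverse=True)
    results = []
    for (score, categories), ep in scored:
        if score >= full_acquisition_threshold:
            action = "full_acquisition"
        elif score > 0:
            action = "monitor"
        else:
            action = "clear"
        results.append({
            "hostname": ep.hostname,
            "score": score,
            "categories": sorted(categories),
            "action": action,
        })
    return results


# Constructed sample triage results from five hypothetical endpoints.
SAMPLE_ENDPOINTS: List[EndpointTriage] = [
    EndpointTriage("dc01", "domain_controller",
                   ["process:remote_admin_tool", "network:large_outbound_transfer"]),
    EndpointTriage("fs02", "file_server",
                   ["file:ransom_note", "hash_match:known_ransomware_sample",
                    "process:shadow_copy_deletion"]),
    EndpointTriage("ws07", "workstation", ["process:remote_admin_tool"]),
    EndpointTriage("ws12", "workstation", []),
    EndpointTriage("ws19", "workstation",
                   ["network:large_outbound_transfer", "unknown:benign_noise"]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ENDPOINTS):
        print(f"{row['hostname']:6} score={row['score']:3} {row['action']:17} {row['categories']}")
```

Running the block prints the ranked list: the file server with a ransom note, a known sample and shadow copy deletion lands at the top, the domain controller with lateral movement and outbound transfer signals follows, and the quiet workstation is cleared. The point of the design is that a triage score is a prioritization aid, not a verdict: anything scored "monitor" still deserves a second look once the top endpoints have been acquired.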
Why Triage is Needed Now More Than Ever
As businesses continue to evolve to hybrid frameworks, there is greater exposure to digital threats than ever before. Businesses need to ensure they have the tools to assess remote endpoints for malicious activity such as malware, IP theft and data exfiltration.
But the cybersecurity threat that is top of mind for most digital forensics teams right now is ransomware attacks.
With an estimated 86% of breaches being financially motivated [3], there has been a marked increase in ransomware frequency. In fact, in 2020 close to 25% of organizations reported weekly instances of ransomware infections [4]. In a similar survey, it was reported that the average ransom payment in the first half of 2021 reached $570,000—82% higher than 2020’s average [2].
Many bad actors are now also taking more time in the system prior to launching their attack. With the added time, bad actors will move deeper into the network to ensure the highest potential payout. The technical skill set required to deploy ransomware is also no longer a barrier to initiating an attack, with Ransomware-as-a-service groups growing more prominent, bringing more refined tactics to these breaches:
“Ransomware-as-a-service (RaaS) groups take their time during infiltration and reconnaissance before executing payloads, a marked contrast to the indiscriminate spray-and-pray approach of premodern ransomware operators.” [5]
With the high potential cost and frequency of ransomware attacks, it is essential to contain breaches and stop the further spread of malware or data loss. Triage is a critical step in understanding the extent of the breach and quickly prioritizing the actions to be taken. The response time, and the thoroughness of the response, will contribute to the financial implications of a breach as well as the impact on corporate reputation.
The Need for Speed in Triage Tools
The longer it takes to identify malicious activities the higher the risk of sensitive information being compromised or stolen. Once a bad actor has gained access to a system, they will move laterally through the network to secure increased privileges and high-value assets.
There are several factors that contribute to the speed and efficiency of an incident response, which should be considered when selecting the right triage tool to fit into your technology stack:
- Ease of use – DFIR professionals need to be equipped with tools that are easy to use and increase the efficiency of their investigation. Solutions that can be leveraged by less experienced DFIR staff, and other team members, can also greatly improve the response time to an incident.
- Accessible from anywhere – With the availability of cloud-based tools that can be accessed from any location with an internet connection, travelling onsite or shipping data is becoming increasingly unnecessary. The time and cost associated with these activities becomes difficult to justify when remote, off-network data collection options are available.
- Lightweight – With a threat actor in the system, it is important to tread lightly so they do not accelerate their attack or data exfiltration. The same is also true when dealing with internal bad actors. The ability to collect evidence covertly, so as not to arouse suspicion, can help to prevent important data from being deleted or compromised.
- Scalable – When an issue arises, there is no room for limitations on scale and functionality. You need the full capability of the tools to be at your fingertips, ready to deploy and meet the requirements of any size of incident.
- Integration with other DFIR tools – To truly provide a time-saving solution, a triage tool needs to work effectively with other cybersecurity tools, whether to facilitate in-depth forensic examination or to validate findings in other platforms.
Introducing Magnet IGNITE
With these industry-wide challenges in mind, Magnet Forensics has developed IGNITE to enable rapid triage of remote endpoints—helping you identify where and when a full forensic analysis is required. Because IGNITE is cloud-based, you can access it from any location with an internet connection to quickly triage endpoints for potentially malicious activity and to determine whether data has been exfiltrated from an endpoint.
To learn more or to sign up for a free trial, visit the IGNITE product page.