Crisis management

After the crisis: the importance of investigation

Determining the end of a cyber crisis remains complex, as it is often marked by the cessation of emergency measures and the resumption of activity, sometimes in degraded mode. However, once the crisis cells have been closed, the challenge remains: to continue investigations and carry out a post-mortem analysis. The aim? To strengthen the organization's cyber resilience.
3 min

What are the stages in a post-crisis investigation?

Post-crisis investigation must begin with a detailed analysis of how the incident was handled. Every step, action and decision must be accurately recorded.

In parallel with this post-mortem analysis, Security Operations Center (SOC) analysts will need to continue investigating to determine the true extent of the impact and identify any persistent presence of malicious activity.

Rely on the right tools  

During this stage, SOC analysts will deepen their understanding of the tactics, techniques and procedures (TTPs) employed by attackers. By analyzing event logs and log files, and using behavioral analysis tools, analysts will seek to identify correlations between various suspicious activities.

To this end, the Endpoint Detection and Response (EDR) is an essential ally.

Analyze and clarify the context of an attack 

EDR provides IT and cyber teams with all the contextual elements linked to security events. With this in mind, it is crucial to continue exploiting this data during the post-crisis investigation phase. This ability to contextualize disparate elements over time provides an in-depth understanding of the tactics used by attackers.

This information (security events, correlations, telemetry) can also be used to trace the attack and understand the attacker’s path.

Spotting persistent traces 

Some attacks leave persistent traces in the system. For example, a major retailer was able to find traces of old attacks after deploying EDR on all its endpoints sites. Here, too, this in-depth investigation shows its usefulness in ensuring that the organization is truly out of danger, and that the attacker is no longer present in the system.

Keep a record for filing a complaint 

It is crucial to keep and exploit computer traces. These traces, often referred to as “digital evidence”, recovered from EDR, are essential to the complaint process and subsequent investigations.

Computer traces therefore constitute electronic evidence admissible in court. They support allegations and provide tangible evidence in support of a complaint.

What can you do with the results of your investigation?

Prioritize your efforts

Analysis of attackers’TTPs plays a central role in prioritizing security efforts. Lessons learned from sophisticated attacks, such as the one against US cybersecurity firm FireEye in December 2020, underline the importance of focusing on the specific techniques and tactics exploited during an attack.

The post-investigation action plan stems directly from the findings of the in-depth investigations. It encompasses a set of targeted measures aimed at reinforcing the security and resilience of the IT infrastructure. These actions may include, among others, deploying security solutions on non-covered machines, reviewing and modifying administrative privileges, and reinforcing corporate information systems security policies.

Reconfiguring your tools

Depending on the results of your investigations, you will need to change the configuration of your detection tools (NDR, MDR, SIEM, EDR…).

For example, for EDR, detection rules can be modified or added following analysis of TTPs during the investigation phase. These rules are based on recognized standard formats such as YARA, for signature-based detection, and SIGMA, for behavioral detection.

Drawing lessons to guard against future risks

In conclusion, post-crisis investigation is more than just retrospective analysis. Carried out with the right tools, it provides analysts with the keys to understanding how the crisis was triggered. This in turn enables them to draw the necessary lessons,adjust their IT security strategy and avoid similar incidents in the future. This investigation phase is therefore part of a continuous improvement process, aimed at reinforcing the organization’s security posture over the long term.

Improve your cyber strategy with feedback from Antonin Garcia, CISO at Veepee.