Building digital resilience through Digital Forensic and Incident Response (DFIR)

The state of the threat

In an ever-changing digital landscape, the threat to business has never been greater. To respond to the risks faced by its partners, Thales puts its expertise in security incident response at their service. 

While the need for a Digital Forensic & Incident Response (DFIR) capability, with Forensics and Reverse services, or Incident Response Retainer Services, are more compelling than ever, a company cannot necessarily develop such a team on its own. Indeed, in order to be effective and operational, it is necessary to regularly deal with real and varied incidents, in order to acquire and maintain the necessary expertise and skills. 

As part of our 19 consultancy teams around the world, our experts deal on a daily basis with security incidents such as the increasingly frequent "Business Email Compromise" (BEC) frauds, which can result in losses of hundreds of thousands of euros.

What is a Business Email Compromise (BEC) fraud?

A BEC is a sophisticated form of electronic fraud in which cybercriminals target a company, using manipulation and social engineering techniques to compromise its data.

These cyber attacks are characterized by the usurpation of the identity of a trusted individual within the company, often a senior manager or financial officer.

The typical BEC scenario involves an adversary gaining access to an e-mail account through techniques such as phishing, social engineering or malware-based credential collection. Once the account has been compromised, the adversary can monitor communications, study work habits and identify opportunities for targeted attacks.

Once the adversary has taken control of the e-mail account, he can use the compromised account to send fraudulent instructions to other members of the company or their customers, particularly those responsible for finance, encouraging them, for example, to transfer funds. 

Adversaries can also use e-mail account access to gather sensitive information, such as customer, personal or other confidential data, which can then be exploited for fraudulent purposes. 

BECs, by their very nature and the fraudulent access obtained to sensitive documents inexorably raise legal implications in terms of notifications to the relevant authorities. Beyond the financial losses, the theft of personal data thus falls under the well-known General Data Protection Regulation (GDPR). 

Focus on Human Operated Ransomware attacks:

We also routinely deal with "Human Operated Ransomware" (HOR) attacks, which are also starting to come into the public eye. These attacks represent damaging threats, which have been growing significantly since 2018. 

The course of this type of attack follows a well-known chain of steps. Very often, adversaries begin by breaking into their victims' information systems, simply by exploiting the means of remote access (e.g. virtual private networks, 'VPNs') made available to users. To do this, they use passwords acquired through illegitimate channels. As with BECs, these passwords are usually stolen upstream via phishing attacks, even capable of bypassing certain multi-factor protection (MFA) solutions.

In particular, adversaries have in their arsenal malware dedicated to stealing identifiers. For many years now, these so-called "stealers" have been able, once installed by a careless user, to collect and exfiltrate a vast array of sensitive data, such as passwords stored in browsers. Numerous examples of the use of such tools exist, such as Tesla Agents, Redline or Mame.

Using the means put in place by companies to enable their users to access the internal network, adversaries gain their first foothold in the infrastructure. This is generally followed by a network discovery phase, followed by an elevation of privileges to become a domain administrator. 

Finally, after ensuring that the restoration capabilities of backup solutions have been eliminated, adversaries deploy ransomware on all machines to which they have access. The ultimate aim is to paralyze the company by encrypting all files and documents, and bringing existing services to a halt. Initially, ransomware only targeted Microsoft Windows machines, but we have seen a sharp rise in their capacity.

In the course of our work, we have witnessed situations that both illustrate the creativity of adversaries and underline the importance of constant vigilance. We have also witnessed adversaries navigating through their victims' information systems and deploying their ransomware.... from antivirus management servers. 

Cloud security

The cloud has dramatically transformed the way companies manage their data and applications, attracting malicious actors seeking access to them. Its remarkable growth in recent years, with its promise of easy deployment, has simultaneously introduced new security challenges. Secure configuration in the cloud requires in-depth expertise and upstream preparation. Simple configuration errors or mishandling can inadvertently expose sensitive data. 

All these incidents highlight the need to embrace a proactive, constructed and well-informed approach to protecting against these attacks. Adversaries often have a deep understanding of customer infrastructures, and tool-based security alone may not be enough.

Indeed, a crucial aspect to consider is the trust placed in security products. The reality is that security products, while essential for defense in depth, are not a stand-alone solution.

Setting up a team dedicated to monitoring and incident management is just as crucial. Security alerts raised by products need to be handled proactively, with particular attention paid to warning signs of malicious activity. This constant vigilance is the key to anticipating threats before they turn into major incidents. In many of the missions we have handled, the software in place had raised alerts that had not been seen.

Incident response

In terms of incident response, we adapt to the specific needs of each customer. We understand that each company is unique, with its own resources, processes and requirements.

So, if a customer already has a crisis management team, but requires additional, advanced forensic skills, we can integrate seamlessly into the existing process. For customers without a dedicated incident management team, we can take over the entire process. In both cases, we work closely with existing teams and understand the importance of adjusting to internal protocols to harmonize everyone's efforts and ensure a coordinated, effective response.

We are also able to mobilize other expert teams within Thales to provide additional support, whether in the organization of crisis management or to help meet any legal obligations that may arise from an incident.

In terms of immediate incident response, our primary objective is to neutralize the adversary and secure the information system. We focus on critical issues such as:

How did the adversary gain access to the information system?

- Find the entry point (patient 0), analyze possible attack vectors, whether through software vulnerabilities, configuration errors, phishing attacks, etc.

What are the adversary's communication channels?

- Whether it's to control the infrastructure or to move around on it, discovering any means of communication used by the adversary will enable you to circumscribe him and cut off his access.

How long has the adversary been present on the information system? 

- Determining the period of time during which the adversary has had access to the system, thus enabling us to measure the potential extent of the impact and a potential healthy restoration point.

What did the adversary access and exfiltrate?

- Identify compromised data or systems, assess potential losses, and analyze any data exfiltration.

Our approach aims to provide rapid, targeted answers to these questions, minimizing damage and restoring information system security and integrity as quickly as possible.

Who we are

Drawing on our CERTs, Computer Emergency Response team, Cyber Threat Intelligence team and incident response experts, we have built up solid experience in our field. 

Thales' global incident response capability extends from Europe to Australia. 

We offer our customers proactive incident response preparation to help their partner organization's teams become more autonomous. We help our customers to prepare themselves by validating the essential points that will both reduce their attack surface and improve their ability to react and investigate. Through this annual exercise, we provide our customers with concrete, detailed reports that reinforce their ability to respond to threats, reducing their reaction, analysis and remediation times.

Our service

Our dedicated Digital Forensics and Incident Response service aims to support customers in their preparation, investigation and analysis of the digital evidence obtained, in order to respond effectively to cybersecurity incidents. This involves the collection, preservation, examination and analysis of digital data to uncover the causes and extent of a security breach, identify the root cause and support the remediation process.

To support you: 

• Expertise and Specialized Knowledge: a team of highly qualified and certified professionals with specialized knowledge in digital forensic analysis and incident response. Leveraging its expertise allows the client to benefit from industry best practices. 
• 24/7 Availability and Rapid Response: In the event of a security incident, an incident manager intervenes immediately, assesses the situation and initiates the incident response process. 
• Advanced Tools and Technologies: access to advanced tools, technologies and software specifically designed for digital forensic analysis and incident response. These tools can facilitate faster and more accurate collection, analysis and preservation of evidence, thereby improving the overall effectiveness of the investigation. 
• Compliance and Legal Considerations: Processes follow requirements and compliance related to incident response and handling of digital evidence. This ensures that the investigation process and evidence collection meets relevant legal and regulatory standards, reducing the risk of evidence manipulation and helping organizations maintain compliance with data protection and privacy regulations. 
• Experienced CERTs: our teams have handled thousands of incidents since their inception. 

In Case of Incident 

Do not hesitate to contact us!

Article by Paul Jung, Thales Senior security consultant.