Secure Networks: Endace Packet Forensics Files
"Secure Networks: Endace Packet Forensics Files" features interviews with leading cybersecurity and networking experts from companies such as Cisco, Darktrace, Palo Alto Networks, and others. It focuses on the issues that Security, Network Operations and DevOps teams face in securing and managing their networks and applications and provides insights into best practices and future developments.
Episode 47: Network forensics and incident response specialist, Jasper Bongertz
What are some of the challenges of responding to a serious incident – such as a ransomware attack or advanced persistent attack? Where do you start, and what are the critical things you need to do?
In this episode we are lucky to welcome Jasper Bongertz, Head of Digital Forensics and Incident Response at G DATA Advanced Analytics in Germany. Jasper has a wealth of experience from working on the front line of incident response at G DATA as well as in his previous role at Airbus. He also has a long background in network forensics, having been a Wireshark and network forensics instructor, and continues to be a very active member of the Wireshark community.
Jasper starts by outlining some of the steps to mitigate "headless chicken mode", which is what he often sees when an organization first uncovers a serious cybersecurity incident.
The process starts with understanding exactly what has happened, and what the impact is so that a clear response plan and timeline for resolution can be established. This requires gathering the available evidence – including network packet data if it’s available. It’s important to be able to do this quickly – particularly in the case of ransomware attacks where the organization’s IT systems may be unavailable as a result of the attack. With ransomware, speed is crucial since the organization’s primary priority is typically to get back to an emergency operating state as quickly as possible. Jasper lists some of the tools that his team finds useful in rapidly gathering that critical evidence.
Once the scope of the incident has been established, you need to have the specific expertise on hand to do the initial investigation to understand what happened and how it happened so you can identify the right response. Typically, Jasper says, that will involve having at least an incident response specialist, a forensic expert, and a malware reverse engineer, but depending on the scale of the event may involve many others too.
Jasper outlines the most important steps organizations can take to protect themselves against ransomware attacks and to ensure that, in the event of a successful attack, they can recover. The two most important of these are making sure domain administrator credentials are protected to prevent privilege escalation, and ensuring backups are complete and protected from sabotage.
Lastly, Jasper discusses the changing cyberthreat landscape. He outlines why he thinks data exfiltration and extortion will become a more common threat than ransomware and encryption, and why network data is critical to combat this growing risk.