There’s been a lot of talk about organizations needing an isolated environment for forensic investigations during a cyberattack. While the discussion has good intentions, many folks have missed the mark. There’s an unhealthy focus on recovery speeds instead of how the isolated environment is used to facilitate a proper cyber investigation. Don’t get me wrong, IT executives should aim to recover swiftly after an attack. But not at the expense of reintroducing malware into production or losing evidence that can aid in prosecution.
What is a data clean room in cybersecurity?
This isolated environment is often called a “cybersecurity clean room.” The concept began as a secondary location to run malware scans on business data. A clean room should be implemented as a trusted environment where analysts and investigators examine and analyze digital evidence related to cyber incidents, breaches, or crimes. The environment is where the security operations team can perform the investigatory steps needed to understand how an attack happened without the attacker being able to eavesdrop on the investigation. Building a timeline of the incident allows them to devise a recovery plan that eradicates the threat and helps prevent reinfection in the future. After the data is proven to be clean in this isolated environment, it can be moved to a staging area for testing to ensure that functionality is not lost before going back into production.
Cohesity believes having a clean room should align with best practices for digital forensics and incident response. Further, the IT operations and SecOps teams must work together through the investigation and recovery process. Ideally, these teams should work on a single platform with rich capabilities that improve the effectiveness and efficiency of both the response and recovery functions. At the end of the day, the all-important RTO depends not just on recovery speed but also on the speed of the response to the attack.
A useful clean room needs several features. The first is hardware, with a caveat. Just because you have a thousand workloads in your data center doesn’t mean you need the same amount of computing power sitting idle. The sizing should be based on guidance from your incident response team. After all, there’s no point in being able to replicate thousands of workloads if you only have three people on the response team.
Secondly, the hardware will need to be network-isolated to allow access to be easily changed during the investigation. For example, the backup servers will need to restore data into the clean room, but that access should be turned off once the restore operation is complete. This could be done using VLANs or a separate network with firewalls in between. Some folks will even physically unplug the network cables to avoid mistakes.
Once the room is built, it must be fortified with tools. Since the security tools on the compromised systems can’t be trusted, having a secure, vaulted location with the specialized forensic tools and software needed for data extraction, analysis, and preservation is critical. With a clean, separate, and protected copy of data always on standby, organizations can be assured the integrity of the tooling is not compromised. This will also give you the ability to bring back the services the company needs to access systems and communicate during the incident. After all, you can’t access the compromised systems without Active Directory, and you can’t coordinate the response without your collaboration tools. Plus, in a worst-case scenario, having a secure vault with gold images of critical systems and software will allow bare metal restoration.
How Cohesity Data Cloud helps
Cohesity provides several native capabilities to support the needs of the Security Operations Team in the clean room process. Cohesity Data Cloud’s threat-hunting capability provides incident responders with a curated feed of hundreds of thousands of Indicators of Compromise (IoCs) used by ransomware operators across the MITRE ATT&CK Framework, helping the organization understand the techniques used by the adversary across the entire lifecycle of the attack.
The curated feed can be augmented by the customer’s own threat intelligence or those provided by a third party, and artifacts found on systems during the investigation can be fed back into Cohesity to hunt for additional systems that have been impacted, bringing them into the scope of the investigation.
Threat hunting with Cohesity is not reliant on an end-point agent, so it isn’t susceptible to the evasion techniques that disable XDR and EDR systems and allow attacks to go unnoticed. Our approach also has the advantage of being completely passive, so the adversary can’t detect or disrupt it. Further, hunting with Cohesity is powered by the backup, so it will continue functioning even when the organization has isolated hosts and networks for containment.
In many organizations, backup retention periods are longer than logs typically held by security solutions. Savvy IT practitioners will realize that this provides an opportunity to detect the activities of nation-state actors conducting low-and-slow attacks, such as prepositioned wiper attacks with extended dwell times.
In traditional digital forensics, investigators had to rely on a single forensic image taken post-event, forming a hypothesis about how a system ended up in that end-state. With Cohesity’s enterprise data protection capabilities, forensics investigators are now free to time-travel across the entire incident timeline, loading images of a system’s file system state in seconds. Now, investigators can use their tooling to compare filesystems to rapidly identify deltas in configurations to find persistence mechanisms and malicious accounts or can extract binaries for detonation in sandboxes, producing more IoCs that can be fed into our threat-hunting capability.
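The snapshot comparison described above, and the feedback of artifact hashes into a hunt (the point made earlier about augmenting the IoC feed), as an added illustration that is not Cohesity’s code: it hashes two constructed file system snapshots of the same host, reports added, removed and modified paths, and flags any file whose hash appears in a small IoC set. The snapshot contents, the IoC hash and all function names are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed cron entry planted in the "after" snapshot; its hash stands in for an IoC
CRON_PAYLOAD = b"* * * * * root /tmp/.x\n"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def hash_tree(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Compare two digest maps; modified means present in both with different content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def match_iocs(digests, ioc_hashes):
    """Return (path, digest) pairs whose digest is in the IoC hash set."""
    return sorted((p, h) for p, h in digests.items() if h in ioc_hashes)

def investigate(before_dir, after_dir, ioc_hashes):
    """Diff two restored snapshots and hunt the later one for known-bad hashes."""
    before, after = hash_tree(before_dir), hash_tree(after_dir)
    return {"delta": diff_snapshots(before, after), "ioc_hits": match_iocs(after, ioc_hashes)}

def build_demo():
    """Constructed snapshots: t0 is clean; t1 has a new cron job and a modified sudoers file,
    while /usr/bin/ls is unchanged so it must not be reported."""
    base = Path(tempfile.mkdtemp())
    t0, t1 = base / "t0", base / "t1"
    for snap in (t0, t1):
        (snap / "etc" / "cron.d").mkdir(parents=True)
        (snap / "usr" / "bin").mkdir(parents=True)
        (snap / "usr" / "bin" / "ls").write_bytes(b"ELF-placeholder-ls")
    (t0 / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
    (t1 / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\nsvc ALL=(ALL) NOPASSWD:ALL\n")
    (t1 / "etc" / "cron.d" / "update").write_bytes(CRON_PAYLOAD)
    return t0, t1

if __name__ == "__main__":
    t0, t1 = build_demo()
    print(investigate(t0, t1, {sha256_hex(CRON_PAYLOAD)}))
```

Against real restores, point the two directories at consecutive snapshot mounts and load the IoC set from the threat feed rather than a single constructed hash.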
Take the next step: Build your clean room strategy
There’s much more to creating a clean room environment than malware scans and instant restores. Your best chance to survive the latest destructive cyberattacks involves combining the response workflows, teams, and technology to increase the chances of success when an event occurs.
Cohesity’s approach of a single platform for both the ITOps and SecOps teams provides not only native tooling to speed the response actions of the security operations team but also integrations with their incumbent security tooling. This helps improve the efficiency and effectiveness of both response and recovery, improving resilience and reducing the impact of an attack. And we’re doing it without glossing over the hard stuff just so we can talk about recovery speed.