War Laptops for Incident Response Ninjas
12 NOV 2020 | Yushen Wei and Raghu Narapareddy
October was National Cybersecurity Awareness Month (NCSAM), created to raise awareness of the importance of cybersecurity and of how organisations should protect and secure their IT/OT environments. This year marks the 17th anniversary of NCSAM, which makes it a good moment to draw attention to a critical piece of equipment for any cybersecurity incident, the machine responders typically know as the "war laptop".
Briefly defined, a war laptop is the core instrument in a mature incident responder's arsenal: a machine capable of handling any type of analysis during a security breach. It is used to identify, contain, eradicate and remediate incidents, and it is the heart of the responder's "go-bag" for immediate deployment to any incident. NIST SP 800-61 describes the same idea when it lists, as part of the incident handler's jump kit, a laptop loaded with all the necessary software (e.g. packet sniffers, digital forensics applications) for the IR analysts. Note that because this laptop has a special purpose, it is likely to run software other than the standard enterprise tools and configuration.
War laptops are specified deliberately, because they are used to run multiple tasks simultaneously in order to reduce the time spent on data collection and analysis. To handle those tasks, a typical war laptop must have significantly higher specifications than an everyday workstation in terms of RAM, processor and storage capacity. This makes the laptops more expensive to procure, but the cost is offset by the time saved during analysis.
The exact specification of a war laptop depends on the purpose of the analysis, whether incident response or malware analysis. A war laptop should also be capable of running a couple of virtual machines as a small lab environment for any ad-hoc testing required during the incident analysis, for example processing large log files with an ELK stack or another locally hosted SIEM.
An ideal configuration for a war laptop is as follows:
Typically, the cost of a war laptop ranges anywhere from 2,000 to 4,000 USD, depending on the custom specifications mentioned above. In most cases, the information security budget cap is what prevents the purchase of enough war laptops to match the number of responders and active cases.
Figure 1 – Mid tier war laptop from Sumuri
More often than not, organisational IT and information security management only approve the incident response team to use another corporate laptop for analysis, or worse, to continue using the same corporate laptop. These decisions are based solely on cost avoidance. In the long term, however, this inevitably leads to more overhead, and in some cases it is highly detrimental to the actual response effort. Considering an average business cost of 100+ USD per hour for an incident responder, the investment in a war laptop for an incident investigation is clearly justified: in our experience it reduces the time spent on such incidents by at least two days.
The practice of using corporate laptops in any incident response engagement poses an information security risk for the organisations themselves. Listed below are some examples:
Aside from the cybersecurity challenges of performing incident analysis on corporate machines, the technical processing of large datasets becomes an impediment for the incident response team. Most corporate laptops are severely limited in CPU and RAM. In incidents requiring forensic analysis of disk images, memory and logs, or malware simulation, a corporate machine with such limited specifications is significantly slower than purpose-built hardware.
Time is critical in any incident response case. The benefits of using war laptops for the investigation are time saved, flexibility and separation from the corporate environment. These laptops should not use the deployed corporate standard operating image and must be free from corporate IS controls such as EDR, AV and DLP, which would otherwise quarantine malware samples and interfere with forensic tooling. At the same time, the consultants must adhere to IS policies specific to war laptops on how customer data is handled during the investigation (for example, reverting to the clean baseline snapshot once the IR engagement is completed).
Consider an investigation of data exfiltration from an Exchange server. After the initial triage, the responder may be required to parse the organisation's F5 application logs and IIS server logs and perform forensic analysis of the Exchange server (memory or drive). Depending on the processor of the analysis laptop and the size of the Exchange server's image, indexing it with a forensic tool can take several hours, and ingesting the log files into an ELK stack takes a significant amount of time as well. Without a war laptop, the responders would have to ship the evidence to the office under a proper chain of custody and only then begin the investigation on in-house forensic workstations. With a war laptop, the parsing of images and log files can be started on-site while the key stakeholders are being interviewed, which significantly improves the efficiency of the overall response effort.
Figure 2: Data exfiltration from Exchange server
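As an added illustration of the on-site log triage described in this scenario (this is example code written for this post, not a tool from the original article), the script below parses IIS W3C extended logs from an Exchange front end and sums the response bytes each client/user pair pulled from attachment and EWS endpoints, flagging anyone above a byte threshold. The log lines are constructed for the example; the field order, the threshold and the endpoint prefixes are assumptions that a responder would adjust to the environment's actual `#Fields:` header and baseline.

```python
"""Triage IIS W3C logs from an Exchange server for bulk mailbox downloads.

Example code added for this post; not code from the original article or any
vendor tool. The sample log below is constructed. Assumes the IIS default
W3C extended format with a '#Fields:' header that includes 'sc-bytes'.
"""
from collections import defaultdict

# Constructed sample: two ordinary OWA requests from alice, then a scripted
# client pulling large attachment/EWS responses using bob's credentials.
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2020-11-02 08:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken",
    "2020-11-02 08:01:12 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.1.20 "
    "Mozilla/5.0 200 18234 512 120",
    "2020-11-02 08:01:15 10.0.0.5 POST /owa/service.svc action=GetConversationItems "
    "443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 4120 900 87",
    "2020-11-02 08:03:40 10.0.0.5 GET /owa/attachment.ashx attach=1&id=AAMk1 443 "
    "CORP\\bob 203.0.113.77 python-requests/2.24 200 52428800 300 3100",
    "2020-11-02 08:03:55 10.0.0.5 GET /owa/attachment.ashx attach=1&id=AAMk2 443 "
    "CORP\\bob 203.0.113.77 python-requests/2.24 200 73400320 300 4200",
    "2020-11-02 08:04:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 "
    "CORP\\bob 203.0.113.77 python-requests/2.24 200 31457280 1500 2500",
]


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the #Fields header.

    The header is authoritative: IIS lets administrators choose and reorder
    fields, so column positions are never hard-coded.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_bulk_downloads(records, byte_threshold,
                        path_prefixes=("/owa/attachment.ashx", "/ews/")):
    """Sum sc-bytes per (client IP, user) over mail-content endpoints.

    Returns (c-ip, user, total_bytes, request_count, user_agents) tuples for
    pairs whose total exceeds byte_threshold, largest first. The endpoint
    prefixes are an assumption; extend them for ActiveSync, MAPI, etc.
    """
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "agents": set()})
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.startswith(path_prefixes):
            continue
        try:
            sc_bytes = int(rec.get("sc-bytes", "-"))
        except ValueError:
            continue  # IIS logs '-' when the field was not recorded
        key = (rec.get("c-ip", "-"), rec.get("cs-username", "-"))
        entry = totals[key]
        entry["bytes"] += sc_bytes
        entry["requests"] += 1
        entry["agents"].add(rec.get("cs(User-Agent)", "-"))
    hits = [(ip, user, t["bytes"], t["requests"], sorted(t["agents"]))
            for (ip, user), t in totals.items() if t["bytes"] > byte_threshold]
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


if __name__ == "__main__":
    recs = list(parse_iis_log(SAMPLE_LOG_LINES))
    for ip, user, total, count, agents in find_bulk_downloads(recs, 100 * 1024 * 1024):
        print(f"{ip} {user}: {total / 1048576:.1f} MiB over {count} requests, UA={agents}")
```

Run against a real `u_ex*.log` with `parse_iis_log(open(path, encoding="utf-8"))`; the same per-client aggregation is what the ELK dashboard would show once ingestion finishes, but this runs in seconds on the first log the team is handed, which is exactly the head start the war laptop is meant to give.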
Given the benefits discussed above, these practices should be followed for all investigations of cyber incidents, from both an efficiency and an operational security standpoint. Weighed against the time saved, the flexibility gained and the improvement to the organisation's IR posture, the cost of war laptops is a minimal price to pay. Therefore, in honour of National Cybersecurity Awareness Month, use this opportunity to engage with senior security leadership within your organisation and pitch the benefits of war laptops for incident response. It will increase efficiency and aid the incident response process in catching those pesky bad guys!