Aside from being a computer whiz, one of the most important functions an analyst has is conveying forensic evidence to clients and their legal teams. This sounds easy, but forensic professionals are always thinking about how to explain the evidence in a way that is not only accurate but can be understood by those with non-technical computing experience. It is highly unlikely for even a medical doctor to understand the technical jargon of a digital autopsy – and analysts need to be mindful of that.
For example, analysts should avoid reporting to their clients the following: The threat actor brute forced into patient zero using RDP, ran mimikatz to escalate privileges to the administrator account, and laterally moved to another device to set a staging area which contained the ransom payload. Save that fast talk for your colleagues.
Instead, analysts are better off making the same point by putting it this way: The threat actor, or hacker, used brute force, which is an automated process to guess usernames and passwords. After cracking the credentials, the actor used Remote Desktop Protocol to connect to patient zero, which is the device we believe was accessed first, because it is the first device where we identified malicious activity. While connected to that device, the threat actor used mimikatz, a credential harvesting tool that is used to obtain Windows usernames and logins stored in memory or cache. This allowed the actor to gain access to a high value user account – in this case the administrator account. From there, the actor hopped to another device in order to set up a staging area, or a folder on the computer where they stored malicious files for later use. Along with other malicious files, the threat actor also placed the ransom payload in that folder, which later encrypted your system.
Sure, that took a bit longer to explain but the client now has information that can be properly digested and understood.
Any incident response provider should make a concerted effort to ensure their clients thoroughly understand what has happened to their digital systems. After all, it is the client and their legal team that ultimately need to make the decision to report to the authorities whether data has been accessed (viewed) or exfiltrated (stolen).
We are here to help both our clients and our readers understand the cyber world around them – because once you understand, you can make informed decisions. And, as the saying goes, knowledge is power, and power means keeping data and systems secure.