interACT – a remote shell solution crafted exclusively for modern DFIR
Evren Pazoglu : Fri, Jan 20, '23
The operational reality for most modern enterprises is a daily stream of cyber-attacks of different kinds, frequencies and severity levels, and the volume, velocity and sophistication of these attacks continue to grow along an aggressive upward trend. Read on to see how interACT is a revolutionary remote shell solution designed specifically for modern digital forensics and incident response (DFIR).
During the incident response process, every minute that passes can have a significant impact on your ability to minimize the effects of a breach, so it’s essential that Digital Forensics and Incident Response (DFIR) teams can quickly respond and investigate their systems.
DFIR solutions that require investigating endpoints on site are no longer suitable in the modern business environment. Most enterprise companies have geographically dispersed locations, from international headquarters to smaller regional offices, and typically a growing number of employees work from home, using different operating systems at a variety of release versions.
Since getting in front of an endpoint computer to perform DFIR activities is not always feasible or cost-effective, the best option is to do this remotely. This is particularly useful where the devices are located in remote or hard-to-reach locations, or where it is not safe for the incident responder to access the devices physically.
There are a number of activities that require accessing and managing devices remotely as part of cyber security incident response efforts. These can be broadly summarized as:
- To quickly gather information about an incident and assess its impact.
- To contain an incident by isolating affected devices from the network, killing suspicious services and processes, or even shutting the devices down.
- To perform forensic analysis on the affected endpoints to better understand how the incident occurred and identify any indicators of compromise.
- To remediate the incident by cleaning up infected devices and restoring them to a secure state.
- To download malware samples or contaminated files for further analysis and to create cyber threat intelligence (CTI).
Traditionally, a variety of tools and solutions are needed for DFIR professionals to accomplish these tasks remotely without having to access the affected devices physically.
It’s not ‘remotely’ simple
Connecting to those devices remotely to perform the DFIR activities listed above requires installing or enabling remote device management tools or services such as RDP, SSH, VNC, or other third-party tools.
Even if remote device management tools are installed, there are several drawbacks and disadvantages to using those tools for incident response activities:
- Limited visibility: Remote endpoint management tools may not provide complete visibility into the endpoint environment, making it difficult to assess the extent of an incident accurately.
- Lack of control: Because the tools are remote, they may not give the incident responder complete control over the endpoint, which can be frustrating and hinder the response process.
- Complexity: Some remote endpoint management tools are very complex to use and may require specialized training to operate effectively.
- Compatibility issues: Compatibility issues with certain endpoint operating systems or hardware configurations may prevent the use of certain management tools. Investigators sometimes need different tools for different operating systems or distributions, and even if they use SSH for every operating system, the shell commands differ depending on the OS of the endpoint.
- Expanding attack surface: If the remote endpoint management tool is not properly secured, updated, and managed, it could be accessed by unauthorized parties and introduce further vulnerabilities that attackers may exploit. This could compromise the endpoint and make the situation far worse by expanding the attack surface.
- Management and maintenance cost: Every new application or tool that is used must be properly installed, configured, updated, and patched. These tools also bring extra network access requirements, meaning additional TCP/UDP ports must be allowed on the gateways. Managing and maintaining all of this creates an extra workload for the system, network management, DFIR, and security staff.
The frustrating truth is that most remote endpoint management tools that are used in remote incident response introduce many new problems, and these problems may contribute to a bigger problem than the actual initial breach being investigated.
Remote and scalable DFIR thanks to interACT
Binalyze AIR’s interACT module is a comprehensive secure remote shell that is cross-platform and provides a standardized command set for Windows, macOS, and Linux to greatly simplify the investigation process. Investigators and incident responders can connect to the endpoint easily by starting an interACT session via the AIR console.
When an interACT session is initiated, the AIR console connects to the endpoint in just a few seconds and provides a command line interface for investigators to begin their investigation or remediation work.
interACT has been built specifically for DFIR. The full list of current commands is given in the table below, but some common use cases that investigators, analysts and incident responders need include:
- List, delete, copy, and move files and folders; kill suspicious, malware-related processes and services.
- Remotely isolate endpoints to contain contamination.
- Download suspicious files for further malware analysis.
- Run queries and searches using osquery to find, list and filter suspicious indicators.
interACT cross-platform commands

| Command | Description |
| --- | --- |
| cat | Display the content of a file |
| cd | Change the current working directory |
| curl | Make an HTTP request |
| del / delete / rm | Delete a file or directory |
| dir / ls | List the files and folders in a given directory |
| exec / execute | Execute a process on the endpoint and return stdout/stderr |
| find | Search for a file or directory |
| get | Get a file from the endpoint |
| hash | Display the hash values of a file |
| head | Display the first 10 lines of a file |
| help | Display help messages |
| hex | Display hex-encoded output of a file |
| image | Read a disk/volume and write its contents |
| kill | Kill process(es) by process id or process name |
| mkdir | Create a directory |
| osquery | Write an osquery search command |
| pslist | Display the running process list |
| put | Put a file from the library onto the endpoint |
| pwd | Display the current working directory |
| volumes | List the mounted volumes |
| zip | Compress/decompress a file or folder |
Permission-based, granular access control
Another very useful and unique feature of interACT is its ability to control access to features based on each user's permission level. This allows DFIR team leaders and managers to create access profiles that match the experience and ability of each team member. Currently interACT has 3 levels of permissions:
- Enumeration Privileges
- Read Content Privileges
- Write and Execute Privileges
These access levels can be further refined by controlling individual users' access to organizations on the AIR platform, resulting in highly granular access control.
A library feature to create a consistent investigative standard across your DFIR team
interACT's Library feature allows DFIR managers and team leaders to upload standardized investigation assets such as scripts and toolkits, so that individual analysts can use those assets in the course of an investigation with a single click.
By providing access to a Library of approved assets, a more uniform investigative process can be defined and encouraged across the whole team.
Full disk imaging for when you need it
The interACT module of AIR unlocks the ability to collect a full disk image of the device under investigation as part of a deeper investigation, law enforcement applications or simply as a backup. The format of our full disk images is DD.
Fully audited and logged
Another valuable feature of interACT is its full auditing and logging capability. Every command issued and every response received is logged in a real-time interACT session report. Additionally, any files transferred between the analyst and the asset are logged as well, including their hash values.
This comprehensive audit log provides peace of mind: should you need to demonstrate exactly what happened during the remote shell session, you can do so.
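As an added illustration of why logging transfer hashes matters for chain of custody (example code written for this article, not Binalyze's or interACT's own, and the session-report layout it uses is an assumption, not interACT's real format), the following builds a session report that records commands and file transfers with their SHA-256 hashes, then verifies that the copies an analyst holds still match what was logged:

```python
# Added example (not interACT's code). Records a remote-shell session's commands and
# file transfers, then verifies held copies against the logged hashes.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SessionReport:
    """In-memory audit trail of one session; the entry layout is assumed for this example."""

    def __init__(self, session_id: str, analyst: str):
        self.session_id, self.analyst, self.entries = session_id, analyst, []

    def _add(self, **fields) -> dict:
        entry = {"seq": len(self.entries) + 1,
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "session": self.session_id, "analyst": self.analyst, **fields}
        self.entries.append(entry)
        return entry

    def record_command(self, cmd: str, response: str) -> dict:
        return self._add(type="command", cmd=cmd, response=response)

    def record_transfer(self, direction: str, path: str, data: bytes) -> dict:
        # direction: "get" (endpoint -> analyst) or "put" (library -> endpoint)
        return self._add(type="transfer", direction=direction, path=path,
                         size=len(data), sha256=sha256_hex(data))

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e) for e in self.entries)


def verify_transfers(report_jsonl: str, local_files: dict) -> dict:
    """Recompute the hash of each held copy and compare it with the report entry.
    Returns {path: "ok" | "mismatch" | "missing"} for every transfer entry."""
    results = {}
    for line in report_jsonl.splitlines():
        entry = json.loads(line)
        if entry.get("type") != "transfer":
            continue
        data = local_files.get(entry["path"])
        if data is None:
            results[entry["path"]] = "missing"
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            results[entry["path"]] = "mismatch"
        else:
            results[entry["path"]] = "ok"
    return results
```

A copy whose bytes changed after collection reports as "mismatch", which is the condition an audit review is meant to catch.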
Thanks to interACT from Binalyze AIR, remote endpoints no longer pose an obstacle. DFIR professionals can perform almost all the incident response activities they need without installing or configuring any other tools, and all actions are logged and stored for audit or other purposes.