The Carbon Black Quarterly Incident Response Threat Report for 2018 shows that destroying forensic evidence to hide attack sources and attack capabilities is becoming increasingly common. The report quotes an incident response professional as observing that “We’ve seen a lot of destruction of log data, very meticulous cleanup of antivirus logs, security logs and denying IR teams the access to data they need to investigate.”

More specifically, the report finds that in the last 90 days:

• 32% of investigated attacks included attackers wiping entire machines to hide evidence
• 72% of all IR professionals reported seeing deleted logs in at least one attack, and
• 41% of respondents reported investigating at least one attack on Manufacturing businesses.

Erasing machines and logs makes it difficult or impossible for response teams to discover and remediate attacks: identify equipment that attackers may have changed, understand how the attackers entered the system and identify the attackers themselves, where possible.

Waterfall BlackBox is a solution designed to support these incident response needs. Modelled after an aircraft “black box” flight recorder – which are actually bright orange – the Waterfall BlackBox stores logs, transactions, configuration files and other valuable data in a secure and tamper-proof repository to survive a cyberattack.

The Waterfall BlackBox is a network appliance, consisting of secure storage behind a Unidirectional Gateway. The appliance is connected to a network, collects or receives logs and other data and sends that data through the Unidirectional Gateway into the secure storage. Once transmitted through the Unidirectional Gateway, the log information is physically inaccessible to the monitored network.  An attacker has no way to gain network access into the secure storage to try to delete or edit the stored data. Response teams arriving at a site with a Waterfall BlackBox deployed, physically connect to the Waterfall BlackBox storage to gain access to trustworthy, untampered forensic and log data.

In this age of sophisticated cyberattacks, ransomware campaigns and industrial cyber-espionage, having the ability to stop an attack in progress, carry out a forensic postmortem and trace the attack to its source is critical to any business and organization. Waterfall BlackBox is a basic pillar in effective security architecture and incident response.

Waterfall BlackBox is being used worldwide by industrial and enterprise companies, incident response and forensic service providers and research groups.

For more information on the Waterfall BlackBox tamper-proof forensics system tune in to listen to this short podcast by the author “Seal the integrity of your logs with Waterfall BlackBox”.[/vc_column_text][/vc_column][/vc_row]

A Flight Recorder for Forensics 

Waterfall BlackBox

• Author
• Recent Posts

Andrew Ginter

Andrew Ginter is Waterfall’s Vice President of Industrial Security. He holds B.Sc. of Applied Mathematics and M.Sc. of Computer Science degrees from the University of Calgary, as well as ISP, ITCP, and CISSP accreditations.

Latest posts by Andrew Ginter (see all)

• CISA ICSJWG Event – A Lot to Look Forward To - April 14, 2023
• Air Gaps – I do not think it means what you think it means - April 6, 2023
• The OT Security Revolution - March 13, 2023