"More importantly," says Keanini, "while they will get in with some form of exploit, they still need to go undetected while performing other phases of the attack."
During this operational phase, the enterprise can use that telemetry to detect the attackers and deploy countermeasures before the attackers complete their objectives.
Enterprises need to be aware that offensive forensics, like other attack techniques, will continue to evolve. Criminal hackers will use any tool available to get the job done, even if the tool is benign in itself and they are using it in ways its creator never intended.
CSOs and CISOs need to continually educate their IT and security teams to keep them current on new threats and techniques. Most security teams will eventually need new tools to detect offensive forensics attacks, says Hazdra.
High-value assets need new modes of protection so that security teams can detect and prevent hackers from turning forensic tools against enterprise data, says Hazdra.
"The unauthorized use of these types of tools likely occurs in a blind spot for most organizations as they may monitor things like network traffic, file integrity, intrusion detection and unauthorized attempts at access, for example, but may not have tools in place to detect someone performing a memory dump on a system or whether the person using a forensic tool is on their security team or is an attacker," Hazdra explains.
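One way to close the blind spot Hazdra describes is to treat memory acquisition as its own detection class: match process-creation telemetry against the command lines of common memory-dump methods, then decide whether the account and the launching parent process look like sanctioned forensic work or like an intruder. The following is an added example, not code from the article, from Hazdra, or from any product; the event format is a constructed stand-in for an EDR/Sysmon-style process-creation record, and the tool signatures, the analyst roster, the list of server parents, and the sample events are all assumptions made for illustration.

```python
"""Flag memory-dump activity in process-creation telemetry and separate
authorized forensic work from likely attacker use.

Added example. The event shape, signatures, roster and sample data below are
assumptions for illustration, not any vendor's schema or a complete rule set.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Command-line signatures for common memory-acquisition methods (illustrative,
# not exhaustive; a production rule would also watch handle access to lsass,
# kernel driver loads and so on).
DUMP_SIGNATURES = [
    ("procdump", re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\s-ma\b", re.I)),
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll\s*,?\s*(?:minidump|#24)\b", re.I)),
    ("winpmem", re.compile(r"\bwinpmem", re.I)),
    ("dd_dev_mem", re.compile(r"\bdd\b.*\bif=/dev/(?:mem|kmem|crash)\b", re.I)),
    ("avml", re.compile(r"\bavml\b", re.I)),
    ("lime", re.compile(r"\binsmod\b.*lime[^\s]*\.ko", re.I)),
]

# Assumed roster of accounts allowed to acquire memory. This is the check that
# answers "is the person running the forensic tool on our security team?"
AUTHORIZED_ANALYSTS = {"CORP\\ir.analyst1", "CORP\\ir.analyst2", "forensics"}

# Parent processes from which no analyst launches a dump; a dump spawned here
# points at a web shell or injected code even if the account is on the roster.
SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "tomcat", "php-fpm", "sqlservr.exe"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    verdict: str  # "authorized" or "suspicious"
    reason: str


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Return None for non-dump activity, otherwise a Finding with a verdict."""
    technique = next((name for name, rx in DUMP_SIGNATURES
                      if rx.search(ev.command_line)), None)
    if technique is None:
        return None
    parent = ev.parent_image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if parent in SERVER_PARENTS:
        return Finding(ev.host, ev.user, technique, "suspicious",
                       f"memory dump spawned by server process {parent}")
    if ev.user not in AUTHORIZED_ANALYSTS:
        return Finding(ev.host, ev.user, technique, "suspicious",
                       "account is not on the forensic analyst roster")
    return Finding(ev.host, ev.user, technique, "authorized",
                   "roster account launched from an interactive parent")


def triage(events: List[ProcessEvent]) -> List[Finding]:
    """Run every event through classify() and keep only dump-related findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Count verdicts so a responder sees authorized vs. suspicious at a glance."""
    return dict(Counter(f.verdict for f in findings))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\ir.analyst1", r"C:\Windows\System32\cmd.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\ir\case42\lsass.dmp"),
    ProcessEvent("FS01", "CORP\\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 688 C:\Windows\Temp\l.dmp full"),
    ProcessEvent("WEB02", "CORP\\ir.analyst1", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\inetpub\wwwroot\x.dmp"),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Windows\explorer.exe", r"notepad.exe report.txt"),
    ProcessEvent("db-prod-3", "root", "/bin/bash", "dd if=/dev/mem of=/tmp/m.raw bs=1M"),
    ProcessEvent("db-prod-3", "forensics", "/bin/bash", "avml /mnt/evidence/db-prod-3.lime"),
]

if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.verdict:10} {f.host:10} {f.user:20} {f.technique:16} {f.reason}")
    print(summarize(findings))
```

The roster check alone is not enough, which is why the parent-process check runs first: an attacker who has stolen an analyst's credentials will pass the roster but still tends to launch the dump from a web server worker, a scheduled task, or another parent an analyst would never use. In a real deployment the roster and the parent list would come from the organization's own IR runbook rather than being hard-coded, and authorized dumps should still be logged, since they are the ground truth that lets you tune the rule.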