Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:53 PM
Connect Directly

Security Careers: A Closer Look At Digital Investigations

Security incident response and forensics are, at heart, people problems. Here are some tips for making the most of them

[This article appears as a special to Dark Reading courtesy of the(ISC)2 Advisory Board of the Americasas Executive Writers Bureau.]

No matter how good their defenses, every security team eventually finds itself facing a data compromise. Increasingly, enterprises are approaching these compromises by combining two disciplines that previously were thought of separately: incident response and digital forensics.

This combined process, called digital investigations, helps to streamline both incident response and forensics. Most organization have multiple processes that outline how an incident should be handled as well as the processes for supporting forensic methodologies. The concept of merging them together may at first seem frightening, but it shouldn’t be a re-invention of existing processes.

The National Institute of Standards and Technology (NIST) have published several documents that speak to security incident handling (SP800-61) and integrating forensics with incident response (SP800-86). These documents are publicly available on the NIST website, offering a framework and guidance to building internal digital investigation processes.

As you'll see in the NIST documentation, there are key elements that are translatable between incident handling and digital forensics. One example is event categorization: the initial assessment that must be performed when the investigator arrives on the scene.

This assessment provides the basis to determine the "fruits of crime" -- what was the target -- and the "tools of crime" -- what was used. The distinction between fruit and tool forms the starting point for analysis and conducting root cause analysis. Even after you've drawn the line around your "crime scene," however, you'll likely discover new information that expands the scope of the investigation.

The best strategy for dealing with this "scope creep" is to set a large perimeter around your crime scene and work to narrow it down by ruling out possible avenues. One approach is to utilize a spider-web technique: the concept that everything has a relationship, and a small change in one area results in a large difference elsewhere.

This technique positions the actual event at the center of the web, providing several ways to move out toward the root causes. These several inter-connected, outward data paths have all contributed to the incident as either a tool or fruit of the event, and may have direct association to another data path.

As more data is identified -- and as we move further away from the event -- we will find related data paths and associated root causes. As we move outward, some paths may reach a clear conclusion, which reduces the scope of the investigation.

As the investigation progresses and the scope of data changes, there may be multiple branches of information that requires synchronized analysis. There is no means by which an investigative team can simultaneously analyze everything. The best way to produce results quickly is to divide and conquer by creating dedicated "tiger teams" that have the appropriate skill sets to work through data quickly but thoroughly.

These "tiger teams" should be assembled on demand and must have access to critical resources in order to complete their part of the investigation. Depending on the specialization of the team, there will be a different focus on data sources and where to collect evidence.

The digital investigation process does not need to be a re-invention of forensic or incident response processes and procedures. There are several documents published by reputable organizations that can be used as a basis for integrating processes and handling different types of incidents. It is important to incorporate industry best practices into your investigative process and to draw upon industry knowledge when applying investigative techniques. Keep in mind that digital investigations are conducted when there is a breach -- the race to determine root cause(s) must be quick. The race to preserve evidence also necessitates speed. But acting fast is not always easy.

With any digital investigation, it is not uncommon to have an enormous amount of data to cull before a root cause can be found. And while the incident may have occurred on an end-user system, the scope of relevant data may often include network appliances, software, or even mobile devices.

While retrieving data from assets belonging to your own organization might be straightforward, the growing use of cloud services may complicate the picture. Your ability to retrieve data from cloud service provider (CSP) systems may prove challenging. In the cloud, there is no access to or ownership of the physical assets; numerous other organizations use the same platforms.

To help mitigate these problems work with your CPS before an incident occurs to establish service-level objectives that make the CPS an extension of your incident response team and ensure that you can collect data from the cloud provider environment using sound investigative processes.

As the investigation grows and the volume of data becomes overwhelming, it is important to cull and reduce the scope of evidentiary sources and narrow the question of what is relevant. It’s not uncommon to have a broad forensic toolset where one tool is for log analysis, another for system analysis, and so on. As investigative software continues to evolve into single-point solutions, investigators will gain access to platforms that offer even better intelligence and response tools.

Security information and event management (SIEM) platforms, for example, are an excellent technology to consolidate, store, and correlate data from multiple sources -- they can quickly reduce the amount of data related to security events. Stand-alone SIEM platforms provide a simplified view of data within the organization -- they may offer automated detection, but they often rely on manually reactive processes.

By integrating SIEM systems with automated incident response capabilities, you can reduce the manually reactive processes performed by security analysts. Based on the category of incident that has occurred, there is an immediate need to collect and preserve volatile evidence that can be lost over time, such as running processes, remote system connections, and active users. SIEM tools enable the preservation of live system data at the time an incident occurs -- a capability that can be can useful when subsequently analyzing entire systems.

Now that we have extracted relevant data from SIEM and collected volatile data through automated response capabilities, it may be time to use digital forensics as a means of recovering additional evidence. For any category of incident, there are always digital artifacts that exist in some state on end-user systems; relevant information can be extracted from sources such as event logs, registry hives, or the recycle bin.

Digital forensics generally requires some level of specialized training; however, many forensic toolkits offer a great deal of automation to identify and preserve evidence. Tightly integrated and streamlined forensic toolkits allow the security analyst to complete the initial triage while preserving the forensic evidence, leaving it to the forensic practitioner to do the heavy lifting.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/29/2012 | 7:41:43 PM
re: Security Careers: A Closer Look At Digital Investigations
Analyzing the malware itself and how data was exfiltrated can also help prevent future attacks.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
PUBLISHED: 2021-04-14
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system funct...
PUBLISHED: 2021-04-14
An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send i...
PUBLISHED: 2021-04-14
AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution.