In the 1991 movie Backdraft, Robert De Niro plays the part of Donald ‘Shadow’ Rimgale, a fire department detective investigating a series of arsons in Chicago. As a former firefighter himself, De Niro’s character works closely with firefighters to piece together events based on the available evidence, both physical and circumstantial, and relies on his years of experience as both a firefighter and arson investigator.
Today’s practice of incident response (IR) is very similar to De Niro’s Backdraft character: equal parts firefighter (containing and remediating a breach as quickly as possible while minimizing damage) and investigator (figuring out what exactly happened, how, from where, and why). Security analysts must first and foremost get things under control, stopping harmful or unauthorized activity as soon as it is discovered. But while a fact-based understanding of exactly what happened is important, without a root cause analysis, similar breaches can and often do simply recur. And though threat vectors and tools (think keyboards, computer monitors, and sophisticated software instead of flames, hoses, and fire-retardant jackets) are very different, the use cases for incident response and firefighting are actually quite similar.
Physical vs. digital forensics
Modern forensics is generally practiced in two places: law enforcement and corporate security/IT departments. While physical forensics (fingerprints, bullet trajectories, DNA testing, etc.) is often relevant to law enforcement, it is typically not a major factor in corporate security departments. However, its virtual sibling, digital forensics, is incredibly important to both constituencies.
With law enforcement, digital forensics has become more commonplace as more crime moves online, and increasingly relevant even with “offline crime” to help corroborate physical evidence and support key elements of a prosecution, like a criminal’s intent, location, or state of mind. Being able to definitively prove that someone did (or failed to do) something is the key goal, with process integrity (e.g. chain of custody) paramount.
In corporate security departments, digital forensics seeks to answer somewhat different questions than “where did the malware come from and how did it get here?” What’s more relevant is determining where the bad guys went, what they did, and what they took after they hacked into the network in the first place. The goal is to understand details of what happened -- when, how, and why -- to prevent a similar intrusion in the future. (The “who” question is typically less important beyond identifying what type of actor/activity was likely involved, e.g. eastern European crime syndicate vs. state-sponsored espionage.)
But whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult -- especially at the endpoint. Challenges in either case include accessibility of systems and data on them (e.g. cellphones), latency when pulling data from a system remotely, erroneously tipping off a user that their system is being accessed, myriad formats and devices, languages, and synthesizing data from multiple sources -- to name just a few. This is where corporate security departments enjoy the benefits of decades of laborious work by law enforcement and vendors that supply them with tools: no matter how challenging a scenario may be, law enforcement has seen and handled it before, often with a higher degree of difficulty.
The criticality of rock-solid forensic tool sets becomes even more important when looking at the velocity, volume, and variety of data corporate security departments must sift through on a daily basis. Most large security teams see thousands or tens of thousands of alerts every day. Whether proactively hunting for threats on endpoints, validating alerts from a next-gen firewall, integrating threat intelligence, or correlating log data, network traffic, and endpoint artifacts in a SIEM, forensics is everywhere in today’s IR.
You don’t have to be a fan of Robert De Niro movies to understand how important forensics is to arson investigations... and IR. Just like De Niro’s character in Backdraft, today’s IR practitioner must rely on proven forensics tools in order to nab the bad guy.