“Much of the innovation in the forensics field is focused on simplifying and automating these processes, ensuring they can be performed even in the largest and most complex networks, and applying them for both proactive attack detection as well as efficient incident response,” he said.
Forensics is vital to incident response
Syncurity’s President and CEO John Jolly said forensics are critically important to the incident response process and are useful for both routine and timely response. For example, in an incident where a company is dealing with a successful phishing attack, forensic processes can be used to establish facts such as who clicked on the link, who was successfully phished/compromised, and what information was actually accessed or taken.
This helps a security team plan the appropriate response and assess reporting requirements, he said. “For instance, the forensic process might help you determine that 10 users clicked, but that the phish was not successful because the malicious domain was already sinkholed (blocked),” Jolly said.
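One way the fact-finding Jolly describes could be carried out over log data, as an added example that is not from the article or from Syncurity: the domain, sinkhole address, user names and log lines are constructed placeholders, and the key=value log layout is an assumption.

```python
import re

# Constructed placeholders (not real indicators): the lure's domain and the
# sinkhole address it resolves to once it has been blocked.
PHISH_DOMAIN = "login-update.example.net"
SINKHOLE_IPS = {"192.0.2.10"}

# Constructed mail-gateway log: who received the lure.
MAIL_LOG = [
    "2024-05-01T08:00:01 to=alice@corp.example subject='Password expiry'",
    "2024-05-01T08:00:02 to=bob@corp.example subject='Password expiry'",
    "2024-05-01T08:00:03 to=carol@corp.example subject='Password expiry'",
]

# Constructed proxy log: user, destination host, resolved address, bytes sent.
PROXY_LOG = [
    "2024-05-01T08:05:10 user=alice dst=login-update.example.net ip=192.0.2.10 sent=0",
    "2024-05-01T08:07:42 user=bob dst=login-update.example.net ip=203.0.113.7 sent=412",
    "2024-05-01T08:09:00 user=alice dst=intranet.corp.example ip=10.0.0.5 sent=100",
]


def parse_kv(line):
    """Turn the key=value tokens of one log line into a dict."""
    return dict(re.findall(r"(\w+)=('[^']*'|\S+)", line))


def triage(mail_log, proxy_log, phish_domain, sinkhole_ips):
    """Reconstruct who received the lure, who clicked, whose click was absorbed
    by the sinkhole, and who may have handed data to the live phishing host."""
    recipients = {parse_kv(l)["to"].split("@")[0] for l in mail_log}
    clicked, sinkholed, compromised = set(), set(), set()
    for line in proxy_log:
        f = parse_kv(line)
        if f["dst"] != phish_domain:
            continue
        clicked.add(f["user"])
        if f["ip"] in sinkhole_ips:
            sinkholed.add(f["user"])      # request never reached the attacker
        elif int(f["sent"]) > 0:
            compromised.add(f["user"])    # data went to the live phishing host
    return {
        "received": sorted(recipients),
        "clicked": sorted(clicked),
        "blocked_by_sinkhole": sorted(sinkholed),
        "possibly_compromised": sorted(compromised),
        "escalate": bool(compromised),    # the playbook's escalation trigger
    }


if __name__ == "__main__":
    for key, value in triage(MAIL_LOG, PROXY_LOG, PHISH_DOMAIN, SINKHOLE_IPS).items():
        print(f"{key}: {value}")
```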
In the event corporate intellectual property is stolen, either by an insider or by an external attacker, forensics helps establish a specific timeline and sequence of events that can be used by law enforcement to investigate or prosecute the attacker. “In this situation it is important that forensics are conducted in a manner that meets and demonstrates/preserves an evidentiary chain of custody,” he said.
One key element in this phishing scenario is that the company pre-planned the response and forensic processes to a phishing attack and instantiated them in an incident response platform so that they are repeatable, predictable and measurable, Jolly said.
The process includes appropriate escalations for different scenarios that are driven by who was phished, the value of what was or wasn't taken, and compliance with internal policies and external regulatory requirements, he said.
“The analysts and security team then simply follow the established playbook, conducting their analysis and simultaneously establishing a forensic record as they complete the response process,” Jolly added. “Companies need predictable and repeatable response because it saves time, money, and lessens the impact of attacks by stopping the inevitable sooner.”
The companies also benefit from establishing a process and making it auditable; this enables them to measure the process and improve it over time, and also to establish to both internal stakeholders and external regulatory authorities that they are using best practices and exercising an appropriate standard of care, he said.
When asked what computer forensics will look like in the future, Demirjian said it will no longer exist in its current form. “It will become much more focused on prevention. It will change in the way data recovery has evolved. Once people started to lose their data, they started using remote back-up to prevent it. The same thing will occur with forensics. Companies will put into place forensic applications so that if something happens, they have the data and the ability to track what happened. They will no longer need to preserve the hardware.”