A Needle in a Haystack – Why Your Organization Needs Digital Forensics

If you’re a computer security professional, the question is always there – lurking in the background: Is your security perimeter safe? 

Even if you have a strong security stance and you’re using a range of tools to keep out the cyber criminals – this may no longer be enough.  

As the approaches taken by intruders continue to evolve, many organizations find they require digital forensics (DF) to identify cyber security threats and thwart attacks. But what is DF, and how does it relate to other aspects of cyber security? 

Digital Forensics, Defined 

DF is an emerging discipline in cyber security, a proactive process that involves uncovering and interpreting electronic data. Frequently, data that is obtained is used in a court of law, though DF is also utilized in the private sector. 

DF preserves evidence in its most original form while performing a structured investigation collecting, identifying, and validating information for the purpose of reconstructing past events.  

Typically, DF involves four steps: acquisition, recovery (including creating working copies), analysis, and presentation. As defined by NIST’s Guide to Integrating Forensic Techniques into Incident Response, this applies to the following categories of data sources: files, operating systems, applications, and network traffic. 

Keeping Ahead of the Game  

DF identifies suspicious activity and determines whether an attack has taken place that bypassed the security products that you installed.  

Advanced attacks may bypass security products by identifying the rules they run by and figuring out how to sidestep them. Or, an attack may utilize encryption or sandbox evasion to avoid being noticed.  

In this, DF differs significantly from the world of alert management – where the starting point is generally the review of alerts coming through an EDR (endpoint detection and response) tool, then determining an appropriate response. (For more insight regarding the alert management lifecycle, click here.) 

The Challenge – Obtaining Original, Accurate, Repeatable Data 

A fundamental goal in the field of DF is ensuring that evidence is forensically sound – something that isn’t as easy as it may seem. Threat intelligence analysts must identify ways of duplicating or preserving evidence while ensuring the process itself has not inherently changed the data. The data must be in its most original form. As pointed out in this piece by Blaine Stephens of interworks, without integrity, evidence loses its value and admissibility in a court of law. 

Likewise, data needs accurate time stamps. An accurate timeline demonstrates who did what, and when; but in digital data, time stamps may be absent  and where they exist, they can be spoofed. Reconstructing the timeline is complex – in fact, the process is complex enough to require application of machine learning techniques. 

Repeatability is another challenge. To be able to state conclusively that Action A caused Result B, the concept of repeatability must be introduced – something that is difficult to obtain. 

And because this is an emerging field, there are no agreed standards. There are very few researchers  and each threat hunter is working in an independent fashion.  

This last issue is compounded by the sheer volume of vendors, devices, software, and protocols in the industry, which creates a large amount of data that must assessed  and means the investigative process is inherently complicated. 

Last but not least is the challenge of finding the right people for this work. Bottom line: DF expertise is hard to come by. A general shortage of cyber security talent plagues businesses nationwide – and, according to a recent report by CyberSeek, the problem is intensifying as the demand for cyber security workers is increasing continuously across the United States (and in other regions the situation is often more acute). In fact, there were 301,873 cyber security job openings in the private and public sectors between April 2017 and March 2018, including 13,610 public sector openings. As a result, organizations may want to consider turning to MSSPs (Managed Security Service Providers) to provide the necessary expertise rather than looking for a cyber threat intelligence expert to maintain in-house. 

Working Effectively with DF within Your Organization 

As the need for DF continues to grow, organizations need to find ways to integrate it into the organizational work process.  

As pointed out by NIST (see page ES-2 of their report, Guide to Integrating Forensic Techniques into Incident Response), organizations must define policies addressing major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting reviews of forensic procedures.  

Likewise, organizations should maintain guidelines for forensic tasks that consider both the organization’s policies and other applicable laws and regulations, while supporting appropriate use of forensic tools. 

On the departmental level, IT and cyber security teams need to be prepped to participate in forensic activities. This is challenging, as IT groups notoriously are overworked and often are reticent about participating in DF-related activities. 

Finally, digital forensic investigators need the full support of C-level management – particularly, for forensic actions that may have an impact on the organization’s operations, such as affecting mission-critical systems. 

CyberProof’s Next-Gen SOC  a Use Case 

The highly experienced cyber threat intelligence investigators & analysts that work in CyberProof’s security automation and orchestration platform provide in-depth analysis of malware and forensics. The defined process for DF followed by CyberProof’s team begins when an alert is triggered in the SOC’s platform and escalated to Tier 3 teams or higher 

If the alert is identified (by automated or manual investigation), an incident is created and tagged with a severity level – according to Playbook procedures. If the incident requires deep investigation it will quickly be escalated and assigned to Tier 3-4 team members, such as the DF analyst. 

At this stage, a request for data duplication is triggered. Requests are submitted for data, including .pcap files, FTK images, AccessData images, Autopsy output, etc.  

The DF analysts go through the different files and data, looking for evidence. When evidence is uncovered, they go through a process of validation. 

Once the evidence has been validated, the incident is updated in CyberProof's threat intelligence platform. Where required, the incident continues to be investigated by the SOC team members or is closed and a report issued for the client. 

Each & every step is backed by a chain of custody procedure in accordance with the relevant local applicable laws.   

What’s Next? Digital Forensics Best Practices  

Despite the lack of industry standards, a clear set of DF best practises should be followed. As the field of DF continues to expand and become more critical in cyber security operations, CISOs and CIOs can sidestep trouble and optimize the time invested by threat hunters by adopting these best practices: 

  • Time stamps: Synchronize times on all servers to avoid trouble later; with accurate time stamps, you can develop accurate timelines and use material in court. 
  • Log retention: Special attention must be made to define the right level of log retention and other key information to enable digital forensics. One of the major challenges when setting up cyber defense is making sure the data required for forensics is available (and correctly archived). 
  • Imaging software: Become more familiar with imaging software so you can make duplications of data at the endpoint and on mobile devices. 
  • MDM: Investigate options for MDM (mobile device management), which increases security and awareness and helps organizations better handle the challenges of mobile devices. 
  • Open-source: Look into open-source forensic products including Autopsy, Sleuth kit, and FTK.