How to set up a successful digital forensics program

The time to set up a digital forensics program is before you have a breach. Here are the decisions you need to make.

computer forensics
Thinkstock

IT and security managers have found themselves needing to better understand the world of digital forensics, defined as the ability to track down the source of a network intrusion, an exploit such as ransomware, or some other incident where an unauthorized person has accessed a network to steal data or do other damage. Digital forensics combines a variety of skills, including a “CSI”-type investigator who has a background in law enforcement or at least an understanding of what is involved in collecting and preserving evidence that could end up in a courtroom as part of a lawsuit or criminal complaint.

This evidence could support further legal discovery efforts as part of a regulatory compliance violation. The goal of digital forensics is to examine a breach and produce the necessary documentation about what happened, along with stopping cyberattacks and cyber-based fraud.

Digital forensics has become more important as the probability of being breached continues to approach near certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.

“It isn’t like the TV show CSI,” said Davin Teo at his 2015 TedX speech in Hong Kong. Teo is a digital investigator and forensics consultant. “Things don’t usually get solved in neat one-hour time slots.” Teo has been active in this field since 2000. “Back then, there weren’t any courses to study and we were excited just to have digital cameras.” Both the tools and the threats have certainly become more sophisticated since then. For example, he now investigates anonymous death threats via email and fraudulent financial transactions.

Digital forensics, incident response (DFIR) combines many security tools and approaches, including being able to reverse-engineer malware, discover malicious files and search computer memory and digital documents for infections and threats. These tools come in handy both before and after a breach, and they could include endpoint detection and response (EDR), security information and event management (SIEM), log analyzers, threat intelligence databases, penetration and application testing tools, firewalls and intrusion detection products.

Often, digital forensics is combined with incident response situations, although the two are different sides to the same coin: “The former is when a building is burning down, the latter is when a detective tries to figure out who started the fire,” says Brett Shavers, a long-time forensic analyst.

These analysts have to understand nuances. “You have to be both covert and discrete,” Teo said in his talk.

These are the decisions you will need to make to implement a successful digital forensics program.

Start your digital forensics program at the right time

Forensic analysts are usually hired either prior to a breach on a retainer basis or quickly after the breach to remediate and find its root causes. Timing is everything, because the delay in setting up a corporate purchase order and approving a forensic vendor could be critical, and it risks missing key evidence to catch the culprit. “You have to get the right information before an attacker starts cleaning up after themselves,” says Josh Zelonis, an analyst with Forrester who has written numerous reports on forensics.  

“I have been surprised that many companies simply don’t respond fast enough in dealing with an intrusion,” says James Trainor, a senior vice president of Aon Cyber Solutions in New York City. Trainor retired in 2016 as the assistant director of the FBI’s Cyber Division. The faster the response and the more transparent a company is with disclosing its breach and sharing information about the exploit, the better the eventual outcomes. “It is the companies who do the opposite (who are slow to respond and don’t collaborate) that end up causing more damage to their company, their customers, and their reputations,” he says.

Understand the local legal consequences of a breach

This often involves hiring consultants who are familiar with these laws. “It isn’t about being able to prosecute somebody but dealing with other litigation that could result from shareholder lawsuits or governmental agencies,” says Zelonis. “You have 50 attorneys general in each state trying to demonstrate how tough they are on organizations that leak data.”

This has become more sensitive, particularly as the EU’s General Data Protection Regulations (GDPR) were enacted earlier this year. “In the EU, you need to have local counsel if you are going to establish the appropriate attorney/client privilege,” he says.

Part of understanding these local legal requirements is that post-breach notification windows have become compressed with recent regulations. The EU has a 72-hour reporting window, meaning that a company that experiences a breach needs to notify regulators within that time period or risk fines. That could be an issue, particularly for those enterprises that don’t know if they have been breached until months later. California also has very specific requirements for its notification.

Properly prepare your breach response team ahead of time

Your playbooks and workflows should be tested and proven before a breach happens. “If your own team is arguing who gets to do what, you aren’t going to be able to respond effectively,” says Zelonis.

Part of this process is adopting red team tools and using various tabletop simulation exercises “so that companies can walk through the steps involved in any post-breach response and work out the kinks,” says Max Dziak, manager of development security operations at St. Louis-based security consultancy NTP. “You want to be able to understand the various roles and responsibilities and be able to streamline your response. It could be as simple as reviewing a few scenarios and getting agreement from all the key stakeholders as to where your data lies and who handles what during a critical incident.”

Consider whether to have a retainer in place ahead of time

“Retainers are essential to breach response, and having an incident response retainer in place is a best practice to ensure a timely and efficient response” said Zelonis in his Forrester report, Planning for Failure, How to Survive a Breach. They found that 58 percent of enterprises surveyed have current retainers in place, and another 17 percent are planning to have one in the next year. The report suggests the necessary metrics to evaluate a potential supplier, including developing implementation road maps, understanding your business requirements, and choosing the right threat response and prevention products.

Collaborate with all post-breach stakeholders

The best circumstances are when IT, legal and HR department are all involved in crafting a digital forensics plan, since all three will play important roles in a post-breach recovery. “When I worked at Rolls-Royce, I needed HR to help acquire the devices, IT to follow processes (like making sure the device remains on to preserve volatile evidence), and for legal to help drive the investigation,” says Curtis Brazzell, a managing security consultant for Pondurance, based in Indianapolis.

Part of this collaboration is the understanding that your legal team is an important part of this activity and not an obstacle. “The lawyers are the ones who will eventually save your butt,” says Zelonis. Dziak suggests another reason for hiring the right legal talent: This is where you will need a licensed private investigator who can understand the appropriate chain of custody requirements, along with local laws.

Evaluate and choose an EDR product

For some enterprises, the best time to evaluate your pre-breach posture is when considering a new EDR product.  Some EDR vendors include a zero-dollar retainer if you purchase their products. This makes sense, because then you have a contractual vehicle in place before any breach happens. Others use managed service providers for their breach response. Then they suggest the EDR tool that is then used as part of an investigation. This can be rolled out later as a permanent solution if a company is looking to update its endpoint protection.

Educate your team on the available digital forensics tools

The number of forensic tools is staggeringly huge. Shavers’ website lists hundreds of them, for example. SANS also has developed an open-source forensics workstation called SANS Investigative Forensics Toolkit. This paper describes how to install various tools on Windows 10 in a very detailed sequence of steps. Make sure your IT team understands the basics of evidence preservation and custody requirements with these tools.

Understand your digital forensics training requirements

A good place to start is the SANS website linked above, which lists fee-based courses leading toward various certifications and numerous fact sheets on a wide variety of topics. “The SANS program is great. I’ve obtained three certifications from them over the years,” says Trainor. “Continuous education is very important for IT professionals that need to stay current with the latest technologies and threats.

Many of the SANS instructors are very active in the forensics community and come from a practitioner perspective. Shavers suggest that you carefully evaluate your training needs before selecting a course, especially ones that requires a fee. “Don’t jump in before you know exactly what you are going to learn from the class,” he warns. “I have wasted money in the past signing up for the wrong class.”

There is also no lack of reading materials on the topic. Here are a few recommendations:

  • Forrester has the best series of comparative reports on various forensics and incident response enterprise tools, including their Wave report on Digital Forensics which evaluates a dozen different tools and where the top vendor was PwC. They also have reports which provide suggestions on building the best security architecture and playbooks to help with planning for the eventual breach.
  • Finally, a new book from Professor Josephine Wolff at Rochester Institute of Technology called You'll See This Message When It Is Too Late is worth ordering from Amazon. While there are plenty of other infosec books on the market, to my knowledge this is first systematic analysis of different data breaches over the past decade. She reviews a total of nine major data breaches of the recent past and dissects why they happened and how they could have been prevented.

Copyright © 2018 IDG Communications, Inc.

8 pitfalls that undermine security program success