Why you need a digital forensics team (and the skills to look for)

In a world where enterprises are embracing the fact that breaches are not a matter of ‘if, but when,’ it is becoming increasingly important to develop internal and external resources to investigate and oversee the impact of attacks after they have happened.

Digital forensics is a relatively recent skills concentration—one that does not necessarily require the same talents, expertise or background as other cybersecurity positions. And while more enterprises are recognizing that they need such talent on the back-end, as it were, there are still holdouts that are entirely focused on detection and prevention, to their detriment.

“I think this is actually a misconception [that] organizations do not necessarily need to build out digital forensics teams in-house,” says Sean Mason, director of incident response for Cisco Security Services, adding that Cisco is building out its ownforensic capability via its incident response services team. A key problem, Mason says, is “there is not enough talent to go around and, generally speaking, most organizations don’t have enough demand to require a full-time team on staff.”

Munish Walther-Puri, chief research officer at dark web monitoring company Terbium Labs, points out that digital forensics requires a combination of “investigation, intelligence, and innovation.”

Digital forensics teams are a complement to any IT team “because they figure out the who, when, when, where and why a bad actor came into the system, says Avani Desai, president of audit and accounting firm Schellman & Co. “They help paint a picture of the incident and provide guidance on how to mitigate the risk of that happening again.” The forensics teams also take past data and processes and builds upon it to make sure they have the tools to handle issues that are getting significantly tougher to solve, Desai adds.

Darien Kindlund, vice president of technology for Insight Engines, a provider of natural language search technology, points out that digital forensics is “an important pillar in any security operations team, in order to assess and understand tools, tactics, and procedures (TTPs) used by attackers to compromise a firm. That way, the firm can stop future breaches using these same TTPs by new attackers. A firm’s ability to understand how these attacks work is directly tied to how effective their digital forensics team is.”

Thinking differently for forensics

Digital forensics employees are often lumped in with cybersecurity personnel in general—but the skill set and expertise required is typically very different. Being part of the digital forensics team means working with a large subset of the organization, such as human resources, IT, legal, compliance and operations, according to Desai. “They need to have strong interpersonal skills, as tension is often high during an incident or breach response,” Desai says. “As with any highly analytical job, the forensics team must have high attention to detail, focus on a methodological approach and execution, and have a determined approach – no stone can go unturned.”   

In addition, digital forensics team members need to “understand the ever-evolving environment of cybersecurity and how changes and new malware will affect the systems, which means they have to have a keen desire to learn and adapt to changes,” Desai says.

Digital forensics may not be as flashy as other cybersecurity positions—it is an “unconventional” IT security job, according to Desai. “But the skills of analytical thinking, attention to detail, solving puzzles are exciting and the earlier exposure the easier it will be to have a pipeline in the next ten years.”

Walther-Puri agrees that the ideal digital forensics employee is “different than conventional IT talent, a digital forensics analyst must think in both a structured and non-linear fashion.” For example, he says, investigation is about being methodical, but at the same time, tracking a cybercriminal requires creativity. “Beyond thinking like the adversary, an analyst must be able to understand motivations and techniques with inspiration from criminology, economics, security, intelligence and psychology,” Walther-Puri says.

Mason says “forensicators,” as he calls them, are generally going to have more of an investigative mind than anything else. “Additionally, given the data they need to examine and interpret, these are individuals with both a very deep and very broad understanding of IT and related infrastructure,” he says. Similarly, Kindlund agrees that digital forensics teams need to “understand deep internals of every operating system (OS) and application supported at their firm. This is because attacker activity varies per target application and OS, and digital forensics teams need to extrapolate how identified activity may exist across the entire ecosystem of digital assets within a firm.”

Indeed, people with a more “procedural” background and bent are typically a better fit for digital forensics in their investigation process and the demand to collect and maintain evidence, according to Ron Schlecht, managing partner of BTB Security Consulting. “That’s what we’ve seen to be most successful,” Schlecht says, adding that these employees often come from a legal or law enforcement background, but still require technical training. The bottom line: They need to understand the “digital footprints we all leave behind, the aspects of a computer and how to pull it together,” he says.

Given the amount of collaboration the digital forensics team needs to conduct (externally and within the organization) with legal, compliance, law enforcement, IT and human resources, Desai points out that interpersonal skills and a broad understanding of these units is as important as the necessary technical skills commensurate with a digital breach investigation. “They need the ability to communicate in layman’s terms,” Desai says. “They need to communicate, they need to understand the chain of command, especially the legal aspect.”

But, with an existing shortfall of nearly 3 million people to fill cybersecurity positions, according to a recent ISC(2) study, filling the growing number of even more demanding digital forensics positions will be challenging for enterprises. The skills gap for digital forensics teams “mirrors the larger cybersecurity skills gap found across the world,” according to Kindlund. “Most firms focused on building great forensics teams foster these skills internally by hiring creative, technical thinkers and training staff to perform critical forensics skills among IT security personnel who are interested in learning more.”

The ongoing acute shortage of cybersecurity skills makes attracting and retaining cybersecurity professionals with digital forensics skills a challenge, says Doug Cahill, group director and senior analyst for the Enterprise Strategy Group, Inc. “Critical success factors for doing so go beyond compensation and include fostering a culture in which cybersecurity is a clear priority,” he adds. “The opportunity to continue to learn and expand one’s skill set, and access to advanced cybersecurity controls including endpoint detection and response controls are key.”

How to attract, retain and groom digital forensics professionals

1. Cross train employees in other areas. Exceptional thinkers in anti­-money laundering(AML) and compliance, creative corporate security analysts, and those who understand storytelling and statistics (audit, financial analysis, etc.) are all personas that can be trained in the skills required for digital forensics. Skills can be taught, while curiosity and creativity are much harder to impart.

2. Build a culture of diversity. If the mission and problem set attracts talent, culture is key to retention. Diversity — in background, experience, and skill set — will create a unique culture that people will think twice about leaving.

3. Develop roles around solving problems, not functions or titles. It’s easy to give someone a title or assign them to a function, but the types of people that will fill those roles are apt to get bored or feel constrained. To develop personnel (both horizontally and vertically), shape the roles around the type of problem and scope (e.g., tactical/operational, investigative/analytical, reporting/service delivery). People will continue to grow and groom colleagues/junior team members if they can envision a trajectory for themselves.