By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.
Physical vs. digital forensics
Modern forensics is generally practiced in two places: law enforcement and corporate security/IT departments. While physical forensics (fingerprints, bullet trajectories, DNA testing, etc.) is often relevant with law enforcement, it is typically not a major factor in corporate security departments. However, its virtual sibling digital forensics is incredibly important to both constituencies.
With law enforcement, digital forensics has become more commonplace as more crime moves online, and increasingly relevant even with “offline crime” to help corroborate physical evidence and support key elements of a prosecution, like a criminal’s intent, location, or state of mind. Being able to definitively prove that someone did (or failed to do) something is the key goal, with process integrity (e.g. chain of custody) paramount.
In corporate security departments, digital forensics seeks to answer somewhat different questions than where the malware came from and how it got here. What’s more relevant is determining where the bad guys went, what they did, and what they took after they hacked into the network in the first place. The goal is to understand the details of what happened — when, how, and why — to prevent a similar intrusion in the future. (The “who” question is typically less important beyond identifying what type of actor/activity was likely involved, e.g. eastern European crime syndicate vs. state-sponsored espionage.)
But whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult — especially at the endpoint. Challenges in either case include accessibility of systems and data on them (e.g. cellphones), latency when pulling data from a system remotely, erroneously tipping off a user that their system is being accessed, myriad formats and devices, languages, and synthesizing data from multiple sources — to name just a few. This is where corporate security departments enjoy the benefits of decades of laborious work by law enforcement and vendors that supply them with tools: no matter how challenging a scenario may be, law enforcement has seen and handled it before, often with a higher degree of difficulty.
The criticality of rock-solid forensic tool sets becomes even more important when looking at the velocity, volume, and variety of data corporate security departments must sift through on a daily basis. Most large security teams see thousands or tens of thousands of alerts every day. Whether proactively hunting for threats on endpoints, validating alerts from a next-gen firewall, integrating threat intelligence, or correlating log data, network traffic, and endpoint artifacts in a SIEM, forensics is everywhere in today’s IR.
You don’t have to be a fan of Robert De Niro movies to understand how important forensics is to arson investigations… and IR. Just like De Niro’s character in Backdraft, today’s IR practitioner must rely on proven forensics tools in order to nab the bad guy.
Source: Information Week