Introduction

Although we are covering them in one chapter, forensics activities and post-mortem activities for cyber incidents are entirely different. We’re going to repeat a passage from the introduction to Chapter 14: while it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends, and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident and that may send you all the way back to the containment phase.

Bill draws the distinction between forensics for law enforcement versus what an organization might do for internal investigative value. Depending on your industry and the specific details of a breach, preserving evidence may be essential. Regardless of your organization’s desire to use the courts, regulatory and contractual obligations may force you to preserve evidence and establish the chain of custody. Bill goes on to discuss how to incorporate post-mortem reviews into your process for continual improvement.

Matt helps the reader prepare for forensic activities, including working with your legal team, law enforcement, suppliers and anyone else who will need to know in advance what actions they can and cannot take and what assets, physical and digital, need to be sequestered. He then reviews the lifecycle of forensic analysis so that the organization can be prepared to conduct such an analysis by pulling together the right combination of internal and external resources.

Gary begins his discussion with a review of forensics methods that apply to all layers of the stack, including the network, system, software, mobile, and IoT. He then guides the reader through the decision-making process and the requirements for both building a forensics capability in-house, including a build-out of the lab, and staffing a forensics team. The caution to the reader is that this can be expensive, and the needs change continually, so be prepared for an ongoing investment.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is digital forensics and what value does it bring to the business?

♦  What resources are required to develop a digital forensics lab and should the CISO build one?

♦  What roles and resources are needed to field a digital forensics team?

Planning for Forensic Investigations – Stamper

Unless your organization and your security team are quite large, it’s unlikely that you will have dedicated expertise and resources available to facilitate forensic investigations of security-related matters, notably breaches. Nevertheless, there will be scenarios where having access to forensic capabilities will be necessary. Similar to the incident and breach responses, planning for forensic analysis in advance should be an essential priority associated with the CISO’s security program, even for smaller organizations. Let’s take a look at some of the core planning required to prepare you for when a forensic analysis is needed.

Why do we need forensic capabilities as part of our overall security program? There are two principal reasons. First, forensics supports legal claims and actions. Essentially, we use forensic analysis to determine if a crime has been committed and, ideally, determine attribution and present evidence that is legally admissible to support our claim in a court of law. This analysis can be required when there are disputes related to intellectual property, rogue employees, or corporate espionage. Another reason we might need forensic analysis is simply the matter of determining what took place and how – documenting “packet truth.” Forensics provides a great set of capabilities to evaluate the “history” of our environment (what took place at each stage or phase of the kill chain) and how actors who were not authorized made changes to that environment.

While there is overlap between these two capabilities, there are certain conditions precedent that need to be defined. If a forensic analysis is going to be used to support legal proceedings (that is, if it must be legally defensible), the activities must be legally authorized. Few things are worse than having evidence of a crime that would corroborate your case only to have the evidence determined to be not legally admissible because the forensic analysis was not appropriately authorized, or the chain of custody did not offer the right assurance. To ensure proper chain of custody practices, you need to plan how you will handle forensic evidence (more on this below).

Preparing for a Forensic Analysis

When preparing for forensic analysis, make sure that you speak with your legal counsel and outline some of the scenarios where forensic analysis would be valuable. As discussed in Chapter 15, we should anticipate certain types of incidents. Revisit the list of potential incidents that you have planned for and determine what kind of forensic analysis to use in these scenarios. Recognize that just like threats and risks, evidence can come from many potential sources.

Evidence can be left behind by perpetrators outside of your organization (such as APTs, criminal elements, corporate espionage, state-sponsored actors, in-laws, among other unsavory actors). It can originate from inside the organization (for example, disgruntled and rogue employees). And it can come from your supplier and vendor ecosystem (this could include third-party service providers, “vetted” independent contractors, and the manufacturers and suppliers of systems, software, and hardware used in your environment). Anticipate needing to collect evidence outside of your “four walls,” and plan how you will get it. Further, with the advent of connecting more operational technology (IoT, ICS, and SCADA) to our networks, it’s important not to overlook these systems as potential sources of evidence.

Once you’ve evaluated these potential sources, coordinate a discussion with legal counsel to understand the repercussions of gathering evidence from these sources. Work out a process that is consistent with your organization’s priorities (e.g., attribution and prosecution when cases arise or – potentially in conflict with those two items – the restoration of services). For scenarios that involve the collection of evidence used to determine if there was a rogue insider involved, engage both human resources and legal counsel in this process.

While in the United States there are limited expectations of privacy in the workplace, we cannot say the same for organizations that operate outside of the U.S. As a case in point, privacy in the workplace in a European context is expected by employees and legally enforced. Knowing what can and cannot be collected in support of an investigation in advance is critical. Where legal privacy protections preclude the systematic collection of evidence, you’ll need to look at alternative approaches such as user analytics that anonymize activity, which can subsequently be unmasked with appropriate legal justification (e.g., a search warrant).

Equally important, the collection of evidence needs to be legally authorized. This authorization requires that practices are consistent with applicable laws and regulations. In the United States, Federal Rules of Evidence govern this process. Changes as recent as December 2017 to section 902, subsection 14 (902(14)) reflect the evolving nature of digital forensics and are focused on streamlining the admissibility of electronic evidence by standardizing certain practices and expectations.

Specifically, the rule recognizes the use of a hash value to determine the integrity of forensic evidence (essentially a presumption of authenticity). Documented and strong chain-of-custody practices should be front and center in your forensics program. Bottom line, CISOs should proactively work with their legal counsel to pre-validate evidence collection procedures in a manner consistent with the organization’s objectives, priorities, and legal requirements.
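The following is an added example, not part of the chapter, illustrating the two practices just described: recording a hash value for an evidence item at acquisition and keeping a chain-of-custody log that every later handler appends to, so that the current hash can be checked against the acquisition hash before the item is relied on. The evidence file, handler names and log format (one JSON object per line) are constructed for the example; real programs will follow whatever procedure legal counsel has pre-validated.

```python
"""Evidence integrity hashing and chain-of-custody logging (added example).

Assumptions (not from the chapter): evidence items are files on disk, the
custody log is a JSON-lines file, and the first log entry for an item is
its acquisition record, whose hash is the reference value.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large images do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log_path, evidence_path, action, handler, note=""):
    """Append one custody entry (who, what, when, and the item's current hash) to the log."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "action": action,
        "handler": handler,
        "sha256": hash_file(evidence_path),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(log_path, evidence_path):
    """Compare the item's current hash with its acquisition hash.

    Returns (matches, acquisition_hash, current_hash); acquisition_hash is
    None when the log has no entry for the item.
    """
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    name = os.path.basename(evidence_path)
    acquisition = next((e for e in entries if e["evidence"] == name), None)
    current = hash_file(evidence_path)
    if acquisition is None:
        return False, None, current
    return current == acquisition["sha256"], acquisition["sha256"], current


def demo():
    """Constructed walk-through: acquire, hand off, verify, then detect an alteration."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk-image.bin")   # constructed sample item
    log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence bytes\n" * 1000)

    # Acquisition hash is recorded first; each hand-off re-hashes and appends.
    record_custody_event(log, evidence, "acquired", "analyst-1", "imaged from workstation")
    record_custody_event(log, evidence, "transferred", "analyst-2", "handed to legal")
    ok_before, _, _ = verify_against_log(log, evidence)

    # Simulate a single-byte change to the item after acquisition.
    with open(evidence, "r+b") as f:
        f.seek(0)
        f.write(b"C")
    ok_after, _, _ = verify_against_log(log, evidence)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False): intact after hand-off, mismatch after alteration
```

The point of re-hashing at every hand-off is that the log itself shows each custodian received the same bytes the previous one released; a mismatch at any step localizes where the break in custody occurred rather than merely that one exists.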

As noted above, it’s important that your forensics program is also used to determine the fact pattern of incidents where the end game is not attribution and legal proceedings but rather improvements to the security practices and architecture of the firm. Under these circumstances, forensic analysis is used to make internal improvements to the security program and reduce the risk of a similar issue taking place in the future.

Beyond collaborating proactively with legal counsel and HR, a good investment in your forensic preparation would be to meet with your local FBI office or your local sheriff’s or police department’s cybercrimes units to validate their requirements when they are working a case. Learn what they would need from your organization. Many law enforcement cybercrime teams are real experts in forensic analysis and have learned to investigate many technically-distinct scenarios – frequently with open source tools, given their budget challenges.

While they are certainly not attorneys, you may also gain some insights from them around what you can and cannot obtain without authorization. In meeting with your local or regional law enforcement cyber teams, you may also learn more about the tricks of the trade and develop some valuable relationships with the agents and teams that may be called upon when you have a case. It’s better to establish these relationships sooner rather than later, so be proactive.

Matt Stamper