Chapter 17


Although we are covering them in one chapter, forensics activities and post-mortem activities for cyber incidents are entirely different. We’re going to repeat a passage from the introduction to Chapter 14: while it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident, and that may send you all the way back to the containment phase.

Bill draws the distinction between forensics for law enforcement and what an organization might do for internal investigative value. Depending on your industry and the specific details of a breach, preserving evidence may be essential. Regardless of your organization’s desire to use the courts, regulatory and contractual obligations may force you to preserve evidence and establish the chain of custody. Bill goes on to discuss how to incorporate post-mortem reviews into your process for continual improvement.

Matt helps the reader prepare for forensic activities, including working with your legal team, law enforcement, suppliers and anyone else who will need to know in advance what actions they can and cannot take and what assets, physical and digital, need to be sequestered. He then reviews the lifecycle of forensic analysis so that the organization can be prepared to conduct such an analysis by pulling together the right combination of internal and external resources.

Gary begins his discussion with a review of forensics methods that apply to all layers of the stack, including the network, system, software, mobile, and IoT. He then guides the reader through the decision-making process and the requirements for both building a forensics capability in-house, including a build-out of the lab, and staffing a forensics team. The caution to the reader is that this can be expensive, and the needs change continually, so be prepared for an ongoing investment.

Some of the questions the authors used to frame their thoughts for this chapter include:

· What is digital forensics and what value does it bring to the business?
· What resources are required to develop a digital forensics lab and should the CISO build one?
· What roles and resources are needed to field a digital forensics team?


Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.