With acceptance that unauthorised incursions, hacks and compromises of corporate and personal systems are now to be expected, it makes good sense to put in place mechanisms with which the organisation can respond to such events as and when they are encountered. It is this awareness which is driving many reputable organisations to seek robust and pragmatic solutions to support such a reactive profile. To date, in a high number of instances, the overarching objective when engaging with cyber-attacks has been a keeping-the-lights-on approach, where maintaining operational status has been key. However, as many have discovered to their cost, failing to deal directly with adverse events does not necessarily eradicate the root exposure, and can lead to ongoing and unidentified internal security breaches, which in some cases have been known to expose PLCs’ assets to compromise over extended periods of up to, and beyond, 12 months. As a responsible organisation, there is also the necessity to understand and comply with the obligations of any standards which may be applicable, or which have been signed up to as a matter of certified status; for example PCI-DSS, the expectations of the Data Protection Act (UK) and ISO/IEC 27001, all of which assert that certain mechanisms must be in place. For instance, under PCI-DSS there is an obligation to:
1. ‘Implement an incident response plan to respond immediately to a system breach’
2. ‘Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider’
Whilst under ISO/IEC 27001 (A.13.2.1), there is a stipulation that:
1. ‘Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents’
It has, however, been observed on multiple occasions that incident response is an area in which many organisations are lacking in their operational capabilities, but it is now gathering interest in many reputable organisations who are seeking to close this open wound with pragmatic and robust solutions. To further qualify the interest in digital forensics, it is noteworthy that the respected, Royal Chartered Society of Forensic Sciences has also adopted and evolved its areas of scientific interest to encompass digital forensics, joining its wide portfolio of disciplines including ballistics, fluids and other speciality areas of forensic scientific support for the investigative landscape. Of all the components of the incident response lifecycle, it is the element of digital/cyber forensics which seems to represent the highest wall to climb. But this is not necessarily the case: with the correct approach, it is possible to deploy adequate mechanisms and solutions to provide a desired and pragmatic level of incident/event support, which does not have to represent a significant investment for the business. For instance, start the security mission by agreeing the levels at which the internal organisation will have the capability to engage, and where there is a need to hand off to another party because the complexity of the activities exceeds the internal skill-set. It is also essential to have a recognised team, be it physical or virtual, with established roles, responsibilities and capabilities to meet the operational expectations. International organisations may also leverage the virtual-team approach of follow-the-sun incident management, which can bring 24-hour coverage and continuity to the activity.
Of course, there will be a need to equip the incumbent team with an adequate level of technological resource to underpin operations, which may be provisioned by open source and zero-cost solutions, such as the Magnet Forensics RAM acquisition tool, through to professional solutions like AccessData’s FTK toolset. However, the most critical component of the Digital Forensics mission is to remember that ‘Process-is-King’, to assure that the validity of the outcome is robust and, where required, admissible in a court of law. It is equally important to have awareness of the applicable local and international laws which may, by implication, concern the operation. For instance, if working in, or outsourcing to, India, an appreciation of the Indian Technology Act 2000 (ITA2000) is important, as it carries some explicit expectations. When working in areas like North America, an understanding of the applicable disclosure laws can be essential. In the UK/EU, knowledge of the area of Child Abuse Images under COPINE (Combating Paedophile Information Networks in Europe) and The Protection of Children Act 1978 (PCA 1978) provides awareness of the legal constituents and implications of any acquired, and potentially illegal, images, and of the associated handling and reporting obligations. Neil Hare-Brown, CEO at STORM Guidance, commented:
“When a security breach is suspected it is absolutely vital that digital evidence be properly preserved and analysed by skilled digital forensic specialists. All too often I have seen organisations fail to pay attention to proper forensic process, only to regret it later when giving evidence in a previously unexpected employment tribunal, civil or criminal court. Always be prepared!”
Mirroring Neil Hare-Brown’s observations, many professionals will concur that if a business is seeking to deploy an internal digital forensics capability, there must be an acceptance that the capability will be a tight fit, and a recognition of the importance of process-orientated, Disciplined Security, which goes well beyond ticking boxes. There are basically six areas which should be in place to accommodate a digital forensics operation, and they are:
- Timely response engagement
- Practice Contemporaneous documentation and notes
- Assure engagements follow an agreed Process
- Conduct all investigations in a manner which is Legal
- Always be Consistent
- Recognise the limitations
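The article leaves the mechanics of ‘contemporaneous documentation’ and ‘an agreed Process’ to the reader. The following is an added illustration, not code from the article or from any tool it names, of how an internal team can make both checkable after the fact. It assumes two things the article does not state: that each acquired artefact is fingerprinted with SHA-256, and that the team’s notes are kept as an append-only log in which every entry commits to the digest of the entry before it, so that an altered or deleted note is detectable. All sample data (the stand-in memory image, host name and analyst names) is constructed.

```python
"""Added example: evidence fingerprinting and a hash-chained contemporaneous log.

Assumptions (not from the article): SHA-256 for artefact fingerprints; an
append-only log where each entry includes the previous entry's digest.
All sample data below is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-digest value for the first entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an acquired artefact (e.g. a memory or disk image)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log of who did what to which evidence, and when.

    Each entry's digest covers the entry body and the previous entry's digest,
    so editing, reordering or removing an earlier note breaks verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the digest does not depend on key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, evidence_sha256: str,
               note: str, when: datetime) -> dict:
        prev = self.entries[-1]["entry_sha256"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),  # recorded at the time of the action
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "prev_entry_sha256": prev,
        }
        entry = dict(body, entry_sha256=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and the chain is unbroken."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            if body.get("seq") != i or body.get("prev_entry_sha256") != prev:
                return False
            if self._digest(body) != entry["entry_sha256"]:
                return False
            prev = entry["entry_sha256"]
        return True


def run_acquisition_demo():
    """Constructed walk-through: acquire, then re-verify a working copy."""
    # Constructed stand-in for a RAM image taken from a host called host-x.
    image = b"\x00" * 16 + b"constructed-memory-image-sample" + b"\xff" * 16
    acquired_hash = sha256_hex(image)

    log = CustodyLog()
    t0 = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    log.record("analyst-a", "acquire", acquired_hash,
               "RAM image acquired from host-x (constructed sample)", t0)

    # Before analysis, the working copy must hash to the acquisition value.
    working_copy = bytes(image)
    copy_hash = sha256_hex(working_copy)
    matches = copy_hash == acquired_hash
    log.record("analyst-b", "verify", copy_hash,
               "working copy matches acquisition hash" if matches
               else "MISMATCH: working copy differs from acquisition",
               datetime(2015, 6, 1, 9, 30, tzinfo=timezone.utc))
    return log, matches


if __name__ == "__main__":
    log, ok = run_acquisition_demo()
    print("working copy intact:", ok, "| log chain intact:", log.verify())
    for e in log.entries:
        print(e["seq"], e["timestamp"], e["actor"], e["action"], e["evidence_sha256"][:12])
```

Run the file as-is to see the two-entry log; to see why the chain matters, change the note of the first entry after the fact and call `verify()` again. The design choice worth noting is that the timestamp is written into the entry when the action is taken, and the digest is taken over the whole body, so a later ‘tidy-up’ of a note is exactly what becomes visible.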
Accommodating a Digital Forensics capability internal to the organisation can bring many benefits to the business, and can provide a high level of assurance when an event is in flight. However, as many have found to their cost, attempting to construct such a capability mid-event simply doesn’t work. Keep in mind the ‘5 Ps’: Prior Planning Prevents Poor Performance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.