Incident Response and Computer Network Forensics
Introduction to Incident Response and Computer Network Forensics
Even in the best-managed, best-secured corporate entities, breaches are inevitable. It is helpful to get past the lens of preventing all breaches, or wondering if a breach will occur, into a frame that assumes a breach has already occurred or soon will. In fact, the idea of hunting threats in the existing environment is a modern best practice with entire teams devoted to the effort. This course made just this set of assumptions and helped the organization plan for and execute incident response (IR) plans when a breach is discovered. Students were challenged to perform tasks such as crafting incident response plans, looking over legal issues related to the IR and digital forensics fields, evaluating a range of forensics tools, and finally, completing a real-world exercise in data recovery and evidence presentation. The final presentation specifically involved using digital forensics software to understand a forensic image of a hard drive and interpret the results as an investigator would for potential court testimony. This course was challenging and interesting in that it provided a helpful blend of technical exposure and engagement with IR and forensics policy concepts. Both of these subjects will be helpful in future endeavors.
Reflection
The Incident Response (IR) and Cyber Forensics course was a challenging blend of technical and managerial topics that the cybersecurity leader must be familiar with to adequately respond to issues when they inevitably occur in the modern information technology environment. IR and forensics are areas where planning ahead, identifying tools, documenting processes, and training personnel must be done beforehand for the IR practice to be effective. This course taught the cybersecurity leader how to plan and prepare for these challenges.
One of the most interesting parts of this course was the spirited debate that occurred within the class over the analysis of a disk forensic image and preparation for the presentation of evidence. This exercise used The Sleuth Kit and Autopsy digital forensics software packages to perform primarily email and file analysis. Even within a relatively simple exercise (as compared with real-world investigations), results can be complex and controversial at times. Findings may need to be presented as evidence in a court of law by cybersecurity professionals acting as expert witnesses. Therefore, professionalism and currency of knowledge in the cyber forensics domain are of paramount importance to the organization.
The requirement for professionalism also extends into new technical arenas. IR is now more than ever focused on cloud and mobile evidence gathering, as this is currently where much of the computing occurs. Encryption now plays a much larger role as more and more devices are encrypted by default. In some cases, these devices are difficult for even law enforcement to collect evidence from. This underscores the rapidly changing forensics landscape away from relatively simpler PCs and laptops.
When leading an IR and forensics organization, analysts must be well prepared, well trained, and up to date on the latest collection, analysis, evidence storage, and chain-of-custody practices. A team that is lacking in training, pre-agreed processes, and escalation contacts is destined for failure in this practice area due to improper response, mishandling of evidence, or inability to clearly and succinctly present evidence to executives and in courtrooms.
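As an added illustration of the chain-of-custody and evidence-storage practice referred to above (this is example code written for this page, not material from the course, The Sleuth Kit, or Autopsy), the block below shows the minimal discipline a team agrees on in advance: hash each evidence item at acquisition, re-hash it on every hand-off, log each event against the acquisition hash, and refuse to treat a changed item as intact. The item identifier, custodian names, and the sample "image" bytes are all constructed for the example.

```python
"""Evidence integrity and chain-of-custody record keeping.

Added example (not from the course or the original page): each evidence
item is hashed at acquisition, every later transfer is re-hashed and
logged, and any hash mismatch is detected and recorded rather than
silently passed along. Evidence bytes, item IDs and custodian names are
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image" standing in for a real acquisition.
SAMPLE_IMAGE = b"\x00" * 512 + b"Sample evidence sector\n" + b"\xff" * 512


def hash_evidence(data: bytes, algo: str = "sha256") -> str:
    """Return the hex digest of an evidence item (taken before any analysis)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


class CustodyLog:
    """Append-only list of custody events tied to the acquisition hash."""

    def __init__(self, item_id: str, acquired_by: str, data: bytes):
        self.item_id = item_id
        self.acquisition_hash = hash_evidence(data)
        self.events = []
        self._record("acquired", acquired_by, self.acquisition_hash)

    def _record(self, action, custodian, digest, note=""):
        self.events.append({
            "item": self.item_id,
            "action": action,
            "custodian": custodian,
            "sha256": digest,
            "time": datetime.now(timezone.utc).isoformat(),
            "note": note,
        })

    def transfer(self, to_custodian: str, data: bytes) -> bool:
        """Re-hash on every hand-off; log an integrity failure if the item changed."""
        digest = hash_evidence(data)
        intact = digest == self.acquisition_hash
        self._record("transfer" if intact else "integrity_failure",
                     to_custodian, digest,
                     "" if intact else "hash differs from acquisition hash")
        return intact

    def export(self) -> str:
        """Serialize the log for inclusion in the case file."""
        return json.dumps(self.events, indent=2)


def verify_chain(log: CustodyLog) -> bool:
    """True only if every logged hash matches the acquisition hash."""
    return all(e["sha256"] == log.acquisition_hash for e in log.events)


if __name__ == "__main__":
    log = CustodyLog("IMG-001", "analyst_a", SAMPLE_IMAGE)
    print("hand-off ok:", log.transfer("analyst_b", SAMPLE_IMAGE))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"   # one byte changed in transit
    print("tampered hand-off ok:", log.transfer("analyst_c", tampered))
    print("chain intact:", verify_chain(log))
    print(log.export())
```

In practice the acquisition hash is recorded on the evidence form and in the case management system at the moment of imaging, and the same re-hash step is repeated whenever the item changes hands, is copied to storage, or is mounted for analysis, so that an expert witness can show an unbroken, verifiable chain from collection to courtroom.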
Although becoming a forensics expert is a lifelong process, this seven-week course is an immensely valuable on-ramp to leading and managing IR and forensics teams. Furthermore, this course broadens the cybersecurity manager's toolkit to be able to address and adequately prioritize these issues, which is an immense help to the organization.