Being able to determine how an intruder evaded security measures is something every organization should be concerned with. Companies spend millions of dollars on security, and when there's a breach, they need to determine how it occurred so they can isolate the current risk and use the insights to build additional defenses and improve the current security posture. Forensics play an essential role in developing and levergaing this insight.
Selecting the Proper Tools
To get complete visibility from a forensics standpoint, organizations need to have the proper tools.
Are you looking for forensics from a network standpoint? From an operating system standpoint? If so, where are these tools going to be placed to gather all the information from the network? Will a tap be installed to collect this data from the network? Will an agent be pushed to the operating systems to consistently collect information? Or, will there be plugins for applications such as email that allow a forensic analyst to gather data?
Many times, you'll have analysts performing full-disk images, and with these tools, there needs to be a way to verify the metadata is kept forensically intact and presentable. These tools need to be easily deployed and equipped with the proper permissions to collect necessary data. Without this, the organization will have blind spots that will likely cause issues during an investigation, especially if it is happening in real-time.
It is just as important to have proper procedures on how to deal with incidents as it is to have proper tools. In order to gain complete visibility into an enterprise, there needs to be set procedures on how data is collected, managed, kept, and passed on to others. Without a proper chain of custody, the data could be tainted and not admissable if there are legal outcomes to the investigation. Also, organizations need to establish who is allowed to initiate a case and how the legal team should work with analysts to collect all the needed information.
These may seem like business-related tasks, but they are just as important as learning how to configure a forensic tool with the proper inversion of control. Without the two working together, the data will never get into the hands of those who need it.
Every organization should consider building a team of forensic analysts with dedicated roles and skillsets. Just like in any other security field, there are experts in different areas of forensics, whether it is networking, operating systems, or applications. Since these resources are in high demand, constant training on new techniques and tools is necessary to keep up with the ever-changing attack vectors.
Depending on the size of your organization's security team, a full-time forensic analyst might not be feasible. These resources and skillsets are expensive to recruit and retain, and having experts on staff may not be the right choice. A better plan may be to have on-call forensic expertise available. The organization can put resources on retainer for deployment when there is an incident. This "pay-as-you-go model" works well for smaller organizations that cannot afford a full-time forensic analyst.