Incident and forensics management
Security incidents and digital forensics investigations are complex events with many facets, all of which must be managed in parallel to ensure efficiency and effectiveness. When investigations are not managed and documented properly, processes fail, critical items are overlooked, inefficiencies develop, and key indicators are missed, all leading to increased potential risks and losses.
Investigation management can be broken down into a number of key components, and an organization must be able to carry out all of them together, as one seamless process, to properly handle any incident it may face.
This blog will briefly cover 9 key areas that I believe are the most important when it comes to incident and forensics management. Having these firmly in place within your security operations or CSIRT team will make incident management more efficient and effective when an incident does occur.
Case management
Every investigation must be organized into a logical container, commonly referred to as a case or incident. This is necessary for several reasons. Most obviously, this container identifies the investigation and holds the observables, tasks, evidence, notes, and other information associated with it, each discussed in greater detail in the subsequent sections. Many investigations also contain sensitive information that should only be accessible by those with a legitimate need to know, so these containers also serve to enforce a level of access control.
Observables and findings
Investigations generate a large volume of data, from simple observables such as IP addresses, domain names, and hash values, to more complex observables such as malware and attacker TTPs, as well as findings such as those made from log analysis, forensic examination, and malware analysis. All this information must be recorded and shared with all appropriate stakeholders to ensure the most effective response to a security incident.
Data gathered from previous incidents can be an invaluable tool in responding more effectively to future security incidents. As individual data points are associated with each other, this information is transformed from simple data into actionable threat intelligence which can inform future decisions and responses.
Phase, expectation, and task management
Investigations generally progress through a series of phases, each of which will contain a series of management expectations and a set of tasks required to meet those expectations. As the complexity of an investigation increases, tracking these phases, expectations, and tasks becomes both more critical and more difficult. Failing to properly track and manage investigation phases, expectations, and tasks can lead to duplicated efforts, overlooked items, and other inefficiencies that increase both the cost and the time needed to successfully complete an investigation.
Evidence and chain of custody
Documenting evidence and tracking the chain of custody can be a complex process during an investigation of any size. Documentation using older paper-based or spreadsheet systems does not scale to larger investigations, is prone to error, and is time-consuming. Failing to maintain a full list of evidence or maintain the chain of custody can result in lost evidence, duplication of efforts, and inability to use critical evidence during legal processes.
Forensic tool integration
Security operations use a multitude of tools and technologies on a daily basis with different ones being utilized for varying types of investigations. Logging into several platforms individually to collect data is often a manual process and can be tiresome and painful, as well as extremely time-consuming, and time is always of the essence. It is critical that security tools are connected and integrated to improve efficiencies and to fuse intelligence seamlessly together so that all data can be analyzed and documented in a single location and immediately shared with relevant stakeholders.
Reporting and management
Reporting and the management of reports is a vital function during any investigation. Once information is documented, it must be easily accessible and available in multiple formats appropriate for a wide variety of audiences. As the scale of an investigation grows, so does the number of individual reports generated. This brings its own complexities, including sharing logistics, proper access controls, and managing different versions of reports. To reduce the impact of these complexities, a single report management platform should act as the authoritative source for all reports.
Activity tracking and auditing
Tracking actions taken during an investigation is important to ensure a consistent response, identify areas where process improvements are needed, and prove that the actions taken were appropriate. Not only must actions be documented, but it is also crucial to ensure that the integrity of this documentation cannot be called into question later. However, documenting activity during an investigation can be time-consuming, taking analysts' attention away from the tasks at hand, and is often an afterthought.
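The evidence and chain-of-custody section and the activity-tracking section above both come down to the same requirement: a record of who did what with an evidence item, and a way to show later that the record itself was not altered. The following is an added example, not code from the original post, of one way to meet that requirement: a hash-chained custody log in which each entry commits to the previous entry's hash, so an edited, reordered, or deleted entry is detected on verification. The case and evidence identifiers, analyst names, and the sample "disk image" bytes are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

@dataclass
class CustodyLog:
    """Append-only, hash-chained custody/activity log for one evidence item.
    Each entry commits to the previous hash, so editing, reordering or deleting
    an earlier entry breaks every later link and verify() reports it."""
    case_id: str
    evidence_id: str
    evidence_hash: str                       # SHA-256 of the acquired evidence image
    entries: List[dict] = field(default_factory=list)

    def record(self, action: str, actor: str, timestamp: str, note: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"case_id": self.case_id, "evidence_id": self.evidence_id,
                "seq": len(self.entries), "action": action, "actor": actor,
                "timestamp": timestamp, "note": note, "prev_hash": prev}
        digest = entry_digest(body)
        self.entries.append({**body, "entry_hash": digest})
        return digest

    def verify(self, evidence_bytes: Optional[bytes] = None) -> bool:
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != seq or entry["prev_hash"] != prev
                    or entry_digest(body) != entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        # Optionally confirm the evidence itself still matches its acquisition hash
        return evidence_bytes is None or sha256_hex(evidence_bytes) == self.evidence_hash

def demo() -> tuple:
    image = b"constructed stand-in for an acquired disk image"   # constructed sample, not real evidence
    log = CustodyLog("CASE-0001", "EV-01", sha256_hex(image))    # hypothetical identifiers
    log.record("acquired", "analyst.a", "2024-01-10T09:00:00Z", "laptop SSD via write blocker")
    log.record("transferred", "analyst.b", "2024-01-10T12:30:00Z", "handed to malware lab")
    before = log.verify(image)
    log.entries[0]["actor"] = "analyst.c"   # a later undocumented edit to the record
    return before, log.verify(image)        # returns (True, False)
```

In practice the latest entry hash would also be written somewhere the analysts cannot modify (a ticket, a signed e-mail, a separate system) so that the whole log, not just its internal links, can be anchored.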
Information security
Investigative data can be extremely sensitive, and it is crucial that the confidentiality of such data be maintained at all times. Confidentiality must be maintained not only for those outside of the organization but also for those internal users who may not be authorized to access some or all of the incident information.
Asset management
No matter the specific roles a team is tasked with, the team will require many different physical and logical internal assets to accomplish its tasks. These may include workstations, storage media, license dongles, software, and other hardware. Regardless of the asset type, an organization must be able to track each asset throughout its life, ensuring that the assets (and the money spent on them) do not go to waste. As the team grows, tracking these assets, to whom they are issued, their expiration dates, and more can become a full-time task.
Final thoughts
These core components combined enable security teams to work more efficiently throughout the entire investigative lifecycle, reducing both the cost and risk posed by the wide variety of events facing organizations today. Providing a holistic view of the security landscape and the organization’s broad infrastructure allows for better use of existing tools and technologies to minimize the time team members must spend on the administrative portions of investigations, allowing them to focus on the more important tasks that will ultimately impact the outcome of the response.