
Incident Response and Digital Forensics

 

In this article we look at the relationship between Incident Response and Digital Forensics

  • What is a cyber incident? 
  • Examples of cyber incidents 
  • What is incident response? 
  • What is digital forensics? 
  • Why is digital forensics important for cyber incident response? 
  • Can IT teams do digital forensics and cyber incident response? 

 

What is a Cyber Incident? 

 

A cyber security incident is unauthorised access, or attempted access, to a system. The UK National Cyber Security Centre (NCSC) also defines it as "a breach of a system's security policy in order to affect its integrity or availability." 

 

Examples of Cyber Incidents (Defined by the UK National Cyber Security Centre): 

  

  • Malicious code: Malware infection on the network, including ransomware. 
  • Denial of Service: Typically a flood of traffic taking down a website; it can also apply to phone lines, other internet-facing systems and, in some cases, internal systems. 
  • Phishing: Emails attempting to convince someone to click a link or open an attachment. 
  • Unauthorised Access: Access to systems, accounts or data by an unauthorised person (internal or external), for example access to someone's emails or account. 
  • Insider: Malicious or accidental action by an employee that causes a security incident. 
  • Data breach: Lost or stolen devices or hard-copy documents, or unauthorised access to or extraction of data from the network (usually linked with one or more of the above). 
  • Targeted attack: An attack aimed specifically at the business, usually by a sophisticated attacker and often encompassing several of the above categories. 

 

What is Digital Forensics? 

 

We discuss computer forensics and digital forensics in more detail on our services page here. Broadly, digital forensics covers the acquisition, preservation and analysis of data from devices running modern operating systems: PCs, laptops, servers, mobile phones, smartphones, tablets, and network and cloud infrastructure.  

We are regularly instructed to retrieve and report on numerous forms of digital evidence, including but not limited to: 

  • Office 365 audit and access logs 
  • Email correspondence 
  • Deleted files, folders, emails & messages 
  • Instant messaging & social media communication 
  • Application history 
  • Internet activity and history 
  • Theft of electronic intellectual property 
  • Computer servers & network infrastructure 

 

Investigations can be instructed for HR and employment matters, IP theft, and fraud and forgery, but for the purposes of this article we will focus on the relationship between digital forensics and the following cyber incidents: 

 

  • Ransomware 
  • Targeted attacks 
  • Business email compromise 
  • Office 365 account compromise  
  • Invoice interception/payment fraud 
  • Malicious insider attacks 
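As an added illustration of what Office 365 audit and access evidence can show in the business email compromise and Office 365 account compromise cases listed above (example code written for this article, not First Response's tooling), the script below triages a constructed export of Unified Audit Log records. It flags inbox rules that forward or redirect mail to an external domain, delete messages, or carry a blank or dot-only name, and pairs each flagged rule with the user's most recent sign-in and whether that client IP had been seen for the user earlier in the export. The record layout follows the AuditData fields of a real export (CreationTime, Operation, UserId, ClientIP, Workload, Parameters); the domains, addresses and IP addresses are placeholders, and the list of internal domains is an assumption.

```python
"""Triage Office 365 Unified Audit Log records for inbox-rule abuse.

Added example for this article, not First Response's tooling. The records
below are constructed to follow the AuditData field layout of a real export
(CreationTime, Operation, UserId, ClientIP, Workload, Parameters); every
domain, address and IP is a placeholder.
"""
import json

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# A tuple so that the reasons list comes out in a stable order.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed export, one JSON record per line. Alice signs in from an IP not
# seen before, then a rule named "." forwards her mail externally and deletes
# it; Bob's rule only moves newsletters and should not be flagged.
SAMPLE_EXPORT = """\
{"CreationTime":"2024-03-04T07:58:10","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-04T08:11:02","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.44","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-04T08:12:33","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.44","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"finance-backup@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-04T09:30:00","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
"""


def parse_export(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_parameters(record: dict) -> dict:
    """Exchange operations carry their cmdlet arguments as Name/Value pairs."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def rule_indicators(record: dict) -> list:
    """Reasons an inbox-rule change looks like BEC tradecraft; empty if benign."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = rule_parameters(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        if name in p and is_external(p[name]):
            reasons.append(f"{name} to external address {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True (hides forwarded mail from the owner)")
    if p.get("Name", "").strip(". ") == "":
        reasons.append("rule name is blank or only dots (hard to spot in Outlook)")
    return reasons


def triage(text: str) -> list:
    """Walk the export chronologically, pairing each flagged rule with the
    user's preceding sign-in and whether that client IP was new for them."""
    records = sorted(parse_export(text), key=lambda r: r["CreationTime"])
    seen_ips, last_login, findings = {}, {}, []
    for r in records:
        user, ip = r.get("UserId", ""), r.get("ClientIP", "")
        if r.get("Operation") == "UserLoggedIn":
            known = seen_ips.setdefault(user, set())
            last_login[user] = {"time": r["CreationTime"], "ip": ip,
                                "new_ip": ip not in known}
            known.add(ip)
            continue
        reasons = rule_indicators(r)
        if reasons:
            findings.append({"time": r["CreationTime"], "user": user, "ip": ip,
                             "reasons": reasons,
                             "preceding_login": last_login.get(user)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(json.dumps(finding, indent=2))
```

On the constructed export this yields a single finding for alice: three indicators on the rule plus the sign-in from 203.0.113.44 that preceded it, marked as an IP not seen for her earlier. The "new IP" judgement is only as good as the history in the export, which is exactly why the audit log needs to be exported and preserved before accounts are reset or mailboxes are cleaned up.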

 

Why is Digital Forensics Important for Cyber Incident Response? 

 

Once an organisation has been compromised, there is often pressure from senior management on the IT team to remediate the issue as quickly as possible.  

 

This can cause problems when trying to establish the root cause of the attack, when seeking legal remedies (for example from another company that may have been liable, or from an employee), and when making insurance claims. 

 

By reacting too quickly, without capturing logs and gathering vital digital evidence, an organisation may leave itself open to a repeat attack and throw away any chance it had of succeeding in litigation or other legal matters.  

 

Without specialist tools and knowledge it is difficult to determine whether data has been stolen or exfiltrated from a system, and remediating too soon (rebuilding hosts, clearing logs, resetting accounts) can destroy the very artefacts needed to answer that question.  

 

If you suspect personal data has been breached from your systems and the breach is likely to result in a risk to the rights and freedoms of individuals, the UK GDPR requires you to report it to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. There will usually be obligations to wider stakeholders too, such as regulators, insurers, customers or partners. 

 

Digital forensics therefore helps to establish the root cause of the attack and which systems and data have been compromised, to determine what your regulatory obligations are, and to gather digital evidence to support legal remedies. 

 

Is Digital Forensics and Incident Response a Specialist Skill?

 

In most instances, IT teams cannot conduct digital forensic investigations, and unless they have prior experience in handling complex cyber incidents (such as a targeted attack or ransomware), they typically cannot respond to these incidents effectively. There are exceptions, and specialist security teams may have the necessary experience and tools, but for a traditional IT operations and infrastructure team the required skills are usually not available in-house. 

 

The acquisition and preservation of digital evidence to an evidential standard, with its integrity demonstrable, is a specialist skill. So is the analysis of security logs, the reverse engineering of malware, and the containment, remediation and response work involved in advanced cyber incidents such as ransomware.  
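The preservation step above can be illustrated with an added example (written for this article, not First Response's tooling): before any clean-up begins, every acquired artefact is hashed into a manifest that records what was collected, by whom and when, and the same manifest is later re-checked to demonstrate that nothing was altered or lost in the meantime. The case reference, examiner name, directory layout and sample artefacts are constructed for the example.

```python
"""Hash acquired artefacts into a manifest, then prove they are unchanged.

Added example for this article, not First Response's tooling. The case
reference, examiner name and the two sample artefacts in demo() are
constructed stand-ins for an exported audit log and a memory image.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALGO = "sha256"
MANIFEST_NAME = "manifest.json"


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images never sit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, examiner: str, case_ref: str) -> dict:
    """Record path, hash, size and modification time of every artefact."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            if name == MANIFEST_NAME:
                continue
            path = os.path.join(root, name)
            st = os.stat(path)
            items.append({
                "path": os.path.relpath(path, evidence_dir),
                HASH_ALGO: hash_file(path),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "case_ref": case_ref,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": HASH_ALGO,
        "items": items,
    }


def write_manifest(evidence_dir: str, manifest: dict) -> str:
    """Persist the manifest next to the artefacts; keep a copy elsewhere too."""
    path = os.path.join(evidence_dir, MANIFEST_NAME)
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return path


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Re-hash every listed artefact and report what changed or disappeared."""
    changed, missing = [], []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path):
            missing.append(item["path"])
        elif hash_file(path) != item[HASH_ALGO]:
            changed.append(item["path"])
    return {"ok": not changed and not missing, "changed": changed, "missing": missing}


def demo() -> dict:
    """Constructed walk-through: acquire, manifest, verify, then simulate a
    clean-up that rewrites one artefact and deletes another."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "o365-audit.json"), "w") as fh:
            fh.write('{"Operation":"UserLoggedIn"}\n')   # constructed log export
        with open(os.path.join(d, "memdump.raw"), "wb") as fh:
            fh.write(b"\x00" * 4096)                      # constructed memory image
        manifest = build_manifest(d, examiner="J. Smith", case_ref="CASE-0001")
        write_manifest(d, manifest)
        before = verify_manifest(d, manifest)
        with open(os.path.join(d, "o365-audit.json"), "w") as fh:
            fh.write("")                                   # "tidied up" after the fact
        os.remove(os.path.join(d, "memdump.raw"))          # image discarded during rebuild
        after = verify_manifest(d, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second verification fails on exactly the artefacts the simulated clean-up touched, which is the point: a hash recorded at acquisition time is what lets an examiner show later that the evidence produced is the evidence collected. The manifest itself should be copied to write-once or separately controlled storage, since a manifest that lives only beside the artefacts can be altered along with them.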

 

If you are planning to seek legal remedies and require a digital forensic investigation, it is advisable to speak to a specialist so that digital evidence is not unknowingly compromised. Likewise with ransomware, business email compromise and targeted attacks: if the IT team does not have specialist security knowledge, it is advisable to seek assistance from an outside team to ensure that proper root cause analysis is conducted, that systems are thoroughly remediated, and that backups are not compromised in the recovery process. 

 

If you have concerns about your situation, we are happy to have an informal and confidential chat to see whether engaging an outside expert would be of benefit to you. 

 

Further information on how we can help with digital forensics investigations is available here and detail on our cyber incident response services is available here.

 

First Response also provides incident response, as well as fully managed services for Microsoft Defender for Endpoint, further information on these services is available here.