Forensics were front and center in the recent webinar Forensics from a CISO’s Perspective, one of six presentations that made up the ISC2 Spotlight APAC event Modernizing Security Operations, worth 5.5 CPE credits for attendees.
Jonathan Kimmitt, CISSP, CISO for U.S. digital forensics consultancy Alias Cybersecurity, led attendees through a deep dive into digital forensics: their correct use, and where they fit in the cybersecurity toolset.
The skills required for forensics are specialized, as are the processes and tools needed to execute forensics to legal standards, an increasingly important requirement. Every element of forensics must be carefully designed as well as practiced over and over. Forensics matters both during and after the event because it is how an organization understands what is happening to it in the moment and how a repeat can be avoided.
Defining the role of digital forensics
The primary objectives in dealing with a cybersecurity incident are always to protect people (for instance in healthcare or interference with a safety system), stop data exfiltration, recover the business, and to analyze an attack to prevent incidents from recurring. However, if CISOs are not careful, meeting these requirements can clash with a fifth issue, that of the need to preserve evidence.
Evidence matters for any later legal process, Kimmitt explained in the webinar. However, evidence is not just for post-incident analysis and its collection should begin immediately. Too often, in their panic during an ongoing incident organizations forget this.
“This is important for doing analysis and to figure out what happened. I have been in organizations where I came in several days after the incident had happened and they have got rid of all the evidence,” he explained.
The challenge is designing forensics into incident response in a way that balances priorities, for example the need to get the business back up and running and the immediate concern that data exfiltration must be stopped. Losing evidence can be as simple as rebooting a machine (which discards volatile memory: running processes, network connections, injected code), or re-imaging a virtual machine (VM) or restoring it from a backup (which overwrites disk contents and the local logs a forensic investigation depends on).
Building your digital forensics playbook
Forensics is a scientific method: the process must be sound, fully documented, and able to demonstrate to a court that data was handled correctly. Write blocking prevents the examiner's own tools from modifying the original media, and hashes taken at acquisition and re-checked later show that the data has not been altered. The only way to do this while an incident is in progress is to work through a playbook with the right tools. Without that playbook, you are making things up as you go along, and there is a risk you will forget something.
“If you don’t have a playbook, you are just winging it. And I can tell you don’t want to wing it,” said Kimmitt.
The playbook details how you will store data, what sandboxing environment you use, and who will perform each step. It also relates this process to the overall business objectives, such as the need to bring the environment back online where that is a priority. That will limit the forensics, but may at times be necessary.
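The integrity part of such a playbook, hashing an image at acquisition, recording it in a chain-of-custody manifest and re-verifying before analysis, is shown below as an added example. This is not code from the webinar or from Alias Cybersecurity; the image bytes, case number, examiner name and file name are constructed for the demonstration.

```python
"""Evidence integrity for a forensics playbook: hash an acquired image at
collection time, record it in a chain-of-custody manifest, and re-verify
before analysis or hand-over.

Added example (not from the webinar or Alias Cybersecurity). The image
contents, case id, examiner and file name are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images never need to fit in RAM


def hash_file(path):
    """Return {'sha256': ..., 'md5': ...} for the file at path, in one pass.
    SHA-256 is the digest that matters; MD5 is kept only because older
    tooling and exhibit forms still quote it."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def record_acquisition(path, examiner, case_id, note):
    """Create the first chain-of-custody entry for an acquired image."""
    digests = hash_file(path)
    return {
        "case_id": case_id,
        "evidence_file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquired_by": examiner,
        "note": note,
        "sha256": digests["sha256"],
        "md5": digests["md5"],
        "custody": [],
    }


def log_custody(manifest, actor, action):
    """Append a custody event (hand-over, verification, analysis start)."""
    manifest["custody"].append({
        "utc": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
    })
    return manifest


def verify(path, manifest):
    """Re-hash the image and compare with the manifest.
    Returns (ok, current_sha256). A mismatch means the file was altered, or
    the wrong file was handed over, and it must not be analysed as evidence."""
    current = hash_file(path)
    ok = (current["sha256"] == manifest["sha256"]
          and os.path.getsize(path) == manifest["size_bytes"])
    log_custody(manifest, "verify()", "hash match" if ok else "HASH MISMATCH")
    return ok, current["sha256"]


def write_temp(data, name="evidence.bin"):
    """Write constructed bytes to a fresh temp directory and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Acquire a constructed image, verify it, then flip one byte and verify again."""
    # Constructed image; the name only mimics a disk image, it is not a real E01.
    image = write_temp(os.urandom(3 * CHUNK + 17), "host01-disk.E01")  # odd size: tests last chunk
    manifest = record_acquisition(image, "J. Doe", "IR-0001",
                                  "disk image taken via hardware write blocker")
    ok_before, _ = verify(image, manifest)

    # Simulate someone "cleaning up" the image: flip one bit in the middle.
    with open(image, "r+b") as f:
        f.seek(CHUNK + 5)
        b = f.read(1)
        f.seek(CHUNK + 5)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after, _ = verify(image, manifest)

    with open(os.path.join(os.path.dirname(image), "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return ok_before, ok_after, manifest


if __name__ == "__main__":
    before, after, m = demo()
    print("verify after acquisition:", before)  # True
    print("verify after tampering:  ", after)   # False
    print(json.dumps(m["custody"], indent=2))
```

The manifest is what the examiner signs and hands over with the image; the custody list grows with every transfer or verification, so the record shows who touched the evidence and whether the hash still matched at that moment. Hash the original media before imaging as well, so the image can be shown to match the source, not only itself.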
Training, repeatedly simulating different forensic incident scenarios, is the only way to improve, and improving should always be a CISO priority, Kimmitt said. For example, how do you copy memory from a VM, or from Windows, or from Linux? Imaging tools need practice. He recommended tools such as Magnet RAM Capture (memory acquisition), KAPE (triage collection), Tableau TD2/TX1 (hardware duplicators and imagers) and VMware export tools, and practising the collection of Windows, Linux, and firewall logs.
In the post-mortem phase, simple things have tripped him up in the past. “Sometimes I didn’t have enough drive space to do duplication of drives. That was easy to fix. I didn’t like having to go down to the store and buy hard drives. I made sure that that was part of my process that I would maintain a selection of those drives.”
Michael Rebultan, senior specialist (Threat Intelligence), Government of Canada, and Chirag Joshi, founder and CEO, 7 Rules Cyber, discussed three categories of insider threat: malicious insiders, negligent insiders, and compromised credentials (legitimate but compromised user or machine accounts). Issues discussed included the practical challenges of insider forensics, how to implement zero trust to mitigate insider threats, and the usefulness of insider profiling.
AI platforms such as OpenAI's ChatGPT are set to change the nature of penetration testing and Red Team/Blue Team security analysis. Haonan Quan (CISSP), cyber engineering lead for Sompo Holdings, looked at the areas and techniques in play, such as phishing creation and detection, intelligence gathering, log analysis, incident response, and multilingual reporting. He demonstrated what is possible using ChatGPT 3.5 and Bing Chat's 'more creative' mode.
Tom Crisp, founder and CTO of Cyber Sentience, demystified the dark web: what threat types can be detected by analysing it, and how can they be mitigated? On the one hand, the dark web is a supermarket for hackers. But it is also an early warning system for leaked credentials, web vulnerabilities, compromised access to specific organizations, and stolen data, which lets organizations react to compromises that cannot be detected by other means before they escalate.
Nathan Clarke, principal consultant, security operations and threat intelligence, WiproShelde, examined what goes on inside SOCs, often viewed as a black box even by IT teams. Another perception is that SOCs are all about centralizing alerts for specialized analysis. In fact, an equally critical element of a SOC is measuring the effectiveness of each detection and feeding that back into the detection rules. If a detection stops working effectively, the SOC needs to notice this quickly and adjust its detection policies.
Balaji Kapsikar (CISSP), head of technology and cyber risk, Funding Societies, addressed the alignment of cybersecurity with business objectives. It sounds like a statement of the obvious, but how is it achieved in practice? His presentation gave a high-level view of how to assess, plan and implement cybersecurity processes in a way that makes technology the servant of business strategy, not its guide.