Digital Forensics and Cybersecurity: Are They Connected?

Jun 1, 2022 | Data, Privacy, Security

Featured article by Karolina Koval

Cybercrime and cyber threats go hand in hand. Cybercrime groups develop new malware strains and attack vectors to make money, damage a target's reputation, or conduct reconnaissance and data exfiltration for a nation-state. If a business whose assets and data suffered from adversary behavior files a lawsuit against the suspected entity, digital forensics will help bring evidence of the breach to the court. Forensic engineers are also capable of restoring data that was lost as a result of the attack.

Cybersecurity engineers use publicly disclosed information about adversaries by mapping threat detection algorithms to frameworks like MITRE ATT&CK, which is easy to link to the newest malicious campaigns by using SOC Prime’s Cyber Threats Search Engine. Security measures can be implemented immediately by writing detections in the generic SIGMA format and converting them to vendor-specific formats with instant translators like Uncoder.IO.

So, you might think that digital forensics steps into the game when it’s too late for cybersecurity and the cyber-attack has already caused sufficient damage. However, in a number of the newest cybersecurity strategy approaches, forensics steps in before the data breach takes place. Think of it as a preventive action. If professional security analysts, researchers, penetration testers, and threat hunters apply digital forensics at the stage of uncertainty (when they assume that the company’s security controls might have been compromised but they don’t know for sure), then it can help avoid the real danger.

Let’s review the basics of how digital forensics works and assess how it can be useful when combined with a proactive cybersecurity approach.

Diving Deeper Into Digital Forensics

Since forensics deals with real evidence that can be presented in a court of law, more often than not it deals with endpoint devices, whether servers or personal computers. However, it may also be possible to gather applicable evidence from web-based services such as e-mail. For both investigators and data recovery specialists, it is important to have access to the hard drive, because it is more likely to hold some traces of the needed files. Otherwise, the evidentiary materials can be found on the application level. Forensic engineers also use proprietary software that helps them do their job and document their progress.

One of the key things that digital forensics specialists are concerned about is preserving the integrity of data. They are certified and thus required to do whatever it takes to maintain the original state and content of the information. It’s vital that no change is made to data that is considered possible evidence in a court case. Professionals dealing with computer-based evidence should also be fair and neutral. They should document and explain their examinations in such a manner that an independent specialist can perform the same sequence of actions and arrive at the same result.
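As an added illustration of the integrity and reproducibility requirements above (not part of the original article), the following Python sketch hashes an evidence file at each examination step and chains the log entries, so an independent specialist can confirm that neither the evidence nor the record has changed. The function names, the log layout and the sample file `disk.img` are assumptions made for this example.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_step(log, action, path):
    """Append an examination step; each entry commits to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"action": action, "file": os.path.basename(path),
             "sha256": sha256_file(path), "prev": prev}
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def verify_log(log, evidence_dir):
    """Return a list of problems: altered log entries or changed evidence."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["entry_hash"]:
            problems.append(f"entry {i}: log altered")
        if sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]:
            problems.append(f"entry {i}: {e['file']} changed")
        prev = e["entry_hash"]
    return problems

def demo():
    """Constructed sample: record two steps, then simulate a modification."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")  # hypothetical evidence file
        with open(img, "wb") as f:
            f.write(b"constructed sample evidence bytes")
        log = []
        log_step(log, "acquired", img)
        log_step(log, "examined (read-only)", img)
        clean = verify_log(log, d)
        with open(img, "ab") as f:
            f.write(b"!")  # one appended byte stands in for any change
        return clean, verify_log(log, d)
```

Calling `demo()` returns an empty problem list for the untouched file and one problem per logged step once the file has been modified.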

All in all, digital forensics engineers can gather information from the following sources:

– Memory (including RAM and cache)
– E-mails
– Malware (files and codes)
– Databases
– Mobile devices
– Networks (mostly devices like firewalls, IPS/IDS)

The evidence that they collect might be private or classified and, hence, subject to non-disclosure. If this is the case, then most likely, cybersecurity specialists will not know how to use this evidence to strengthen security controls. However, if the information leaks or is deliberately shared in sources like threat intelligence feeds, then it can be used for a deep analysis of threat actors, malware, and attack tactics/techniques, followed by the creation of proper detection and mitigation measures for organizations.

How Digital Forensics Helps Cybersecurity

There is no doubt that reliable evidence of a cyber threat or an attack kill chain can help a lot in building the right security architecture, as well as maintaining the proper security posture by detecting and remediating the ongoing threats.

Digital forensics findings help cybersecurity in the following domains:

– Threat intelligence
– Analytics
– Vulnerability assessment
– Threat hunting
– Reports
– Threat prevention
– Risk mitigation playbooks
– Access management
– System architecture

The detailed information about a cyber threat that forensic specialists can provide may serve as a starting point for technical analysis of malware, which then leads to crafting adequate detection and mitigation measures. Software like antivirus or endpoint detection systems can also be programmed for efficient protection only if the algorithms know what they are looking for, i.e. if they operate on hard digital evidence.

Unlike businesses, digital forensics might be viewed as an active defense force, meaning that its actions lead to possible identification and prosecution of the attackers. Meanwhile, organizations that conduct business are interested only in protecting their data and digital assets. They can reach out to digital forensics specialists to provide intelligence information or to recover vital information if a breach has taken place.