November 19, 2024


The Role of Digital Forensics and Incident Response (DFIR) in Cybersecurity

If the last few years have taught us anything, it’s that every organization — no matter how big or well-protected — is vulnerable to cyber attacks. From major corporations to government agencies, attackers have breached seemingly ironclad security systems. If your organization ever suffers a data breach, you’ll need a digital forensics and incident response (DFIR) plan. The time to craft one is now.

DFIR combines two separate but related ideas. The first, digital forensics, involves gathering evidence after a breach for use in legal proceedings. The second, incident response, is about neutralizing threats, repairing systems, and preventing future cyber attacks.

With remote work becoming more common and mobile threats on the rise, the hard truth is that your organization may have to deal with a data breach at some point. If and when that happens, having a DFIR policy in place could help keep the damage contained and put you on the road to recovery.

What is digital forensics and incident response?

Digital forensics, as its name suggests, is essentially a crime scene investigation in a computer system. A researcher pores over a compromised system to find the vulnerabilities that allowed the breach to happen. This research may also reveal an attacker's methods — social engineering, malware, or something more unconventional.

The ultimate goal of digital forensics is to share evidence with law enforcement and attorneys. In fact, most states have specific laws about an organization’s responsibility in the event of a data breach. Since this process varies by location and breach severity, it’s best to consult with your organization’s legal team to ensure regulatory compliance.

The other half of DFIR is incident response. This step involves identifying and containing threats, stopping a breach in progress, recovering data afterward, and shoring up your cybersecurity posture to prevent future attacks. At best, a strong incident response plan can stop an attacker before a data breach happens; at worst, it can make the fallout easier to manage after the fact.

While both digital forensics and incident response strategies are vital in addressing data breaches, in the throes of a data breach, the two might be at odds with each other. Digital forensics requires meticulous research and careful file preservation. Incident response requires ousting intruders, purging data, and shutting down systems as quickly as possible. Finding the right balance between these two processes should also be part of your plan.

Steps in the digital forensics process

A digital forensics investigation usually occurs after a data breach. An investigator sifts through files, communications, and other relevant data to learn how an attacker compromised the system. Then, they share this data with law enforcement officials, attorneys, or other participants in the legal process. The National Institute of Standards and Technology (NIST) lays out four steps in the digital forensics process:

Collection

During collection, the researcher determines which data is relevant to the investigation. They then label, record, and organize the data. Before the end of the process, many different parties will have access to this data.

Examination

Next, the researcher identifies and extracts segments of data that might provide specific information about the breach. They make copies of this data and store it in secure, isolated systems for further reference and research.

Analysis

In the analysis step, the researcher observes and probes the data they’ve acquired to find the underlying cause of the breach. If the data looks clean, the researcher may have to repeat the collection or examination steps.

Reporting

Upon completion of the previous steps, the researcher summarizes their findings and shares them with any relevant parties, both internal and external. The write-up should include a specific account of how the breach occurred and recommendations to prevent future attacks.

NIST does not go into great detail about any of these steps, noting that “digital forensics is both a field of science and a field of art. It has no deterministic technical procedure to provide a step-by-step guide that will lead the analyst directly to the answer.” A skilled investigator must be both knowledgeable and creative.
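The four NIST phases above map naturally onto a small evidence-handling workflow. The script below is an added illustration written for this article, not Lookout's or NIST's code; the evidence files, their contents, the analyst name, and the login-guessing heuristic in the analysis step are all constructed assumptions. It shows the point the phases rely on but the prose does not spell out: every item is hashed at collection and re-verified before examination and analysis, so the report can demonstrate that nothing was altered while many parties had access to it.

```python
"""Minimal evidence-handling workflow following the four NIST phases.

Added illustration, not Lookout's or NIST's code. File names, contents,
analyst name, and the detection heuristic are constructed sample values.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample evidence as it might be copied off a compromised host.
SAMPLE_EVIDENCE = {
    "auth.log": (
        b"2024-11-19T02:14:05Z sshd: Failed password for alice from 203.0.113.7\n"
        b"2024-11-19T02:14:09Z sshd: Failed password for alice from 203.0.113.7\n"
        b"2024-11-19T02:14:12Z sshd: Accepted password for alice from 203.0.113.7\n"
        b"2024-11-19T08:00:01Z sshd: Accepted publickey for bob from 192.0.2.10\n"
    ),
    "app.conf": b"debug=false\nlisten=0.0.0.0:8443\n",
}

# Constructed line format: "<ts> sshd: <Failed|Accepted> <method> for <user> from <src>"
LINE_RX = re.compile(r"^(\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(evidence: dict, analyst: str) -> list:
    """Collection: label each item, hash it, and open a chain-of-custody entry."""
    return [
        {
            "item": name,
            "sha256": sha256(data),
            "size": len(data),
            "collected_by": analyst,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        }
        for name, data in sorted(evidence.items())
    ]


def verify(evidence: dict, custody: list) -> bool:
    """Re-hash every item against its custody record; run before each later phase."""
    return all(sha256(evidence[e["item"]]) == e["sha256"] for e in custody)


def examine(evidence: dict, item: str, pattern: str) -> list:
    """Examination: pull only the relevant lines into a derived working copy.

    The original item is never modified; only the extract is analysed.
    """
    rx = re.compile(pattern)
    return [ln for ln in evidence[item].decode().splitlines() if rx.search(ln)]


def analyze(extract: list) -> list:
    """Analysis: a run of failures then a success from one source suggests a guessed password."""
    failures = {}  # (user, src) -> failed attempts seen before a success
    findings = []
    for ln in extract:
        m = LINE_RX.match(ln)
        if not m:
            continue
        _ts, outcome, user, src = m.groups()
        key = (user, src)
        if outcome == "Failed":
            failures[key] = failures.get(key, 0) + 1
        elif failures.get(key, 0) >= 2:
            findings.append({"user": user, "src": src,
                             "failures_before_success": failures[key]})
            failures[key] = 0
    return findings


def report(custody: list, findings: list) -> dict:
    """Reporting: findings, the custody trail, and concrete recommendations."""
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "evidence": custody,
        "findings": findings,
        "recommendations": [
            f"Reset credentials for {f['user']} and require key or MFA authentication"
            for f in findings
        ],
    }


if __name__ == "__main__":
    custody = collect(SAMPLE_EVIDENCE, "analyst-1")
    assert verify(SAMPLE_EVIDENCE, custody), "evidence changed since collection"
    extract = examine(SAMPLE_EVIDENCE, "auth.log", r"sshd")
    print(json.dumps(report(custody, analyze(extract)), indent=2))
```

The custody entries are what an attorney or law enforcement contact will ask for; keeping them alongside the findings in the same report avoids reconstructing the trail later.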

Steps in the incident response process

Incident response is arguably the more practical half of DFIR. While digital forensics deals with research and preservation, incident response can stop breaches before — and as — they happen. In this part of the process, an IT administrator (or team) prepares for a breach, limits the amount of damage an attacker can do, repairs hardware and software after the fact, and recommends specific steps to improve the organization’s cybersecurity framework. The SysAdmin, Audit, Network and Security (SANS) Institute has six steps in its incident response process: 

Preparation

In the preparation step, the administrator reviews an organization’s existing security policy and determines whether it’s suitable for handling a data breach. If not, the administrator revises the policy and communicates changes with the staff. Each employee — including the IT staff — should know their responsibilities in maintaining data security and what to do in the event of a breach.

Identification

If an administrator observes any unusual behavior within an organization’s network, they must decide whether that behavior is from a legitimate account or a compromised one. If a breach seems likely — or even possible — the administrator must log all suspicious activity, notify all relevant parties, and escalate the issue as needed. 

Containment

In the event of a breach, an administrator must limit an intruder’s access to sensitive files as quickly as possible. This might mean restricting permissions, locking down file access, or forcibly logging the attacker out. The less time a threat actor has in your network, the fewer resources they can compromise. 

Eradication

Eradication involves removing any trace of an attacker from an organization’s systems. This might mean uninstalling malware, wiping devices, removing compromised accounts, or resetting network addresses. This step can be time-consuming, as administrators must ensure they’ve erased everything an attacker brought into the system.

Recovery

During recovery, an administrator restores the network to full working order. This may involve resetting hardware or restoring backups of damaged files. After this step, the system should function normally again for your staff and stakeholders.

Lessons learned

Once the other steps are complete, an administrator documents how the breach occurred and suggests ways to stop similar attacks from happening again. This may involve updating security policy, investing in new software or hardware, or changing how employees access and share sensitive data. You may also need to communicate some of this information to stakeholders and law enforcement.
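The identification and containment steps above, and the tension between preservation and speed described in the "What is digital forensics and incident response?" section, can be made concrete in code. This is an added example written for this article, not Lookout's or SANS's code; the per-account baselines, the events, and the action wording are constructed assumptions. Identification compares each event with what the account normally does (source network and active hours); containment then orders actions per account so that logs are exported and hashed before sessions are revoked and the account is disabled, since the disruptive steps destroy the evidence the forensic half needs.

```python
"""Identification and containment triage following the SANS steps.

Added illustration, not Lookout's or SANS's code. Baselines, events and
action names are constructed assumptions.
"""
import ipaddress
from datetime import datetime

# Constructed baseline: networks each account normally uses and its usual UTC hours.
BASELINE = {
    "alice": {"networks": ["198.51.100.0/24"], "hours": range(7, 20)},
    "bob": {"networks": ["198.51.100.0/24", "192.0.2.0/24"], "hours": range(0, 24)},
}

# Constructed events as an identity provider or VPN gateway might log them.
EVENTS = [
    {"ts": "2024-11-19T09:12:00Z", "user": "alice", "src": "198.51.100.23", "action": "login"},
    {"ts": "2024-11-19T02:41:00Z", "user": "alice", "src": "203.0.113.7", "action": "login"},
    {"ts": "2024-11-19T02:43:00Z", "user": "alice", "src": "203.0.113.7",
     "action": "download", "object": "hr/payroll.xlsx"},
    {"ts": "2024-11-19T03:00:00Z", "user": "bob", "src": "192.0.2.10", "action": "login"},
]


def identify(events: list, baseline: dict) -> list:
    """Identification: flag events that deviate from the account's baseline, with reasons."""
    flagged = []
    for ev in events:
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for account")
        else:
            addr = ipaddress.ip_address(ev["src"])
            if not any(addr in ipaddress.ip_network(n) for n in profile["networks"]):
                reasons.append("source outside known networks")
            hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            if hour not in profile["hours"]:
                reasons.append("outside normal hours")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


def containment_plan(flagged: list) -> dict:
    """Containment: per account, preserve evidence first, then cut the intruder's access."""
    plan = {}
    for ev in flagged:
        entry = plan.setdefault(ev["user"], {"sources": set(), "touched": set()})
        entry["sources"].add(ev["src"])
        if "object" in ev:
            entry["touched"].add(ev["object"])
    for user, entry in plan.items():
        sources = sorted(entry["sources"])
        entry["sources"] = sources
        entry["touched"] = sorted(entry["touched"])
        entry["actions"] = [
            f"export and hash authentication and audit logs for {user}",  # forensics first
            f"revoke active sessions and tokens for {user}",  # forcibly log the intruder out
            f"disable {user} and restrict its file permissions",
            f"block inbound access from {', '.join(sources)}",
            "snapshot affected hosts before any wipe or rebuild",  # eradication comes later
        ]
    return plan


if __name__ == "__main__":
    suspicious = identify(EVENTS, BASELINE)
    for ev in suspicious:
        print(ev["ts"], ev["user"], ev["src"], ev["action"], ";".join(ev["reasons"]))
    for user, entry in containment_plan(suspicious).items():
        print(f"\n{user}: sources={entry['sources']} touched={entry['touched']}")
        for step in entry["actions"]:
            print("  -", step)
```

The baseline does not need to be elaborate; even a short list of known networks and working hours catches the "legitimate account, wrong context" pattern the identification step asks an administrator to decide on, and the ordered plan makes the preservation-before-disruption rule explicit rather than leaving it to memory during an incident.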

Mitigate your cybersecurity risks with mobile threat intelligence

While digital forensics and incident response can be invaluable after a cyber attack, you can take proactive steps to help prevent data breaches. The Lookout Threat Intelligence Platform, for example, uses advanced artificial intelligence (AI) algorithms to discover mobile threats and track them in real time. Security experts from Lookout can help you strengthen your cybersecurity posture and educate your staff, while an ever-expanding threat database can help you combat the latest malware and social engineering tactics.

Identify and Prevent Threats with Lookout Threat Advisory

Lookout Threat Advisory offers advanced mobile threat intelligence, leveraging millions of devices in our global network and top security research insights to protect your organization.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization
