Prevention and detection aren't enough. To better defend against future intrusions, you need a strong digital forensics team that can analyze attacks.
In a world where enterprises are embracing the fact that breaches are not a matter of ‘if, but when,’ it is becoming increasingly important to develop internal and external resources to investigate and oversee the impact of attacks after they have happened.
Digital forensics is a relatively recent skills concentration—one that does not necessarily require the same talents, expertise or background as other cybersecurity positions. And while more enterprises are recognizing that they need such talent on the back-end, as it were, there are still holdouts that are entirely focused on detection and prevention, to their detriment.
“I think this is actually a misconception [that] organizations do not necessarily need to build out digital forensics teams in-house,” says Sean Mason, director of incident response for Cisco Security Services, adding that Cisco is building out its own forensic capability via its incident response services team. A key problem, Mason says, is “there is not enough talent to go around and, generally speaking, most organizations don’t have enough demand to require a full-time team on staff.”
Munish Walther-Puri, chief research officer at dark web monitoring company Terbium Labs, points out that digital forensics requires a combination of “investigation, intelligence, and innovation.”
Digital forensics teams are a complement to any IT team “because they figure out the who, what, when, where and why a bad actor came into the system,” says Avani Desai, president of audit and accounting firm Schellman & Co. “They help paint a picture of the incident and provide guidance on how to mitigate the risk of that happening again.” The forensics teams also take past data and processes and build upon them to make sure they have the tools to handle issues that are getting significantly tougher to solve, Desai adds.
Darien Kindlund, vice president of technology for Insight Engines, a provider of natural language search technology, points out that digital forensics is “an important pillar in any security operations team, in order to assess and understand tools, tactics, and procedures (TTPs) used by attackers to compromise a firm. That way, the firm can stop future breaches using these same TTPs by new attackers. A firm’s ability to understand how these attacks work is directly tied to how effective their digital forensics team is.”
Thinking differently for forensics
Digital forensics employees are often lumped in with cybersecurity personnel in general—but the skill set and expertise required are typically very different. Being part of the digital forensics team means working with a large subset of the organization, such as human resources, IT, legal, compliance and operations, according to Desai. “They need to have strong interpersonal skills, as tension is often high during an incident or breach response,” Desai says. “As with any highly analytical job, the forensics team must have high attention to detail, focus on a methodological approach and execution, and have a determined approach – no stone can go unturned.”
In addition, digital forensics team members need to “understand the ever-evolving environment of cybersecurity and how changes and new malware will affect the systems, which means they have to have a keen desire to learn and adapt to changes,” Desai says.
Digital forensics may not be as flashy as other cybersecurity positions—it is an “unconventional” IT security job, according to Desai. “But the skills of analytical thinking, attention to detail, solving puzzles are exciting and the earlier exposure the easier it will be to have a pipeline in the next ten years.”