The most common DFIR incidents
According to Magnet Forensics’ latest State of Enterprise Digital Forensics and Incident Response survey, digital forensics is growing as it becomes increasingly intertwined with incident response. At the same time, many digital forensics professionals report burnout and say they need more automation and stronger leadership in the DFIR space, where hiring is already difficult.
The survey by Magnet Forensics, which develops digital investigation solutions, was conducted between October and November 2022.
Digital forensics is increasingly involved in incident response
Digital forensics, sometimes called computer forensics, is a field that for many years was mostly applied to a single computer. Typical use cases were searching for evidence on the computer of an employee suspected of committing a crime, or analyzing suspicious or malicious programs such as information stealers.
Over time, attacks have become more complex and larger in scale, targeting multiple computers or servers within a company, often at the same time. Digital forensics, which used to mean offline analysis of full disk images, changed course when it became necessary to analyze live, running systems.
As a result, digital forensics has had to integrate with incident response teams to cope with this complexity. Live analysis allows deeper examination of systems without shutting them down, and digital forensics and incident response now typically work side by side within the SecOps team in the Security Operations Center.
Targeted attacks are the typical case where digital forensics and incident response complement each other best. While incident response works to contain, resolve, and recover from an incident, digital forensics is often the best way to establish its root cause.
Lessons learned from all incident responses and digital forensics operations help companies identify weaknesses in their defenses and implement new safeguards and processes.
The most common DFIR incidents
According to Magnet Forensics, data exfiltration or IP theft accounts for 35% of all activity and is the most common DFIR incident, closely followed by business email compromise (Figure A). Fourteen percent of respondents indicated that their organization encounters BEC fraud very often. Other common incidents include employee misconduct, misuse of devices or policy violations, internal fraud, and endpoints infected with ransomware.
Data exfiltration, IP theft and ransomware have a huge impact on organizations. These cases are hard for DFIR professionals to work: quickly investigating a ransomware or data breach case requires both experience and the right equipment, while the attackers deliberately try to make the investigation as difficult as possible.
The challenges of evolving cyber attack techniques
Attacks are constantly changing in scale and complexity, and threat actors use multiple techniques to evade detection; as a result, 42% of DFIR professionals indicated that evolving cyber attack techniques were either an extreme or a major problem for their organization.
Keeping up with such attacks is a challenge, and companies increasingly rely on research staff whose job is to keep the organization informed about attackers’ new and ever-evolving tactics, techniques and procedures. Good sources of information on evolving threats include MITRE (for example the ATT&CK knowledge base), CISA, and the LinkedIn or Twitter accounts of cybersecurity researchers.
Further automation of DFIR is needed
DFIR involves many repetitive tasks, and tools to automate them are badly needed.
SOCs already make heavy use of automation because they have to deal with large volumes of telemetry, but digital forensics automation is different: it mostly concerns the data processing needed to coordinate, execute, and monitor forensic workflows.
Half of DFIR professionals indicated that investment in automation would be very valuable for many DFIR functions, as workflows still rely on manual execution of too many repetitive tasks.
More than 20% of respondents indicated that automation would be most valuable for remote acquisition of target endpoints, target endpoint triage and digital evidence processing, and incident documentation, summarization and reporting.
Respondents indicated that the increasing volume of investigations and data was either an extreme (13%) or a major (32%) problem (Figure B).
DFIR staffing challenges
Nearly 30% of corporate DFIR users agree that investigative fatigue is a real problem, while 21% strongly agree that they feel burned out in their jobs. The stress caused by the volume of investigations and data, together with the need to respond quickly to incidents, makes it difficult for these professionals to rest. Automation can help them save time and enable faster analysis.
Recruiting was identified as a serious challenge by 30% of respondents. Hiring new DFIR professionals is also difficult because the role varies widely from company to company, for example in the types of devices and tools involved (Figure C).
More DFIR leadership is needed to assist with data and regulation
Such a rapidly evolving field needs informed and determined leadership to develop strategies and manage resources effectively. Managers determine how effectively DFIR professionals can access the data sources they need, which more than a third of respondents said is often difficult.
The biggest contributors to wasted resources are the lack of a coherent incident response strategy and plan, and the lack of standardized processes (Figure D).
Regulation is another challenge for DFIR professionals. For example, 67% of DFIR professionals indicated that their role was affected by new incident reporting regulations, and 46% of respondents reported not having enough time to fully understand new and changing legislation. Managers must understand the rules and decide how to handle them, for example by freeing up time for DFIR teams to study the requirements or by consulting the company’s legal department.
Outsourcing of DFIR investigations is common
Most companies outsource at least some of their DFIR investigations, mainly because they lack the skills internally. Almost half of respondents (47%) cited lack of expertise as the primary reason for using service providers; the second most common reason (38%) was the lack of the necessary equipment, which can be extremely expensive in some cases.
DFIR recommendations for businesses
Companies should invest in DFIR solutions that prioritize speed, accuracy and completeness. Every delay in analyzing an incident increases the risk to the organization.
Automation should be strongly encouraged and invested in to help DFIR professionals reduce both burnout and investigative delays.
An incident response plan is essential. The plan clarifies roles and responsibilities and details how forensics and incident response will be conducted. It should also facilitate data access with clear instructions on who provides what within the company. The critical roles that provide access to data must be reachable 24/7.
DFIR teams must fully understand the applicable rules and legislation. In general, anything that can be done in advance to prepare for future incidents should be carefully considered and completed while the team is not working an active incident.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
Read the following: Security Incident Response Policy (TechRepublic Premium)