The day-to-day security activities in an organization are the heart of security operations. Here I’ll explain various techniques for performing security investigations. I’ll also explain how to log and monitor activities for security purposes, how to establish secure resource provisioning, and how to apply general security concepts, such as least privilege.
Understanding security investigations
There are a number of categories used to describe how we examine IT assets and digital devices to look for potential evidence. Computer forensics focuses specifically on looking for evidence on computing devices and their storage media. Not only should we look for potential evidence, but we have to consider the preservation of that evidence to reduce the possibility of tampering. That data is then analyzed to arrive at conclusions that might be admissible as evidence in a court of law. Digital forensics is a little bit different because it expands the types of technological solutions that we can examine beyond just computing devices. It covers digital devices in general, which would include things like smartphones, tablets, and perhaps even the logs on a Wi-Fi router. Cyber forensics is a catch-all term that is sometimes used to refer to digital or computer forensics.
There are different categories that describe how digital devices are examined for potential evidence. Some of these categories are computer forensics, digital forensics, cyber forensics, and network forensics.
Network forensics can be used outside of the purpose of gathering legal evidence. Network technicians might perform network forensics to examine network traffic, looking for abnormalities, as would be the case with intrusion detection systems. But on the legal side, we might capture network traffic for the purpose of gathering evidence. It must be done in a way consistent with the law. We want to make sure, once again, that any captured network traffic is kept safe, so it can’t be tampered with. eDiscovery refers to a process where electronic data is sought, secured within the confines of the law, and then analyzed to arrive at conclusions. The overall purpose of eDiscovery is to have evidence that is admissible in a court of law. All of these evidence-gathering activities must be done in accordance with the laws that apply to the specific situation.
Another category for describing how digital devices are examined is eDiscovery.
Identifying evidence is the first step in gathering evidence from digital devices.
Evidence needs to be identified, and then it needs to be collected. The chain of custody ensures that data is kept safe and is kept track of at all times. We also want to make sure, in some cases, that we’re making complete hard disk copies, so that the original evidence is left untouched. File hashing can also be used to verify whether file contents have changed. Examining and analyzing the evidence is then done to draw conclusions that can be used in a presentation of findings. Within an organization, as part of its security policies, we need to have an incident response policy that applies when we have a security breach. We have to be properly staffed, and have the correct teams to deal with these incidents should they arise. The teams could be virtual, so teams that work together over the Internet, or they could be permanent local fixed staff. We might also have to consult with representation from other departments: legal, human resources, security personnel, and so on. The purpose of incident response is to maintain and restore business continuity when a security breach occurs.
The next step is collecting and acquiring evidence, which involves establishing and following a chain of custody, making hard disk copies, and hashing files.
Examining and analyzing the gathered evidence is the next step and precedes presentation of the process’s findings.
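The collection step above mentions hard disk copies, hashing files, and the chain of custody. The following is an added example, not code from the original lesson, showing how those pieces fit together: each acquired evidence file is hashed at collection time into a manifest that also records who collected it and when, and a later examiner re-hashes the files against that manifest to prove nothing changed. It assumes (hypothetically) that the evidence is held as ordinary files such as a raw disk image copy, that SHA-256 is the chosen hash, and that the manifest is a JSON file kept beside the evidence; the sample files it creates are constructed for the demonstration.

```python
"""Added example (not from the original lesson): hashing acquired evidence
files and re-verifying them against a chain-of-custody manifest.

Assumptions (hypothetical): evidence lives as ordinary files on disk (for
example a raw disk image copy), SHA-256 is the chosen hash, and the manifest
is a JSON document kept alongside the evidence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1024 * 1024):
    """Return the SHA-256 hex digest of a file, read in chunks so that a
    multi-gigabyte disk image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collected_by):
    """Record who collected each item, when, and its hash and size at
    acquisition time. This is the first entry of the chain of custody."""
    return {
        "created": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "items": {
            os.path.basename(p): {"sha256": hash_file(p), "size": os.path.getsize(p)}
            for p in paths
        },
    }


def verify_manifest(manifest, paths):
    """Re-hash each item and report any whose contents no longer match the
    manifest. Files missing from the manifest are reported as well, since an
    unrecorded item has no custody history. An empty list means the evidence
    is intact."""
    changed = []
    for p in paths:
        name = os.path.basename(p)
        entry = manifest["items"].get(name)
        if entry is None or hash_file(p) != entry["sha256"]:
            changed.append(name)
    return changed


def demo():
    """Walk through acquisition, verification, a tamper, and re-verification
    on constructed sample evidence files. Returns (manifest, before, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk-image.raw")
        notes = os.path.join(workdir, "notes.txt")
        with open(image, "wb") as f:
            f.write(os.urandom(4096))  # constructed stand-in for a disk copy
        with open(notes, "wb") as f:
            f.write(b"abc")  # constructed sample content
        paths = [image, notes]

        # Acquisition: hash everything and write the manifest beside it.
        manifest = build_manifest(paths, collected_by="analyst-1")
        manifest_path = os.path.join(workdir, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)

        # Later: a second examiner reloads the manifest and checks the evidence.
        with open(manifest_path) as f:
            reloaded = json.load(f)
        before = verify_manifest(reloaded, paths)

        # Simulate an unauthorized change to the working copy of the image.
        with open(image, "ab") as f:
            f.write(b"\x00")
        after = verify_manifest(reloaded, paths)
        return reloaded, before, after


if __name__ == "__main__":
    _, intact, tampered = demo()
    print("changed before tamper:", intact)
    print("changed after tamper:", tampered)
```

Hashing is done in chunks because real disk images are far larger than memory, and the manifest stores the size alongside the digest so that a truncated copy is caught even before the hash is compared. In practice the manifest itself should be stored somewhere the examiner cannot alter, otherwise a tampered file and a re-generated manifest would verify cleanly.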
The two policies that are vital for an organization’s security govern how it responds to potential threats and how incidents are handled.
It is important for organizations to be properly staffed with virtual or permanent teams and to have core representation from the legal, human resources, communications, security, internal review, and informatics departments.
The goal of incident response is to maintain and restore business continuity.
We can also deter future attacks through investigation and, of course, prosecution, to set an example or a precedent. Incident response will reduce the impact that the situation has on an organization’s people and its assets. Response will also provide management with sufficient information to determine an appropriate course of action, given a specific situation. The main phases of incident response include triage, where we do the initial sorting and diagnosing of information to determine a course of action; acting on that course of action is the next phase. Incident response also includes a follow-up to determine what worked well, and what did not, in our initial response to a problem. So we should review the incident response process to see if any improvements could be made. There are always changes that need to be made. This is an ongoing process. In this video, we discussed security investigations.
Other goals are to deter future attacks through investigation and prosecution, reduce the impact the situation has on the organization, and provide management with sufficient information to determine an appropriate course of action.
The three main phases of incident response are triage, action/reaction, and follow-up. Triage involves sorting and diagnosing information; action/reaction involves determining how to address the incident quickly. The follow-up phase involves determining what went well and what didn’t and reviewing the incident response process. It is a dynamic process that needs constant updating.