Incident Response and Computer Network Forensics are topics that cybersecurity professionals must understand as they respond to threats within their organizations. When a threat actor breaches your security controls, the organization has to respond quickly, identify the issue accurately, and make the changes needed to return to normal operations. Incident Response (IR) teams provide structured, rehearsed plans for handling events as they happen. They are key to keeping incidents limited in scope and to identifying the security-control changes needed to prevent similar incidents in the future. Network forensic toolsets are among the tools used to examine devices, network traffic, and transactions so that the pieces of the puzzle of a security incident can be reassembled.
The document below was created as my final project within this course. It focuses on a mock business that had personal employee data leaked on the internet. The report provides a rundown of the incident and the steps taken to mitigate the data leak. All examples in this report are fictitious, but the steps represent those an IR team would take to identify and address a similar type of breach in the real world.
As I reflect on this course and re-read the example report provided above, I'm reminded of the importance of IR teams in an environment and how important it is for them to maintain a professional and ethical demeanor throughout their activities. If an incident is severe enough, how the IR team handles its response can be the difference between the success and failure of a company. The feedback provided by an IR team, especially when running internal red team/blue team exercises, can be crucial to staying ahead of threat actors out to do harm to your organization.
Professionally, understanding IR teams, how they draw on and feed back into core security operations, and how they protect an organization is one of the key factors in the success of a cybersecurity program. IR teams provide insight into what actually happened during an incident, and that insight feeds back into architectures, policies, and other management activities so the organization is better protected the next time. Many third parties offer strong IR services for organizations that cannot build their own team. Examples include Palo Alto Networks Unit 42 (https://www.paloaltonetworks.com/unit42) and the Center for Internet Security's offering to U.S. State, Local, Tribal, and Territorial entities (https://www.cisecurity.org/isac/report-an-incident). These third-party teams bring the knowledge and experience of many prior engagements with them, which can shorten the time to resolution or lower the overall impact of an incident.
IR teams need strong ethical principles, as their work affects the success of the business and, in the event of insider threats, the rights and discipline of individuals. A good moral compass lets IR team members set personal feelings aside, look at the data in front of them, and give regulatory and law-enforcement authorities the information they need to pursue action where required. Using forensic tools that preserve the integrity of evidence, and maintaining a documented chain of custody for that evidence, is crucial to the success of any investigation: an image whose hash no longer matches the one recorded at acquisition, or whose custody record has an unexplained gap, can be challenged or rejected later. The incident response and data collection process is well documented in publications such as NIST Special Publication 800-61 (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf), which gives organizations the guidance they need to implement an IR process in their environment.
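As an added illustration (not part of the original page or the course report), the script below shows the mechanics behind evidence integrity and chain of custody: hash the item at acquisition, re-hash it at every hand-off, and refuse the transfer if the hashes no longer match. The evidence file, the handler names and the log entries are all constructed for the example; a real collection would hash the image produced behind a write blocker and keep the custody log separately from the evidence itself.

```python
"""Evidence hashing and chain-of-custody logging for an IR collection.

Added example, not code from the original page. The "disk image" and
handler names below are constructed so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who held an evidence item and what it hashed to at each step."""

    def __init__(self):
        self.entries = []

    def record(self, action, path, handler, note=""):
        entry = {
            "action": action,
            "evidence": os.path.basename(path),
            "sha256": sha256_file(path),
            "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, path):
        """The hash taken at acquisition is the reference every later check compares against."""
        name = os.path.basename(path)
        for entry in self.entries:
            if entry["action"] == "acquired" and entry["evidence"] == name:
                return entry["sha256"]
        raise KeyError(f"no acquisition record for {name}")

    def verify(self, path):
        """Re-hash the item now; returns (matches, expected, actual)."""
        expected = self.acquisition_hash(path)
        actual = sha256_file(path)
        return actual == expected, expected, actual

    def handoff(self, path, from_handler, to_handler):
        """Record a transfer only if the item still matches; otherwise log the break and refuse."""
        ok, expected, actual = self.verify(path)
        if not ok:
            self.record("integrity_failure", path, from_handler,
                        note=f"expected {expected}, got {actual}")
            raise ValueError("evidence hash mismatch; custody chain broken")
        self.record("transferred", path, to_handler, note=f"from {from_handler}")
        return True

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def run_demo():
    """Walk an acquisition, a clean hand-off, then a tampered copy; returns the outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-042.dd")  # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed disk image, not real evidence")

        log = CustodyLog()
        log.record("acquired", image, "analyst.a", note="imaged behind a write blocker")
        clean_ok, _, _ = log.verify(image)
        handed_off = log.handoff(image, "analyst.a", "analyst.b")

        # Simulate someone "tidying up" the image after acquisition: a single byte changes.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        tampered_ok, _, _ = log.verify(image)
        try:
            log.handoff(image, "analyst.b", "legal")
            second_handoff = True
        except ValueError:
            second_handoff = False

        return {
            "clean_ok": clean_ok,
            "handed_off": handed_off,
            "tampered_ok": tampered_ok,
            "second_handoff": second_handoff,
            "actions": [entry["action"] for entry in log.entries],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of `handoff` failing closed is that a broken chain is itself evidence: the log records the mismatch and who held the item at the time, rather than silently carrying a modified image forward.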
Basis Technology. (n.d.). Autopsy - Digital Forensics. Retrieved December 12, 2021, from https://www.autopsy.com/
Center for Internet Security. (n.d.). Report an Incident. CIS Center for Internet Security. Retrieved April 2, 2022, from https://www.cisecurity.org/isac/report-an-incident
Ellis, S. (2013). Creating Forensic Images Using Software and Hardware Write Blockers. ScienceDirect. https://www.sciencedirect.com/topics/computer-science/hardware-write-blocker
Palo Alto Networks Unit 42. (n.d.). Unit 42 - Threat Intelligence & Consulting. Palo Alto Networks. Retrieved April 2, 2022, from https://www.paloaltonetworks.com/unit42
Stanger, J. (2020, July 6). The Ancient Practice of Steganography: What Is It, How Is It Used and Why Do Cybersecurity Pros Need to Understand It. CompTIA. https://www.comptia.org/blog/what-is-steganography