You can tell that a concept is going mainstream when a popular Hollywood investigative drama has a spinoff dedicated to the concept. Cybercrime is becoming increasingly commonplace, and cyberthreats abound. So, fittingly, “CSI” is planning a new series focused on cyber forensics: “CSI: Cyber.”

It is interesting to see that while many popular law enforcement-oriented TV shows do include a cybersecurity analyst, his or her exploits are most often showcased in an impromptu fashion. However, this new show is expected to depict cyber forensics as a formal practice. Perhaps you should take a cue from Hollywood and look more seriously at how your organization can transition from ad hoc incident responses to implementing a robust cyber forensics practice.

What Are Cyber Forensics?

Cyber forensics can best be described as an investigative analysis of rich content — full packet data, documents and other artifacts — to reveal the presence, nature, impact and extent of a cyberthreat. If you think that sounds complex and sophisticated, that’s because it is. Becoming a seasoned cyber forensics investigator requires deep technical knowledge and significant experience. Additionally, given the availability of rich content, the data that needs to be mined is voluminous and varied.

Therefore, even the most senior forensics experts must spend a significant amount of time wading through data to zero in on nuggets of knowledge about a given security incident. From a security operations standpoint, these properties of cyber forensics make it an expensive proposition. As a result, cyber forensics has traditionally been viewed as a specialty to be called upon only when the situation is dire.

However, as cybersecurity takes center stage as a result of a growing number of destructive breaches and cyberattacks, cyber forensics cannot remain a niche capability. The need to democratize the capabilities required for cyber forensics and slash operational costs has never been greater. Only then can cyber forensics be standardized as a practice and be made a first-class citizen in cybersecurity operations.

Before unlocking the secrets to making cyber forensics more accessible to a broader set of organizations on a more regular basis, it is important to place cyber forensics within the context of a broader security intelligence framework. If you employ the principle of maximizing security value for time and cost investment, it becomes apparent that as an organization develops its security intelligence operations — from log management to security information and event management (SIEM) to flow analytics — the next evolutionary step is cyber forensics. This progression is not sequential but, rather, cumulative, letting the organization minimize the resources it commits to address security incidents while quickly and seamlessly employing sophisticated means to mitigate the risks from cyberattacks.

Read the Ponemon Institute Study on Network Forensic Investigations

Raise the Abstraction Level

Traditionally, cyber forensics has had a narrow focus on full packet capture and subsequent packet-level analysis. While lossless full packet capture is an essential capability, it does not deliver forensic value; rather, it needs to be employed as the first stage to gain access to a very rich source of content. By acquiring standardized and commoditized technology for packet capture, the cost side of the equation becomes more attractive.

Next, while packet-level analysis can reveal malicious or suspicious activity, it can be onerous and time-consuming, especially when dealing with large amounts of packet data. By shifting focus from individual packets to the aggregate payload of a collection of packets, an investigator can gain more clarity about the actual artifacts flowing over the network. Human intuition and logical reasoning can guide the application of specific technical expertise. Not only does this open cyber forensics up to a wider community of security analysts, but it also improves productivity.

Scope Forensics to Rich Metadata and Content

Organizations often become disillusioned with their forensics efforts when they attempt to employ cyber forensics exclusively to understand security incidents. They incur all the cost of full packet capture and storage of content but minimally focus their analysis on basic metadata associated with network traffic.

By employing forensics within the context of an overall security intelligence exercise, infrastructure investments can be minimized while the response time increases. Advanced SIEM and flow analytics can be used to glean insights from basic metadata for most security incidents and narrow the security context for the incidents that require a more in-depth investigation. Forensics focuses on allowing for the rapid retrieval of rich metadata and content relevant to the security incident. By allowing for content-level clarity, forensics can efficiently expose the “how” and “what” behind a security incident.

Employ a Platform Strategy

Seasoned cyber forensics investigators employ a specialized set of tools. Not only do each of these tools require training, but the efficacy of the forensics process rests on the expertise of the operator to synthesize the information from the various data inputs of all these tools to unlock knowledge.

Given that this model does not scale, building a cyberpractice within an organization requires the deployment of a forensics platform that delivers an integrated set of core forensics capabilities. Interestingly, if you analyze real-world investigative processes, patterns emerge that allude to the required set of core forensics tools — for example, a timeline depiction of events, visualization of entity relationships and categorization of artifacts.

The platform also needs to automate the enrichment of data and synthesize information wherever possible to deliver actionable knowledge. A platform approach also lets an organization go beyond just network packet data to other important artifacts from other sources, such as documents from file repositories, event feeds from applications and executable code.

Cyber forensics has too much riding on it to remain a niche capability in the cybersecurity field. By focusing more attention on this field, your organization can work to lower risk and improve your security.

More from Threat Intelligence

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…