Demystifying the Dark Art of Cyber Forensics

January 29, 2015

You can tell that a concept is going mainstream when a popular Hollywood investigative drama has a spinoff dedicated to the concept. Cybercrime is becoming increasingly commonplace, and cyberthreats abound. So, fittingly, “CSI” is planning a new series focused on cyber forensics: “CSI: Cyber.”

It is interesting to see that while many popular law enforcement-oriented TV shows do include a cybersecurity analyst, his or her exploits are most often showcased in an impromptu fashion. However, this new show is expected to depict cyber forensics as a formal practice. Perhaps you should take a cue from Hollywood and look more seriously at how your organization can transition from ad hoc incident responses to implementing a robust cyber forensics practice.

What Is Cyber Forensics?

Cyber forensics can best be described as an investigative analysis of rich content — full packet data, documents and other artifacts — to reveal the presence, nature, impact and extent of a cyberthreat. If you think that sounds complex and sophisticated, that’s because it is. Becoming a seasoned cyber forensics investigator requires deep technical knowledge and significant experience. Additionally, given the availability of rich content, the data that needs to be mined is voluminous and varied.

Therefore, even the most senior forensics experts must spend a significant amount of time wading through data to zero in on nuggets of knowledge about a given security incident. From a security operations standpoint, these properties of cyber forensics make it an expensive proposition. As a result, cyber forensics has traditionally been viewed as a specialty to be called upon only when the situation is dire.

However, as cybersecurity takes center stage as a result of a growing number of destructive breaches and cyberattacks, cyber forensics cannot remain a niche capability. The need to democratize the capabilities required for cyber forensics and slash operational costs has never been greater. Only then can cyber forensics be standardized as a practice and be made a first-class citizen in cybersecurity operations.

Before unlocking the secrets to making cyber forensics more accessible to a broader set of organizations on a more regular basis, it is important to place cyber forensics within the context of a broader security intelligence framework. If you employ the principle of maximizing security value for time and cost investment, it becomes apparent that as an organization develops its security intelligence operations — from log management to security information and event management (SIEM) to flow analytics — the next evolutionary step is cyber forensics. This progression is not sequential but, rather, cumulative, letting the organization minimize the resources it commits to address security incidents while quickly and seamlessly employing sophisticated means to mitigate the risks from cyberattacks.


Raise the Abstraction Level

Traditionally, cyber forensics has had a narrow focus on full packet capture and subsequent packet-level analysis. While lossless full packet capture is an essential capability, it does not by itself deliver forensic value; rather, it should be treated as the first stage that gives investigators access to a very rich source of content. By acquiring standardized, commoditized technology for packet capture, the cost side of the equation becomes more attractive.

Next, while packet-level analysis can reveal malicious or suspicious activity, it can be onerous and time-consuming, especially when dealing with large amounts of packet data. By shifting focus from individual packets to the aggregate payload of a collection of packets, an investigator can gain more clarity about the actual artifacts flowing over the network. Human intuition and logical reasoning can guide the application of specific technical expertise. Not only does this open cyber forensics up to a wider community of security analysts, but it also improves productivity.

Scope Forensics to Rich Metadata and Content

Organizations often become disillusioned with their forensics efforts when they attempt to employ cyber forensics exclusively to understand security incidents. They incur all the cost of full packet capture and content storage but then limit their analysis to the basic metadata associated with network traffic.

By employing forensics within the context of an overall security intelligence exercise, infrastructure investments can be minimized while response times shrink. Advanced SIEM and flow analytics can glean insights from basic metadata for most security incidents and narrow the security context for the incidents that require a more in-depth investigation. Forensics then focuses on rapidly retrieving the rich metadata and content relevant to that incident. By providing content-level clarity, forensics can efficiently expose the “how” and “what” behind a security incident.

Employ a Platform Strategy

Seasoned cyber forensics investigators employ a specialized set of tools. Not only does each of these tools require training, but the efficacy of the forensics process rests on the operator's expertise in synthesizing the information from the various data inputs of all these tools to unlock knowledge.

Given that this model does not scale, building a cyber forensics practice within an organization requires the deployment of a forensics platform that delivers an integrated set of core forensics capabilities. Interestingly, if you analyze real-world investigative processes, patterns emerge that point to the required set of core forensics tools — for example, a timeline depiction of events, visualization of entity relationships and categorization of artifacts.
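The three ideas above (aggregating packets into flow-level payload, narrowing to the flows a SIEM alert points at before retrieving content, and producing a timeline with categorized artifacts) can be shown together in one small script. This is an added example written for this article, not code from the author or from any IBM product; the packet records, hosts and file signatures are constructed, and TCP reassembly is reduced to ordering segments by sequence number while counting gaps.

```python
from collections import defaultdict

# Constructed capture: (timestamp, src, dst, tcp_seq, payload). Made-up records,
# not data from any real investigation; the server's segments are listed out of order.
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
PACKETS = [
    (1000.0, "10.0.0.5:51000", "203.0.113.9:80", 1, b"GET /update.bin HTTP/1.1\r\n\r\n"),
    (1000.2, "203.0.113.9:80", "10.0.0.5:51000", 1, HDR),
    (1000.6, "203.0.113.9:80", "10.0.0.5:51000", 1 + len(HDR) + 4, b"\x00" * 6),
    (1000.4, "203.0.113.9:80", "10.0.0.5:51000", 1 + len(HDR), b"MZ\x90\x00"),
    (1002.0, "10.0.0.7:52000", "203.0.113.9:8080", 1, b"%PDF-1.7 report"),
    (1003.0, "10.0.0.7:52000", "203.0.113.9:8080", 40, b"%%EOF"),  # seq 16..39 never captured
]
# Leading-byte signatures used to categorize reassembled content.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf-document", b"PK\x03\x04": "zip-archive"}

def reassemble(packets):
    """Aggregate packets into bidirectional flows with ordered per-direction payload."""
    segs = defaultdict(lambda: defaultdict(list))
    flows = {}
    for ts, src, dst, seq, payload in packets:
        key = tuple(sorted((src, dst)))          # same key for both directions
        f = flows.setdefault(key, {"start": ts, "end": ts, "bytes": 0, "gaps": 0, "streams": {}})
        f["start"], f["end"] = min(f["start"], ts), max(f["end"], ts)
        f["bytes"] += len(payload)
        segs[key][src].append((seq, payload))
    for key, by_src in segs.items():
        for src, lst in by_src.items():
            lst.sort()                            # order by sequence number, not arrival
            buf, expected = bytearray(), lst[0][0]
            for seq, payload in lst:
                if seq > expected:                # missing segment: record the gap, keep going
                    flows[key]["gaps"] += 1
                buf += payload[max(expected - seq, 0):]   # drop retransmitted overlap
                expected = max(expected, seq + len(payload))
            flows[key]["streams"][src] = bytes(buf)
    return flows

def categorize(stream):
    """Label a reassembled stream by the artifact it carries (HTTP body if a header is present)."""
    is_http = stream.startswith(b"HTTP/") or b" HTTP/" in stream[:100]
    body = stream.split(b"\r\n\r\n", 1)[-1] if is_http else stream
    return next((lbl for m, lbl in MAGIC.items() if body.startswith(m)), "unknown")

def investigate(packets, host):
    """Narrow to flows touching `host` (e.g. from a SIEM alert); return a timeline of artifacts."""
    rows = []
    for key, f in reassemble(packets).items():
        if not any(ep.startswith(host + ":") for ep in key):
            continue
        labels = {src: categorize(s) for src, s in f["streams"].items()}
        rows.append((f["start"], f["end"], key, f["bytes"], f["gaps"], labels))
    return sorted(rows)
```

Each timeline row carries the flow's endpoints, payload volume, number of capture gaps and the artifact label per direction, which is the level an analyst reasons at instead of individual packets.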

The platform also needs to automate the enrichment of data and synthesize information wherever possible to deliver actionable knowledge. A platform approach also lets an organization go beyond just network packet data to other important artifacts from other sources, such as documents from file repositories, event feeds from applications and executable code.

Cyber forensics has too much riding on it to remain a niche capability in the cybersecurity field. By focusing more attention on this field, your organization can work to lower risk and improve your security.

Vijay Dheap
Big Data Security Intelligence & Mobile Security, IBM Security

Vijay Dheap currently leads Mobile Security Strategy and Big Data Security Intelligence Solutions for IBM. As the resident strategist he led the formulation ...