January 29, 2015 By Vijay Dheap 4 min read

You can tell that a concept is going mainstream when a popular Hollywood investigative drama has a spinoff dedicated to the concept. Cybercrime is becoming increasingly commonplace, and cyberthreats abound. So, fittingly, “CSI” is planning a new series focused on cyber forensics: “CSI: Cyber.”

It is interesting to see that while many popular law enforcement-oriented TV shows do include a cybersecurity analyst, his or her exploits are most often showcased in an impromptu fashion. However, this new show is expected to depict cyber forensics as a formal practice. Perhaps you should take a cue from Hollywood and look more seriously at how your organization can transition from ad hoc incident responses to implementing a robust cyber forensics practice.

What Are Cyber Forensics?

Cyber forensics can best be described as an investigative analysis of rich content — full packet data, documents and other artifacts — to reveal the presence, nature, impact and extent of a cyberthreat. If you think that sounds complex and sophisticated, that’s because it is. Becoming a seasoned cyber forensics investigator requires deep technical knowledge and significant experience. Additionally, given the availability of rich content, the data that needs to be mined is voluminous and varied.

Therefore, even the most senior forensics experts must spend a significant amount of time wading through data to zero in on nuggets of knowledge about a given security incident. From a security operations standpoint, these properties of cyber forensics make it an expensive proposition. As a result, cyber forensics has traditionally been viewed as a specialty to be called upon only when the situation is dire.

However, as cybersecurity takes center stage as a result of a growing number of destructive breaches and cyberattacks, cyber forensics cannot remain a niche capability. The need to democratize the capabilities required for cyber forensics and slash operational costs has never been greater. Only then can cyber forensics be standardized as a practice and be made a first-class citizen in cybersecurity operations.

Before unlocking the secrets to making cyber forensics more accessible to a broader set of organizations on a more regular basis, it is important to place cyber forensics within the context of a broader security intelligence framework. If you employ the principle of maximizing security value for time and cost investment, it becomes apparent that as an organization develops its security intelligence operations — from log management to security information and event management (SIEM) to flow analytics — the next evolutionary step is cyber forensics. This progression is not sequential but, rather, cumulative, letting the organization minimize the resources it commits to address security incidents while quickly and seamlessly employing sophisticated means to mitigate the risks from cyberattacks.

Read the Ponemon Institute Study on Network Forensic Investigations

Raise the Abstraction Level

Traditionally, cyber forensics has had a narrow focus on full packet capture and subsequent packet-level analysis. While lossless full packet capture is an essential capability, it does not deliver forensic value; rather, it needs to be employed as the first stage to gain access to a very rich source of content. By acquiring standardized and commoditized technology for packet capture, the cost side of the equation becomes more attractive.

Next, while packet-level analysis can reveal malicious or suspicious activity, it can be onerous and time-consuming, especially when dealing with large amounts of packet data. By shifting focus from individual packets to the aggregate payload of a collection of packets, an investigator can gain more clarity about the actual artifacts flowing over the network. Human intuition and logical reasoning can guide the application of specific technical expertise. Not only does this open cyber forensics up to a wider community of security analysts, but it also improves productivity.

Scope Forensics to Rich Metadata and Content

Organizations often become disillusioned with their forensics efforts when they attempt to employ cyber forensics exclusively to understand security incidents. They incur all the cost of full packet capture and storage of content but minimally focus their analysis on basic metadata associated with network traffic.

By employing forensics within the context of an overall security intelligence exercise, infrastructure investments can be minimized while the response time increases. Advanced SIEM and flow analytics can be used to glean insights from basic metadata for most security incidents and narrow the security context for the incidents that require a more in-depth investigation. Forensics focuses on allowing for the rapid retrieval of rich metadata and content relevant to the security incident. By allowing for content-level clarity, forensics can efficiently expose the “how” and “what” behind a security incident.

Employ a Platform Strategy

Seasoned cyber forensics investigators employ a specialized set of tools. Not only do each of these tools require training, but the efficacy of the forensics process rests on the expertise of the operator to synthesize the information from the various data inputs of all these tools to unlock knowledge.

Given that this model does not scale, building a cyberpractice within an organization requires the deployment of a forensics platform that delivers an integrated set of core forensics capabilities. Interestingly, if you analyze real-world investigative processes, patterns emerge that allude to the required set of core forensics tools — for example, a timeline depiction of events, visualization of entity relationships and categorization of artifacts.

The platform also needs to automate the enrichment of data and synthesize information wherever possible to deliver actionable knowledge. A platform approach also lets an organization go beyond just network packet data to other important artifacts from other sources, such as documents from file repositories, event feeds from applications and executable code.

Cyber forensics has too much riding on it to remain a niche capability in the cybersecurity field. By focusing more attention on this field, your organization can work to lower risk and improve your security.

More from Threat Intelligence

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today