Light Dark
June 6, 2018 By Warren Perez Araya 3 min read
Incident Response
Security Services

When thinking about digital forensics, most people imagine a court and lawyers. But this isn’t true in most cases, as it’s much more than legal processes or procedures. Forensics is essentially the process of understanding why, when and how something happened. This could be done for a criminal investigation, a civil investigation or just as an internal incident response (IR) investigation.

It’s difficult to guess when an incident is going to occur — and even harder to anticipate if that incident will require some sort of forensic investigation, either internally or to present evidence in a court of law.

Companies must be prepared to respond if something unexpected happens. Generally, organizations have two options for IR and digital forensics: Buy or build?

Buying Incident Response and Digital Forensics

What does it mean to “buy” an IR and digital forensics team? It’s simple: A company pays another company to support them in the event of an incident. There are several advantages to this type of service. For instance, the company does not need to invest in equipment and personnel, as the service provider provides everything. The IBM X-Force Incident Response and Intelligence Services (IRIS), for example, offers teams to clients who’ve had a security incident.

Services provided by IRIS include:

  • IR planning
  • Remote threat response
  • On-site incident response
  • Around-the-clock access

Of course, this doesn’t mean that a company using this type of service doesn’t have to do anything in-house. The internal personnel must be trained in IR on a fundamental level. This would be like training your staff in first aid — they don’t need to be experts, but they should have at least some basic knowledge of how to act in an emergency.

There will likely also be a need for a more advanced in-house role. This person will be in charge of contacting and engaging the on-demand IR team. Evidence must be preserved, and a trained staff member should be in charge of ensuring that happens.

Building Incident Response and Digital Forensics

The second option is to build your team. This means investing in qualified and trained personnel, equipment, tools and a laboratory. It’s not every day that a security incident needs to be investigated from a forensics perspective — but when the time comes, it’s always better to be prepared.

There are several types of investigations that you must consider when building an IR team. When investigating an internal incident, the chain of custody is not that critical. For instance, if the IR or digital forensics team has to engage with a possible virus infection, the most important thing is that they secure the infected machine or machines. This allows the team to start working with the secured devices and analyze the software and look for indicators of compromise (IOCs). How the evidence is collected is not vital in a scenario like this. However, if the investigation must be presented to a court of law, how the evidence is collected and secured is vital.

Understanding this, an on-site IR team can be built to match what a company really wants or needs. Perhaps the noncriminal or civil investigations would be handled by the on-site team and the rest by a third-party company. Maybe the company wants to have a team capable of dealing with all sorts of investigations instead, which requires legal advice, a larger team and a lab to meet standards for compliance.

There is one exception that it’s important to mention, which is a sensitive topic that must be treated carefully. If an on-site team or a contracted team encounters child pornography, all tasks being performed must be stopped. The area must then be secured and any person that interacted with the device (computer, cell phone, server, etc.) must stay where they are until the authorities are called and arrive at the scene.

Making Your Choice

The decision to either buy or build an IR and digital forensics team boils down to two questions:

  • What do we want to respond to ourselves?
  • What is our budget?

Answering the first question can give you an idea as to whether you need a team capable of adhering to the lawful way to collect evidence or not. The second question is the tiebreaker. Building an IR team and equipping the team with the necessary tools and infrastructure could be more expensive than contacting these services from third parties — having the trained personnel, or training (if needed), costs money.

A company could transfer those expenses and the risk of having an on-site IR team by contracting these types of services with a team of specialists. In the end, answering these questions can give you an idea as to the right option for you.

 |  |  | 
Warren Perez Araya
SIEM Admin, IBM

More from Incident Response
August 23, 2024

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

August 7, 2024

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

July 31, 2024

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature