Forensic Readiness is the ability of an organization to quickly gather evidence and respond to a security incident, while keeping the costs to a minimum and with minimum interruption to the ongoing business. A lot of organizations are aware that security incidents can and will happen. In the event of a security incident, an external or internal incident response team (or cyber forensics team) is hired or put to work mitigating the incident and making sure the company can go back to business as usual. Forensic readiness is crucial for optimizing the time between the incident taking place and resuming business. This is done by making sure the incident response team has a head-start in their investigation, and can quickly determine the source of the breach, as well as how to mitigate it.
There are several steps to take to improve an organization’s Forensic Readiness. First, the potential evidence that may be relevant in case of a breach must be determined. This stage is essentially a brainstorm of all possible types of breaches a company may endure, such as a phishing attack, malware, a website hack and so on. For each type of breach, the organization should determine what evidence would support the investigation when it happens. Examples are authentication logs, web request logs, and firewall and network logs.
When the types of breaches and types of log data have been determined, the source of the various types of data should be identified. For each data source, the forensic value as well as the desired retention, format, level of detail and legal requirements must be determined.
Since the collected log files must be able to serve as evidence when a breach happens, it is important to make sure that an attacker cannot modify any of the logs. Furthermore, legal requirements such as secure storage and handling of the data should be considered. Both are best achieved when the logs are collected at a central point in the network, so that a copy exists beyond the reach of an attacker who compromises the originating host; this can be a simple syslog server or, for larger organizations, a SIEM.
When all this data is collected centrally, it is also important to train staff to handle an incident and preserve the evidence. Policies should be put into place making sure that it is clear for everyone when an incident justifies the use of the logs and when an escalation should take place.
In addition to an incident response plan or policy, a company should consider how data can be retrieved from the log system in a safe and secure manner without compromising the integrity of the log data.
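One way to make centrally collected logs tamper-evident, as an added example that is not part of the original article and not DeepBlue's own code: each line arriving at the collector is chained with an HMAC under a key held only on the collector (never on the log-producing hosts), and the verifier detects edits, deletions and reordering, plus truncation when the latest MAC is published out-of-band (for example to write-once storage). The log lines and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: syslog-style lines as received by a central collector.
SAMPLE_LOG_LINES = [
    "Mar 12 10:01:02 web01 sshd[4123]: Accepted publickey for deploy from 10.0.0.5 port 51022",
    "Mar 12 10:01:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Mar 12 10:02:41 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=3389",
]
GENESIS = "0" * 64  # fixed anchor for the first record


def _mac(key, prev_mac, seq, line):
    # Each MAC covers the previous MAC, the sequence number and the line itself,
    # so changing, removing or reordering any record breaks every later MAC.
    # HMAC (not a plain hash) means an attacker without the collector key
    # cannot simply recompute a consistent chain after editing a line.
    return hmac.new(key, f"{prev_mac}|{seq}|{line}".encode(), hashlib.sha256).hexdigest()


def build_chain(lines, key):
    """Return a list of {seq, line, mac} records, as the collector would store them."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        mac = _mac(key, prev, seq, line)
        records.append({"seq": seq, "line": line, "mac": mac})
        prev = mac
    return records


def verify_chain(records, key, expected_last_mac=None):
    """Return (ok, first_bad_seq). expected_last_mac is the MAC the collector
    last published out-of-band; without it, silent truncation of the tail
    cannot be distinguished from a shorter log."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:            # gap or reorder
            return False, expected_seq
        mac = _mac(key, prev, rec["seq"], rec["line"])
        if not hmac.compare_digest(mac, rec["mac"]):  # edited line or MAC
            return False, expected_seq
        prev = mac
    if expected_last_mac is not None and not hmac.compare_digest(prev, expected_last_mac):
        return False, len(records)                # tail truncated
    return True, None


def demo():
    key = b"constructed-demo-key-held-only-on-the-collector"
    chain = build_chain(SAMPLE_LOG_LINES, key)
    tampered = [dict(r) for r in chain]
    tampered[1]["line"] = tampered[1]["line"].replace("restart nginx", "status nginx")
    return verify_chain(tampered, key)  # returns (False, 1)
```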
When all the above steps are taken, the organization will be ready when an incident happens. A cyber forensics team investigating a breach or cybersecurity incident will be able to quickly access all log data via a single, centrally managed interface. This allows the team to quickly determine the root cause of the breach and speed up their investigation, in turn shortening the recovery time to business as usual.
Contact us for more information
DeepBlue Security & Intelligence