FINDING #3: DFIR Leadership Has Never Been More Important
Organizations need effective incident response plans that specify the role of digital forensics. At the same time, leaders need to ensure DFIR practitioners are equipped with the resources and privileges they need to perform their roles.
Regulatory obligations are constantly evolving, but DFIR professionals are struggling to keep up. To manage regulatory risk, leaders must ensure DFIR teams either have the necessary time to interpret regulations or have access to expert interpretations (e.g., from legal counsel).
Third-party forensic service providers (FSPs) can meet many needs, such as extending an organization’s capabilities and providing impartial reviews. The right ‘mix’ of resourcing almost certainly involves some use of FSPs—leaders must strike a balance by addressing short-term needs while still investing in internal capabilities for the long term.
The field of corporate digital forensics is undergoing rapid evolution and is under the spotlight like never before as practitioners contribute to incident response and as the function itself comes to be regarded as essential within broader cybersecurity initiatives.
In such circumstances, informed and decisive leadership plays a critical role in determining whether an organization can reach its goals and fulfill its obligations.
A crucial function of leadership is to set the strategy by which an organization can meet its mission effectively and efficiently. In a world of finite resources, any waste that exists ultimately makes the organization less secure, whether by directing resources to the wrong place (like the saying goes, “the wrong controls in the wrong place are often worse than having no controls at all”) or by neglecting crucial areas until it’s too late.
In the context of corporate DFIR, it appears that there is considerable room for improvement (Figure 8). 37% of respondents indicated that a lack of a cohesive IR strategy is either an extreme (10%) or large (27%) contributor to wasted resources.
Respondents also pointed to a lack of standardized processes as a major cause of waste, with nearly 36% reporting that this gap is either an extreme (7%) or large (29%) contributor.
Many organizations have adopted some type of cybersecurity framework, the two most common being the ISO-27000 family of standards and the NIST Cybersecurity Framework. The NIST framework uses a maturity rating that helps organizations evaluate their current activities and whether those activities are sufficient for their environment. An organization’s DFIR plans fall within the Respond function of the NIST framework and within the ISO-27035 standard for incident management.
When the pressure is on and the stakes are high—exactly the scenario that plays out during and following cyberattacks—it’s important that DFIR practitioners can reference clear plans, rather than trying to figure things out ‘on the fly.’
A well-developed IR plan includes, among other things, what actions need to be performed, what decisions need to be made (and by whom), and—most importantly—in what order. In the context of digital forensics, the plan should outline what forensics are required (if required at all) for each incident type; and it should also ensure that well-meaning IT teams don’t inadvertently destroy potential evidence in the race to recover (e.g., by re-imaging endpoints).
But beyond simply having a plan in place, the DFIR practitioners must be empowered to access the data sources they need (more than a third of respondents indicated that an inability to do so is at least a large contributor to waste) and must be equipped with the tools (or other resources) needed to perform their duties effectively. Leaders wield enormous influence in both areas.
In response to data breaches and the evolving threat landscape, regulators are imposing new requirements around duty of care and disclosure. Unfortunately, there are signs that many DFIR functions are struggling to keep up, potentially exposing the larger organization to significant regulatory risk.
The large majority (65%) of survey participants are involved in the process of investigating and reporting cyber incidents or breaches to government regulators, with more senior respondents more likely to be involved. Of that proportion, fully two thirds (67%) indicated that their role has been impacted by new reporting regulations.
The most frequently cited impact is increased pressure to produce investigative results faster (67% of impacted DFIR professionals); of course, this pressure is in addition to the increasing caseloads, more difficult investigations, and other factors already discussed in this report. This trajectory is unsustainable, and leaders must prioritize equipping their teams with the resources (e.g., tooling, personnel) needed to keep pace.
Moreover, 46% of respondents reported that they simply don’t have enough time to fully understand the new and changing legislation. Many DFIR professionals have backgrounds in law enforcement, cybersecurity, and IT, and comparatively few will have the training or qualifications to interpret complex regulations that often span hundreds of pages of dense legalese. Compounding matters further, many organizations are subject to multiple sets of regulations and obligations (e.g., economic zone, national, state/provincial, sector- or certification-specific, etc.).
Whether the most effective approach is empowering DFIR teams with the time to study regulations, or turning to legal experts for opinions and direction, or some hybrid, meeting regulatory obligations starts with understanding them—and that is led by leadership.
The recent rise in cyberattacks has garnered enough coverage to incite change, beginning with the passing of two new cybersecurity laws in the U.S. in 2022. This is just the first step in a million-mile journey. Technology is always evolving and so, too, are regulations. DFIR professionals should be aware of what sector their organization falls into and whether new federal, state, and/or industry rules and regulations apply to them.
Leaders are responsible for ensuring the DFIR professionals are equipped and empowered to succeed, and access to third-party forensic service providers (FSPs) is a valuable resource.
Today, the majority of organizations represented in the survey outsource at least some DFIR investigations. Respondents from companies with fewer than 100 employees were the least likely to report that their organization outsources investigations (57%), while every other employee size cohort exceeded 73%, led by the 500-to-999 employee range (85%).
There are many reasons why an organization would bring in a third party to perform some aspect of investigations. The top reason—cited by 47% of respondents, and quite consistent across all organization sizes—is a lack of expertise or skillset internally. This result aligns with the earlier observations pertaining to challenges with recruiting, hiring, and onboarding qualified DFIR professionals, as well as the evolving complexity of today’s investigations.
Additionally, this aligns with why business email compromise attacks are the most likely to require third-party resources to assist with the investigation, according to 50% of respondents.
Not having the required toolset was the second-most cited reason overall (38%), and also speaks to investigation complexity, as different devices and data stores may need specialized tooling. In particular, FSPs are often able to provide big data analysis (e.g., to examine hundreds of servers concurrently) and direct experience dealing with specific threats (e.g., ransomware gangs or strains).
While some factors are consistent across organization sizes, others vary considerably. For example, organizations with fewer than 100 employees are more likely than others to use a third party as a result of the volume of investigations; they are also more likely to find third parties to be a cost-effective solution and far less likely to have a corporate policy in place requiring the use of third parties.
At the other end of the size spectrum, the largest enterprises are considerably more likely than others to require an impartial third-party review. In fact, this was the top reason why organizations with 10,000 or more employees call in outside assistance. While a major contributor to the need for third-party review is undoubtedly cyber insurance policy requirements, the largest enterprises likely also have more contractual and regulatory obligations than do the comparatively smaller organizations.
There is no doubt that FSPs are a very valuable resource that can extend the capabilities of the internal organization. At the same time, using FSPs to fill short-term gaps in perpetuity is not a viable long-term strategy. Leaders should listen to their teams about what value FSPs can bring, perhaps as part of a formal gap analysis exercise, but must balance short-term needs with long-term investments in the organization’s own capabilities.