DFIR isn’t easy, but it’s never been more important—especially in today’s threat landscape. Motivated, skilled, and well-financed cybercrime groups are constantly innovating. At the same time, the explosion in the volume of data and range of devices included in today’s investigations is already straining DFIR personnel.
To manage cyber risk and meet growing and ever-tighter obligations, it is important that every organization has timely access to modern DFIR capabilities. Here are several insights that you can take away to strengthen your DFIR approach:
INVEST IN DFIR SOLUTIONS THAT PRIORITIZE SPEED, ACCURACY, AND COMPLETENESS
Time is of the essence when a potential compromise is discovered. Delays in uncovering the root cause of a cybersecurity incident potentially open the organization up to more risk and greater impact on business continuity. As attacks become more and more sophisticated, invest in a forensic solution that allows you to get the details you need in a way that is simple yet thorough and accurate, so that you can unravel the incident quickly.
INTRODUCE FORENSIC AUTOMATION TO REDUCE BURNOUT
While automation is not a new solution in the cybersecurity space (many organizations utilize SOAR solutions), oftentimes the forensic investigation process still requires practitioners to wait for progress bars to complete before clicking next and moving to the next step.
Introducing a forensic automation solution to streamline the collection and processing aspects of the workflow can help security leaders retain DFIR professionals as it has the potential to reduce burnout as well as eliminate the delays and burden of manual touchpoints that extend investigation timelines.
EMPOWER FORENSIC PRACTITIONERS TO ENACT IR PLAYBOOKS IN RESPONSE TO ACTIVE EVENTS
Putting an IR plan in place ahead of time helps to ensure a faster, smoother response to active events. Within the IR plan, clarify the role and responsibilities of the forensic investigator and how forensics contributes to the Respond/Response function of the NIST Cybersecurity Framework. Additionally, our survey found that accessing data is a real issue and contributes to investigative delays. DFIR teams should work with various stakeholders from across the organization to ensure that, when time is of the essence, investigators can access the data they need to perform their duties. Investing ahead of time in the right tooling to enable quick and targeted collections of data is critical in responding to active events. Lastly, cyber exercises, including both SOC and DFIR teams with the support of all stakeholders, should routinely be conducted, allowing for updates and adjustments to be made to the IR plan.
ENSURE DFIR TEAMS UNDERSTAND THE ORGANIZATION’S REGULATORY (AND OTHER) OBLIGATIONS
New and changing cybersecurity regulations are putting pressure on DFIR teams in many ways. Staying on top of changes can be difficult when they are already thinly spread. Ideally, regulations should be read and interpreted by legal professionals who can ‘translate’ them into clear and actionable information for DFIR practitioners. If obtaining official legal interpretation is not possible, provide them with the resources they need—especially time—to read and digest the information, and supplement with limited access to legal counsel for especially confusing requirements. Requirements also come from insurance providers, customers, and vendors. Most importantly, understanding these details in advance of an incident ensures that DFIR teams can meet requirements with accuracy and speed.
LEAN ON SERVICE PROVIDERS, BUT HAVE A PLAN FOR THE FUTURE
Whether small or large, almost every organization leans on an FSP for at least some aspect of their DFIR investigations. Service providers help to augment the capabilities of the organization; this could be through providing specialized tooling or supporting internal teams challenged with talent gaps. In the long term, security leaders should work with their internal teams to perform a formal gap analysis and balance their short-term needs with the long-term strategic needs of the security organization.