Digital forensics is the best offense and defense for cyber attacks
The majority of CEOs and COOs view digital forensics as an afterthought to cybersecurity. In the eyes of many business leaders, it is just a clean-up process for a data breach or cyber attack. But if you establish an effective digital forensics and incident response (DFIR) program, you can begin to use digital forensics as a tool for both recovery and prevention.
While cybersecurity and digital forensics work hand-in-hand, their close relationship can often obscure their individual objectives. For instance, cybersecurity’s main goal is to reduce an organization’s exposure to cyber attacks while also preventing their success. Cybersecurity has become even more important over the last decade and a half as industry leaders make the transition to digital applications. This is particularly true of the healthcare and automotive industries, which have lagged in their cybersecurity and forensic preparedness.
Digital forensics is a segment of forensic science that handles the investigation, analysis, and recovery of digital assets that have been affected by a cyber-related incident, typically an attack. This is different from cybersecurity in that it pertains mostly to the events after a hack. But that doesn’t mean it shouldn’t be conducted proactively as well. The danger of most cyber attacks is that their effects aren’t always detectable right away. This is particularly true of incidents like the SolarWinds attack, where threat actors hid malicious code in an update for the then-popular digital monitoring platform. To identify and contain the damage caused by a data breach, companies need to be conducting digital forensics tests relatively frequently. This is how digital forensics and cybersecurity can be used together to combat the threats of cybercriminals.
Digital Forensics as a Recovery and Prevention Measure
While digital forensics focuses on the recovery and investigation of digital materials related to cyber incidents, the lessons learned from this process can be used to both support your security’s offense as well as its defense. Despite its main area of focus, digital forensics’ main objective is to protect an organization from the damage inflicted by cyber attacks. Part of that entails preventing breaches in the first place.
The Offensive Capabilities of Data Forensics
At its best, digital forensics can use its post-breach analysis to improve cybersecurity measures and prevent future attacks. After a cyber incident, data forensics should be conducted following your cybersecurity system’s identification of a breach. The closeness of this interaction is what can blur the lines between cybersecurity and digital forensics in terms of prevention, detection, and recovery. The purpose of the immediate forensics investigation is to trace the entry point, size, and threat level of the virus or data breach. Information of this kind is integral to reducing the impact created by the attack. The more effective your digital forensics efforts, the more likely you will be able to report timely and accurate information regarding the breach. This will inform the following measures conducted to remove and contain the threat. But data forensics’ capabilities don’t stop there.
A successful digital forensics and incident response program should be able to assist in the recovery of compromised networks and assets while simultaneously informing cybersecurity measures in the future. What is the point of making mistakes if you don’t learn from them? DFIR solutions should be utilized to answer the 5Ws and 1H: who, what, where, when, why, and how. Learning how a hacker was able to penetrate your security is just as important as containing the effects of the attack itself. In understanding how the threat actors committed the data breach, you can then learn what to do to prevent it. For example, in the case of SolarWinds, if your update software’s weak password protection was abused, you would learn to strengthen it against future attacks. Unfortunately, an attack so great can remove the possibility of a ‘next time’ altogether. That is why digital forensics should be conducted proactively.
The Need for Proactive Digital Forensics
Pfizer’s data breach in the autumn of 2020 demonstrates the need for proactive cybersecurity and digital forensics. The methodology of DFIR involves using initial threat detection methods to analyze the threat and scope of a cyber attack. This process doesn’t have to be applied only after the fact. In fact, by conducting regular forensic scans of your networks, IoT devices, and servers, you can better evaluate the strengths and weaknesses of your digital platforms before a threat takes place. You might even find a virus you didn’t otherwise know was there.
The lack of forensic readiness Pfizer displayed while its leaked patient information sat on the internet for months of public viewing shows how disconnected digital forensics and cybersecurity systems can keep an organization from effectively preventing and recovering from cyber attacks. If your DFIR isn’t up to snuff, you should consider outsourcing solutions from a cybersecurity consulting firm. Otherwise, you, too, could end up like Pfizer.
Anas Chbib is the Founder and CEO of AGT - Advanced German Technology, a leading cybersecurity firm. He’s worked with corporations, government agencies, law enforcement, and intelligence services across the globe combatting emerging cybersecurity threats and is a consultant at the largest Digital Forensics Lab in the EMEA region. In 2020 AGT was acknowledged with an MEA Business Award and as the Cyber Security Training Consultancy of the Year. Anas holds a Business Administration and Computer Science degree from the University of Cologne.