Forensics were front and center in the recent webinar Forensics from a CISO’s Perspective, one of six presentations that made up the ISC2 Spotlight APAC event Modernizing Security Operations, worth 5.5 CPE credits for attendees.
Jonathan Kimmitt, CISSP, CISO for U.S. digital forensics consultancy Alias Cybersecurity, led attendees through a deep dive into digital forensics, their correct use, and an overview of where digital forensics fits in the cybersecurity toolset.
The skills required for forensics are specialized, as are the processes and tools needed to execute forensics to legal standards, an increasingly important requirement. Every element of forensics must be carefully designed as well as practiced over and over. Forensics matters both during and after the event because it is how an organization understands what is happening to it in the moment and how a repeat can be avoided.
Defining the role of digital forensics
The primary objectives in dealing with a cybersecurity incident are always to protect people (for instance in healthcare or interference with a safety system), stop data exfiltration, recover the business, and to analyze an attack to prevent incidents from recurring. However, if CISOs are not careful, meeting these requirements can clash with a fifth issue, that of the need to preserve evidence.
Evidence matters for any later legal process, Kimmitt explained in the webinar. However, evidence is not just for post-incident analysis and its collection should begin immediately. Too often, in their panic during an ongoing incident, organizations forget this.
“This is important for doing analysis and to figure out what happened. I have been in organizations where I came in several days after the incident had happened and they have got rid of all the evidence,” he explained.
The challenge is designing forensics into incident response in a way that balances priorities, for example the need to get the business back up and running and the immediate concern that data exfiltration must be stopped. Losing evidence can be as simple as rebooting or re-imaging a virtual machine (VM) or restoring it from a backup, all of which risk overwriting logs necessary for forensic investigation.
Building your digital forensics playbook
In that sense, forensics is a scientific method: the process must be sound, fully documented, and be able to demonstrate to a court that data was handled correctly, for example by employing write blocking, and through hashes that guarantee data has not been altered. The only way to do this while an incident is in progress is to work through a playbook with the right tools. Without that playbook, you’re making things up as you go along, and there’s a risk you’ll forget something.
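The hashing step above is the part of the process that a playbook can make mechanical. The following is an added example, not code from the webinar, from Kimmitt or from Alias Cybersecurity: it streams an acquired image through SHA-256, appends a custody entry (file name, size, hash, UTC timestamp, collector) to a JSON-lines manifest, and later re-hashes the image to prove it is byte-for-byte unchanged. The file names, the manifest layout and the `collector` field are assumptions, and the "image" in the demo is constructed random data standing in for a real memory or disk capture.

```python
"""Evidence integrity manifest: hash an acquired image, record a custody
entry, and verify later that the bytes are unchanged.

Added example, not the webinar's or Alias Cybersecurity's code. File names,
the manifest format and the 'collector' field are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images never sit in RAM


def hash_file(path: str) -> str:
    """SHA-256 hex digest of a file's contents, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, manifest_path: str,
                       collector: str, note: str = "") -> dict:
    """Append a chain-of-custody entry for image_path to a JSON-lines manifest."""
    entry = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def verify_against_manifest(image_path: str, manifest_path: str) -> bool:
    """Re-hash image_path and compare size and digest with its latest entry."""
    name = os.path.basename(image_path)
    with open(manifest_path, encoding="utf-8") as m:
        entries = [json.loads(line) for line in m if line.strip()]
    recorded = [e for e in entries if e["file"] == name]
    if not recorded:
        return False  # no custody record means the image cannot be vouched for
    latest = recorded[-1]
    return (os.path.getsize(image_path) == latest["size"]
            and hash_file(image_path) == latest["sha256"])


def demo() -> tuple:
    """Constructed scenario: record a stand-in image, verify it, then flip one
    bit (as any stray write would) and verify again. Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "vm01-memory.raw")      # assumed file name
        manifest = os.path.join(d, "custody.jsonl")     # assumed manifest name
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))          # constructed stand-in image
        record_acquisition(image, manifest, collector="analyst-1",
                           note="memory capture of VM vm01 (constructed)")
        ok_before = verify_against_manifest(image, manifest)
        with open(image, "r+b") as f:
            f.seek(CHUNK + 5)
            original = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([original[0] ^ 0x01]))         # one-bit change, far from the start
        ok_after = verify_against_manifest(image, manifest)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False): intact image verifies, altered image does not
```

The manifest is append-only on purpose: a second acquisition of the same file name adds a new entry rather than replacing the old one, so the record itself shows the history an examiner would be asked about. In practice the manifest would be stored apart from the images (and ideally hashed or signed in turn), since a manifest kept next to the evidence can be altered with it.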
“If you don’t have a playbook, you are just winging it. And I can tell you don’t want to wing it,” said Kimmitt.
The playbook simply details how you will store data, what sandboxing environment you use, and who will be performing each step. It will also relate this process to the overall business objectives such as the need to bring the environment back online where that is a priority. This will limit the forensics but may at times be necessary.
Training – repeatedly simulating different forensics incident scenarios – is the only way to improve, and improving should always be a CISO priority, Kimmitt said. For example, how do you copy memory from a VM, or Windows, or Linux? Imaging tools need practice. He recommended tools such as Magnet RAM Capture, KAPE, Tableau TD2/TX1, VMware export tools, as well as Windows, Linux, and firewall logs.
In the post-mortem phase, simple things have tripped him up in the past. “Sometimes I didn’t have enough drive space to do duplication of drives. That was easy to fix. I didn’t like having to go down to the store and buy hard drives. I made sure that that was part of my process that I would maintain a selection of those drives.”
Other sessions
Defending Data Frontier: Fireside Chat on Digital Forensics and Insider Threats
Michael Rebultan, senior specialist (Threat Intelligence), Government of Canada, and Chirag Joshi, founder and CEO, 7 Rules Cyber, discussed three categories of insider threat: malicious insiders, negligent insiders, and compromised credentials (legitimate but compromised user or machine accounts). Issues discussed included the practical challenges of insider forensics, how to implement zero trust to mitigate insider threats, and the usefulness of insider profiling.
Utilizing OpenAI on Red Team and Blue Team Activities
AI platforms such as OpenAI are set to change the nature of penetration testing and Red Team/Blue Team security analysis. Haonan Quan (CISSP), cyber engineering lead for Sompo Holdings, looked at the areas and techniques in play such as phishing creation and detection, intelligence gathering, log analysis, incident response, and multilingual reporting. He demonstrated what is possible using ChatGPT 3.5 and Bing chat’s ‘more creative mode’.
Demystifying dark web threats for security professionals
Tom Crisp, founder and CTO of Cyber Sentience, demystified the dark web: what threat types can be detected using analysis of the dark web, and how can these be mitigated? On the one hand, the dark web is a supermarket for hackers. But it’s also an early warning system for leaked credentials, web vulnerabilities, compromised access to specific organizations, and stolen data, which allows organizations to react to compromises that can’t be detected by other means before they have escalated.
Detection Lifecycle Management – Managing the key input to security operations
Nathan Clarke, principal consultant security operations and threat intelligence, WiproShelde, examines what goes on inside SOCs, often viewed as a black box even among IT teams. Another perception is that SOCs are all about centralizing alerts for specialized analysis. In fact, an equally critical element of SOCs is understanding the effectiveness of a SOC detection and feeding this back into detection rules. If a detection stops working effectively, the SOC needs to assess this quickly and adjust its detection policies.
Synergizing Security and Success: Aligning Strategy with Business Objectives
Balaji Kapsikar (CISSP), head of technology and cyber risk at Funding Societies, presented this session. The need to align cybersecurity with business objectives sounds like a statement of the obvious, but how is it achieved in practice? This presentation provides a high-level view of how to assess, plan and implement cybersecurity processes in a way that makes technology the servant of business strategy, not its guide.