Information technology incident response, especially in the private sector, typically

focuses on re-establishing the defences of IT infrastructure, patching vulnerabilities, filtering

and blocking malicious activity, cleaning up damage, and reporting to management. Digital

forensics, if it is included at all, is often seen as a peripheral or secondary priority in

managing incidents. The typical incident landscape has changed over the past few years,

becoming more complex, more global, and typically involves multiple organizations. There

are growing benefits to positioning digital forensics as a central and fundamental component

of incident response, and conversely, there are increasing risks to leaving it peripheral. This

article encourages further research and advancement in the area of incident response in

relation to digital forensics, and presents a number of areas where further study would be

valuable to the community. The types of research include both theoretical and practical, and

may include abstract conceptual models, legal research, standard operating procedures,

creating international standards for evidence exchange, and developing technical capabilities

for acquisition and analysis of digital evidence across multiple jurisdictions. The examination

of incident case studies is also encouraged to identify 'real world' factors contributing to

successful outcomes, and revealing pitfalls to avoid.

If the organization on the Internet means that the organization is accessible from

around the world, and can be targeted by any malicious group or individual. he implications

to forensics here are primarily jurisdictional. For example, suppose an organization is located

in country A, has an incident involving an attacker from country B, who uses

anonymizer/relay services in country C, to compromise infrastructure via an outsourcing

partner in country D, and finally ex filtrates data to a dropzone in the country E. This

example crosses five jurisdictions and is typical of incidents nowadays. Collecting digital

evidence for incidents involving multiple countries and jurisdictions is a challenge, especially

in cyber-criminal incidents where multiple law enforcement agencies may need to be

1
engaged. There are opportunities for research here, to explore cross border and multi-

jurisdictional aspects to incident response, evidence collection, evidence exchange, the role of

threat intelligence, and forensic investigation processes.

Forensic readiness is a decade old concept that many organizations have taken steps

to address and implement. It involves taking steps of preparation in anticipation of a

particular type of incident. This includes ensuring adequate logging for monitoring, detection,

post-mortem investigation, and event reconstruction. It includes enabling investigative access

into IT infrastructure, and developing investigation and incident response processes in

advance. It may include testing playbooks and running exercises. There have been recent

industry cyber exercises that various organizations have participated in, sometimes

coordinated by regulators and governmental bodies. Forensic readiness ensures that adequate

staff , training, tools, and external support (retainer contracts, partnerships, etc.) are all in

place in advance. In the event of an incident, appropriate action can be swiftly taken to

manage the incident, collect and preserve forensic evidence, investigate the incident to

conclusion, and appropriately communicate to relevant parties (both internally and external to

an organization). Forensic readiness is becoming a crucial part of risk management, and good

incident preparedness helps to increase efficiency, reduce the costs of incident response, and

help organizations prioritize resources. While forensic readiness is well developed today, it

tends to be internally focused in organizations. In the area of multi-party outsourcing

arrangements in particular, forensic readiness needs further research and study with regard to

incident response and digital forensics.

Responding to incidents and triggering appropriate forensic processes depends on the

type of incident experienced. There are criminal incidents which may need law enforcement

involvement, policy violations which may trigger internal organizational processes, industry

specific incidents which may require regulatory reporting or involve regulatory bodies,

2
incidents which may lead to civil litigation activity (either for or against an organization), and

also "accident" incidents which might not be a violation at all, but still have an impact on an

organization. All of these incident types may affect how incident response is conducted, and

influence the corresponding digital forensic activity needed. Research work to more clearly

describe the different incident types in this context would be helpful in further developing

appropriate digital forensic processes and strategies. Comparative analysis and the use of case

studies will help to illustrate the various incident types, their similarities, differences, and

challenges faced.

There are many types of incidents that affect all industries. For example, malware

outbreaks, DDoS attacks, website defacements, spam waves, etc. affect all organizations.

There are also incidents that are more industry specific, and create a heightened threat to

some organizations, while being less of a problem to others. For example, the banking

industry deals more with phishing attacks and banking malware targeting online banking

applications, the music and entertainment industry deals more with copyright violation issues

like le sharing, the pharmaceuticals industry deals more with intellectual property theft that

may lead to cloning/copying drugs, internet marketing and advertising firms deal more with

click fraud, etc. Each industry has a particular pain point that they deal with more than their

peers in other industries. It is useful to recognize and understand those incident types that a

affect each industry, and give them special consideration and focus when developing incident

response and forensic capabilities. There are possibilities for research here, in particular,

clearly understanding and documenting industry specific incidents, and providing guidance to

incident responders and forensic practitioners working in those affected industries.

In the past, organizations had a good overview of their infrastructure and IT asset

inventories, but this is becoming more difficult. BYOD is becoming more popular, staffs are

increasingly using mobile devices, more infrastructures is becoming outsourced and/or

3
operated in external cloud environments. Even the notion of a physical "system" or "device"

is changing as both servers and client desktops become virtualized. This has an impact on

digital forensics as traditional forensic methods in some cases can no longer be conducted in

the same way (SSD and ash memory for example). There are also new opportunities and

advantages arising, such as the trend towards increased logging (big data), new capabilities

such as CoW (Copy on Write) file systems allowing multiple snapshots across time, and the

ability to dump live memory with ease on virtual machines (without affecting the running

VM system). While much work is being done to understand technical forensic acquisition and

analysis capability in these areas, there is room for further study in linking this with incident

response and developing end-to-end integrated processes.

Cyber security incidents have moved well beyond traditional borders of IT and IT

infrastructure. Today, cyber security incidents typically involve multiple areas of an

organization. In addition to IT, these may include financial departments, public relations

units, human resources, legal and compliance teams, corporate security departments, and

other non-IT areas. Cyber incidents are no longer limited to technical exploitation of

vulnerabilities, but today include social engineering, social media incidents, cyber-bullying,

intellectual property infringement, brand abuse, and direct business impacting incidents. It

includes industry specific incidents like financial fraud, targeted phishing, click fraud,

industrial espionage, employee data leakage, and other incidents taking place outside the

traditional IT infrastructure domain. Larger organizations are also starting to experience a

split between traditional digital forensic and e-discovery.

In recent years, threat intelligence has become important, especially in large complex

organizations. Threat intelligence may come from sources both internal and external to an

organization, and may be both open source and from commercial vendors selling threat

intelligence data feeds. This information is useful to identify new vulnerabilities and newly

4
discovered threats, identifying stolen data (often from analyzing compromised datasets

published to the Internet by anonymous third parties), and for identifying past compromises.

The correlation of various data sources using analytical methods can also be used to discover

incidents that were not otherwise detected. Threat intelligence is useful for short term

operational/tactical actions, and may trigger new incident response processes, or aide on-

going investigations. Threat intelligence can be useful for more strategic purposes, allowing

management, architecture and design teams, risk units, etc. with longer term planning,

resource allocation and prioritization. Industry specific intelligence sharing groups and

communities also exist to facilitate threat information sharing between similar organizations,

and a corresponding set of protocols such as STIX and TAXII are being introduced. There is

a need to more formally research and develop the integration of current threat intelligence

activity into existing incident response and forensic investigation models.

Information security is a process that moves through phases building and

strengthening itself along the way. Security is a journey not a destination. Although the

Information security process has many strategies and activities, it can be classified into three

distinct phases which are prevention, detection and response. Each phase require a strategies

and activities that will move the process to the next phase. The dynamic growth of new

threats attacking vulnerabilities requires timely adjustments to the methodologies in the

prevention, detection, and response cycle. A change in one phase affects the entire process in

some form. A proactive strategy adjustment in the prevention phase will adjust the detection

and response activities.

Information security professionals must continuously mature their capabilities by

working smarter not harder. It is always better to prevent, then to pursue and prosecute.

Preventing an incident requires careful analysis and planning. Information is an asset that

requires protection commensurate with its value. Security measures must be taken to protect

5
information from unauthorized modification, destruction, or disclosure whether accidental or

intentional. During the prevention phase, security policies, controls and processes should be

designed and implemented. Security policies, security awareness programs and access control

procedures, are all interrelated and should be developed early on. The information security

policy is the cornerstone from which all else is built.

The first objective in developing a prevention strategy is to determine what must be

protected and document these whats in a formal policy. The policy must define the

responsibilities of the organization, the employees and management. It should also fix

responsibility for implementation, enforcement, audit and review. Additionally, the policy

must be clear, concise, coherent and cons is tent in order to be understood. Without clear

understanding, the policy will be poorly implemented and subsequent enforcement, audit and

review will be ineffective. Once management endorses a completed policy, the organization

needs to be made aware of its requirements.

Security awareness is a process that educates employees on the importance of

security, the use of security measures, reporting procedures for security violations, and their

responsibilities as outlined in the information security policy. Security awareness programs

should be utilized for this purpose. The program should be a continuous process that

maintains an awareness level for all employees. The program should be designed to address

organization wide issues as well as more focused specialized training needs. The program

should stress teamwork and the importance of active participation. To motivate individuals, a

recognition process should be adopted to give out awards or rewards for employees that

perform good security practices.

Detection of a system compromise is extremely critical. With the ever-increasing

threat environment, no matter what level of protection a system may have, it will get

6
compromised given a greater level of motivation and s kill. There is no full proof silver

bullet security solution. A defence in layers strategy should be deployed so when each layer

fails, it fails safely to a known state and sounds an alarm. The most important element of this

strategy is timely detection and notification of a compromise. Intrusion detection systems

(IDS) are utilized for this purpose.

IDS have the capability of monitoring system activity and notify responsible persons

when activities warrant investigation. The systems can detect attack signatures and also

changes in files, configurations and activity. To be protected, the entire system should be

monitored. Intrusion detection tools should be strategically placed at the network and

application levels. However, monitoring a busy network or host is not a simple task. Intrusion

detection tools must have the ability to distinguish normal system activity from malicious

activity. This is more of an art than a science. The IDS must be fine-tuned or tweaked in

order for the IDS to work in accord with a particular network or host. This tuning process

must take into account known threats, as well as intruder types, methods and processes.

As previously indicated, intrusion detection is much more than an alarm. Although it

is an alarm, its an alarm with brains. Imagine a fire alarm that had the capability of detecting

a fire, distinguish the type of fire, pinpoint its source and path, and alert the building

occupants and fire department, and forward intelligence to the firehouse prior to their

response. A properly configured intrusion detection system is such a device.

For the detection process to have any value there must be a timely response. The

response to an incident should be planned well in advance. Making important decisions or

developing policy while under attack is a recipe for disaster. Many organizations spend a

tremendous amount of money and time preparing for dis asters such as tornados, earthquakes,

fires and floods. The fact is, the chances are greater that a computer security incident will

7
occur than any one of these scenarios. Equivalent if not more effort and resources should be

expanded on a computer security incident response plan.

The response plan should be written and ratified by appropriate levels of

management. It should clearly prioritize different types of events and require a level of

notification and/or response suitable for the level of event/threat. A Computer Security

Incident Response Team (CSIRT) should be established with specific roles and

responsibilities identified. These roles should be assigned to competent members of the

organization. A team leader/manager should be appointed and assigned the responsibility of

declaring an incident, coordinating the activities of the CSIRT, and communicating status

reports to upper management.

An organization may wish to cut off the intruders connection, eradicate the cause of

the incident and recover the effected system. This approach would be more feasible when

miss ion critical machines are affected and timely recovery is a priority. Another approach

would be to pursue and prosecute the attacker(s ). This approach is a riskier endeavour

requiring much more exposure. However, due diligence may require an organization to take

reasonable investigative measures to identify an attacker or an upstream organization that

may have been compromised by their system. Management must review each situation on a

case-by-case base and act accordingly. Whichever approach an organization decides, the

methodology of the response should be documented in the response plan. Responders will be

assigned tasks suited for their s kill set. Whether gathering forensic evidence, containing the

attack or recovering compromised systems, individuals participating in the response should

possess the skills required to success fully accomplish their assignments.

Data Loss Prevention solutions are perhaps the most powerful security tool in regards

to the amount of information that can be obtained via business process analysis. No other

8
security application yields the exact content that flows through an organizations electronic

nervous system in an easy to understand, non-technical format. When planned and managed

in a systematic method, DLP solutions can be easy to maintain and generate real-time and

meaningful information offering both risk reduction and operational efficiency opportunities.

That being said, DLP solutions can also be ineffective, burdensome and a complete

waste of capital if no planning has been done on the front end to develop an effective DLP

management program. In addition, a poorly managed DLP system may become detrimental to

the organization if the solution provides a false view of the organizations data handling

actions. Without having a DLP program that includes policy governance process and

associated quality assurance, there is no guarantee the DLP solution is providing valid

information.

Though the quality management approach to DLP may seem excessive, by initially

limiting the scope of the DLP program, an organization can operate a very effective DLP

system, and expand the scope over time leveraging the best practices of the quality

management system, and continuously improving the effectiveness of the DLP system. To

achieve this success, organizations must understand that DLP requires people to operate the

quality management system described in this document.

REFERENCES

9
1. Schneier, Bruce. Biometrics: Uses and Abuses. Counterpane. August 1999. URL:

http://www.counterpane.com/ins iderrisks 1.html

2. Malisow, Ben. Moments Notice: The Immediate Steps of Incident Handling. 7 July

2000. URL: http://www.securityfocus.com/focus/ih/articles /moments.html

3. Shipley, Greg. The Price of Vulnerability. 19 February 2001. URL:

http://www.nwc.com/1204/1204colshipley.html

4. Pipkin, L. Donald, Information Security: Protecting the Global Enterprise. (Prentice

Hall), May 2000.

5. Schneier, Bruce, Secrets & Lies: Digital Security In the Networked World, (Wiley)

August 2000.

10