When faced with a data breach, the first order of business for companies is to find out what happened, and then how it happened and who did it. To aid in the process, which is unfortunately no longer a rare scenario, ISACA has issued a new set of guidelines that outline the digital forensics process and identify the key steps for organizations to consider when dealing with attacks.
Information is of course the key to establishing the attack vector and assessing the extent of the damage. To that end, in its just-released Overview of Digital Forensics, ISACA recommends seven considerations to help the attacked enterprise be prepared to effectively handle an incident:
- Perform regular system backups and maintain previous backups for a specific period of time
- Enable auditing on workstations, servers and network devices
- Forward audit records to secure centralized log servers
- Configure mission-critical applications to perform auditing and include the recording of all authentication attempts
- Maintain a database of file hashes for the files of common operating system and application deployments, and use file integrity checking software on particularly important assets
- Maintain records (e.g. baselines) of network and systems configurations
- Establish data retention policies that support historical reviews of system and network activity, comply with requests or requirements to preserve data that are related to ongoing litigation and investigations, and destroy data that is no longer needed.
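The fifth consideration above (a database of known-good file hashes plus file integrity checking on important assets) is the one that is easiest to show in code. The following is an added example, not part of the ISACA overview, of the approach used by host integrity tools such as AIDE and Tripwire: walk a deployment, record a SHA-256 per file as the baseline, and later diff the live tree against that baseline to surface modified, added and removed files. The directory layout, file contents and "intruder" changes in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size, so large binaries are never loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: hashing the target would let an attacker 'move' a
    known-good hash onto a path of their choosing.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_integrity(root, baseline):
    """Diff the live tree against a stored baseline.

    Returns sorted lists of files whose hash changed, files present now but
    absent from the baseline, and baseline files that no longer exist.
    Three empty lists mean the tree matches the baseline.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny deployment, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "service").write_bytes(b"\x7fELF original binary")
        (root / "config.ini").write_text("debug = false\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated intrusion: trojanise the binary, drop a web shell, delete the config.
        (root / "bin" / "service").write_bytes(b"\x7fELF trojanised binary")
        (root / "shell.php").write_text("<?php system($_GET['c']); ?>")
        (root / "config.ini").unlink()

        return check_integrity(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the code does not enforce: the baseline must be stored somewhere the monitored host cannot rewrite (off-box, or signed), since an intruder with root can otherwise regenerate it after tampering; and the baseline must be refreshed as part of every legitimate deployment, or the first patch cycle buries real findings under expected changes.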
If a company has done this pre-work, a breach is easier to handle when one occurs and forensics teams begin acquiring data for analysis.
Acquisition begins with the seizure, imaging or collection of digital evidence: suspect media, and network traffic and logs captured after the breach. Here another precaution comes into play.
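The point of imaging rather than working on the seized media directly is that the copy can later be shown to be bit-for-bit identical to what was seized. The following is an added example, not code from the ISACA overview, of the check that matters in that step: hash the source as it is read, write the image, independently re-hash the finished image, and keep the result in an acquisition record that anyone can verify later. The fake device contents, case identifier and examiner name are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size

# Constructed stand-in for a seized disk: 256 KiB of deterministic, non-trivial bytes.
SAMPLE_DEVICE = bytes((i * 7919) % 256 for i in range(256 * 1024))


def sha256_of(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest, case_id, examiner):
    """Copy `source` bit-for-bit to `dest`, hashing the source as it is read,
    then independently re-hash the finished image.

    Returns an acquisition record, or raises if the two hashes differ (short
    read, failing media, full disk), in which case the image must be discarded.
    """
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes we are about to verify are on disk
    source_sha256 = src_hash.hexdigest()
    image_sha256 = sha256_of(dest)
    if image_sha256 != source_sha256:
        raise RuntimeError("image hash does not match source hash; discard and re-acquire")
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": str(source),
        "image": str(dest),
        "size_bytes": size,
        "sha256": source_sha256,
        "started_utc": started,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image_path, record):
    """Re-hash an image later (before analysis, or when challenged) against its record."""
    return sha256_of(image_path) == record["sha256"]


def demo():
    """Constructed scenario: image a fake device, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")  # stands in for a real /dev/sdb
        image = os.path.join(tmp, "sdb.dd")
        with open(device, "wb") as f:
            f.write(SAMPLE_DEVICE)

        record = acquire_image(device, image, case_id="IR-0001", examiner="analyst")
        with open(image + ".json", "w") as f:  # custody record travels with the image
            json.dump(record, f, indent=2)
        clean_ok = verify_image(image, record)

        # Flip one byte of the image: verification must now fail.
        with open(image, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = verify_image(image, record)

        return {
            "clean_ok": clean_ok,
            "tampered_ok": tampered_ok,
            "size_bytes": record["size_bytes"],
            "hash_matches_source": record["sha256"] == hashlib.sha256(SAMPLE_DEVICE).hexdigest(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On real media this is done with a hardware write-blocker in front of the source and a purpose-built imager such as dd or dc3dd, which handle unreadable sectors and log their own hashes; the code above shows the verification logic, not a replacement for those tools. Reading a block device also requires root, and the hash record should be stored and signed separately from the image so it cannot be rewritten along with it.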
“Enterprises typically assume that they have the right to monitor their internal networks and investigate their own equipment as long as they observe the privacy right of the employee,” the report noted. “Employee privacy rights and the enterprise rights should be in written policies that are communicated to employees.”
After evidence is collected, analysis begins. During this phase, digital forensic analysts may use specialized tools to uncover deleted or hidden material. Depending on the forensic request, the analyst can report findings on numerous types of information, e.g., email, chat logs, images, hacking software, documents and internet history.
Post-analysis, the data is assembled to reconstruct events or actions, identify the people, places, items and events involved, and determine how they are related. A report of the findings is delivered, which can include attribution of file ownership, chat logs, images and emails; detailed login/logoff times; facility entry logs; and anything else that places the suspect at the device at the time and location of an event.
The findings can be used by law enforcement (or managers, in civil cases) to confirm or disprove alibis and provided statements, or to prove intent.
“The number and severity of cyberattacks is escalating rapidly,” said Ramsés Gallego, international vice president of ISACA and security strategist and evangelist with Dell Software, in a statement. “Organizations need to take quick and thorough action when cyberattacks occur—and they can do that by addressing these digital forensics considerations.”