Recently, a colleague asked for software recommendations to perform digital forensics for e-discovery. Without knowing many details, I provided information regarding various commercial and open source options but offered the following caveat: “If this is important, hire someone. I wouldn’t recommend doing this yourself if there’s a lot riding on it.”
I advised that it's possible to taint the evidence, which could cause problems with a cyber insurance claim or in a court case. I warned that forensics is the one place you don't want to take any chances.
The information security landscape has changed significantly over the last decade, and there’s much more at stake for today’s enterprise when handling a security incident. When I first started in academia, I was a member, and sometimes the lead, of the incident response team. I dealt with all types of security events, including compromised accounts, spam, Digital Millennium Copyright Act (DMCA) and Motion Picture Association of America (MPAA) complaints, malware, and even DoS attacks. In the late ’90s, the incidents seemed fairly pedestrian and represented just another “day in the life” of managing systems in a very open and exposed university environment.
However, this was before many of the large and embarrassing data breaches that occurred in the education sector, which exposed student and staff Social Security numbers. In an effort to meet compliance requirements and protect the reputation of the institution, we eventually built an independent security group with some very talented people who handled everything internally, and it worked well. I ultimately ended up in security engineering and architecture, deciding I liked building better than breaking, writing policy, or trying to catch the bad guys.
Fast forward to the present and there are now dozens of different information security specialties. There are dedicated incident responders, information assurance and risk assessment professionals, application vulnerability experts and penetration testers. These specialties have evolved in response to the increasingly complex practice of information security and digital forensics.
Between the overwhelming number of regulations, compliance requirements, and increased threats, I find it hard to imagine that even the most robust enterprise security teams wouldn’t need outside expertise on occasion.
While most in-house teams are comfortable responding to spam and abuse complaints or addressing malware outbreaks, they don’t always have the knowledge or spare cycles for in-depth analysis and reverse engineering. That analysis can be the critical step in telling an apparently innocuous event from something more insidious, such as malware that creates persistent entry points into the enterprise for malicious parties. Developing this expertise internally can be time-consuming and expensive, so while an organization is building a team proficient in these skills, calling in outsiders can be a good choice.
Then there are the legal questions that arise with the collection of digital evidence. It’s probably a good idea for an organization of any size to have a retainer agreement with a reputable security company specializing in digital forensics.
Failing to make this arrangement before you actually need it is like waiting for the fire to break out before buying a fire extinguisher. It’s usually going to be too late, and you could make critical errors in handling evidence that could impact your company’s ability to take legal action, meet breach notification requirements, or file a cyber insurance claim.
Your organization’s incident response plan should answer the question of whether DIY is the right approach or whether it’s time to call an expert. A good plan will include input from all relevant stakeholders, with this question addressed by everyone who has an interest in the outcome. Once the rules of the road are well established, in writing, there should be less question of what is appropriate when you hit the panic button.