Thanks to CSI and the many other crime-solving shows that have grasped our collective imagination for decades, we're all at least somewhat familiar with the field of forensics and its unique appeal. At some point, anyone who's watched these series has probably envisioned themselves in the detective's shoes, piecing together the puzzle of a crime scene based on clues others might overlook — and bringing bad guys to justice at the end.
Cybersecurity lends itself particularly well to this analogy. It takes an expert eye and constant vigilance to stay a step ahead of the bad actors of the digital world. And after all, there aren't many other areas in the modern tech landscape where the matter at hand is actual crime.
Digital forensics and incident response (DFIR) brings detective-like skills and processes to the forefront of cybersecurity practice. But what does DFIR entail, and how does it fit into your organization's big-picture incident detection and response (IDR) approach? Let's take a closer look.
What is DFIR — and are you already doing it?
Security expert Scott J. Roberts defines DFIR as "a multidisciplinary profession that focuses on identifying, investigating, and remediating computer-network exploitation." If you hear that definition and think, "Hey, we're already doing that," that may because, in some sense, you already are.
Perhaps the best way to think of DFIR is not as a specific type of tech or category of tools, but rather as a methodology and a set of practices. Broadly speaking, it's a field within the larger landscape of cybersecurity, and it can be part of your team's incident response approach in the context of the IDR technology and workflows you're already using.
To be good at cybersecurity, you have to be something of a detective — and the detective-like elements of the security practice, like log analysis and incident investigation, fit nicely within the DFIR framework. That means your organization is likely already practicing DFIR at some level, even though you might not have the full picture in place just yet.
3 key components of DFIR
The question is, how do you go from doing some DFIR practices piecemeal to a more integrated approach? And what are the benefits when you do it well? Here are 3 key components of a well-formulated DFIR practice.
1. Multi-system forensics
One of the hallmarks of DFIR is the ability to monitor and query all critical systems and asset types for indications of foul play. Roberts breaks this down into a few core functions, including file-system forensics, memory forensics, and network forensics. Each of these involves monitoring activity for signs of an attack on the system in question.
He also includes log analysis in this category. Although this is largely a tool-driven process these days, a SIEM or detection-and-response solution like InsightIDR can help teams keep on top of their logs and respond to the alerts that really matter.
2. Attack intelligence
Like a detective scouring the scene of a crime for that one clue that cracks the case, spotting suspicious network activity means knowing what to look for. There's a reason why the person who solves the crime on our favorite detective shows is rarely the rookie and more often the grizzled veteran — a keen interpretative eye is formed by years of practice and skill-building.
For the practice of DFIR, this means developing the ability to think like an attacker, not only so you can identify and fix vulnerabilities in your own systems, but so that you can also spot the signs they've been exploited — if and when that happens. A pentesting tool like Metasploit provides a critical foundation for practicing DFIR with a high level of precision and insight.
3. Endpoint visibility
It's no secret there are now more endpoints in corporate networks than ever before. The huge uptick in remote work during the COVID-19 pandemic has only increased the number and types of devices accessing company data and applications.
To do DFIR well in this context, security teams need visibility into this complex system of endpoints — and a way to clearly organize and interpret data gathered from them. A tool like Velociraptor can be critical in this effort, helping teams quickly collect and view digital forensic evidence from all of their endpoints, as well as proactively monitor them for suspicious activity.
A team effort
The powerful role open-source tools like Metasploit and Velociraptor can have in DFIR reminds us that incident response is a collaborative effort. Joining forces with other like-minded practitioners across the industry helps detection-and-response teams more effectively spot and stop attacks.
Velociraptor has launched a friendly competition to encourage knowledge-sharing within the field of DFIR. They're looking for useful content and extensions to their open-source platform, with cash prizes for those that come up with submissions that add the most value and the best capabilities. The deadline is September 20, 2021, and there's $5,000 on the line for the top entry.