Digital Forensics and Incident Response at a glance

Digital Forensics and Incident Response (DFIR) professionals identify, investigate and remediate cybersecurity incidents. When a breach is identified, responders must act quickly to contain and mitigate the attack, and it is equally important to reconstruct how the incident happened so that the root cause can be fixed and the same intrusion does not recur.

For example, in the case of a ransomware attack, the DFIR team must immediately identify infected systems and isolate them from the network to stop the encryption and any lateral movement from spreading. Isolation should be done at the network level (pulling the cable, disabling the switch port or quarantining the host with EDR) rather than by powering the machine off, because a power-off destroys the volatile memory evidence. Done this way, forensic evidence is preserved and a snapshot of the system state at the time of the attack, both disk and memory, can be captured for further analysis.

Forensic evidence includes the contents of all storage devices attached to the system at the time of the incident and the contents of the memory of a running computer. A thorough forensic investigation reconstructs the full chain of events in the attack and informs the remediation of every threat that is found, not only the one that triggered the alert. Acquisition and examination must be done in a forensically sound manner, working from verified copies rather than the original evidence, recording cryptographic hashes of each image at acquisition time and maintaining a chain of custody, so that the findings are admissible in a court of law.
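The following is an added example, not code from the original article, showing the integrity part of a forensically sound acquisition described above: an acquired disk or memory image is hashed as soon as it is written, the digests and acquisition metadata are stored in an acquisition record with a chain-of-custody log, and the image is re-hashed before analysis so that any alteration is detected and logged. The function names, the record layout and the sample image bytes are assumptions made for this example.

```python
"""Evidence-integrity helpers for a forensic acquisition (added example).

Demonstrates hashing an image at acquisition time, keeping a chain-of-custody
record, and re-verifying the image before analysis. Function names, the
record layout and the sample data below are assumptions for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1024 * 1024):
    """Return SHA-256 and MD5 hex digests of a file, read in chunks so that a
    multi-gigabyte image never has to fit in memory at once."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def acquire_image(data, dest_dir, source, examiner, case_id):
    """Write raw image bytes to dest_dir, hash the written file and produce an
    acquisition record with the first chain-of-custody entry.

    In a real acquisition `data` would come from a write-blocked disk or a
    memory capture tool; here the caller passes constructed bytes."""
    image_path = os.path.join(dest_dir, f"{case_id}-{source}.raw")
    with open(image_path, "wb") as fh:
        fh.write(data)
    hashes = hash_file(image_path)  # hash what was written, not the buffer
    now = datetime.now(timezone.utc).isoformat()
    record = {
        "case_id": case_id,
        "source": source,
        "image_path": image_path,
        "size_bytes": os.path.getsize(image_path),
        "hashes": hashes,
        "acquired_at": now,
        "acquired_by": examiner,
        "custody": [
            {"time": now, "actor": examiner, "action": "acquired", "hashes": hashes}
        ],
    }
    with open(image_path + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(record, actor, action="verified"):
    """Re-hash the image and compare against the acquisition record.

    A custody entry is appended whether or not the check passes, so a failed
    verification is itself part of the evidence trail. Returns True only when
    every recorded digest matches."""
    current = hash_file(record["image_path"])
    ok = all(current[alg] == digest for alg, digest in record["hashes"].items())
    record["custody"].append(
        {
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action if ok else "verification FAILED",
            "hashes": current,
        }
    )
    with open(record["image_path"] + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return ok


def demo(dest_dir=None):
    """Acquire a constructed image, verify it, alter one byte, verify again.

    Returns (first_verification, second_verification, record)."""
    if dest_dir is None:
        with tempfile.TemporaryDirectory(prefix="dfir-demo-") as tmp:
            return demo(tmp)
    # Constructed stand-in for a disk image: fake boot-sector bytes plus padding.
    sample_image = b"\x33\xc0\x8e\xd0" + b"A" * 4096 + b"\x55\xaa"
    rec = acquire_image(sample_image, dest_dir, "sda", "examiner01", "CASE-0001")
    first = verify_image(rec, "analyst02")
    # Simulate the image being altered, e.g. mounted read-write by mistake.
    with open(rec["image_path"], "r+b") as fh:
        fh.seek(10)
        fh.write(b"B")
    second = verify_image(rec, "analyst02")
    return first, second, rec


if __name__ == "__main__":
    ok_before, ok_after, record = demo()
    print("verified before alteration:", ok_before)
    print("verified after alteration:", ok_after)
    print(json.dumps(record["custody"], indent=2))
```

Two digests are recorded because examiners commonly report both SHA-256 and MD5 and a court or opposing expert may ask for either; the verification fails if any recorded digest no longer matches. In practice the same hashing step is applied to the original media through a write blocker and the two digests are compared to prove the copy is exact.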

Key considerations for implementing an incident response plan:

  • Identify critical business processes and the requirements for continuing to operate during an emergency.
  • Audit existing DFIR capabilities regularly, covering people, processes and technology.
  • Maintain a well-documented playbook that guides the incident response team during an incident.
  • Confirm that the plan is aligned with recognised standards, for example ISO/IEC 27001 or NIST SP 800-61, and exercise it so the gaps are found before a real incident.

Cyber-attacks have risen steadily, particularly during the COVID-19 outbreak, and many organizations are not equipped to respond to a breach properly. A well-designed incident response plan is the way to protect business assets from attacks that will inevitably occur.

Article written by:

Suhas Ganjikunta,

Cybersecurity MS, CEH, ACE

Nanotechnology M. Tech

Forensic Examiner & Cybersecurity Specialist