the needs for forensic readiness in the organization?

12 Posts
5 Users
0 Likes
544 Views
(@mas9256)
Posts: 6
Active Member
Topic starter
 

Hi, I am working in one private organization. There I was placed in the IT Department. But since I have been working there, I have also been exposed to computer forensics. It was a new thing to me and very interesting. So, I think I want to propose new things in my company regarding computer forensics that my company can apply. I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

 
Posted : 02/05/2017 7:10 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Lots of questions in response:

Normally, you do something called incident response and go from there. Do you have an IR team already? Great - add forensics to it. DFIR is a bit more than just shoving logs into Splunk.

Also, does your company have anything worth protecting/investigating to warrant an entire IR team or even one individual, or could you use the current staff (skill-wise and resource-wise) to do IR? Do you trust them? If it is a sensitive organisation, you should have dedicated staff to do IR/insider threat management.

Incident history from yours and similar organisations is a good measurement of what type of DFIR capabilities you should have. Newspapers are a good source.

Ask questions to know what to look for: Who is working off hours? Who has access to the keys to the organisation's data? Do we have any new hires that act weird? Do we see any exfil from people who are about to quit?

One can become a bit paranoid asking these questions, but it is necessary if you want effective DFIR; any lesser level of ambition is just compliance BS and management CYA security.

 
Posted : 02/05/2017 10:18 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

You're gonna hear "yes" in this group. If you want some reading material that might be helpful, I suggest reading NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (PDF), as a starting point to educate yourself on forensics as a process and perhaps later get into the technology that supports it. It's one of many documents that will help you decide, but it's one I like to go to often.

 
Posted : 02/05/2017 10:54 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

You're gonna hear "yes" in this group. If you want some reading material that might be helpful, I suggest reading NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (PDF), as a starting point to educate yourself on forensics as a process and perhaps later get into the technology that supports it. It's one of many documents that will help you decide, but it's one I like to go to often.

That's a good starting document.

Sprinkle a large chunk of updated network forensics onto that document, a bit of VM/cloud acquisition and a bit of memory forensics, add a subscription to some indicators of compromise, start thinking cyber intelligence instead of compliance (which should be kept faaaar away from DFIR, preferably on the other side of the planet), and an IT department that does what you ask of it (a security manager who listens to his/her analysts and acts in the organisation is key), and you can have a very functional DFIR.

 
Posted : 03/05/2017 11:35 am
(@athulin)
Posts: 1156
Noble Member
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

It should be implemented in situations in which failure to get needed results from a forensic examination (regardless of who performs it) is viewed as a threat.

Start there: what failures to investigate an incident would get you fired? Failure to investigate adware on a laptop? Or failure to find out who accessed product plans for the next year?

Start where it really hurts.

It should not be confused with incident response. It's closely related, and there's some overlap, in the sense that failure to do timely IR may lead to failure to perform a forensic investigation. Nor should it be confused with incident detection/discovery, although again there may be some overlap: ID often relies on the kind of data required by a forensic investigation. The NIST document cited by another poster muddles the picture somewhat: it covers a much larger area (forensic capability). Section 2.4.3 comes fairly close to what I regard as basic forensic readiness, though.

For example, if you work in a company where IP is the crown jewels, any failure to investigate incidents regarding IP would probably be a threat. So: are logs configured, extracted, archived? Do you have a reliable source of time for those logs? Do the logs use a common timestamp format, or do you have UTC in one log and local time in another? Do you avoid using group accounts, so that you can trace access to an individual? Do you save key personnel's hard drives when they leave, just in case they need to be examined later when it is found that that key person now works for a competing company? And so on and so forth. Many of the recommendations in most system hardening instructions (particularly regarding access and logging) are usually highly relevant for FR.

Forensic readiness is (to me) knowing what information you will need in important forensic examinations, and ensuring you have that information ready with a minimum of fuss, when you do need it.

It also touches on knowing how any necessary forensic investigation will be performed. Not necessarily in-house … but you know who to turn to before you have to do so.

 
Posted : 06/05/2017 12:37 pm
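As an added example (not from the thread or any poster), here is a small Python readiness check over constructed log lines for the points athulin raises: putting mixed timestamp conventions (UTC, explicit offset, zone-less local time) onto one UTC clock, and flagging events that can only be traced to a group account. The source names, the group-account inventory and the local offset are assumptions.

```python
import re
from datetime import datetime, timezone, timedelta
# Constructed sample log lines (not from the thread): three sources, three
# timestamp conventions, and one event logged under a shared account.
SAMPLE_LOGS = [
    ("fileserver", "2017-05-06T10:37:12Z user=alice action=read path=/plans/2018.docx"),
    ("fileserver", "2017-05-06T10:41:03Z user=svc_share action=read path=/plans/2018.docx"),
    ("vpn", "06/05/2017 12:40:55 user=alice event=connect"),
    ("badge", "2017-05-06 12:39:01 +0200 user=bob event=door_open"),
]
# Hypothetical inventory of group accounts that cannot be traced to a person.
GROUP_ACCOUNTS = {"svc_share", "admin", "guest"}
# Assumed local offset for sources that log without a zone (UTC+2 here).
LOCAL_TZ = timezone(timedelta(hours=2))
# (regex, strptime format, kind): kind records how trustworthy the zone info is.
TS_PATTERNS = [
    (r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z", "%Y-%m-%dT%H:%M:%S", "utc"),
    (r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})", "%Y-%m-%d %H:%M:%S %z", "explicit"),
    (r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})", "%d/%m/%Y %H:%M:%S", "naive"),
]

def normalise(line):
    """Return (timestamp as UTC, kind) or (None, 'unparsed')."""
    for rx, fmt, kind in TS_PATTERNS:
        m = re.match(rx, line)
        if m:
            dt = datetime.strptime(m.group(1), fmt)
            if kind == "utc":
                dt = dt.replace(tzinfo=timezone.utc)
            elif kind == "naive":
                dt = dt.replace(tzinfo=LOCAL_TZ)  # only as good as the assumption
            return dt.astimezone(timezone.utc), kind
    return None, "unparsed"

def readiness_findings(logs):
    """Flag zone-less timestamps, unknown formats and group-account events."""
    findings = []
    for source, line in logs:
        _, kind = normalise(line)
        if kind == "naive":
            findings.append((source, "timestamp has no timezone; assumed local offset"))
        elif kind == "unparsed":
            findings.append((source, "timestamp format not recognised"))
        m = re.search(r"user=(\S+)", line)
        if m and m.group(1) in GROUP_ACCOUNTS:
            findings.append((source, f"group account {m.group(1)}: not traceable to a person"))
    return findings

def timeline(logs):
    """All sources on one UTC clock, ordered for cross-source correlation."""
    rows = [(normalise(l)[0], s, l) for s, l in logs]
    return sorted(r for r in rows if r[0] is not None)
```

Run `readiness_findings(SAMPLE_LOGS)` to see which sources would cost you in an investigation, and `timeline(SAMPLE_LOGS)` to see that the badge event actually precedes the VPN login once both are on UTC.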
kacos
(@kacos)
Posts: 93
Trusted Member
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

You're gonna hear "yes" in this group. If you want some reading material that might be helpful, I suggest reading NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (PDF), as a starting point to educate yourself on forensics as a process and perhaps later get into the technology that supports it. It's one of many documents that will help you decide, but it's one I like to go to often.

NIST's 800-86 is a good start indeed.

My recommendation would be:

IAAC's Digital Evidence, Digital Investigations and E-Disclosure
A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers

 
Posted : 06/05/2017 9:02 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Forensic readiness is (to me) knowing what information you will need in important forensic examinations, and ensuring you have that information ready with a minimum of fuss, when you do need it.

And that mostly starts with an analyst staring at logs. DFIR needs to be enterprise-wide and envelop as much of the organisation as possible; it won't really help much with a bunch of EnCase-certified guys collecting drives.

A good forensic capability, as the document talks about, ensures that you have that information. There have been many times when I have been missing information to provide to the client because someone didn't even consider activating logs, or implementing them in a custom application, or providing metadata for a DB dump someone handed you, or provided PDFs instead of logs because a vendor walked all over the organisation, or didn't take requirements from forensics because so-called "all-knowing infosec people" love to screw up the situation with their "expertise".

If you operate in a large organisation with many actors, you quickly learn to think bigger, and most of the time it's the forensics people who need to work overtime to get things done - no one else will care; they stick to some generic compliance document where forensics isn't even mentioned.

 
Posted : 07/05/2017 12:49 am
(@mas9256)
Posts: 6
Active Member
Topic starter
 

Lots of questions in response:

Normally, you do something called incident response and go from there. Do you have an IR team already? Great - add forensics to it. DFIR is a bit more than just shoving logs into Splunk.

Also, does your company have anything worth protecting/investigating to warrant an entire IR team or even one individual, or could you use the current staff (skill-wise and resource-wise) to do IR? Do you trust them? If it is a sensitive organisation, you should have dedicated staff to do IR/insider threat management.

Incident history from yours and similar organisations is a good measurement of what type of DFIR capabilities you should have. Newspapers are a good source.

Ask questions to know what to look for: Who is working off hours? Who has access to the keys to the organisation's data? Do we have any new hires that act weird? Do we see any exfil from people who are about to quit?

One can become a bit paranoid asking these questions, but it is necessary if you want effective DFIR; any lesser level of ambition is just compliance BS and management CYA security.

OK, thank you Sir for your response. Now my company is trying to set up a team on digital forensics.

 
Posted : 16/06/2017 8:16 am
(@mas9256)
Posts: 6
Active Member
Topic starter
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

You're gonna hear "yes" in this group. If you want some reading material that might be helpful, I suggest reading NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (PDF), as a starting point to educate yourself on forensics as a process and perhaps later get into the technology that supports it. It's one of many documents that will help you decide, but it's one I like to go to often.

Thank you Sir for your response. I appreciated it!

 
Posted : 16/06/2017 8:27 am
(@mas9256)
Posts: 6
Active Member
Topic starter
 

I want to know: should forensic readiness be implemented in the organization, and in what situation should it be implemented?

You're gonna hear "yes" in this group. If you want some reading material that might be helpful, I suggest reading NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (PDF), as a starting point to educate yourself on forensics as a process and perhaps later get into the technology that supports it. It's one of many documents that will help you decide, but it's one I like to go to often.

That's a good starting document.

Sprinkle a large chunk of updated network forensics onto that document, a bit of VM/cloud acquisition and a bit of memory forensics, add a subscription to some indicators of compromise, start thinking cyber intelligence instead of compliance (which should be kept faaaar away from DFIR, preferably on the other side of the planet), and an IT department that does what you ask of it (a security manager who listens to his/her analysts and acts in the organisation is key), and you can have a very functional DFIR.

Thank you Sir for your responses.

 
Posted : 16/06/2017 8:29 am