What is Digital Forensics and How Does it Relate to Incident Response?

At eSentire we pride ourselves on being the Authority in Managed Detection and Response (MDR) services. When your preventative security controls fail – and they will – we’re there to contain and disrupt threats before they become business-impacting events.

Every cybersecurity professional understands that there is no end to cyber risk and, of course, there is no perfect end state when it comes to cybersecurity. We’re on a continuous improvement journey together and “perfect security” simply doesn’t exist.

Our objective is to prevent a security incident that may impact your organization’s critical assets and overall ability to operate – mitigating legal, regulatory and reputational consequences. It’s imperative that you invest in a capability to disrupt and respond to threats, and it is equally critical that you plan ahead for the worst-case scenario. If a threat actor is successful in achieving their mission and solidifying their presence within your environment, having a Digital Forensics and Incident Response (DFIR) team engaged and on retainer is the most time- and cost-effective way to reduce the impact of a breach.

As our Chief Services Officer, Bryan Sartin, says in a post at the Cloud Security Alliance, “In the midst of a crisis, you need to move quickly — and with purpose. Big decisions need to be made, and it’s important to be decisive. It’s not the time to Google ‘best practices for responding to a data breach.’”

eSentire has the digital forensics and incident response expertise to support your security response needs, end to end—from threat detection, investigation, response and when required complete incident handling. But you may be wondering…

What is Digital Forensics?

How is Incident Response different from Managed Detection and Response?
How do you know which team to engage when?

Managed Detection and Response (MDR), Incident Response (IR) and Digital Forensics (DF)

Safeguarding against threats, investigating incidents and responding to them can involve several security activities:

• Managed Detection and Response (MDR)
• Incident Response (IR)
• Digital Forensics (DF)

These services are largely distinct, occasionally intersecting and frequently interdependent—for each, it’s important to understand what it is, and what it isn’t, so you can ensure your organization has the necessary capabilities and provider relationships in place before an incident arises.

What is Managed Detection and Response (MDR)?

“Managed Detection and Response” was officially coined in 2016, when Gartner released their inaugural Gartner Market Guide for Managed Detection and Response Services[i]. This report broke described an emerging category of security service providers—and specifically profiled 12 of them, including eSentire, as representative vendors—that “improve threat detection monitoring and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls.”

However, in terms of functionality and outcomes, MDR existed well before 2016. For example, eSentire was providing “Collaborative Threat Management” and “Embedded Incident Response” services as far back as 2001. We believe in multi-signal managed detection and response, powered by our cloud-native, XDR platform, and 24/7 threat hunting. Put simply, we hunt, contain and disrupt threats that bypass your preventative controls, so you don’t have a business impacting event.

What is Incident Response (IR)?

Incident Response (IR) focuses on understanding and investigating security incidents, limiting their effects, assisting with recovery efforts and ensuring your organization is better prepared for the future.

In practice, there’s some overlap between the “response” services included within MDR and IR:

• Typically, MDR provides remote Incident Response support, including threat containment and investigative capabilities, in addition to a range of cybersecurity services
• IR, on the other hand, can provide on-site response and extends into very specific areas including compliance reporting, legal assistance (e.g., expert witness testimony) and recovery efforts

Because timing is crucial to containment, investigation and recovery, it’s essential that companies have an IR partner on retainer—you simply don’t have the time or cycles to look for an IR provider when an incident is unfolding.

An effective IR function depends upon having cybersecurity tools in place proactively. These tools provide the response team, which includes members of your own organization and your IR partner, with the capabilities needed to contain and investigate incidents and to restore information and systems.

Just as important to a successful response is having well-defined IR processes, which clarify roles and provide clear instructions for everyone involved while also ensuring you’re able to fulfill notification requirements (whether contractual or regulatory).

What is Digital Forensics (DF)?

Digital forensics is a branch of forensic science that focuses on acquiring, analyzing and reporting on evidence from digital systems.

The field has existed since at least the late 1970s, gained traction within law enforcement agencies starting in the early 2000s and rose to greater prominence in recent years as international standards and training programs emerged.

As the diversity and impact of cyberthreats grew, digital forensics has become increasingly common to support evidence handling and root cause analysis. While DF often appears within cybersecurity and incident response plans, it is not limited to cybercrime; for instance, investigating workplace harassment is an unfortunately common use case.

Working in synergy

Organizations looking to improve their overall threat response and incident resolution capabilities need to find a balance between MDR, IR and DF services:

• Managed Detection and Response capabilities empower organizations to respond to incidents systematically, ensuring that incidents are handled consistently and that all appropriate actions are taken
• Managed Detection and Response also helps organizations to minimize loss or theft of information, to contain security incidents in order to limit disruption and damage, to identify gaps in defenses and to recover from incidents as effectively and as quickly as possible
• Incident Response helps organizations to recover from potentially business-altering incidents and to determine how prevention, policies, plans and procedures can be improved
• Digital Forensics can be essential for root cause analysis and for pursuing judicial actions

The combination of all three services can be critical not only to threat detection, security incident resolution and security program improvement, but also when adhering to regional or industry-specific compliance requirements relating to managing incidents and notifying third parties.

What constitutes an “incident”?

In cybersecurity, an “incident” could be as simple as a laptop being lost or a violation of security policies. Or it can be as complex as an advanced persistent threat in which an embedded attacker conducts prolonged cyberespionage or extracts personally identifiable information before suddenly encrypting critical information and making vital systems inoperable.

How you respond to an incident is very much dependent on the nature of the incident itself. For instance, eSentire’s Pragmatic Security Event Management Playbook includes incident response playbooks for 14 different security event types:

• Malware Compromise: Workstation
• Ransomware
• Malware Compromise: Server
• Infrastructure Outage (Internal)
• Local Access without Authorization (Non-Malware)
• Successful Remote Access without Authorization
• Lost/Stolen Devices
• Inappropriate Behavior
• Cloud Service Access without Authorization
• Data Loss/Extrusion
• Direct Financial Loss (Non-Physical Theft, including Attempts)
• Denial of Service (External)
• Physical Breach
• Social Engineering

As an example, pictured below is the recommended process for responding to ransomware incidents. Of course, it’s important to note that each organization differs in culture, hierarchy, critical data and systems. As such, it is vital that this framework be modified to customize the actions your organization needs to take.

To make sure everyone is on the same page, we recommend aligning with your Incident Response provider to define what “incident” means; that way, all parties involved know when it’s appropriate to use the term and when to invoke Incident Response playbook actions.

Conclusions

It should go without saying—but allow us to reiterate—that organizations must have the ability to detect and respond to threats. eSentire also highly recommends engaging a service provider for emergency preparedness planning and Incident Response support.

Managed Detection and Response, Digital Forensics and Incident Response are vital parts of an overall response capability. The right security provider will be able to assist your organization with assessing your needs and defining your policies, plans and procedures, all of which are crucial to ensuring that you can respond to incidents effectively, efficiently and consistently.

To learn more about eSentire’s approach to Incident Response, read Bryan’s latest blog: Planning Through Recovery: Five Things to Keep in Mind.

To learn more about eSentire’s approach to Managed Detection and Response services visit (https://www.esentire.com/what-we-do) or contact a security specialist today (https://www.esentire.com/get-started )

[i] Market Guide for Managed Detection and Response Services, Toby Bussa, Craig Lawson, Kelly M. Kavanagh, 10 May 2016