Understanding Digital Forensics In Cyber Penetration Testing and Incident Response

How does digital forensics link to incident response and penetration testing?

The Public Accounts Committee (PAC) announced today (5th June 2019), “the UK is more vulnerable than ever before to cyber attacks”, citing evidence that the National Cyber Security Centre has dealt with more than 1,100 incidents since its creation in October 2016.  Given the mounting concern over the UK’s exposure to serious cyber breaches, it is more important than ever that we have the skills necessary to respond, including in the areas of incident response and penetration testing.

It cannot be overstated how critical specialist technical cyber skills are to the proactive protection against breaches and to their resolution if and when they occur.  Yet there are too few individuals within the UK who possess the capability, experience and up-to-date knowledge to thwart the intentions of the most capable cyber criminals.

One such invaluable skill set is that of digital forensics.  In this article, we will explain the role of forensics in cyber security prevention and response, and why it is so important to allow your cyber security teams to collaborate to ensure the best possible security of your operation.

What is Digital Forensics?

Anyone who has watched CSI will know that forensics is about finding, preserving, analysing and presenting evidence of crime.  Digital forensics is precisely the same.  Digital forensic specialists have the considerable challenge of working through the various ‘layers’ involved in electronic systems, including the networks, computers (server or client device), mobile devices, storage, software and data.  At every level, a vast set of skills is needed to make sense of and pursue clues which may lead to evidence on which a successful prosecution can be built.

In the context of cyber crime, digital forensic experts may be involved in the investigation of fraud, IP theft, data breaches, malware attacks, DDoS attacks, phishing, identity theft, database injection attacks, Man-in-the-middle (MitM) attacks, or even social engineering.

What is the role of Digital Forensics in Penetration Testing?

Penetration testing is the endeavour by companies to test the effectiveness of their own network defences by proactively and deliberately trying to find vulnerabilities.  There is a common misconception that those who specialise in penetration testing are entirely separate from those in the role of digital forensics.  In fact, digital forensic skills can play a key role in penetration testing, in two main areas.  Firstly, digital forensic teams provide invaluable feedback from previous investigations regarding vulnerabilities found (either within the same or other organisations) which can then be used as the basis for a series of specific penetration tests.  This feedback loop is vital in ensuring that known vulnerabilities are resolved and tested.

Secondly, beyond feeding results back into the penetration testing process, digital forensic expertise may be sought for specialist testing exercises.  While there are obvious cross-overs in terms of skills between digital forensics and penetration testing specialists, the former are more adept at understanding proprietary protocols and standards, and at accessing and interpreting data on a wide range of electronic device types.  In addition, forensic teams are highly trained in finding patterns and correlations.  Where these skills are lacking in penetration testing teams, digital forensics specialists may be invited to assist in resolving specific challenges, adding to the effectiveness of penetration testing outcomes.

What is the role of Digital Forensics in Incident Response?

A rapid and effective incident response is essential in the event of a cyber security breach, to ensure any impact is halted, protect the reputation of the business involved, preserve any evidence of the crime, and ensure the event cannot happen again.  Digital forensics and incident response teams have a common goal of preserving this evidence, to secure the prosecution of any offender when the matter is brought to court.  Indeed, many firms now combine their digital forensics and incident response functions.

The main role of the incident response team is to immediately assess which systems are being affected, and how.  Experts in this field will work through a process of:

  • Detection
  • Analysis
  • Containment
  • Removal of the threat
  • Recovery
  • Post-incident recovery.

During the incident response process, digital evidence is often acquired, which requires analysis by digital forensic teams later.  As such, it is important that the incident team collect the evidence in a manner that is complete, preserved, and legally defensible.  In addition, for the incident response team to conclude the post-incident analysis phase of their work, they will frequently work hand in hand with digital forensic specialists to make better sense of what happened.  The output of this final stage can then be used to further improve the security of the systems.
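As an added illustration of what "complete, preserved, and legally defensible" means in practice (this example is not from the article or from Lineal), the snippet below records a hash and a chain-of-custody log at the moment an artefact is acquired, so that a forensic examiner can later prove the bytes they analyse are the bytes the incident team collected. The log line, handler names and labels are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefact standing in for a file copied during incident
# response (e.g. an excerpt of an authentication log). Not from any real case.
SAMPLE_ARTEFACT = b"2019-06-05T10:14:02Z sshd[4412]: Accepted password for svc-backup from 10.0.0.23\n"

def digest(data: bytes) -> str:
    """SHA-256 of the evidence bytes: the fingerprint later analysis is checked against."""
    return hashlib.sha256(data).hexdigest()

def acquire_evidence(data: bytes, label: str, collector: str) -> dict:
    """Record what was taken, its size, its hash at acquisition, and who took it."""
    manifest = {
        "label": label,
        "size": len(data),
        "sha256": digest(data),
        "custody": [],
    }
    append_custody(manifest, collector, "acquired")
    return manifest

def append_custody(manifest: dict, handler: str, action: str) -> None:
    """Add a chain-of-custody entry each time the evidence changes hands or is examined."""
    manifest["custody"].append({
        "handler": handler,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": manifest["sha256"],  # hash restated so every hand-off attests to it
    })

def verify_evidence(manifest: dict, data: bytes) -> bool:
    """Confirm the bytes handed to forensic analysis match those originally acquired."""
    return len(data) == manifest["size"] and digest(data) == manifest["sha256"]

if __name__ == "__main__":
    m = acquire_evidence(SAMPLE_ARTEFACT, "auth.log excerpt", "ir-analyst-1")
    append_custody(m, "forensic-examiner-2", "received for analysis")
    print(json.dumps(m, indent=2))
    print("intact:", verify_evidence(m, SAMPLE_ARTEFACT))
    # A same-length edit slips past the size check but not the hash check.
    tampered = SAMPLE_ARTEFACT.replace(b"Accepted", b"Rejected")
    print("intact after edit:", verify_evidence(m, tampered))
```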

Final words

Given the growth in complexity and diversity of systems which underpin modern businesses and organisations, the skills needed to afford protection, analysis, and resolution of cyber security breaches need to be increasingly agile and fluid.  Skills which are applicable in the domain of digital forensics can and do play a vital role in helping other cyber security teams to ensure the ongoing security of systems.  Ultimately, by working together, sharing knowledge, comparing ideas, and finding common solutions, those tasked with protecting our businesses and institutions from hidden cyber actors have the best chance of success in their challenging endeavour.

Lineal is a global leader in providing Cyber Security and Digital Forensics services; please call us on +44 (0)20 7940 4799 or email info@linealservices.com.