Digital forensics and incident response (IR) have always been a matter of data, but these days they’re also a matter of Big Data, which is getting bigger all the time. Whether investigating a crime such as theft, fraud and racketeering, or a major cyber incident (which can also involve theft, fraud and racketeering), the webs of forensic evidence keep growing bigger, more far-flung and more complex.
For some crimes, the investigation is no longer just sifting through encrypted evidence on a hard drive retrieved from a home computer or laptop, or finding information on a smartphone. It requires tracking evidence into the cloud, through encrypted communications channels in multiple formats that circle the globe and back to a device with not only encrypted software but encrypted hardware.
It means dealing not only with structured data, but unstructured data across emails, audio and video files, web pages and social media, and it can also involve decrypting files and recovering deleted records. Digital forensic work crosses time zones (with no regard for normal business hours) and comes in terabytes, not megabytes. Responding to an incident such as a major security breach or denial-of-service attack has many of the same complications.
Because practically everything is done online these days, a greater percentage of cases of all kinds are going to involve digital forensics, with each of those cases creating mountains of data. For digital forensics and IR teams, it’s not just the types of evidence that have changed, but the ways in which they deal with it, involving more steps to access and analyze data across a wide range of digital environments and geographic distances.
No matter how big the amount of data or how long the trail of evidence, an organization’s leadership tends to want actionable intelligence immediately, if not sooner. After all, time is still money, and a serious breach or other crime will carry significant costs until it’s corrected.
Channels of Communication
The key for forensic and IR teams is often information sharing, through which they can collect, sort and analyze the huge data sets essential to their investigations. Efficient data exchange has become as important a tool as any in their arsenals.
While substantial efforts have been made to improve the collection and distribution of Big Data, communications can still be a challenge.
Teams have a number of open, community-driven tools designed to streamline data exchange, such as the technical specifications supported by the Homeland Security Department and US-CERT, which are international in scope and free to the public. They include:
- TAXII (Trusted Automated eXchange of Indicator Information), which enables sharing of actionable cyber threat information across organizational, product line and service boundaries.
- STIX (Structured Threat Information eXpression), a standardized, structured language to represent cyber threat information in a flexible, extensible, automatable format that is as human-readable as possible.
- CybOX (the Cyber Observable eXpression), a standardized schema for the specification, capture, characterization and communication of events or stateful properties that are observable in all system and network operations. It covers a variety of cybersecurity use cases that rely on information such as event management/logging, malware characterization, intrusion detection/prevention, incident response and digital forensics.
- MISP (Malware Information Sharing Platform), an open source threat intelligence platform used for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information and counter-terrorism information.
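As an added example (it is not part of the original article, nor code from any of the projects named above), the following Python script shows what consuming one of these exchange formats looks like in practice. It takes a small STIX 2.1 bundle of the kind a TAXII feed or a MISP export delivers, pulls the observables out of each indicator's pattern, follows the "indicates" relationships to the malware they point at, and correlates the result against evidence an IR team has already collected. STIX 2.1 is the current OASIS-maintained revision, which absorbed CybOX's observable objects. Every id, hash, domain and address below is constructed, the `stix_obj` helper is this example's own convenience function rather than part of any library, and the pattern parser handles only equality comparisons and deliberately flattens AND/OR logic, so a hit is a lead for an analyst, not a verdict.

```python
"""Consume a STIX 2.1 bundle and correlate its indicators with local evidence.

Added example using only the standard library; it assumes nothing beyond the
public STIX 2.1 object layout. All identifiers and values are constructed."""
import re


def stix_obj(obj_type, suffix, **fields):
    """Helper for this example: build a STIX 2.1 object with the common
    required fields filled in. The ids are constructed placeholders."""
    base = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--5b9c0f6e-0000-4000-8000-0000000000{suffix}",
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-01-01T00:00:00.000Z",
    }
    base.update(fields)
    return base


HASH = "0123456789abcdef" * 4  # constructed 64-hex placeholder, not a real IoC

# Constructed bundle: one malware object, two indicators, and the relationships
# tying them together, as a TAXII collection or MISP export might deliver it.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--5b9c0f6e-0000-4000-8000-000000000001",
    "objects": [
        stix_obj("malware", "02", name="example-loader", is_family=False),
        stix_obj("indicator", "03", indicator_types=["malicious-activity"],
                 pattern=f"[file:hashes.'SHA-256' = '{HASH}']",
                 pattern_type="stix", valid_from="2024-01-01T00:00:00Z"),
        stix_obj("indicator", "04", indicator_types=["malicious-activity"],
                 pattern="[domain-name:value = 'c2.example.invalid' "
                         "OR ipv4-addr:value = '203.0.113.5']",
                 pattern_type="stix", valid_from="2024-01-01T00:00:00Z"),
        stix_obj("relationship", "05", relationship_type="indicates",
                 source_ref="indicator--5b9c0f6e-0000-4000-8000-000000000003",
                 target_ref="malware--5b9c0f6e-0000-4000-8000-000000000002"),
        stix_obj("relationship", "06", relationship_type="indicates",
                 source_ref="indicator--5b9c0f6e-0000-4000-8000-000000000004",
                 target_ref="malware--5b9c0f6e-0000-4000-8000-000000000002"),
    ],
}

# Constructed evidence records, e.g. from endpoint file inventories and DNS
# logs collected during an incident. "key" uses the STIX object-path form so
# it can be compared directly with what the patterns yield.
EVIDENCE = [
    {"host": "ws-17", "key": "file:hashes.'SHA-256'", "value": HASH},
    {"host": "ws-17", "key": "domain-name:value", "value": "c2.example.invalid"},
    {"host": "srv-02", "key": "ipv4-addr:value", "value": "198.51.100.9"},
    {"host": "srv-02", "key": "file:hashes.'SHA-256'", "value": "ff" * 32},
]

# Matches one equality comparison: <object-type>:<object-path> = '<value>'.
COMPARISON = re.compile(r"([a-z0-9-]+:[\w.'\-]+)\s*=\s*'([^']*)'")


def extract_comparisons(pattern):
    """Return (object_path, value) pairs for every equality comparison in a
    STIX pattern. Boolean structure (AND/OR, FOLLOWEDBY, time qualifiers) is
    flattened on purpose: any single match is surfaced as a lead for a human,
    which is the conservative choice during triage."""
    return COMPARISON.findall(pattern)


def indicated_malware(bundle):
    """Map each indicator id to the names of the malware it 'indicates'."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "malware"}
    result = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            if o["target_ref"] in names:
                result.setdefault(o["source_ref"], []).append(names[o["target_ref"]])
    return result


def match_evidence(bundle, evidence):
    """Correlate the bundle's indicators with evidence records; return hits."""
    lookup = {}
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue  # only STIX-language patterns are parsed here
        for path, value in extract_comparisons(o["pattern"]):
            lookup.setdefault((path, value), []).append(o["id"])
    malware = indicated_malware(bundle)
    hits = []
    for rec in evidence:
        for ind_id in lookup.get((rec["key"], rec["value"]), []):
            hits.append({"host": rec["host"], "indicator": ind_id,
                         "observable": f"{rec['key']} = {rec['value']}",
                         "malware": malware.get(ind_id, [])})
    return hits


if __name__ == "__main__":
    for hit in match_evidence(SAMPLE_BUNDLE, EVIDENCE):
        print(hit)
```

Running the script reports two leads, both on host ws-17 and both tied to "example-loader" through the relationship objects; srv-02's records match nothing. The point of the exercise is the shape of the workflow: because the shared indicators arrive in a structured, machine-readable format, the correlation step is a few lines of code rather than a manual read of a PDF report.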
Other exchanges are also available. The Open Threat Exchange (OTX), developed and run by AT&T Cybersecurity, is a crowd-sourced platform that shares information on up to 19 million threats a day. The ATT&CK framework by MITRE, which also contributes to STIX and TAXII among other standards, is a globally accessible knowledge base of adversary tactics and techniques used against networks.
As with other open standards and frameworks, the idea is to easily share threat information and promote collaboration, with each contributor bringing something new to the table. The National Institute of Standards and Technology’s Information Technology Laboratory also offers guidance on Cyber Threat Intelligence and Information Sharing, which is based on NIST SP 800-150.
Collaboration is Key
It’s also up to individual teams to make data exchanges work. No two cases are quite the same. They can involve different incidents, types of data, formats and jurisdictions. Collecting, analyzing and using that data requires intensive collaboration among people and tools, sometimes across continents, and typically with new wrinkles that haven’t been seen before.
Teams need to shape-shift as needed, tailoring their data sharing and analysis to each unique case while incorporating the efforts of other groups.
Digital forensics and IR, like the use of digital technologies overall, are an ever-expanding field. Focusing on data exchange and collaboration can go a long way toward making swift data collection, analysis and decision-making an ongoing reality.