Security Incident Management and Forensics / Digital Forensics and Incident Response (DFIR)
Digital Forensics and Incident Response (DFIR) is a field within cybersecurity that focuses on the identification, investigation, and remediation of cyberattacks.
DFIR has two main components:
- Digital Forensics: A subset of forensic science that examines system data, user activity, and other pieces of digital evidence to determine if an attack is in progress and who may be behind the activity.
- Incident Response: The overarching process that an organization will follow in order to prepare for, detect, contain, and recover from a data breach.
Due to the proliferation of endpoints and an escalation of cybersecurity attacks in general, DFIR has become a central capability within the organization’s security strategy and threat hunting capabilities. The shift to the cloud, as well as the acceleration of remote-based work, has further heightened the need for organizations to ensure protection from a wide variety of threats across all devices that are connected to the network.
Though DFIR is traditionally a reactive security function, sophisticated tooling and advanced technology, such as artificial intelligence (AI) and machine learning (ML), have enabled some organizations to leverage DFIR activity to influence and inform preventative measures. In such cases, DFIR can also be considered a component within the proactive security strategy.
How Is Digital Forensics Used in the Security Incident Response Plan?
Digital forensics provides the information and evidence that the computer emergency response team (CERT) or computer security incident response team (CSIRT) needs to respond to a security incident.
Digital forensics may include:
- File System Forensics: Analyzing file systems within the endpoint for signs of compromise.
- Memory Forensics: Analyzing memory for attack indicators that may not appear within the file system.
- Network Forensics: Reviewing network activity, including email, messaging and web browsing traffic, to identify an attack, understand the cybercriminal’s attack techniques and gauge the scope of the incident.
- Log Analysis: Reviewing and interpreting activity records or logs to identify suspicious activity or anomalous events.
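Log analysis in practice means turning raw records into events and then applying a rule that separates normal from anomalous activity. The following is an added example written for this page, not code from the original; it parses a handful of constructed BSD-syslog `sshd` lines (the hostnames, process IDs and RFC 5737 documentation addresses are all made up) and flags a burst of failed logins from one source, plus any successful login from that same source while the burst window is still open. The threshold and window are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data). 203.0.113.5 and 198.51.100.7
# are documentation addresses. The first source fails five times in ten seconds
# and then logs in as root; the second is a normal user who mistyped once.
SAMPLE_LOG = """\
Jan 12 03:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 12 03:14:03 host1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Jan 12 03:14:05 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jan 12 03:14:08 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 40128 ssh2
Jan 12 03:14:10 host1 sshd[2209]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan 12 03:14:15 host1 sshd[2211]: Accepted password for root from 203.0.113.5 port 40132 ssh2
Jan 12 03:20:44 host1 sshd[2290]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Jan 12 03:21:02 host1 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
Jan 12 03:25:00 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH authentication result lines
SSH_AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_syslog(text, year=2024):
    """Turn syslog lines into event dicts; sshd auth lines get result/user/src fields."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a production parser would count and report unparseable lines
        ev = {
            # BSD syslog timestamps carry no year, so the caller supplies it
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "proc": m["proc"],
            "msg": m["msg"],
        }
        auth = SSH_AUTH_RE.match(m["msg"]) if m["proc"] == "sshd" else None
        if auth:
            ev.update(auth.groupdict())
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source with >= threshold failed logins inside the sliding window, and
    any successful login from that source while the window still holds the burst."""
    findings = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "result" not in ev:
            continue  # not an sshd auth event
        src, ts = ev["src"], ev["ts"]
        q = recent_failures[src]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append({"type": "brute_force", "src": src, "ts": ts, "failures": len(q)})
        elif len(q) >= threshold:
            findings.append({"type": "success_after_bruteforce", "src": src, "ts": ts, "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_syslog(SAMPLE_LOG)):
        print(finding)
```

The second finding type is the one an analyst cares about most: a burst of failures followed by an `Accepted` line from the same source is the point where a noisy probe becomes a likely compromise and the host moves from "monitor" to "contain".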
In addition to helping the team respond to attacks, digital forensics also plays an important role in the full remediation process. Digital Forensics may also include providing evidence to support litigation or documentation to show auditors.
Further, analysis from the digital forensics team can help shape and strengthen preventative security measures. This can enable the organization to reduce overall risk, as well as speed future response times.
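Evidence that will support litigation or satisfy an auditor must be shown to be unaltered from the moment of acquisition. The standard control is to hash the acquired image, record the hashes with chain-of-custody metadata, and re-verify before every analysis session. The script below is an added example written for this page, not code from the original; it streams a constructed stand-in image (a few kilobytes of made-up bytes) through SHA-256 and SHA-1, writes a JSON manifest, verifies it, then flips one byte to show that the verification fails. The examiner name and case ID are hypothetical placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def hash_file(path):
    """Return SHA-256 and SHA-1 of a file, computed in one pass over the data."""
    sha256, sha1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(chunk)
            sha1.update(chunk)
    return {"sha256": sha256.hexdigest(), "sha1": sha1.hexdigest()}


def write_manifest(image_path, manifest_path, examiner, case_id):
    """Record acquisition hashes plus chain-of-custody metadata beside the image."""
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest. Returns (ok, per-check report)."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    current = hash_file(image_path)
    report = {
        "size_match": os.path.getsize(image_path) == manifest["size_bytes"],
        "sha256_match": current["sha256"] == manifest["hashes"]["sha256"],
        "sha1_match": current["sha1"] == manifest["hashes"]["sha1"],
    }
    return all(report.values()), report


def demo():
    """Constructed walk-through: acquire, verify, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        manifest = os.path.join(workdir, "evidence.dd.manifest.json")
        # Constructed stand-in for an acquired disk image (not real evidence).
        with open(image, "wb") as fh:
            fh.write(b"MBR\x00" * 4096 + b"user-data-block" * 256)
        write_manifest(image, manifest, examiner="J. Doe (hypothetical)", case_id="CASE-0000")
        ok_before, _ = verify_image(image, manifest)
        # Simulate an accidental in-place alteration: one byte changes, size does not.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"\xff")
        ok_after, report = verify_image(image, manifest)
        return ok_before, ok_after, report


if __name__ == "__main__":
    before, after, report = demo()
    print("verified after acquisition:", before)
    print("verified after one-byte change:", after, report)
```

Two independent hashes are recorded because a collision in one algorithm does not carry over to the other, and the size check catches the common case of a truncated copy before any hashing is needed. In real work the manifest lives on write-once or separately controlled storage, and analysis is performed on a working copy that is itself verified against the same manifest.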
Security Incidents Questions and Answers
Q.1 Which of the following are the phases of the incident response process as defined by NIST?
A. Preparation > Detection > Analysis > Containment
B. Detection > Analysis > Containment and Eradication > Recovery
C. Preparation > Detection and Analysis > Containment, Eradication, and Recovery > Post-Incident Activity
D. Detection > Analysis > Containment and Eradication > Post-Incident Recovery
Correct Answer: Preparation > Detection and Analysis > Containment, Eradication, and Recovery > Post-Incident Activity
Q.2 Which of the following are useful incident analysis resources?
A. Phones and contact information
B. Documentation, network diagrams, critical file hash values
C. Removable media, forensic software, digital cameras, etc.
Correct Answer: Documentation, network diagrams, critical file hash values
Q.3 Which of the following tricks the user into thinking they are on a real system when in reality it is a virtual environment used to collect incidents?
A. Honeypot
B. Sandboxes
C. IDS
Correct Answer: Sandboxes
Q.4 “All incidents are events, but an event is not necessarily a security incident.”
A. True
B. False
Correct Answer: True
Q.5 It is OK if minor alterations occur in the evidence during forensic analysis.
A. True
B. False
Correct Answer: False
Q.6 Which of the following can be considered information assets?
A. Client Data
B. Application Software
C. System Software
D. Corporate Data
E. All of these
Correct Answer: All of these
Q.7 Which of the following pertains to legal evidence found in computers and digital storage media?
A. Security Incident Management
B. Monitoring
C. Logging
D. Computer Forensics
Correct Answer: Computer Forensics
Q.8 Which of the following is primarily used to collect device logs from several different machines in a central location for monitoring and review?
A. Syslog
B. SerLog
C. Network log
Correct Answer: Syslog
Q.9 What does live forensic acquisition acknowledge?
A. Volatility of the evidence
B. Integrity of the evidence
C. Confidentiality of the evidence
Correct Answer: Volatility of the evidence
Q.10 Which of the following are steps in the digital forensic process?
A. Seizure > Acquisition and analysis of digital media > Production of a report
B. Preparation > Detection > Analysis > Containment
Correct Answer: Seizure > Acquisition and analysis of digital media > Production of a report