Adding Forensics to Incident Response

Posted: August 27th, 2021

Week 8 Assignment 1: Adding Forensics to Incident Response


Describing How to Add Forensics to Incident Response

Incident Response (IR) is a structured methodology for handling security breaches, incidents, and cyber threats. Adding digital forensic investigations (DFIs) to IR is meant to manage threats effectively and so reduce the damage caused by a security breach (Voigt, 2018). A well-planned IR process matters because it helps find and fix the root cause of a security incident while guarding against future attacks. The overall aim of adding forensics is to reduce the cost of cyber-attacks.

When DFIs are employed in the post-event response to a serious information security event, the investigation team conducts a systematic, formalized, and regular examination. That examination is meant to establish that the evidence is admissible, in particular that its integrity has been preserved, for example when computers are seized from a suspect (Voigt, 2018). Hence, investigation teams should follow appropriate incident response guidelines to limit the damage of a cyber-security incident. The main phases are the following.

Preparation

This phase covers planning how security incidents will be managed.

Detection and Analysis

This phase consists of monitoring possible attack vectors, from identifying the indicators of an incident to prioritizing them.

Containment, Eradication, and Recovery

This phase involves mounting a containment strategy, identifying and remediating the hosts and systems under attack, and planning for recovery.

Post-Incident Activity

This phase revolves around reviewing the lessons learned and an evidence retention plan.

Types of Changes Made to Client’s Incident Response Policies and Procedures

Concerning forensic readiness, there are key basic requirements that must be fulfilled before digital evidence can be collected and used. These requirements are also policies and procedures intended to improve computer and network forensics (Rowlingson, 2018). There are six changes that must be made consistently to clients’ IR so that it suits the aftermath of a cyber-security breach, namely retaining information, planning for the response, training, accelerating investigation, safeguarding against anonymous activities, and protecting evidence (Rowlingson, 2018). For example, there need to be strict policies on how clients retain their information in databases. Moreover, a training policy needs to be adaptive so that staff acquire the skills to initiate anti-malware and anti-threat security measures. Such policy changes would reduce the occurrence of similar cybersecurity threats in the future.
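The integrity requirement discussed earlier (evidence must be shown to be unaltered to be admissible) and the "protecting evidence" and "retaining information" readiness requirements listed above are usually implemented with an acquisition manifest: every artefact is hashed at the time it is collected, the manifest is sealed so that it cannot itself be quietly edited, and any later examination re-hashes the artefacts against the manifest. The following Python script is an added illustration of that practice; it is not part of the original paper or of any cited author's work. The evidence contents, the examiner name and the sealing key are all constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample evidence: artefact name -> bytes as acquired.
# These contents are made up for illustration and are not real case data.
SAMPLE_EVIDENCE = {
    "auth.log": b"Aug 27 10:14:02 host sshd[4242]: Failed password for root from 198.51.100.7\n",
    "memory.dmp": bytes(range(256)) * 4,
    "empty.txt": b"",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; the standard integrity hash recorded for each artefact."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, examiner: str, acquired_at: str = None) -> dict:
    """Record who acquired what, when, and the hash and size of each artefact.

    The manifest is the chain-of-custody record that later examiners verify against.
    """
    if acquired_at is None:
        acquired_at = datetime.now(timezone.utc).isoformat()
    return {
        "examiner": examiner,
        "acquired_at": acquired_at,
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in evidence.items()
        },
    }


def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Return (name, problem) pairs for artefacts that no longer match the manifest.

    An empty list means every recorded artefact is present and unchanged and
    nothing has been added to the evidence set since acquisition.
    """
    problems = []
    for name, record in manifest["items"].items():
        if name not in evidence:
            problems.append((name, "missing"))
        elif sha256_hex(evidence[name]) != record["sha256"]:
            problems.append((name, "hash mismatch"))
    for name in evidence:
        if name not in manifest["items"]:
            problems.append((name, "not in manifest"))
    return problems


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON, so editing the manifest breaks the seal.

    The key is held by the evidence custodian, not stored with the evidence.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_seal(manifest: dict, key: bytes, seal: str) -> bool:
    """Constant-time comparison of the recomputed seal against the stored one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def demo() -> list:
    """Acquire, seal, then simulate a tampered evidence set and report the findings."""
    key = b"constructed-custodian-key"  # constructed sample value
    manifest = build_manifest(SAMPLE_EVIDENCE, "examiner-1", "2021-08-27T10:20:00+00:00")
    seal = seal_manifest(manifest, key)
    assert check_seal(manifest, key, seal)
    assert verify_manifest(manifest, SAMPLE_EVIDENCE) == []

    # Someone "cleans" a log, drops a file and adds an unrecorded artefact.
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["auth.log"] = b"cleaned\n"
    del tampered["empty.txt"]
    tampered["extra.bin"] = b"\x00"
    return verify_manifest(manifest, tampered)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

The manifest is deliberately written as plain JSON so that it can be printed and signed as a paper exhibit; the HMAC seal protects against edits to that record, while the per-artefact hashes protect the artefacts themselves. In practice the key is kept apart from the evidence store, and the same verification is repeated and logged each time custody changes hands.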

Steps Taken to Prepare Client’s Staff

The following are the steps undertaken when preparing the client’s staff.

Step 1. Assembling the team.

Step 2. Detecting and ascertaining the source of the cybersecurity threat or incident.

Step 3. Containing the threat and recovering the affected systems.

Step 4. Assessing the damage and its severity.

Step 5. Beginning the notification process through legal procedures.

Step 6. Starting to prevent any similar security event in the future through firewalls and anti-malware.

Impacts of Adding Forensics on IT Resources

Adding forensic activity to incident response must maximize the ability of security investigation teams to collect credible digital evidence from the immediate environment while preserving its integrity (Rowlingson, 2018). This requires suitable computer systems for gathering and examining evidence. Notably, adding forensics also affects IT resources because detection systems must be operated that help locate evidence.

Legal Implications of Forensic Activity During Computer Intrusions

After a cyber-security breach or threat, there are many legal activities for which the investigation team has to partner with an external organization in order to conduct an integrity-based examination of the evidence (Arnes, 2017). In particular, monitoring and collecting relevant information about a computer intrusion may involve dependencies and interactions with the police and with overseas prosecuting authorities and courts in order to retrieve and examine detection software (Rowlingson, 2018). Such dependencies on policing authorities might therefore be financially burdensome to clients in terms of costs.

References

Arnes, A. (2017). Digital readiness. Wiley Publishers.

Rowlingson, R. (2018). A ten-step for forensic readiness. International Journal of Digital Evidence, 2(3), 1-28.

Voigt, L. (2018, September 29). Incident response steps: 6 steps for responding to security incidents. Exabeam. https://www.exabeam.com/incident-response/steps/
