In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
The security operations center (whether in-house or outsourced) must have the necessary forensic data to develop situational awareness across the organization’s infrastructure. One solution identifies and collects security relevant system events, data, or images using an agent on the system. The agent transfers the events in real-time over a secure channel to a protected network enclave. Other solutions require physical access to the machine from which the data is gathered. Many individual system security tools such as anti-virus or endpoint detection and response (EDR) tools can create logs, access system information in real-time, or image memory for secure transfer to a central management server. These logs would allow a SOC to begin the investigation. The SOC should also consider software tools used to push software or patches to systems. This would provide an on-demand capability for the SOC to send a security application when needed for forensic data collection. Example You are responsible for security operations at your organization. You implement a central log collection tool and configure your organization’s laptops and desktops to send syslog and security event logs to this tool. The tool is used by the SOC staff to monitor for abnormal activity. When suspicious activity is detected, the SOC has access to an open source utility you have installed to collect additional forensic information from a target laptop or desktop about operating system process creation, network connections, and changes to files. This additional capability complements the security application forensic data. ADDITIONAL READING NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final Cybersecurity
Organizations need to have the ability to gather attack forensics as part of responding to security incidents. During a cyberattack an attacker may seek to hide the activities taken to gain access, maintain persistence, and perform reconnaissance of an organization’s networks. However, in the course of their activities the attackers will leave artifacts that indicate their presence. This could be a local event indicating a system login, files associated with malware, or processes running in the system memory. To avoid detection an attacker may erase local logs or delete files. To allow for a thorough investigation the security operations center (SOC) should seek to collect forensic data from systems in real-time and be able to collect volatile data such as system memory when needed. Collection of the forensic data should be protected during transit and storage.