Incident Response Versus Forensic Analysis

by Roark Pollock

March 15, 2017


Someone has probably written a joke about the forensic analyst who was late to the incident response party. There is at least the seed of a joke in the idea, but of course you need to understand the distinctions between incident response and forensic analysis to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can leverage similar tools and related data sets but also have some important differences. There are four particularly important distinctions between incident response and forensic analysis:

  • Goals
  • Data requirements
  • Team skills
  • Benefits


Goals

The difference in the goals of incident response and forensic analysis is perhaps the most important. Incident response is focused on determining a quick (i.e., near-real-time) reaction to an immediate threat or issue. For example, a house is on fire, and the firemen who show up to put that fire out are involved in incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator might examine the remains of that house fire to determine the total damage to the house, the cause of the fire, and whether the root cause was such that other houses are also at risk. In other words, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

Data Requirements

A second major distinction between the disciplines is the data resources required to achieve the goals. Incident response teams typically require only short-term data sources, often no more than a month or so, while forensic analysis teams typically require much longer-lived logs and files. Keep in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

Team Skills

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important distinctions in job requirements. Both types of research require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate an infected device and to develop means to remediate or quarantine the device. Interactions tend to be with other security and operations team members. Forensic analysis typically requires interactions with a much broader set of departments, including operations, legal, HR, and compliance.

Not surprisingly, the perceived benefits of these activities also differ.


Benefits

The ability to eliminate a threat on one machine in near real time is a major determinant in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. However, the benefits of this work are undeniable. A thorough forensic investigation allows the remediation of all threats through the careful analysis of an entire attack chain of events. And that is no laughing matter.

Do your endpoint security processes and procedures accommodate both immediate incident response and long-term historical forensic analysis?
