Should You Hire a Computer Forensics Specialist?

The need for computer and digital forensics experts is growing significantly due to the increase in cyberattacks, with digital forensics skillsets becoming a critical element in helping IT security teams learn from security incidents.

This type of knowledge, also referred to as computer forensics, allows IT security professionals to learn more about the techniques that cybercriminals use and abuse, so that they can implement security controls that makes those techniques less successful.

From that perspective, computer forensics is a key part of the organization’s risk management approach.

Should You Hire a Computer Forensics Specialist?

Dirk Schrader, global vice president of security research at New Net Technologies (NNT), said as the common understanding of cybersecurity is shifting away from “it only happens to others,” organizations need to have a computer forensic professional’s expertise at hand, because of tighter legal and compliance requirements that have to be fulfilled.

“One good reason for tapping into the knowledge of a computer forensic pro is the level of preparation an organization can achieve,” he said. “Once it is accepted that a successful attack will occur, forensics will prepare the company for it.”

He explained that their job is to preserve evidence for insurance claims, to document where a defense was ineffective and, by doing so, build up a solid foundation for the proof needed in front of any DPA that the company’s defensive and preventive measures were indeed appropriate.

Context is Critical

Schrader also noted that a key element of the qualifications one should be looking for in a computer forensics pro is the ability to learn about the surrounding context of the environment the company operates in, including the company’s business model and processes.

That skill must be layered on top of a good understanding of operating systems, software applications and networking, as well as hardware.

“When this knowledge isn’t put in the context of how all this is used in the organization, the prep work done by a forensic expert might be aiming at the wrong place,” he said.

With this ability emphasized, the cooperation between forensics and prevention and detection experts focuses on two groups of scenarios: what needs to be done in an organization to detect and prevent an attack vector from being successfully exploited, and what needs to be done should attackers be successful, despite that preparation.

Schrader explained that, in both scenario groups, forensics, prevention and detection will need to have detailed information about what has changed (or what attackers attempted to manipulate) in the infrastructure, and that they will need to have control over those changes to be efficient and successful.

An Ounce of Prevention

Joseph Carson, chief security scientist and advisory CISO at Thycotic, said he believes that IT security leaders must learn from digital forensics to help make sure the knowledge ultimately results in better prevention.

“In my opinion, organizations do not need to hire digital forensics professionals directly for their organizations, and [resources] would be better [spent] prioritizing incident response experts who would coordinate with third-party digital forensics experts,” Carson said.

Carson noted that because organizations could be dealing with different types of security incidents, such as unauthorized access, data theft or ransomware, having access to various skillsets is critical.

“This is one of the benefits of using an external professional incident response team, as not all security incidents are the same,” he added.

Tyler Shields, CMO at JupiterOne, said because the term ‘computer forensics’ is very narrow, computer forensics could (and should) be bundled into a broader incident response and handling type of program for an enterprise.

“Certainly, you need someone with the laser focus on reverse engineering what happens on an endpoint, but, additionally, you need to build a broader set of skills that can understand what might have happened in the cloud, on servers, in workloads, at a process level on an end host,” he said. “What is needed is larger than just looking at a single endpoint.”

The correct person for this role would need to understand cyber asset visibility all the way down to individual handling of endpoint analysis – cloud security, network security, host and endpoint understanding, as well as malware analysis skills are required.

Computer Forensics: Searching for a Unicorn?

“This is a very difficult person to find,” he said. “You may have to hire a team, or possibly outsource the services to a third party that can help at the time of need.”

Shields noted traditional computer forensics skills have been augmented with a superset of new technologies that the person must learn, including cloud, workload, endpoint, malware reverse engineering and much more; all of which is required to properly handle an incident.

“If focusing solely on the endpoint, you at least have to understand workloads in the cloud and general cloud operations and security – these are the new endpoints,” he said.

He explained communication between computer forensics specialists and other IT security professionals needs to focus on what is in the environment and how it all interoperates; that is paramount to successfully defending systems and infrastructure.

“IT professionals have a different view into the cyber asset universe than the forensics specialist, and together, these two views provide a much deeper context that will help all parties understand exactly what might have happened in detail,” Shields said.

Forensics Alternatives

He also pointed out that there are alternatives for organizations who want the expertise, but don’t want to make an additional hire.

“There are many MSSP and outsourced security firms that have incident response handling capabilities,” he said. “These firms provide just-in-time analysis and keep a depth of knowledge available on the bench to help in the time of need.”

Shields noted that, regardless of whether you outsource this capability or not, you still must maintain an active cyber asset database that understands what you have and how it all works together.

“If you keep this data at the ready, the outsourced team can leverage it to get up to speed much more quickly, lowering your actual time of risk,” he said.

Comments are closed.