COVID-19, Digital Forensics, and Incident Response
Dr. Paul de Souza
Founder President at Cyber Security Forum Initiative (CSFI.US) National Security Professional | Advisor | University Professor
COVID-19, A Major Disruptor to Business as Usual in the Digital Forensics and Incident Response Practices
Background
To “flatten the curve” of the spread of the novel coronavirus COVID-19, many businesses and organizations are asking employees to leave the normal confines of their offices and work remotely from home. The US Government has instituted mandatory remote work edicts on the government and contractor workforces. Both public and private sector organizations have institutionalized no-travel policies. These actions and restrictions are going to have a tremendous impact on ‘business as usual’ forensics investigation, e-Discovery collection, and incident response (IR) methodologies and procedures.
COVID-19 Disruption to the Incident Response and Digital Forensics Industry
Cybersecurity firms are reporting increased attack activity against a range of targets, with attackers using the COVID-19 pandemic as a lure to dupe victims into launching malware while large portions of the world have their attention turned toward the virus. With employees distracted by juggling unanticipated work from home, closed schools, potentially sick relatives, and limited office resources, they will be less vigilant in ensuring that every link in a multitude of email messages is a safe one. All these indicators suggest that the number of forensic and incident response engagements will dramatically increase in the immediate future.
Additionally, the COVID-19 virus has impacted travel capabilities for IT security units that often work on-site with customers, such as Incident Response (IR) and eDiscovery collection teams. Because of the limitations imposed by both legacy incident response investigation software platforms and unchallenged legacy procedural thinking, most companies engaging in incident response work send teams of individuals—billable by the hour—on-site to create tens, dozens, or hundreds of image copies of potentially affected computer systems which they then bring back to the lab for analysis separately or in small batches. This methodology puts a company’s staff and customers at risk during a viral pandemic and reflects an inefficiency in the Incident Response market driven by the limitations of common legacy software platforms in the field.
It is clear that this legacy methodology will not provide adequate response and investigative support in view of the current crisis and restrictions. By necessity, both industry and security providers will have to change their methodologies and thinking to a “remote enterprise investigation first” methodology to meet the challenges of the increased security incidents. Now some might simply try to turn to the FedEx model, where they rely on the client to image memory and hard drives and then ship them to the team for analysis. Some might try to rely on singular remote drive mounting and remote imaging. Neither of these methods is scalable or sustainable, nor does either provide the completeness that a competent investigation requires. How complete is the investigation if the team only analyzes 10 systems out of 10,000? Technologies, like CyFIR Enterprise, currently exist that enable teams to move away from the legacy IR methods and take a remote “investigate the enterprise first” approach. Enterprise-wide keyword searching, API automation and forensic-grade analysis at enterprise-wide scale and speed now enable investigators, IR teams and e-Discovery collectors to change how they are doing business. Travel is no longer a requirement. Forensic fidelity in enterprise searching is no longer a restriction.
It is critical that the forensics and IR communities change the way they are thinking with respect to incident engagement and response. The stakes are high, security is at risk and the ability to investigate remotely is critical to the continued functioning of our government and economy.
I have personal experience with technologies such as CyFIR and can fully recommend innovative remote approaches to IR as a way to maximize IR productivity and best practices to promote health safety. Please feel free to contact me at [email protected] if you would like to know more about remote incident response capabilities!