Accountability in Cybersecurity
by Brent Kirkpatrick
(Date Published: 5/4/2018.)
Incident response is the high-energy process of responding to cyberattacks in progress. The goal of incident response is to remove all traces of hacking from computer and network systems. During incident response, cybersecurity teams will discover exploits that allow access via various intrusion routes. They should be able to make a list of the exploits they discover.
Digital forensics is the meticulous task of identifying the machine code of hacker exploits on compromised computers. Forensics is done carefully in a clean environment. Deep forensics is the process of trying to exhaustively discover all the exploits on a single computer. A forensics expert can make a list of exploits that they discover.
The list of exploits found by incident response teams and by digital forensics teams can be compared. If the incident response people find something that the forensics team misses, then the forensics was done too hastily, and vice versa.
There is one caveat to this comparison. Usually the incident response teams select a subset of the hacked computers to submit for forensics analysis. This means that if there is any disagreement, the incident response team should be responding to more exploits than were found by the forensics team.
The relative independence of the work done by these two teams is important. Often the incident response teams work for a different company than the digital forensics team. This means that their work can be cross-checked.
Weak performers in incident response would be ones that consistently fail to identify intrusions. Strong performers would find stop intrusions that even the forensics people have trouble finding. Weak forensics people would be given hacked computers and be unable to find anything. Good forensics people would find traces of hacks that the incident response teams were unable to detect.
Clean-Up. Incident response driven by data and AI.