More serious compromises will often require some level of digital forensics. Depending on the severity of the circumstances, this typically involves a range of specialized forensic analysis capabilities, used by experienced (often certified) forensic analysts, following strict “eDiscovery” processes for evidence gathering, analysis, and handling.
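The “strict processes for evidence handling” mentioned above boil down, at the technical level, to two things: an integrity hash recorded at acquisition that every later handler can re-verify, and an append-only chain-of-custody record of who held the evidence and why. The following Python is an added illustration of that minimum, not code from the original article or from any forensic product; the evidence bytes, the `EV-0001` identifier, the analyst names and the record layout are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample evidence; stands in for the bytes of an acquired disk or
# memory image. Not real evidence.
SAMPLE_IMAGE = b"constructed evidence image bytes\x00" * 256


def iso_now() -> str:
    """UTC timestamp for custody entries."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def hash_evidence(data: bytes, algorithm: str = "sha256", chunk: int = 4096) -> str:
    """Hash the image in fixed-size chunks, the way an acquisition tool streams it."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk):
        h.update(data[offset:offset + chunk])
    return h.hexdigest()


def new_custody_record(evidence_id: str, data: bytes, collector: str,
                       description: str, at: Optional[str] = None) -> dict:
    """Create the chain-of-custody record at acquisition time.

    The hash stored here is the reference that every later handler verifies
    against before and after working on the evidence.
    """
    return {
        "evidence_id": evidence_id,
        "description": description,
        "size_bytes": len(data),
        "sha256": hash_evidence(data),
        "custody": [{"action": "acquired", "by": collector, "at": at or iso_now()}],
    }


def transfer_custody(record: dict, from_person: str, to_person: str,
                     purpose: str, at: Optional[str] = None) -> dict:
    """Append a hand-off entry. Entries are only ever appended, never edited."""
    record["custody"].append({
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "purpose": purpose,
        "at": at or iso_now(),
    })
    return record


def verify_evidence(record: dict, data: bytes) -> bool:
    """Recompute the hash and compare it with the one recorded at acquisition."""
    return hmac.compare_digest(record["sha256"], hash_evidence(data))


def custody_log_line(record: dict) -> str:
    """Serialize the record as one JSON line for an append-only custody log."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    rec = new_custody_record("EV-0001", SAMPLE_IMAGE, "analyst_a",
                             "constructed sample image")
    transfer_custody(rec, "analyst_a", "analyst_b", "malware analysis")
    print("intact:", verify_evidence(rec, SAMPLE_IMAGE))
    # A single flipped bit in a working copy must fail verification.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[10] ^= 0x01
    print("tampered:", verify_evidence(rec, bytes(tampered)))
    print(custody_log_line(rec))
```

Analysts work on verified copies and re-run `verify_evidence` against the original image whenever custody changes hands; a mismatch means the evidence can no longer be relied on, whatever the analysis found.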
With the scope of responsibility for many Security Operations teams now growing to include any mobile device on their network, transient “container” systems running in off-premise “clouds” (that is, someone else’s datacenters), and even ICS/SCADA and IoT systems and devices, the challenge of digital forensics is growing exponentially.
The range of capabilities in this area is quite broad, including network forensics, computer forensics, mobile device forensics, database forensics, forensic data analysis, malware analysis (reverse engineering), tradecraft analysis, and so on. Note that many of these forensic capabilities rely upon the instrumentation/sensor capabilities and security controls already deployed across the organization: an investigation can only reconstruct what was actually captured.
Because of the demand here for analysts with very specialized experience, and the range of forensic analysis capabilities involved, most small-to-medium size Security Operations teams choose to outsource this activity to companies that specialize in it, something we strongly recommend.
Organizations that opt to perform some level of forensic analysis internally should plan to dedicate significant resources in both technology and the certified personnel to use it, and should plan to incrementally evolve their in-house team and capabilities over time.