CHAPTER 3
Technology Considerations in Cyber Breach Investigations
Technology is an essential part of every incident investigation. Depending on the nature of the investigation, incident responders may need to acquire forensic evidence in a defensible way, analyze event logs from a cloud-based service, or enumerate systems for evidence of malware execution.
In all of those cases, it is useful to understand the technologies that incident response teams leverage. Incident investigations can get complex very quickly as analysts uncover evidence of compromise and determine the attacker footprint in the compromised environment.
Given how critical logs and other historical artifacts are to investigations, enterprises need to enact data retention policies and ensure that systems and software applications generate event logs and other data that incident responders can rely on during investigations. Furthermore, incident response teams need to build a toolkit of the tools required to acquire and analyze that data efficiently.
This chapter discusses common technology considerations in incident response, from the perspective of both incident responders and cybersecurity managers.
Sourcing Technology
Incident response teams have numerous commercial and open source tools at their disposal to acquire and preserve forensic data, perform analysis, and gather cyber threat intelligence (CTI), among other tasks. It is also common for incident response teams to develop ...
Get Cyber Breach Response That Actually Works now with the O’Reilly learning platform.