For Brad Rounding, director of the U.S. Department of Agriculture Security Operations Center (ASOC), managing the risks associated with cyberthreats and vulnerabilities is a top priority every day.
The experience and focused efforts of his team of IT professionals are the keys to success in this regard, he says. But also critical is a relatively new set of tools they’re using to refine their security posture all the time.
With these forensic tools, Rounding says, “we can capture data on an endpoint or on the network after an incident takes place, and then we can take that information and use it to figure out exactly what went wrong.
“Did the user open an email they shouldn’t have? Did they click on a phishing link and pull down malware that way? Whatever we find, we can use it to make changes that will hopefully prevent similar incidents in the future.”
The ASOC has developed several forensic solutions in-house, Rounding says, but the agency also relies on a selection of commercial tools that includes EnCase Forensic Software from OpenText and Forensic Toolkit (or FTK) from AccessData.
“Forensics,” Rounding says, “helps us get progressively better. It’s not just about detecting an infection or seeing what it’s doing on our system. It’s really about telling us how that infection occurred — the story of where it came from and how it got to where it is.”
Forensic Cybersecurity Tools Have Evolved to Fit New Needs
The USDA isn’t the only federal organization relying on forensic tools to bolster network security. The U.S. Coast Guard, for example, has used a real-time file-monitoring solution from Tripwire that not only alerts it to changes that may indicate a breach but also collects and delivers relevant forensic data that may help support incident response.
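The file-monitoring approach described above rests on a baseline-and-compare check: snapshot each file's content hash and metadata, then diff a later snapshot against it. The following is an added illustration, not code from Tripwire or any agency named here; the directory tree and file names it creates are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Record what a monitor keeps per file: content hash plus stat metadata (evidence)."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": st.st_mtime}

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by its path relative to root."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline. The content hash, not mtime, decides 'modified'."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in both
                           if baseline[k]["sha256"] != current[k]["sha256"]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        hosts = root / "etc" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)
        # Edit hosts but put its old mtime back: a timestamp-only check would miss this,
        # the hash comparison does not.
        old_mtime = hosts.stat().st_mtime
        hosts.write_text("127.0.0.1 localhost\n192.0.2.10 mirror.example\n")
        os.utime(hosts, (old_mtime, old_mtime))
        (root / "etc" / "motd").unlink()              # a deleted file
        (root / "etc" / "new.conf").write_text("x=1\n")  # an added file
        return compare(baseline, build_baseline(root))
```

The report from `compare()` is the starting point for the incident timeline: the baseline fingerprints preserve what the file looked like before the change, which is the forensic data a monitor hands to responders.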
And both the Navy and the Centers for Disease Control and Prevention have turned to SolarWinds’ Network Performance Monitor, which allows them to conduct regular forensic analyses of their respective networks.
Most of these agencies have deemed forensic IT tools essential to their security kits for years, says Keatron Evans, lead technical cybersecurity instructor at Infosec. The main difference now is how those tools are evolving to suit the changing needs of a typical large enterprise.
Traditionally, notes Evans, digital forensics had to do with hard drives — retrieving data from people’s computers. But most big organizations today have transitioned to storing computer data in the cloud.
“Now,” Evans says, “we don’t have a physical hard drive we can access, because it’s basically a memory bank sitting in a data center.”
Today’s cutting-edge investigative IT solutions, he adds, tend to focus on network and memory forensics as a result. “We’re still seeing some hard-drive forensics, but the cloud is getting most of the attention right now.”
Army Takes a Proactive Approach to IT Security
The Army’s Criminal Investigation Command currently relies on nearly 20 forensic tools, including FTK and EnCase Forensic Software.
EnCase is a favorite of law enforcement agencies, which deploy it to uncover digital evidence that can be used in court. FTK is also popular in that sector, valued for its simple interface and rapid processing speeds.
Both solutions include time-saving features such as automated data filtering and searching, and both allow anyone conducting a forensic analysis to access and analyze deleted or modified files.
The IT team at the Army Cyber Command uses many of the same solutions to shore up the Army’s computer systems, says Charlie Stadtlander, the command’s communications director.
“Forensics for us involves things like log data analysis to identify what happened in a given incident and get to its root cause,” he says.
The military’s networks “are constantly under attack,” he says, and forensic tools are an important component of the Army’s strategy for dealing with those attacks.
“We’re not going to take a passive approach to a threat; we won’t treat it like the weather and just hope it goes away.”
Rather, Stadtlander says, with forensics in their security toolbox, “we’re going to work to determine attribution — and then we’re going to do what we can do to improve.”
The tools, however, “are only as good as the people who are using them,” says Rounding.
His recommendation: At least half of any investment an organization makes in forensics should go toward improving the skills of its IT team.
“They need to be trained to know what they’re looking at — like, what’s normal on an endpoint?” he says. “If you don’t know what normal is for your system, you can do forensics all day long and it’s not going to get you anywhere.”