Since the 1970s, security firms and law enforcement agencies have relied on a niche investigative discipline, digital forensics, to track down and recover stolen data from computer systems and to identify bad actors.
In the early days, digital forensics was fairly straightforward: investigators could copy a physical hard drive to recover data. They used criminals’ digital fingerprints to apprehend and prosecute them.
The practice has expanded greatly today, along with the complexity of computing and an explosion of cybercrime. The annual global market for forensics software and services is projected to grow from $3.4 billion in 2018 to $5.9 billion by 2024, according to Mordor Intelligence.
How should CISOs today deploy forensics technology and expertise to stop costly data breaches before they happen? Workflow sat down with digital security expert Andrew Morrison, a principal with Deloitte’s Cyber Risk Services, to understand how these tactics fit into overall security strategy.
How does digital forensics fit into modern cybersecurity?
It’s an integral part of any cybersecurity strategy. Historically, digital forensics grew up outside of cyber. Companies used it for fraud investigations or legal discovery—duplicating evidence, preserving it in a clean state, then analyzing it and producing a report.
Now it’s being used in incident response strategy. Although it’s important to preserve evidence and make sure you’re doing things right, now you can use next-generation forensics tools to restore business operations as quickly as possible. The prosecution of a cyber event is secondary to that.
What are some of its new capabilities?
Today we’re reinventing the wheel a little bit. We’re collapsing the forensics mindset into the analytics mindset, and taking it beyond alert optimization. With alert optimization, companies look at the matrix of known threat risks, looking at existing data, developing models to analyze the threat and reporting back on what you found. That’s been happening a long time.
What’s new is shifting that matrix into unknown vectors and unknown risks. With digital forensics tools around behavior analysis, CISOs can try to do forensics in real time rather than against static data, giving you the ability to react faster to threats that are moving faster than you can consume huge quantities of data.
So it’s shifting from an investigative to a preventive methodology?
Yes. The concept of forensics as prevention is “cyber hunting.” Cyber hunting is the application of digital forensics to identify a compromise that has not yet detonated. Let’s say someone is in your network doing something, but they haven’t yet had an end result. Forensics can help reduce what we call the “dwell time” of a vulnerability.
Once a threat has gotten through your firewall, you have a very limited window to act before it becomes a breach or something nefarious. Where most enterprises see a lot of the value in this space is capturing an adversary before damage has occurred, but after their protective measures have failed.
Does it make more sense to use third-party vendors for digital forensics, or build resources in-house?
You’ll probably need both. You’ll need an in-house team that is doing continuous forensics, investigation, and analysis. But you also need a highly specialized skill set for deeper investigations.
In the wake of an incident, companies need a team of cyber hunters that just don’t exist in the market in great quantity. It’s difficult to keep them on staff, and their real worth is in the wake of an incident, to very quickly use forensics to determine the scale and severity of the damage.
According to Accenture, 69% of security professionals face insider security threats. How can forensics help companies deal with that challenge?
Forensics can look at your entire population of employees and contractors and do predictive risk scoring about who is most likely to become an insider threat.
It’s interesting how deep that can go, with people who are job-seeking, people who are demanding pay increases, people who are disgruntled or underperforming. You can add layers of monitoring using forensic tools to better scrutinize their activity. There’s an entire discipline around that, but forensics is probably the most useful tool companies have to stave off insider threats.