Incident Response – Differences in Approach

One of the security services that Triaxiom Security offers is Incident Response assistance. We help an organization determine whether a breach has occurred, how far it extends, whether any sensitive data was exfiltrated, and what the initial point of compromise was. The scenarios that lead up to a full incident investigation vary wildly. Similarly, the questions an organization wants answered and the approach it wants taken in the investigation vary as well. Today we're going to look at the key differences in the approaches we can take during an Incident Response, focusing on Legal Forensics vs. General Incident Analysis.

Legal Forensics vs. General Incident Analysis

Far and away, the most common approach we are asked to take in an investigation is a General Incident Analysis. This means that our client really just wants answers and wants to figure out how to stop this from happening again. With this approach, we use everything at our disposal to answer those critical questions; the activities range from malware reverse engineering to employee interviews to log reviews, whatever produces the evidence to support a particular conclusion. While this process is by no means fast, it can be more straightforward than the alternative, and less time spent equates to a smaller cost to your organization.

Alternatively, some cases may require an organization to undergo a full legal investigation that includes the retention of forensic evidence to support legal proceedings. We refer to this approach as full legal forensics. It involves maintaining a chain of custody for evidence, more detailed logging of the investigation timeline and of each action taken, and the use of special tools (e.g. write-blockers) to avoid altering evidence during the investigation. In practice this also means working from hashed, verified copies of disks and logs rather than the original systems, so that every later finding can be tied back to an unaltered source. Most of the time, the chances of legal action following a security incident are fairly slim. But if the event resulted from an insider threat or a known entity, the extra cost and time may well be worth it for solid evidence that can be entered into a court of law.
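As an added illustration of what the chain-of-custody and action-logging requirements above look like in practice (this is example code written for this post, not Triaxiom Security's tooling or process), the following Python sketch keeps an append-only custody ledger: it records a reference SHA-256 hash at acquisition, notes whether a write-blocker was in place, logs every hand-off between analysts, and re-hashes the image before each analysis step so that an altered copy is caught and recorded rather than silently used. The case ID, analyst names and the bytes standing in for a disk image are all made up.

```python
# Added illustrative example: a minimal chain-of-custody ledger for forensic
# evidence. Hypothetical helper code, not Triaxiom Security's tooling.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Reference hash of an evidence image; recomputed at every later handling step."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only record of who handled which evidence item, when, and what they did."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items = {}    # item_id -> acquisition record (reference hash, source, size)
        self.entries = []  # ordered custody log; entries are appended, never edited

    def _now(self, when):
        return (when or datetime.now(timezone.utc)).isoformat()

    def _log(self, item_id, handler, action, note, when=None):
        self.entries.append({
            "seq": len(self.entries) + 1,
            "time": self._now(when),
            "case": self.case_id,
            "item": item_id,
            "handler": handler,
            "action": action,
            "note": note,
        })

    def acquire(self, item_id, image: bytes, handler, source, write_blocked: bool, when=None) -> str:
        """Record the acquisition of an image and its reference hash.

        write_blocked documents whether a write-blocker was in place; an acquisition
        made without one is flagged in the log rather than silently accepted."""
        digest = sha256_hex(image)
        self.items[item_id] = {"sha256": digest, "source": source, "size": len(image)}
        note = ("write-blocker in use" if write_blocked
                else "WARNING: no write-blocker, source may have been altered")
        self._log(item_id, handler, "acquired", note, when)
        return digest

    def transfer(self, item_id, from_handler, to_handler, when=None):
        """Hand-off between analysts: both sides of the transfer go in the log."""
        self._log(item_id, from_handler, "released", f"to {to_handler}", when)
        self._log(item_id, to_handler, "received", f"from {from_handler}", when)

    def verify(self, item_id, image: bytes, handler, when=None) -> bool:
        """Re-hash the image before analysis; a mismatch is logged, not hidden."""
        digest = sha256_hex(image)
        ok = digest == self.items[item_id]["sha256"]
        self._log(item_id, handler, "verified" if ok else "HASH MISMATCH", digest, when)
        return ok

    def export(self) -> str:
        """Serialize the ledger for the case file."""
        return json.dumps({"case": self.case_id, "items": self.items, "log": self.entries}, indent=2)


def demo() -> CustodyLedger:
    """Constructed walk-through; a few repeated bytes stand in for a disk image."""
    fake_image = b"MBR\x00" * 128  # constructed sample, not real disk data
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # fixed timestamp for reproducibility
    ledger = CustodyLedger("IR-2024-0001")  # made-up case ID
    ledger.acquire("HD-01", fake_image, "analyst_a", "laptop SN X1", write_blocked=True, when=t)
    ledger.transfer("HD-01", "analyst_a", "analyst_b", when=t)
    ledger.verify("HD-01", fake_image, "analyst_b", when=t)
    # An altered copy: the verification step must fail and the failure must be logged.
    ledger.verify("HD-01", fake_image[:-1] + b"\x01", "analyst_b", when=t)
    return ledger


if __name__ == "__main__":
    print(demo().export())
```

The point of the design is that nothing is ever removed from the log: a failed hash check is as much a part of the evidentiary record as a successful one, and an acquisition made without a write-blocker is recorded as such so that opposing counsel learns it from your documentation rather than from cross-examination.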

Ultimately, it's helpful to know that you have two paths to choose from when embarking on the response to a security incident, and it's a business decision which path to head down and what resources are available to support it. In some cases, legal forensics may not even be possible: if your IT team tried to "clean up" after an incident themselves, or if you don't have some kind of log aggregation that collects and stores logs for a long enough period, the evidence may already be gone. Because that option can be closed off within the first hours of an incident, the safest first step is to preserve affected systems (image them, hash the images, isolate rather than rebuild) before remediating; you can always decide later not to use that evidence, but you can't recreate it. At any rate, we're always here to help walk you through the possibilities during a response scenario so that you can get some peace of mind without spending excessively to get there.