The field of digital forensics has matured rapidly in the past two decades and has even given rise to special disciplines in which professionals apply the principles and skills of digital forensics for various purposes. A critical illustration of this is Digital Forensics and Incident Response (DFIR), which applies forensics to cybersecurity incidents such as a data breach or a malware attack.
Cybersecurity threats continue to grow in sophistication and the costs of these incidents are more substantial than ever. Consider these sobering statistics:
- Security breaches have increased by 11% since 2018 and 67% since 2014.
- Hackers attack every 39 seconds; on average 2,244 times a day.
- The average time to identify a breach in 2019 was 206 days.
- The average lifecycle of a breach is now 314 days, from breach to containment.
And while dealing with data breaches is a serious challenge for private industry, it is especially problematic for the public sector, which often lacks the resources to mount an adequate defense against attacks and to conduct effective DFIR investigations afterwards.
One example is ransomware. “Ransomware is a textbook case of extortion and it’s happening more and more frequently to local governments,” reports Governing Magazine in October 2019. “This isn’t happening by mistake—attackers are actively targeting governments because they may not have the cybersecurity protections in place due to outdated solutions or budgetary constraints.” These bold attacks are becoming increasingly costly to government agencies. A 2019 study by Coveware found that the average ransomware payment from a government rose to $338,700, compared to $36,295 for private-sector victims.
Other examples include malware attacks and theft of government records that can be monetized by crime rings in both the U.S. and abroad. Even cybersecurity attacks that do not escalate to the point of extortion, such as the December 2019 hack into the information systems for the City of New Orleans, can paralyze an entire municipal government.
Based on our conversations with digital forensics professionals who work in the public sector, here are five DFIR trends to watch out for in 2020:
1. Use of advanced tech by bad actors
Cybercriminals are growing more sophisticated in their use of technologies that allow them to hide their conduct better than ever. Malware is increasingly introduced through remote sessions and other remote-access techniques that turn individual workers into unwitting participants in intrusions that wreak havoc on government networks. Public sector DFIR professionals are preparing for the nefarious use of technologies in 2020 that we can’t even imagine yet.
2. Growth of mobile device capabilities
Mobile devices can now perform virtually any computing task that a laptop—or even a desktop—computer can execute. This means that cybercrime teams no longer need a secluded “war room” from which to plan and carry out their attempted breaches with the aid of large servers and networks. Any bad actor can launch a cyberattack with the phone in their pocket, an ominous trend that experts in the field expect to accelerate in the year ahead.
3. Targeting of data in the cloud
All sorts of personal data are now stored in the cloud, from personal financial information and confidential legal documents to protected medical records and private government communications. A 2019 report from Skybox Security found that data security threats to prominent cloud service providers are rising, but so far the number of successful attacks has been extremely limited. DFIR professionals in the public sector anticipate that cloud storage will become an even more intense battleground in 2020 between cyber criminals and law enforcement agencies.
4. More collaboration between investigators
DFIR workflows tend to be quite different in the public and private sectors, a result of unequal levels of available resources and very different budget allocation timeframes. However, our customers in both environments are dealing with similar cybersecurity threats and DFIR challenges. The experts we spoke to predicted that the industry will see more collaboration next year between digital forensics professionals working for government agencies and corporations, as they try to help each other deal with a series of common challenges.
5. Greater focus on incident response
Digital Forensics (DF) is well known as an important discipline for law enforcement investigations of various types, but many experts believe there is not enough attention placed on the Incident Response (IR) piece of the equation. A good IR plan helps government teams map their data perimeter in advance of a possible attack and then informs their investigation in the crucial early hours after an incident by helping them find where the breached data resides as quickly as possible. Public sector DFIR professionals believe that we will see more emphasis on IR in 2020 and beyond.
Digital forensics professionals who work in the public sector need to have access to a full range of advanced software products in their toolkits if they are going to be prepared to conduct effective DFIR investigations in 2020. AccessData has been an industry leader in developing and delivering tools that assist government agencies with post-breach digital forensics investigations and incident response.
Earlier this year, we introduced a new version of AD Enterprise, our software for managing internal forensic investigations and post-breach analysis, which included first-to-market integration with cybersecurity platforms to automate the early stages of data collection. AD Enterprise is a powerful tool for post-breach analysis, offering live data preview at the endpoint. It can be deployed in the cloud quickly and securely, which is an attractive option for many public sector clients that need a tool for post-breach analysis but lack the time and resources to spin up their own technology infrastructure when they’re in the chaos of a cyber incident. AD Enterprise can be up and running within a matter of hours.
We have extended this focus on innovation with post-breach software tools by creating the first API that helps to automate the crucial early stages of data collection and forensic capture immediately following a cyber incident. With the AccessData API, AD Enterprise can connect with any government agency’s cybersecurity software platform of choice. If the cybersecurity software detects an attack, it triggers an alert via the API that is received by AD Enterprise, which initiates a collection job within moments at a designated endpoint or affected asset. This saves precious time in the initial stages of incident response by preserving data related to the root cause of the breach, along with other critical and time-sensitive forensic evidence.
Cybersecurity threats continue to evolve in both number and sophistication, a trend that experts concede will continue in the year ahead. But access to the right information, collaboration with other professionals in the DFIR community and use of leading-edge software tools can help public sector digital forensics professionals be better prepared for attacks and accelerate their incident response efforts.