
Accountability in Cybersecurity

by Brent Kirkpatrick

Using incident response and deep forensics to encourage excellence in cybersecurity.

Encouraging excellence in cybersecurity is complicated by a dearth of ways to measure success. In particular, how do we hold weak performers accountable? How do we recognize very good cybersecurity professionals? The main tool we introduce is cross-checking the exploits discovered by incident response against those discovered by deep forensics, since together these two provide an ideal method for quality assessment.

Incident response is the high-energy process of responding to cyberattacks in progress. The goal of incident response is to remove all traces of hacking from computer and network systems. During incident response, cybersecurity teams will discover exploits that allow access via various intrusion routes. They should be able to make a list of the exploits they discover.

Digital forensics is the meticulous task of identifying the machine code of hacker exploits on compromised computers. Forensics is done carefully in a clean environment. Deep forensics is the process of trying to exhaustively discover all the exploits on a single computer. A forensics expert can make a list of exploits that they discover.

The list of exploits found by incident response teams and by digital forensics teams can be compared. If the incident response people find something that the forensics team misses, then the forensics was done too hastily, and vice versa.

There is one caveat to this comparison. Usually the incident response team selects only a subset of the hacked computers to submit for forensics analysis. This means that, taken across the whole incident, the incident response team should be responding to more exploits than the forensics team found; the list comparison itself is only meaningful for the computers that both teams examined.

The relative independence of the work done by these two teams is important. Often the incident response teams work for a different company than the digital forensics team. This means that their work can be cross-checked.

Weak performers in incident response would be ones that consistently fail to identify intrusions. Strong performers would find and stop intrusions that even the forensics people have trouble finding. Weak forensics people would be given hacked computers and be unable to find anything. Good forensics people would find traces of hacks that the incident response teams were unable to detect.
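The cross-check described above, written out as a small reconciliation script. This is an added example, not code from the article or from Intrepid Net Computing; the host names and exploit labels are constructed sample data, and the comparison is restricted to the hosts that were actually submitted for forensics, which is the caveat the article raises.

```python
from typing import Dict, Mapping, Set, List

Findings = Mapping[str, Set[str]]  # host -> set of exploit labels found on it

# Constructed sample findings (hypothetical hosts and exploit labels).
IR_FINDINGS: Dict[str, Set[str]] = {
    "host-a": {"webshell", "cron-persistence"},
    "host-b": {"credential-dumper"},
    "host-c": {"webshell"},  # handled by incident response, never sent to forensics
}
# Forensics only received a subset of the hacked computers.
FORENSICS_FINDINGS: Dict[str, Set[str]] = {
    "host-a": {"webshell", "cron-persistence", "rootkit-module"},
    "host-b": {"credential-dumper"},
}


def reconcile(ir: Findings, forensics: Findings) -> Dict[str, Dict[str, Set[str]]]:
    """Per-host cross-check of the two exploit lists.

    Only hosts that forensics examined are compared: a host that incident
    response handled alone has no second opinion to check it against.
    """
    report: Dict[str, Dict[str, Set[str]]] = {}
    for host, fx in forensics.items():
        irx = ir.get(host, set())  # submitted host with no IR findings -> empty set
        report[host] = {
            "agreed": irx & fx,
            # IR found it, forensics did not: the forensics pass was too hasty.
            "missed_by_forensics": irx - fx,
            # Forensics found it, IR did not: IR failed to identify an intrusion.
            "missed_by_ir": fx - irx,
        }
    return report


def summarize(report: Dict[str, Dict[str, Set[str]]]) -> Dict[str, int]:
    """Total the per-host buckets across every examined host."""
    totals = {"agreed": 0, "missed_by_forensics": 0, "missed_by_ir": 0}
    for host_result in report.values():
        for bucket, exploits in host_result.items():
            totals[bucket] += len(exploits)
    return totals


def assess(totals: Dict[str, int]) -> List[str]:
    """Map the totals onto the article's weak/strong performer categories."""
    verdicts: List[str] = []
    if totals["missed_by_forensics"]:
        verdicts.append("forensics: incomplete on examined hosts")
    if totals["missed_by_ir"]:
        verdicts.append("incident response: missed intrusions")
    if not verdicts:
        verdicts.append("teams agree on all examined hosts")
    return verdicts


def unsubmitted_hosts(ir: Findings, forensics: Findings) -> List[str]:
    """Hosts IR responded to but never sent for forensics.

    These are excluded from the comparison; they are also why IR, across the
    whole incident, should be responding to more exploits than forensics found.
    """
    return sorted(set(ir) - set(forensics))


if __name__ == "__main__":
    rep = reconcile(IR_FINDINGS, FORENSICS_FINDINGS)
    tot = summarize(rep)
    for host, buckets in rep.items():
        print(host, {k: sorted(v) for k, v in buckets.items()})
    print(tot)
    print(assess(tot))
    print("not compared (never submitted):", unsubmitted_hosts(IR_FINDINGS, FORENSICS_FINDINGS))
```

Because the two teams usually work for different companies, feeding each team's list into `reconcile` independently, rather than letting either team see the other's list first, is what keeps the check meaningful.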

© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.