
Rapid Response to Breach, Part 6

by Brent Kirkpatrick

(Date Published: .)

Investigate with precision.

Recovering evidence is most properly done last. The chain of custody must be preserved by preventing hacking of the evidence before a legal case can be constructed. The technical steps taken to contain the hacking are response, not investigation.

Responding to a breach requires blocking the intrusion routes. While this is a technical step, it is done with haste, with little documentation, and often imprecisely. It may sometimes seem as if this technical response is an investigation, but it is not.

A proper investigation uses secured computers. The chain of custody must be well documented and the evidence unhacked during the investigation. If the evidence is hacked, the hackers could plant false evidence. Therefore the chain of custody must be established during breach response, before any investigation begins.

Often no investigation is done, because it is cost-prohibitive to find the trace evidence that reveals the hackers' identities. Investigation uses digital forensics to rigorously establish the facts. Log files are examined only after they have been secured. Rarely, foreign machine code is isolated and examined; this step is uncommon because of the expense and technical skill involved.
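The two requirements above, that logs are secured before they are examined and that the chain of custody is documented well enough to show nobody altered the evidence, can be met with a simple hash manifest taken at collection time. The following is an added illustration, not tooling from the author or from Intrepid Net Computing; the case id, analyst name and log lines are constructed, and the script assumes a single evidence directory on local disk.

```python
"""Chain-of-custody manifest for collected evidence (added example).

At collection time every evidence file is hashed with SHA-256 and a custody
entry records who collected it and when. Before examination the manifest is
re-checked: any file whose hash differs, or that has gone missing, is reported
so the examiner knows the evidence was altered after collection.
Case id, analyst name and log contents below are constructed for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(evidence_dir, collector, case_id):
    """Record a hash, size and custody entry for every file under evidence_dir."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    return {
        "case_id": case_id,
        "custody": [{"action": "collected", "by": collector,
                     "at": datetime.now(timezone.utc).isoformat()}],
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file and return (path, problem) pairs for files
    that are missing or whose contents changed. An empty list means intact."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "modified"))
    return problems


def demo():
    """Constructed walk-through: collect two logs, verify them, then show that
    a line appended after collection is detected on the next verification."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
            f.write("Jan  1 03:12:07 host sshd[4242]: Failed password for root\n")
        with open(os.path.join(evidence_dir, "web.log"), "w") as f:
            f.write('203.0.113.5 - - "GET /admin HTTP/1.1" 403\n')
        manifest = create_manifest(evidence_dir, "analyst A", "CASE-0001")
        intact = verify_manifest(evidence_dir, manifest)
        # A line written to the log after collection must show up as a change.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
            f.write("Jan  1 03:13:00 host sshd[4242]: Accepted password for root\n")
        tampered = verify_manifest(evidence_dir, manifest)
        return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("after collection:", before)
    print("after alteration:", after)
```

Two caveats a practitioner should keep in mind. The manifest only proves that the evidence has not changed since the hashes were taken, so the hashes must be computed as early as possible in the response and the manifest kept somewhere the intruders cannot reach (write-once media, or a separate system, with the manifest's own hash recorded in the case notes). And a matching hash says nothing about what happened before collection; evidence that was already altered by the time it was secured will verify cleanly, which is exactly why the chain of custody has to start during breach response and not after it.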

defendIT. AI-driven security measures derived from security incident data.

© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.