Developing an IR Team and Forensic Lab

Incident Coordinator Pressing INCIDENT RESPONSE

Computer hacking is growing in popularity among criminals who find themselves at the pinnacle of technological innovation. They are adept at finding new and inventive ways of breaking into computer networks and are growing bolder with each new brazen attempt. As a result, it has become more critical now than ever before for organizations to take a more proactive approach to defending their networks.

Network breaches are a systemic issue and are so bad in fact that now a new way of thinking has become prominent among most fortune 500 companies. According to Symantec’s Norton Cybersecurity Insights Report for 2016, within the last year alone, over 689 million people in 21 countries have experienced cybercrime first hand³. Additionally, cybercrime victims have collectively spent over $126 billion since the year before and 19.7 hours dealing with cybercrime³. Suffice it to say, organizations cannot afford to turn a blind eye by standing on the sidelines. It’s the simple matter of not if, but when an attack will occur. The time to take action is now.

As a result of the prominent growth of network data breaches, many organizations are finding value in the development of digital forensic incident response (DFIR) teams. The need for businesses to stay connected in today’s global economy is essential to their very survival and growth, thus, the need to, not only defend networks and prevent attacks, but also to effectively handle attacks after they have occurred.

DFIR is generally defined as “the use of scientific technology to: collect, examine, identify, and analyze data”. The development of a DFIR team plays a critical role in investigating cybercrimes that can help piece together the, when, what, where, and how’s of cyber criminology.

With proper incident handling and response procedures in place, organizations are afforded the opportunity to improve their defenses by modifying ineffective policies and procedures. Not only does this encourage customer confidence but also reassures stock holders that the organization is fully capable to compete on the global stage responsibly and reliably.

2. Local Incident Management Team

Successful recoveries from disasters require the complete coordination of all recovery and incident management activities. During a crises, it is imperative that team members know their roles and responsibilities. Additionally, they help ensure proper channels of communication helping contribute to the recovery’s overall success. The local incident management team will require a minimum staff size of five that will provide services commensurate with the size of the organization. We propose allocating $50,000/yr. for annual security awareness training for all organizational employees.

2.1 Roles and Responsibilities

2.1.1 Incident Response Manager

Number Required: 1
Salary: $82,000/yr.

Oversees the prioritization of actions throughout the detection, analysis, and containment, stages of the incident lifecycle. The IR manager is responsible for conveying any special requirements involved with high severity incidents to the rest of the organization.

2.1.2 Security Analysts

Number required: 2
Salary: $60,000/yr.

Works under the supervision of the IR manager by providing support that is related to work performed on the affected network, which includes details of the incident such as, location, and time of attack. The two types of analysts are:

Forensic Analyst: Responsible for the acquisition of key artifacts and evidence recovery while ensuring the integrity of collected evidence in pursuit of a forensically complete investigation.
Triage Analyst: Responsible for filtering out false positives in addition to observations for potential intrusions.

2.1.3 Threat Researchers

Number required: 2
Salary: $34,000/yr.

Works in direct support of the security analysts by providing specific threat intelligence as it pertains to the incident. Responsible for scouring the Internet in an effort to acquire additional relative investigative intelligence, which could have been reported externally. Also responsible for building and maintain databases of intelligence in combination with previous incidents.

2.2 Total Local Incident Management Team Budget

$270,000 per annum

3. Forensic Lab and Costs

At the core of incident response and handling is the DFIR lab. In order to carry out a sound and secure operation, DFIR labs need to remain secured at all times. This may involved air-gapped solutions, where the lab is totally disconnected from the Internet helping maintain the integrity of the operation. We propose allocating $20,000 of the annual budget towards building and maintain the DFIR lab.

The size of the DFIR lab is determined based on its purpose as well as availability of existing facilities. At a minimum, a DFIR lab should be comparable in size to that of the network it intends to support. Below are a list of criteria needed to fulfill the basic functional requirements of a DFIR:

Administrative subnet dedicated to hosting an active directory server.
An Anti-malware enterprise server.
Administrative workstations.
Printer server and network printer.
Local Storage Area Network (SAN) for backups.
VPN Firewall router
Next generation Application Firewall
Network Intrusion Prevention system

Additionally, in order to host forensic reviews of web applications, a semi-public DMZ will be required. The semi-public DMZ would also host its on separate subnet designed to manage network traffic and any email domain server to expedite incident management and communications.

Figure 1 below is an example of a larger DFIR Network Lab.

3.1 (Figure 1) Example DFIR Network Diagram¹

1234

3.1.1 Physical Layout

The physical layout of the DFIR lab facility should take into consideration the physical security and be strategically located within the building to help defend against intrusions through walls and exterior doors. Ideally, the DFIR lab would be located centrally inside the building. This will also help ensure that the use of any wireless DFIR technologies stay secured through the protection of exterior walls.

3.1.2 Furniture

Computer desk = $999.00 X5,
Ergo desk chair = $300 X 5

3.1.3 Computers

Windows workstation/keyboard/monitor/mouse = $650 X 3
Linux workstations/keyboard/monitor/mouse = $400 X 2
Desk Phone = $85 X 5
Active Directory Server = $999 X 1
Email Server = $500 X 1
Anti-Malware Enterprise Server = $500 X 1
VPN Firewall Router = $295 X 1
Next Generation Application Firewall = $1,500 X 1
Network Intrusion Prevention system = $1,500 X1

3.1.4 Forensic Tools

Kali Linux 2016.2 = Free
Backtrack Linux 5 = Free
Caine Linux = Free
SANS Investigative Forensics Toolkit (SIFT) = Free
EnCase Forensic Software License = $999 X 1

3.1.5 Total Lab Costs

Total Lab Costs = $16,913

3.2 Lab Security

Entrance to the lab will be monitored by existing front desk security personnel using existing procedures by validating access through ID smart cards. A biometric fingerprint reader will be stationed at the front door to the lab in addition to an electronic smart card reader (Cost = $600), and 10 digit key pad (Cost = $350) for entering a 6 digit PIN before access is granted to the DFIR lab.

Evidence storage will be included in a portion of the lab. All duplicate back-ups will be encrypted prior to leaving the primary facility and transported to offsite storage.