Recently I have participated in a number of forensic and malware challenges, including the FireEye Flare-On, the GrrCON Forensic Capture the Flag and, most recently, the SANS ICS challenge. I find them a great way to keep sharp the skills from my past life as a DFIR analyst. These technical challenges are great; however, my role with ACD extends past individual incidents to managing programs and effecting change at a divisional level. This gives me a new perspective: in-depth analysis (e.g., reverse engineering or full disk forensics) is mentally rewarding for most DFIR analysts, but how does it scale for an enterprise with 20,000+ nodes and 20+ malware infections a day?

The reality is that there aren't enough skilled analysts to go around, and the organizations that do have them can't allocate enough of their time to advanced tasks such as decoding a malware sample's command and control infrastructure or extracting evidence from shadow volumes. Instead, those analysts have tight service level objectives to adhere to, other incidents to investigate and additional security-related tasks such as tool maintenance and security projects, all of which make it harder to perform any type of in-depth analysis.

The questions I kept asking myself during these challenges were: Is in-depth analysis even needed? Could my customers build this type of analysis into their workflow, and is it worth the investment? What is the return on investment for in-depth analysis? I don't have all the answers, but my unbiased opinion is that this type of analysis is still needed, while its depth and delivery have changed:

1. Companies are more likely to rely on external vendors and resources to provide in-depth analysis, and only for critical incidents or confirmed breaches.
2. Organizations are spending more time and effort using threat intelligence to confirm compromise without the need for additional analysis.
3. Technology is becoming more advanced at detecting and preventing malicious behavior without any need for additional analysis.
4. Analysts are improving their triage capabilities so they can perform quick, targeted analysis to confirm an incident and pull indicators of compromise without exceeding their SLOs.

The points above represent a shift in the roles and responsibilities of a malware or forensic analyst, and some organizations may decide they don't even need or want that level of expertise. Is in-depth analysis truly dead? I think not, as there will always be incidents where an organization can't find all of the answers by just skimming the surface.

The post The Evolution of Incident Analysis appeared first on Speaking of Security - The RSA Blog and Podcast.
