As internal Digital Forensics and Incident Response (DFIR) teams struggle to manage the volume of investigations and demanding reporting timelines, they are increasingly reliant on external forensic service providers to augment their range of capabilities, software, and bandwidth.
To manage this growing demand and volume of clients, forensic examiners need to use the right software tools at the right time so they can work efficiently and provide their clients with quick and comprehensive results.
Challenges Facing Service Providers
Working as extensions of their clients’ DFIR teams, service providers experience many of the same challenges as the internal digital forensics team, such as managing the growing volume of data in cases and accessing data on dispersed endpoints. The right toolset is instrumental in addressing the DFIR challenges of a modern remote workforce and the onslaught of cybersecurity threats.
Across the cybersecurity industry there is a skills shortage. In the IDC eBook sponsored by Magnet Forensics, 2022 State of Enterprise Digital Forensics and Incident Response (doc #CA48870522BRO, March 2022), the skills shortage was identified as one of the top five challenges facing digital forensics. Tools that reduce manual and repetitive tasks are key to optimizing service providers’ time, enabling them to work effectively and focus on the activities that require their specialized skill sets.
In addition to the challenges shared with their clients, service providers also face challenges unique to working on client networks. Internal teams often need to grant access to the affected systems or data before the investigation can get underway. When a service provider needs access to a client’s network to conduct a compromise assessment and acquire data for an investigation, it has to act quickly and effectively, which becomes difficult if it is waiting on access from other stakeholders.
The majority of investigations conducted by forensic service providers also involve legal and insurance teams, who help manage the investigation and disclosure requirements and add to the number of parties reviewing the findings. Clear, easily reviewable reports are necessary to help these stakeholders understand the root cause of an incident.
The Right Tools for the Job
IDC MarketScape recently named Magnet Forensics a leader in worldwide digital forensics in their independent report exploring the challenges forensic practitioners face and the need for solutions to address these challenges.
“Technologically, Magnet Forensics’ solutions are focused on alleviating the central pain points in today’s large-scale, complex investigations.” – IDC MarketScape: Worldwide Digital Forensics in Public Safety 2022 Vendor Assessment¹
Magnet Forensics provides a range of modern DFIR solutions that enable forensic service providers to work quickly and efficiently, overcoming common challenges so that they can provide their clients with thorough and timely results.
Triaging Endpoints to Determine Next Steps
When called in to investigate a customer’s security incident, the first hurdle is gaining access to triage the endpoints to determine the extent of the incident and collect essential data. This critical step is required to kick-off the investigation and it needs to be completed as quickly and efficiently as possible, at whatever time and location is required.
Magnet IGNITE enables rapid compromise assessment of remote endpoints, helping you quickly gather high-level details for investigations and identify where and when a full forensic analysis is required. Because IGNITE is a cloud-based SaaS solution, you can access it at any time to deploy a remote agent, identify malicious activity, and determine whether data has been exfiltrated from an endpoint.
IGNITE’s prebuilt templates for common investigations, combined with concurrent collection from multiple endpoints, provide fast insight into IOCs. Keyword searches and time filters can be applied to the collected data to provide the high-level insights needed to determine the next steps in the investigation. The triage results collected by IGNITE can be shared with stakeholders or used for further forensic analysis in AXIOM Cyber.
“With IGNITE, we conduct very quick and rapid initial triage with endpoint sweeping. Compared to traditional forensics with scripted tools, we see a 70% time-savings on data gathering and initial endpoint sweeping.”– Ted Joffs, National Incident Response Manager, Fortis by Sentinel
Full Forensic Root Cause Analysis
Once the plan of action for an investigation has been determined, there is still a large volume of data to work through to determine the root cause of the incident. This can require collecting additional data from sources related to the affected endpoints to fully understand how a breach or incident occurred.
Magnet AXIOM Cyber provides a versatile foundation for a range of investigations and enables examiners to uncover and report on the root cause of cybersecurity incidents. With AXIOM Cyber you can quickly and covertly collect data from mobile, computer, IoT, and cloud sources, including Mac, Windows, and Linux endpoints, even when they aren’t connected to a corporate network.
AXIOM Cyber’s artifacts-first approach immediately presents the evidence needed to work through a case with ease and efficiency. Time-saving features help to mitigate manual and repetitive tasks to keep teams working effectively while powerful analytics create actionable intelligence to rapidly connect the dots between the various artifacts.
“Using AXIOM Cyber’s Timeline feature, we were able to identify what happened within the malware infection. Honestly, I don’t think we would have found the details we were looking for if we were using another tool.”– DFIR Analyst, Cybersecurity Threat Analysis Center, US-Based Energy and Defense Corporation
Combined Capabilities to Respond Quickly and Thoroughly
Used independently, IGNITE and AXIOM Cyber are both valuable tools for DFIR investigations, but when combined they are a force multiplier, providing rapid insight into incidents and seamlessly transitioning those insights into deep-dive analysis.
The remote, concurrent scans and initial analysis of endpoints enabled by IGNITE allow you to quickly assess the scope of the investigation by identifying which endpoints require further deep-dive analysis. Triage results collected in IGNITE can then be exported as an MFDB file, which is ingested by AXIOM Cyber for a full forensic analysis.
“I like using Magnet IGNITE and AXIOM together, because as we start acquiring an image with IGNITE it starts processing so I can get the high-level details to pass on to my IR team but then also at the end of acquisition I can move that MFDB over to AXIOM for a lot deeper investigation.”– Mason Henson, Senior Cyber Security Forensics Examiner
The Continued Need for Outsourcing
With more incidents and investigations than internal teams can manage, service providers will continue to be an integral part of the overall DFIR landscape. In a recent survey of corporate DFIR professionals, 78% of organizations outsourced some portion of their DFIR tasks to third parties.
With the unpredictable nature of cybersecurity incidents, forensic service providers are often called on to use their specialized skill set and tools to work on high-impact investigations such as ransomware and data breach cases. To learn more about how IGNITE and AXIOM Cyber can be used in combination for these investigations, check out our blog posts outlining these investigations:
With the right solutions, service providers can collect, analyze, and report on cybersecurity incidents with speed and efficiency, helping their clients understand the root cause of an incident and building both trust and long-term relationships.
To learn more about Magnet Forensics’ solutions for Forensic Service Providers visit: https://www.magnetforensics.com/for-service-providers/ or get in touch with us to discuss the tool that fits your requirements.
¹ Source: IDC MarketScape: Worldwide Digital Forensics in Public Safety 2022 Vendor Assessment (doc #US48999722, April 2022)