Interior Page Icon


Restoring Trust in the Enterprise

the big idea

Investigating cyber incidents provides organizational assurance that an incident has been contained and that the response has identified all exploited systems, user accounts, as well as all exfiltrated data. In addition, proper forensic processes preserve evidence for use in legal venues.

Cyber Resiliency Goals & Objectives

Forensics supports the Recover goal and the Reconstitute and Understand objectives.

Design Principles

The design principles for Forensics improve the ability to determine the entire scope of an incident and the affected assets, allowing accounts, systems, data and services to be reconstituted. Forensics also provides a means to preserve the evidence of what happened during an attack in a form that is suitable for court.

What Can Be Done Now

The following resiliency techniques can help transform business processes and redesign systems to use existing technologies more effectively.

The Right People & Policies

Creating a foundation of resiliency requires specific skills and policies:

Cyber Attack Lifecycle

Using the cyber resiliency techniques, Analytic Monitoring, Coordinated Defense, Segmentation, and Substantiated Integrity, as described above, defenders can detect the adversary's attack on the enterprise and limit the damage the malware causes. The use of Analytic Monitoring with Substantiated Integrity can detect to which systems the adversary has delivered malware. When the adversary attempts to, employ mechanisms to manage the initial victims, and execute the attack plan, the Coordinated Defense, Segmentation and the Substantiated Integrity techniques impede these efforts and limit their effects.

Synergies & Barriers

Synergies among practices include Analytic Monitoring, Segmentation, and Coordinated Defense. Coordinated Defense is more effective when applying various Analytic Monitoring solutions in an organization; and Coordinated Defense and Segmentation are synergistic in their efforts to provide isolation and layers of defensive.

Barriers to adoption include:

Just Ahead

The attack surface is expanding due to the advance of embedded technology (e.g., Internet of Things, cyber-physical systems, and medical devices) and policies such as bring-your-own-device (BYOD). With more potential exploitation points and places for adversaries to hide, synergies between Analytic Monitoring and Adaptive Response and support for Dynamic Positioning should be explored. In addition deception environments (e.g. honey nets) are becoming more common and easier to deploy. They provide new ways to balance the benefits of forensics on an attack with the need to remove the adversary quickly and thoroughly.

See Key Concepts and Terms for definitions

Previous Activity Back to Menu Next Activity