The changing face of DFIR: why don't the good guys always win?

“It’s not about the if, it’s about the when.”

That saying now resonates with pretty much everybody. For years, we worked in a reactive mode. Companies were keen to ensure a blue team was on standby, ready to react almost instantly when a breach occurred. Fast forward 10 years, and the focus shifted to improving early detections, spotting any breach as early in the kill chain as possible. Today, readiness has become the key principle in any good response plan.

A key player to facilitate readiness in this ecosystem is the digital forensics and incident response (DFIR) team. DFIR teams have slowly evolved to continuously introduce new ways to enhance a company’s response capabilities to active threats alongside being ready to deliver pure responsive services to a breach. Looking at the panoramic unfolding of the offering in 2022, it has become clear that CERT team (and therefore DFIR Teams), internal or external, have increased their services focus around readiness. Service retainer proposals are now largely tailored to much-needed year-long programs to increase a company’s maturity and ability to face crisis. In other words, CERT teams now preemptively ensure processes and artifacts conservation, to name only a few, align with the requirements for them to run a comprehensive forensic or incident response investigation.

While CERT teams will always rely on DFIR specialists, the typical profile we now find on the team includes two key abilities: understanding the aspects and requirements of dealing with a compromise, and delivering an investigation plan when an attacker is still active on the breached environment. Nobody likes to see the good guys lose, so it’s only logical for our DFIR specialists to pause their high processing forensics instances and describe what they needed to improve the odds of success or better translate those past experience in assessments and exercises for the company to face real life scenario during the testing of their response plans.

In 2022, the most sought-after expertise therefore became responders with experience dealing with company-wide compromise. Less so to be dealing with a breach than it was with the ability to turn this experience into practical workshops in preparation for a potential breach. Perhaps another testament to this ongoing change of approach are the many frameworks now being drafted by notable organizations and institutions, such as SANS or CIS, to uniformize response planning.

Whether it is defining playbooks, running crisis simulations or auditing log retention policies, another marked change this year was perhaps the increased professionalism in which those services are being run and expected to be run. For example, in tabletop exercises — a critical part of readiness— we have seen more and more tools and platforms that support and ease the delivery of those exercises. With these new delivery methods on the horizon, it’s out with the dusty PowerPoint presentations, and in with SaaS adaptive platforms that enable reactive and dynamic scenarios, integrates secure communications and automated reporting.

While most of the service assessments mentioned earlier now come with the perfect SaaS solution, one of the key trends that impacted our community of responders in 2022 were the detection and response tools (D&Rs).

As boundaries between responding and monitoring functions are fading, Endpoint Detection and Response (EDR) solutions — and by extension Network Detection and Response (NDR) and eXtended Detection and Response (xDR) solutions — are an important lever in responder toolkits. This is certainly not new, since EDR solutions have been around for quite some time, but this does raise the question: What will the future of our profession rely on?

If you paid attention to a typical CERT analyst job description this year, you know that its keywords almost certainly included some flavor of an EDR solution, whereas in the past, the emphasis would have been on enterprise forensic tooling. Going down the list of required skillsets, a deep knowledge of the MITRE ATT&CK framework would come a close second as well as some mention of threat hunting capabilities. While this may not allude to the fact that digital forensic has ceased being a desired skill, it may indicate the shift we mentioned earlier to a more proactive approach when choosing or educating key stakeholders in charge of responding to breaches.

It may still be too early to predict exactly where cyber incident response will end up. Looking back at the leaps and bounds we have made in the past years, it might even be a little pretentious to guesstimate. However, it is clear that detect now goes hand-in-hand with remediating as emerging solutions make analysts’ daily work more efficient during an enterprise-wide compromise. Threat intelligence, along with an increasing openness about sharing details of compromises will continue to be key in our ability to better protect ourselves.

Whatever this year may have shown us, and in an industry more than ever lead by solution providers, it is still important to remember that regardless of the tools we may use, the quality of the solution is always determined by the people managing them… at least until we go full quantum. But that’s most likely a story for another decade.