Date: May 3, 2023
From: DFRWS Board of Directors
To: Acting Director Kemba Walden
The White House
1600 Pennsylvania Avenue, N.W.
Washington, DC 20500
Dear Acting Director Walden:
The Digital Forensics Research Conference (DFRWS.org) commends the Administration for creating the National Cybersecurity Strategy to bolster protective measures, increase operational resilience, and fuel future innovation. We stand ready to assist with knowledge generation and capability development in Digital Forensics and Incident Response (DFIR), and offer four thoughts on implementation.
1) DFIR Reinforces Cybersecurity
Updating regulations as outlined in Strategic Objective 1.1 is essential to enhance cybersecurity. It is important to emphasize that DFIR is a critical complement to successful security and resilience. When cybersecurity fails, DFIR prevails. To fix a problem, you must understand the problem. DFIR is used to investigate cyberattacks, uncover clues, and find root causes of cyber incidents, fueling continuous improvement in the defensive capabilities of the organization. Forensic findings fuel Cyber Threat Intelligence (CTI) to strengthen security of critical infrastructure and to prevent attacks targeting specific organizations or an entire industry sector. Ultimately, DFIR is instrumental in understanding adversary behavior and indicting cybercriminals. Law enforcement agencies nationally and internationally depend on information from digital forensic investigations to identify, arrest, and successfully prosecute cybercriminals. In addition to producing court-admissible evidence to apprehend perpetrators and secure prosecutions, DFIR fuels operations to disrupt and dismantle criminals and state-sponsored actors.
Despite its importance, DFIR receives insufficient attention in cybersecurity frameworks and regulations. The CISA Cybersecurity Performance Goals (CPGs) recommend having an incident response plan, but lack specifics on DFIR preparedness and capability maturity. The NIST Cybersecurity Framework (CSF), and by association the Framework for Improving Critical Infrastructure Cybersecurity, restricts DFIR to rapid containment and remediation activities, which is wrong for two reasons. Firstly, incident management is an integral part of the cybersecurity lifecycle and is a process of continuous improvement, as detailed in NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide). Secondly, quick containment and recovery raise the risk of an incomplete scope assessment, such as undetected compromised machines or domain-level administrator access, unknown attacker objectives, and alerting perpetrators that their activities have been noticed, which allows them to take evasive action and entrench themselves more stealthily. Modern cyberattacks are carefully planned and executed to make detection and recovery difficult, targeting multiple systems simultaneously to maximize impact and taking precautions to conceal traces of exploitation and compromise. Effective incident response and recovery depend on DFIR to assess the scope of an incident and inform subsequent decisions.
Given the importance of DFIR to successful security and resilience, the NIST CSF, CISA CPGs, and cybersecurity regulations should be updated with the NIST Guide to Integrating Forensic Techniques into Incident Response (SP 800-86) and the NIST Guide for Cybersecurity Event Recovery (SP 800-184).
2) DFIR: United we Stand, Divided we Fall
As noted in Strategic Objective 1.2, information sharing has made significant advances in recent years. However, adoption and implementation have been slow to enable machine-to-machine exchange of DFIR details between systems, organizations, and countries.
DFIR interoperability is needed to collaborate at the speed and scale demanded by operational collaboration models such as the Department of Energy (DOE)’s Energy Threat Analysis Center (ETAC) pilot, DoD’s Defense Industrial Base Collaborative Information Sharing Environment (DCISE), and the National Security Agency (NSA)’s Cybersecurity Collaboration Center. DFIR interoperability is also needed to strengthen and integrate the Federal Government’s operational capabilities and to improve integration of the Federal Cybersecurity Centers.
There is a pressing need for widespread adoption of standards for automatically representing and sharing DFIR information, to streamline the strengthening of cybersecurity. For example, the Cyber-investigation Analysis Standard Expression (CASE) is an open source standard under the Linux Foundation and supported by DFRWS, with hundreds of participants in industry, government, and academia around the globe. Federal agencies should set a deadline for commercial tool/system vendors to implement DFIR interoperability standards, at which point purchases and renewals will require implementation of machine-to-machine sharing of data.
3) DFIR Research and Development
Strategic Objective 4.2 focuses research, development, and demonstration (RD&D) on preventing and mitigating cybersecurity risks in existing and next generation technologies. For over two decades, DFRWS conferences have brought together international researchers, practitioners, industry, academics, law enforcement, and military to address the emerging challenges in DFIR. Many new developments in DFIR have their roots in plenary and breakout discussions at DFRWS events. The result of the inaugural DFRWS conference was the technical report “A Road Map for Digital Forensic Research” that is frequently referenced as a foundational framework for the domain. Since 2005, DFRWS has held annual international challenges to help drive the direction of research and development. These digital forensic challenges have generated novel methods and spawned a new specialization in our discipline (forensic analysis of computer memory).
In addition to the areas listed under Strategic Objective 4.2 that are already being actively explored by the DFIR RD&D community, the upcoming DFRWS USA 2023 conference will concentrate on aerospace forensics, including satellites and autonomous aerial vehicles as sources of evidence and targets of attack. Increased funding for DFIR RD&D will have a profound impact on cybersecurity, uncovering vulnerabilities that can be exploited to access protected information, exposing weaknesses that can be leveraged to circumvent security, and enabling forensic analysis of data structures to gain deeper, evidence-based insights.
4) DFIR Affordable for All (4n6 4$0)
The strategy rightly states that “When incidents occur, Federal response efforts must be coordinated and tightly integrated with private sector and State, local, Tribal, and territorial (SLTT) partners,” while acknowledging that “too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” Many organizations cannot afford commercial DFIR services, particularly state, local, Tribal, and territorial governments. To accomplish coordinated and integrated incident management, DFIR must be made affordable to these organizations.
There are a number of ways that DFIR could be made more affordable:
- Fund non-profit DFIR organizations to develop and deliver free high quality training, tools, and services to state, local, Tribal, and territorial governments.
- Cyber insurers provide DFIR support for free to their clients to motivate more effective risk management, security, and resilience.
- Managed security service providers (MSSPs) cover the cost of DFIR in their agreements, so that when they fail to prevent a breach, their DFIR services are free.
Any attempt to commoditize DFIR requires more efficient forensic analysis and incident response, leveraging automation and AI. To support these efforts, there is a growing need for more funding for applied research and development in DFIR.