Why You Need Forensics in Incident Response—and How to Do It Right

Incident response is a crucial aspect of cybersecurity, especially for midsized organizations struggling to stay ahead of cyberattacks that threaten their sensitive data and systems. 

When responding to a threat, many companies focus on quick detection and remediation. But failing to apply proper context and forensic investigation can lead to critical mistakes, leaving systems vulnerable to further attacks.

When conducted under client-attorney privilege, forensic investigations help:

• Minimize risk exposure by keeping sensitive findings confidential.

• Provide legal teams with crucial forensic evidence to assess liability and compliance obligations.

• Determine whether a breach is notifiable under regulations such as GDPR, CCPA, HIPAA, and SEC cybersecurity rules.

This is the third article in our series delving into data breach risks and how to mitigate them. In this article, we’ll explore the importance of forensic investigations and analysis in incident response, the limitations of traditional methods, and a share a better, more effective approach to incident response.

The Rush to Remediate Without Context

A common mistake during incident response is detecting a threat and immediately assuming its origin without a thorough forensic investigation. For example, your team may receive an alert indicating that remote access software was installed on a system and automatically conclude that the threat came via a phishing attack.

This assumption, while plausible, may be incorrect. A proper forensic investigation might have revealed that the compromise occurred through an unpatched vulnerability in a public-facing application—not via phishing. It would have also revealed the full attack path the hacker took to achieve their objectives.

Remediation without understanding every step of the attack path can result in:

• Persistent threats: The real entry point remains open for attackers to exploit again.

• Incomplete recovery: Additional malicious activity, such as data exfiltration, may go unnoticed.

• Regulatory and legal consequences: If an organization underestimates the breach impact, it may fail to comply with disclosure regulations, leading to fines and lawsuits.

To address these issues, organizations must adopt a forensic-first approach to incident response, using methodologies like the Cyber Kill Chain and the MITRE ATT&CK framework to understand and validate how an attack unfolded. 

Understanding the Cyber Kill Chain and the MITRE ATT&CK Matrix

Lockheed Martin developed the Cyber Kill Chain, a seven-step model that outlines the logical progression of a cyber-attack: 

1. Reconnaissance: The attacker gathers information about the target.

2. Weaponization: The attacker creates or configures malware for deployment.

3. Delivery: The malware is delivered (e.g., via phishing, drive-by downloads).

4. Exploitation: The attacker exploits a vulnerability to execute malware. 

5. Installation: The malware is installed on the compromised system. 

6. Command & Control (C2): The attacker establishes communication with the compromised system.

7. Actions on Objectives: The attacker achieves their goal, such as data theft or ransomware deployment.

Incident response teams are most often brought in at later stages of the kill chain, especially the Installation and Actions on Objectives phases. The cyber kill chain provides a valuable reference point for forensic investigation. If ransomware is installed, then the forensic analyst can logically conclude that something happened before and after the attack. 

While the kill chain provides a high-level attack progression, the MITRE ATT&CK framework breaks it down into specific techniques that adversaries use. It categorizes tactics like initial access, persistence, privilege escalation, and exfiltration, with real-world techniques observed in attacks.

By mapping detected activities to MITRE ATT&CK techniques, organizations gain precise insights into how an attacker infiltrated their systems and what actions they took.

Curious how our platform can help you apply the Cyber Kill Chain and MITRE ATT&CK?

Request a demo to see it in action.

The Role of Forensics in Incident Response: A Case Study

The diagram above shows a hypothetical event—the installation  of remote access software—and two possible ways to respond to the incident. In the first instance, the red arrow shows how a member of the security team:

• Fails to account for the steps between the event and the initial access point—in other words, they don’t apply context. Thus, they mistakenly conclude the event was due to a phishing attack. 

• Also, doesn’t use context to account for what happens after the remote access software was installed—that data was exfiltrated and encrypted, a potential data breach.

As the green arrows show, forensics takes two concurrent paths. The forensic analyst:

• Works backward, step by step, from the detected event to correctly identify the initial access point—exploiting a vulnerability in a public-facing application, not via phishing. 

• Identifies the attack aftermath. Since there was unauthorized data exposure, the incident response team can properly remediate and contain the incident. 

This approach illustrates how a forensic analyst can use the Mitre ATT&CK matrix within the context of the cyber kill chain to hypothesize how an attack occurred. 

The kill chain framework says that something happened before the software was installed and that something will occur as a result of the installation. Based on this reasoning, the analyst can use the ATT&CK matrix to determine each step the attacker took, from initial access point to final impact. 

Conducting a forensic investigation within the context of these two frameworks offers three critical benefits: 

• Uncovering the full attack chain, to accurately identify each step the attacker took to achieve their objectives, such as exfiltrating data.

•  Enabling full remediation. Rather than removing a non-existent phishing threat, the incident response team can patch the vulnerability in the external-facing application. The team could also remediate other techniques the attacker used to achieve their objectives.

• Mitigating the legal and regulatory impact of a potential breach, by properly identifying what data was accessed, and when and how it was accessed.

Best Practices for Forensics in Incident Response

If your organization is like most, you have limited cybersecurity resources, and implementing a robust incident response process may seem daunting. However, building your incident response plan on accurate and complete forensic findings can reduce your breach risk. Lowering your risk helps minimize business impact, preserve your reputation, and comply with regulatory and compliance obligations.

Here are a few best practices for midsized organizations to consider:

Develop an incident response plan ahead of time.

• Define roles and responsibilities for security, IT, and legal teams.

• Establish escalation procedures for when forensic investigation is necessary.

• Identify external forensic experts or incident response firms to engage when needed.

Train your security team to apply context to forensic investigations.

• Encourage security teams to question assumptions rather than jumping to conclusions.

• Train staff on the MITRE ATT&CK framework to recognize possible attack paths.

• Implement tabletop exercises to simulate forensic-driven incident response scenarios.

Apply holistic threat detection across your organization. 

• Use managed detection and response (MDR) software to collect and analyze data from endpoints, network, logs, identity systems, cloud, apps, and IoT devices. 

• With intelligence from your MDR solution, gain a complete, real-time view of threat activity and capture detailed forensic data.

• Support your technology with human intelligence. A security operations center staffed with analysts, threat hunters, and incident responders can conduct accurate forensic investigations to support breach determination.

Let the forensics guide your remediation.

• Conduct a forensic investigation before taking action. For example, a vulnerability scan will detect thousands of vulnerabilities in your systems. Rather than addressing them all, let forensics identify and recommend fixing the one vulnerability that the attacker used. 

• Avoid prematurely deleting compromised systems or logs. Otherwise, critical evidence may go missing, and you may have to assume a worst-case scenario. This means fixing all possible problems not only the one that actually occurred. 

Learn from incident data.

• Use forensic findings from an incident to improve security defenses proactively.

• Leverage threat intelligence reports to prioritize vulnerability patching.

• Build your security defenses based on accumulated findings from incident response casework.

Remember legal considerations. 

• Conduct forensic investigation under attorney-client privilege to protect sensitive findings. 

• Understand forensics reports may be considered factual evidence, making them subject to subpoenas.

• Maintain clear documentation of all findings and remediation actions.

• Plan how to share your findings. It’s a race against time—providing answers to the IT team before legal counsel focuses on what data was accessed or exfiltrated and thus invokes privilege over the investigation. After all, data access is what ultimately drives fines and class action risks.

  
  

Right-size your incident response.

• Use an independent forensics and incident response team, and apply privilege only for severe incidents that could be breaches.

• Have your existing security team use these forensic techniques for less-severe incidents. This ensures you accurately determine and can remediate the vulnerability the attacker exploited to gain entry into your systems.

Conclusion: Think Like a Forensic Investigator

Incident response is more than just detecting and remediating threats—it’s about understanding how and why an attack happened to prevent future incidents. Midsized organizations must move beyond surface-level analysis and adopt a forensic mindset, using methodologies like the cyber kill chain and MITRE ATT&CK framework to get to the truth.

By slowing down and applying context to what was detected before taking action, organizations can ensure that their response is accurate, comprehensive, and legally defensible—ultimately reducing their breach risks.

Experiencing a breach?

Contact us: 888-385-1720