7 Defining Business Risk Scenarios

Introduction

As the first stage, organizations must clearly understand the “who, where, what, when, why, and how” motives for investing time, money, and resources into a digital forensics readiness program. To better gain this understanding, a risk assessment is performed to identify the potential impacts on business operation from diverse types of digital crimes, disputes, incidents, and events.

This risk assessment will be used, from the business perspective, to describe where digital evidence is required and its benefit in reducing impact to business operations, such as alleviating efforts to reactively collect digital evidence. Generally, if the identified business risks and the potential benefits of a digital forensics readiness program indicate that the organization will realize a positive return on investment (ROI), then there is a need to consider proactively gathering digital evidence to mitigate the identified business risk scenarios.

What Is Business Risk?

Generally, business risk implies a level of uncertainty due to unforeseen events happening that present a threat of impact to the organization. Business risks can directly or indirectly impact an organization but collectively can be grouped as being influenced by two major types of risk contributors:

•  Internal events are those risks that take place within the boundaries of the organization and can be controlled by it, including:

•  Technology (e.g., outages, degradations)

•  Workplace health and safety (e.g., accidents, ergonomics)

•  Information/physical security (e.g., theft, data loss, fraud)

•  Staffing (e.g., human error, conflict management)

•  External events are those risks that occur outside of the organization’s control, including:

•  Natural disasters (e.g., floods, storms, drought)

•  Global events (e.g., pandemics, climate change)

•  Regulatory and government policy (e.g., taxes, restrictions)

•  Suppliers (e.g., supply chain failures, business interruptions)

Internal and external events that have the potential to create an impact depend on the type of business operations offered by an organization (e.g., financial, records management) and should not be treated as universally equivalent. Putting these risks into a business context, internal and external events can be grouped into five major types of risk classifications:

•  Strategic risk is associated with the organization’s core business functions and commonly occurs because of:

•  Business interactions where goods and services are purchased and sold, varying supply and demand, adjustments to competitive structures, and the emergence of new or innovative technologies

•  Transactions resulting in asset relocation from mergers and acquisitions, spin-offs, alliances, or joint ventures

•  Strategies for investment relations management and communicating with stakeholders who have invested in the organization

•  Financial risk is associated with the financial structure, stability, and transactions of the organization.

•  Operational risk is associated with the organization’s business, operational, and administrative procedures.

•  Legal risk is associated with the need to comply with the rules and regulations of the governing bodies.

•  Other risks are associated with indirect, non-business factors such as natural disasters and others as identified based on the individual characteristics of the organization.

Without knowing which assets are most critical, and which threats, vulnerabilities, or risks can impact them, key decision-makers cannot respond with appropriate protection strategies. As part of the overall risk management approach, a risk assessment should be completed to evaluate:

•  Vulnerabilities that exist in the environment;

•  Threats targeting organizational assets;

•  Likelihood of threats creating actual impact;

•  Severity of the impact that could be realized; and

•  Risk associated with each threat.

Addendum E, “Risk Assessment,” further discusses the overall approach and process for how organizations can complete a risk assessment.

Forensics Readiness Scenarios

Like the business risk contributors noted previously, within the context of digital forensics readiness there is also a series of direct and indirect influences that organizations must identify and develop strategies to manage, and for which digital evidence will be needed. To illustrate the business risks where digital forensics readiness can demonstrate a positive benefit, each risk scenario below is explained following the “who, where, what, when, why, and how” motives that justify investing time, money, and resources.

Scenario #1: Reduce the Impact of Cybercrime

Having technology play such an integral part of most core business functions increasingly exposes organizations to the potential impact of cybercrime and a constantly evolving threat landscape. Completing a risk assessment for this scenario first requires organizations to understand the security properties of their business functions that they need to safeguard. The list below describes the security properties that organizations must protect:

•  Confidentiality: Ensuring that objects and assets are only made available to the subjects they are intended for

•  Integrity: Validating that change to objects and assets is done following approved processes and by approved subjects

•  Availability: Guaranteeing that objects and assets are accessible when needed and that they perform at the agreed service level

•  Continuity: Ability to recover the loss of processing capabilities within an acceptable time

•  Authentication: Establishing that access to objects and assets identifies the requesting subject; or alternatively a risk acceptance is approved to permit alternate means of subject access

•  Authorization: Explicitly denying or permitting subjects access to objects and assets

•  Non-repudiation: Ensuring that a subject cannot falsely deny having performed an action, and that the action can be attributed to that subject

Reducing the impact of cybercrime should be a consideration for all security properties listed above. However, it is not enough to only consider these security properties. Further analysis needs to be done to understand exactly how individual security threats pose business risk and can potentially impact operational functions.

Using a threat modeling methodology, as discussed in Addendum F, “Threat Modeling,” allows organizations to become better equipped to identify, quantify, and address security threats that present a risk. Resulting from the threat modeling, a structured representation can be created into the ways that threat actors can go about executing attacks and how their tactics, techniques, and procedures can be used to impact an organization.

Table 7.1 Threat Category to Security Property Relationship

Threat Category          Security Property
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Non-repudiation
Information disclosure   Confidentiality
Denial of service        Availability, Continuity
Elevation of privilege   Authorization

Detailed information collected from the threat modeling exercise must now be translated into a business language that aligns with strategies for reducing the impact of cybercrime. Using a series of threat categories, individual security threats can be placed into larger groupings based on commonalities in their tactics, techniques, and procedures. As discussed in Addendum F, “Threat Modeling,” the STRIDE threat model describes the six threat categories into which individual security threats can be grouped. As illustrated in Table 7.1, each threat category can be correlated with the security property it violates, which aligns individual security threats with the focus areas for reducing the impact of cybercrime.

Scenario #2: Validate the Impact of Cybercrime or Disputes

When cybercrime occurs, organizations must be prepared to show the amount of impact the incident had on its business operations, functions, and assets. To do so requires supporting evidence to be gathered and made readily available when an incident is declared. Inadequate preparations can lead to delayed validation or insufficient results.

The total cost an incident has on an organization should not be limited to only those business operations, functions, and assets that were directly impacted. To gain a complete and accurate view of the entire cost of an incident, organizations should consider both indirect and collateral contributors as part of validating the impact of cybercrime or disputes.

Mitigating Control Logs

The constantly evolving threat landscape brings about new and/or transformed cybercrimes which must be identified and assessed to determine relevance and potential impact. Using threat tree workflows, such as the one illustrated in Addendum F, “Threat Modeling,” organizations can leverage the outputs of risk mitigation controls to validate the impact of an incident. Generally, controls can be implemented as:

•  Preventive: Stop loss, harm, or damage from occurring

•  Detective: Monitor activity to identify errors or irregularities

•  Corrective: Restore objects and information to a known good state

Depending on the type of control there will be distinct types of log files generated that contain relevant, meaningful, and valuable information for validating the impact of an incident. Regardless of whether the control was implemented as a component (e.g., host-based malware prevention) or standalone (e.g., network-based firewall), at a minimum the following log file types should be maintained:

•  Application: Records actions, as predetermined by the application, taken by secondary systems components and processes

•  Security: Records actions, as chosen by the organization, taken by non-system subjects relating to authorization and authentication activities into the system and contained objects

•  System: Records actions, as predetermined by the system, taken by system components and processes

Refer to Chapter 3, “Digital Evidence Management,” for further discussion about sources and types of log files.
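As an added illustration (not code from the original chapter), the Python script below shows how records from the three control types can be correlated to validate an incident's scope and duration: the detective control's alerts identify the affected hosts, the preventive control's records show what was stopped, and the corrective control's records bound when recovery completed. The record format and the sample log lines are constructed for this example; a host that alerts but has no corrective record is reported as unresolved, because without that record the recovery cannot be evidenced.

```python
"""Correlate preventive, detective and corrective control logs to validate
incident scope and duration.

Added example; the record format below is hypothetical and the sample lines
are constructed for this illustration. Each record is:
  <UTC timestamp> <control type> <log type> key=value ...
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample records from three controls: a detective network sensor
# (security log), a preventive host agent (application log) and a corrective
# restore/reimage job (system log). db-01 alerts but is never restored.
SAMPLE_LOGS = """\
2024-03-04T09:58:12Z detective security host=ws-17 action=alert rule=outbound-c2
2024-03-04T09:58:40Z preventive application host=ws-17 action=quarantine object=payload.exe
2024-03-04T10:03:05Z detective security host=fs-02 action=alert rule=smb-lateral
2024-03-04T10:04:11Z preventive application host=fs-02 action=block object=psexec.exe
2024-03-04T10:20:44Z detective security host=db-01 action=alert rule=smb-lateral
2024-03-04T10:45:00Z corrective system host=fs-02 action=restore object=share-data
2024-03-04T11:10:30Z corrective system host=ws-17 action=reimage object=os
2024-03-04T11:12:00Z detective security host=ws-40 action=info rule=heartbeat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<control>preventive|detective|corrective)\s+"
    r"(?P<logtype>application|security|system)\s+(?P<kv>.+)$"
)


@dataclass
class Event:
    ts: datetime
    control: str
    logtype: str
    fields: dict = field(default_factory=dict)


def parse_logs(text: str) -> list:
    """Parse records into Events sorted by time; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["control"], m["logtype"], kv))
    return sorted(events, key=lambda e: e.ts)


def summarize_incident(text: str) -> dict:
    """Bound the incident from the logs: which hosts were affected, which
    control types left a record for each, which hosts have no corrective
    record (recovery cannot be evidenced), and the window from first alert
    to last corrective action (None if no corrective record exists)."""
    events = parse_logs(text)
    alerts = [e for e in events
              if e.control == "detective" and e.fields.get("action") == "alert"]
    affected = sorted({e.fields["host"] for e in alerts})
    controls_by_host = {
        host: sorted({e.control for e in events if e.fields.get("host") == host})
        for host in affected
    }
    unresolved = [h for h in affected if "corrective" not in controls_by_host[h]]
    corrective = [e for e in events
                  if e.control == "corrective" and e.fields.get("host") in affected]
    window = None
    if alerts and corrective:
        first_alert = min(e.ts for e in alerts)
        last_fix = max(e.ts for e in corrective)
        window = int((last_fix - first_alert).total_seconds())
    return {
        "affected_hosts": affected,
        "controls_by_host": controls_by_host,
        "unresolved_hosts": unresolved,
        "window_seconds": window,
    }


if __name__ == "__main__":
    for key, value in summarize_incident(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed records the script reports ws-17 and fs-02 as detected, prevented and restored, db-01 as detected but unresolved, and a 4338-second window from the first alert to the last reimage; the heartbeat record from ws-40 is excluded because it is informational, not an alert. The same three log types are what Chapter 3 expects to be retained, which is why the impact can be reconstructed from them after the fact.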

Overhead Time and Effort

The time it takes to contain and remediate an incident depends on the amount of impact suffered. However, when an incident occurs, the costs associated with the overall business impact are commonly scoped down to the loss, harm, or damage of assets and operations. While these are essential considerations in determining the overall impact of an incident, the overhead cost of managing the incident can sometimes be overlooked as a contributor to the overall business impact.

Generally, as a best practice the overhead cost required to run the incident response program should be included in the overall cost of the incident. This requires that organizations maintain accurate time tracking to ensure that the total amount of time invested by resources assigned to the incident response process are recorded. Without tracking overhead costs, organizations cannot effectively demonstrate the resource time and effort required to manage the incident.

Indirect Business Loss

Generally, an incident requires a team of specialized resources to participate in one or more of the incident response stages. Additionally, it is not uncommon for resources to participate in the incident response process in addition to having daily functions and operations they perform.

Under these circumstances, the time and effort required for these resources to participate in the incident response process create a cascading effect where other business operations and functions are subsequently impacted by the incident. Using time tracking, the costs associated with the inability to perform normal duties should be taken into consideration as a contributor to the overall impact of the incident.

Recovery and Continuity Expenses

Following the threat tree workflows illustrated in Addendum F, “Threat Modeling,” the progression from potential threat to business impact passes through technical impact. Incidents that generate a technical impact where assets are harmed, lost, or damaged require several steps to ensure the organization’s recovery time objectives are met.

In these circumstances, the overall impact of the incident should include disaster recovery and business continuity costs. While the inclusion of these costs is different for each organization, at a minimum these costs should include:

•  The overhead time and effort to restore business operations;

•  Indirect productivity loss due to unavailable systems;

•  New hardware to replace harmed/damaged hardware (if needed); and

•  Restoration of information lost due to harmed/damaged hardware

Scenario #3: Produce Evidence to Support Organizational Disciplinary Issues

For the most part, organizations require that employees comply with their business code of conduct. The organizational goal related to having a business code of conduct is to promote a positive work environment that strengthens the confidence of employees and stakeholders alike.

By signing this document and agreeing to comply, employees are held to the organization’s expectations related to ethical behavior in the work environment, when performing operational duties, or as part of their relationship with external parties. Employees who violate the guidelines set out in the business code of conduct could be subject to appropriate disciplinary actions, and in the process, supporting digital evidence may need to be gathered and processed.

With any disciplinary actions, there is the potential that the employee could decide to escalate the matter into a legal problem. To prevent this from happening, the organization must approach the situation fairly and reasonably, using consistent procedures that, at a minimum:

•  Are in writing;

•  Are specific and clear;

•  Do not discriminate;

•  Allow the matter to be dealt with quickly;

•  Ensure gathered evidence is kept confidential;

•  Inform the employee(s) of what disciplinary actions might be taken;

•  Indicate what authority each level of management has for different disciplinary actions;

•  Inform the employee(s) of the complaints against them with supporting evidence;

•  Provide the employee(s) with an opportunity to appeal before a decision is made;

•  Allow the employee(s) to be accompanied (e.g., by human resources);

•  Ensure no employee is dismissed for a first offense, except in circumstances of gross misconduct; and

•  Require a complete investigation be performed before disciplinary action is taken.

Scenario #4: Demonstrating Compliance with Regulatory or Legal Requirements

The need for regulatory or legal compliance can be business-centric depending on several factors, such as the industry the organization operates within (e.g., financial) or the countries where business operations are conducted (e.g., United States, India, Great Britain). Laws and regulations can also be enforced by different entities having different requirements for managing compliance and non-compliance, such as:

•  Self-policed by a community (i.e., “peer regulation”);

•  Unilaterally by those in power (i.e., “fiat regulation”); or

•  Delegated to an independent third-party authority (i.e., “statutory regulation”).

The importance of how these governing laws and regulations directly influence the way organizations operate must be clearly understood. Despite the grumblings of ensuring business operations follow the “red tape” of regulations, they are generally necessary to provide evidence of controls and show due care in circumstances where there is potential for negligence. While the types of regulations listed below may not be complete, the list provides an understanding of the categories that can be applicable to organizations:

•  Economic regulations are a form of government regulation that adjusts prices and conditions of the economy (e.g., professional licenses to conduct business, telephony service fees).

•  Social regulations are a form of government regulation that protects the interests of the public from economic activity such as health and the environment (e.g., accidental release of chemicals into air/water).

•  Arbitrary regulations mandate the use of one out of several equally valid options (e.g., driving on the left/right side of the road).

•  Good faith regulations establish a baseline of behavior for an area (e.g., restaurant health checks).

•  Good conflict regulations recognize an inherent conflict between two goals and take control for the greater good (e.g., wearing seatbelts in vehicles).

•  Process regulations dictate explicitly how tasks are to be completed (e.g., call centre scripts).

Scenario #5: Effectively Manage the Release of Court-Ordered Data

No matter how diligent an organization is, there are times when a dispute will end up before a court of law. When this happens, the organization must be able to quickly produce credible evidence that supports their case and will not be called into question during legal proceedings.

For the most part, all organizations have common types of electronically stored information (ESI) that are considered discoverable as digital evidence, such as email messages. However, the likelihood that the courts will require discovery of different ESI will vary depending on the nature of the dispute and the business performed by the organization.

With adequate preparation, routine follow-ups, and a thorough understanding of what is considered reasonable in a court of law, organizations can effectively manage this risk. The most critical aspect of managing this risk to the court’s expectations is to be diligent with validating and verifying the integrity of ESI and avoid any interaction or activity that will be viewed as practicing bad faith.

As discussed in Chapter 10, “Establishing Legal Admissibility,” Federal Rule of Evidence 803(6) treats ESI as admissible when it constitutes a “record of a regularly conducted activity,” that is, a business record of an act, event, condition, opinion, or diagnosis. Meeting this rule requires organizations to implement a series of safeguards, precautions, and controls so that ESI can be authenticated to its original source and shown not to have been altered since it was captured.
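The integrity validation called for above is, in practice, a manifest of cryptographic hashes taken when the ESI is preserved and re-checked before production. The Python script below is an added example, not code from the original chapter: it hashes each item with SHA-256, authenticates the manifest itself with an HMAC under a custodian key so that the manifest cannot be silently edited to match altered evidence, and on verification reports each item as ok, modified, missing, or unexpected. The ESI items and the custodian key are constructed for the illustration; real use would hash files on disk and keep the key with the evidence custodian rather than beside the evidence.

```python
"""Build and verify an integrity manifest for electronically stored
information (ESI) so that modified, missing or added items, and tampering
with the manifest itself, are detected before production.

Added example; the items and custodian key below are constructed for the
illustration.
"""
import hashlib
import hmac
import json

# Constructed ESI items (path -> content) and a constructed custodian key.
SAMPLE_ESI = {
    "mail/2024-02-01.eml": b"From: a@example.test\r\nSubject: terms\r\n\r\nAgreed.\r\n",
    "contracts/msa-v3.pdf": b"%PDF-1.4 constructed placeholder content\n",
}
CUSTODIAN_KEY = b"constructed-custodian-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the HMAC is stable regardless of dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items: dict, key: bytes) -> dict:
    """Hash every item and authenticate the entry list with an HMAC tag."""
    entries = {name: sha256_hex(data) for name, data in items.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(manifest: dict, items: dict, key: bytes) -> dict:
    """Return whether the manifest is intact and a per-item status:
    ok | modified | missing | unexpected."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        # A manifest that fails its own check cannot vouch for anything.
        return {"manifest_intact": False, "items": {}}
    status = {}
    for name, digest in manifest["entries"].items():
        if name not in items:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(items[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in items:
        if name not in manifest["entries"]:
            status[name] = "unexpected"
    return {"manifest_intact": True, "items": status}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ESI, CUSTODIAN_KEY)
    print(json.dumps(verify_manifest(manifest, SAMPLE_ESI, CUSTODIAN_KEY), indent=2))
```

The HMAC over the canonical manifest is what distinguishes this from a bare hash list: an adversary who can alter a preserved item can usually also alter a plaintext list of hashes sitting next to it, and a court challenge will ask exactly that. Rejecting the whole manifest when its tag fails, rather than trusting the entries that still match, is deliberate; a partially trusted manifest is the kind of bad-faith signal the section warns against.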

Scenario #6: Support Contractual and Commercial Agreements

Depending on the nature of business performed, organizations can face disagreements that extend beyond disputes involving internal staff. These disputes can involve external entities such as business partners, competitors, shareholders, suppliers, or customers, and can result in actions ranging from breach of contract terms and improper termination of contracts to large-scale class action lawsuits.

The majority of the interactions involved with contractual and commercial agreements can take place electronically. With these interactions being largely electronic, organizations must ensure they capture and electronically preserve critical metadata about the agreements, such as details about the terms and conditions or the date the agreement was co-signed. Having this information available when needed can be extremely useful when it comes to preventing any type of loss (e.g., financial, productivity) or when using arbitration as an alternative resolution path.

ESI needed to support contractual and commercial disputes may require detailed documentary evidence that thoroughly describes the relationship between the organization and the external entities. To ensure information regarding contractual and commercial agreements is accurately captured, a contract management system can be used to standardize and preserve the metadata needed to provide sufficient grounds for supporting a dispute.

Scenario Assessment

Of the six forensics readiness scenarios discussed previously, not all are relevant to every organization. To determine which scenarios are applicable to a particular organization requires that an assessment of each scenario be completed.

Determination of whether a scenario applies to an organization requires that both a qualitative and quantitative assessment, discussed further in Addendum E, “Risk Assessment,” be performed to ensure that a thorough understanding of the potential risks is achieved. Following the completion of these assessments, organizations will have a complete picture of all potential risks which can then be used to perform a cost-benefit analysis, discussed further in Addendum C, “Cost-Benefit Analysis,” to determine the likely benefits of being able to use digital evidence.

Generally, if a risk exists in any scenario, and it has been identified that there is a return on investment for forensics readiness, then consideration of what evidence sources need to be gathered should occur.

Summary

Defining the business risk scenarios that are the primary driver for establishing proactive investigative capabilities is the most critical aspect of practicing digital forensics readiness. Although each business risk scenario contains a series of unique use cases and requirements for proactively gathering digital evidence, there remains a degree of commonality in the justifications for why these data sources need to be readily available.
