Skip to main content

Measuring Forensic Readiness

· 2 min read
Jan Starke
Jan Starke
Senior Forensic Analyst

Most of our customers need help in optimizing their infrastructure security. What does that mean? You want to

  • minimize your attack surface
  • prevent any successful attacks to (publicly) available services
  • limit the impact of successful attacks
  • be able to recover after a successful attack
  • know what actually happened

This last point, knowing what actually happened, can be achieved through various approaches:

  • You could do logging of all significant events
  • You could use a SIEM component to collect, correlate and evaluate all logging events and, if you want to, netflow data
  • You can do forensic analysis of your hard drives, log files, etc.

Forensic Readiness first seemed to us as the situation in which you are able to do forensics. But this is not precise enough. In fact, we can determine multiple levels of forensic readiness, in which you are able to answer the following questions:

  1. Did anything happen at all?
  2. What have been the symptoms of the incident?
  3. When did the symptoms first arise?
  4. Which systems are affected?
  5. What exactly happened to the affected systems?
  6. At which day and time did the attack start?
  7. Which other machines are compromised as well?
  8. From which machines did the attack originate?
  9. Which user account was used to initially run the attack?
  10. Which persons are able to use the user account that ran the attack

The more questions you was able to answer (in order) in the case an incident occurs, the more "forensic ready" are you.