When Protection Fails, Forensics can still win the game

November 3rd, 2019

The business is being disrupted by artificial intelligence (AI), security orchestration, and the Internet of Things. Many analysts also foresee an environment where computers and IoT devices replace robots for employees. Nevertheless, most futurists believe that technology will only grow to a virtual assistant’s level. Tasks will be split between artificial intelligence and human intelligence, they believe. Forensics, the Cybersecurity backbone, is a perfect example of this.

Here are some explanations why Digital Forensics and Incident Response (DFIR) in this universe of intelligent devices and software will gain traction.

The False Positive alerts the AI generates:

Artificial intelligence is improving the detection of threats. Yet AI has its downsides that keep responders busy. Many AI approaches are closer to human intelligence because they think statistically. The risk here is the biases that are present in the training data that model the AI. According to data scientists working with major vendors, the misfiring rates are still close to 20%. Filtering, signature detection and alarm suppressing are often mixed to relieve the user’s burden. That’s why the next Anti Viruses are still included with investigative capabilities allowing humans to vet their conclusion.

Forensic Skills and deep knowledge of practitioners.

Due to lack of profound knowledge in today’s practitioners, they work on mostly Tier 1 issues like light triaging, log file examination, monitoring etc. They hardly hack into forensic artifacts or do reverse engineering during an issue.

Most would accept that companies are hardly reaching into the forensic toolbox and that there are still not enough attention given to critical alerts. But the new Security Orchestration Automation and Response (SOAR) products automate incident response and the usage of forensic tools through playbooks. This could reduce the size of incident response teams but multiply the forensic force.

The biggest security hole is your user

The traditional computing is transitioned into Cloud, Mobile or IoT making it harder for the hackers to access the servers behind the SaaS and the vendor protected Mobiles or IoT. Your biggest security hole is your user who clicks phishing emails, browses unhealthy websites. This could drag them to the dark corners of the internet and infect them with a malicious code which then affects the application hosted in the cloud. A human intelligence is very much needed to investigate this human behavior.

Intelligence on both sides of the war

Government-funded cyber warfare and digital banking plundering opportunities pull bright minds to the dark side. The same level of talent working in security vendors and divisions of InfoSec is now focused on the development of bugs and malware. It’s the same people who do both at times!

Cybersecurity is a human arms race. Sure, AI supplements security analysts, but on both sides of the war, AI is now being deployed by humans. AI-powered hacking tools were released at last year’s hacker conference, DefCon, which learned to bypass AI detection. The balance between each side is why new attacks will always emerge and succeed, given security breakthroughs.

After our defenses are pierced by the onslaught of AI-based attacks, DFIR will have to be used to reduce hacker dwelling time as it always has.

It is still impossible to replace human intelligence. When protection fails, forensics can still win the game.