Are you a Sleuth?
A Sleuth’s main role is to perform digital forensics analysis. The process of cyber attribution is crucial in identifying who and what is responsible for a breach. Cyber attribution depends on collecting evidence, building timelines, and piecing that evidence together in the wake of a cyber attack.
Within the context of an incident response, attribution attempts to address the ancillary questions surrounding the “who” and the “why” of an attack, as opposed to the more immediate concerns of “what”, “when”, “where” and “how”. As with any forensic process, answering these questions is not something that can be completed quickly and will usually require significant amounts of time and resources. Furthermore, in many cases, the process involves a significant amount of educated guesswork—and even analytical leaps—meaning results can often be subject to debate and difficult to back up with hard facts.
Links with CyberEPQ Modules:
7. Information Security Incident Management & Conducting and Managing Digital Forensic Examinations
9. Information Security Identity and Access Management
What does a Sleuth do?
The first requirement of a sleuth during cyber attribution is to gain extensive knowledge of, and unencumbered visibility into, the IT environment, including the solutions used by the adversary, such as free cloud services. For many organizations, this is the biggest stumbling block of all. Without this insight, anyone attempting to carry out the long task of attribution is virtually guaranteed to fail, because they simply won’t know what signs to look for, nor will they have the expertise to thread those signs into a cohesive timeline. Key indicators will be...