6 Threat Intelligence Sources That Will Help Enhance Digital Forensics Readiness | By Jonathan Zhang

| sponsored post |

It takes adversaries only minutes to compromise an organization's systems. Yet intrusions often go unnoticed for months; a dwell time of 206 days or more is not unusual.

Here is where it really hurts: the longer it takes an organization to detect an intrusion, the more time and resources the investigation consumes, and the more severe and expensive the damage becomes.

Shortening the reaction time to cyber attacks is therefore a must. Among the strategies that serve that purpose, this post looks at the importance of digital forensic preparedness and at how threat intelligence data feeds support prompt action against incidents.

What Is Digital Forensic Readiness?

The growing inevitability and sophistication of cyber attacks has led to a shift from cybersecurity to cyber resiliency: the ability of an organization to keep operating while it promptly reacts to and investigates security incidents.

As part of this, digital forensic readiness (DFR) refers to an organization's ability to minimize the cost and duration of a breach investigation by collecting and preserving digital evidence before an incident occurs, rather than scrambling for it afterwards. It is not a replacement for existing prevention controls but a complement to them.

Central to DFR is the collection and preservation of data about the business assets and processes that are exposed to cyberthreats: logs, records of the organization's own digital properties, and intelligence about the infrastructure adversaries use. DFR programs draw on both internal and external sources and feed both into the organization's security systems.

Internal threat intelligence comes from log management tools or security information and event management (SIEM) solutions, which aggregate events from across an organization's infrastructure, both software and hardware.

External threat intelligence, on the other hand, comes from open sources and third-party providers. Here are some examples of such intelligence and brief descriptions of why each can enhance DFR.

1. WHOIS Records

WHOIS records, held in the WHOIS databases of registries and registrars, give digital forensics teams access to domain registration information. Such records can help them identify, or at least make educated guesses about, who is behind an online property, since they list the registrant, administrative, technical, and billing contacts supplied at registration. Note that since the GDPR took effect in 2018, many registrars redact these contact fields, so the registrar, name servers, and dates are often the only fields left to pivot on. The data also includes creation, update, and expiry dates, which makes it possible to spot patterns indicative of phishing, such as dozens of look-alike domains registered by the same owner within a few days.

2. Website Content

A website's content, such as third-party ads that may in fact be malvertisements, can damage the reputation of a domain. Any ties to malicious content can land a site on a blocklist. Digital forensics specialists can verify the nature of suspicious content by cross-referencing the links and scripts embedded in a site against external threat intelligence.

3. Malware Databases

Domains that appear in malware data feeds are treated as malicious by the browsers, mail gateways, and security products that consume those feeds, and are blocked accordingly. Forensics experts tasked with overseeing the integrity of their organization's domains can check whether any of those domains have landed in such a feed, begin the cleanup, and request delisting so that the domains become reachable again for all users.

4. IP Resolution

Any domain that resolves to an IP address with ties to malicious activity may suffer the same fate and be blocked for visitors, even when the domain itself is clean; on shared hosting, one abusive tenant can get the address of hundreds of neighbouring sites listed. Digital forensics experts can determine whether any of the IP addresses their domains point to are on a blocklist and fix the issue from there, by cleaning up the host, moving the service, or requesting delisting.

5. Server Records

As a rule, the DNS records tied to a company's digital properties (name servers, mail exchangers, and the addresses that its hostnames resolve to) should be consistent across all of its domains and with the infrastructure the company actually operates. Forensics analysts can spot mismatches, such as a forgotten domain delegated to an unknown name server or an MX record pointing outside the organization, and correct them to keep their domains' integrity intact; such drift is also an early indicator of domain or DNS hijacking.
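The checks in the IP resolution and server records sections above reduce to a small audit: compare each domain's resolved addresses against a blocklist (which feeds commonly publish as CIDR ranges, not just single addresses) and compare its NS and MX records against what the organization expects. The following is an added example, not code from the original post or from the author's platform; the observed records, the expected values, and the blocklist entries are all constructed, and the live resolver helper is optional and not used by the offline audit.

```python
"""Audit resolved addresses and DNS server records for an organization's domains.

Added example. OBSERVED, EXPECTED_NS, EXPECTED_MX and IP_BLOCKLIST are
constructed inputs using documentation address ranges, not real data.
"""
import ipaddress
import socket

# What a resolution pass over the organization's domains returned (constructed).
OBSERVED = {
    "example-corp.com": {
        "A": ["203.0.113.10"],
        "NS": ["ns1.example-corp.com", "ns2.example-corp.com"],
        "MX": ["mail.example-corp.com"],
    },
    "shop.example-corp.com": {
        "A": ["198.51.100.77"],  # sits inside a blocklisted range
        "NS": ["ns1.example-corp.com", "ns2.example-corp.com"],
        "MX": ["mail.example-corp.com"],
    },
    "old.example-corp.com": {
        "A": ["203.0.113.10"],
        "NS": ["ns1.freehoster.invalid", "ns2.freehoster.invalid"],  # unexpected delegation
        "MX": ["mail.example-corp.com", "mx.freehoster.invalid"],     # unexpected mail host
    },
}
EXPECTED_NS = {"ns1.example-corp.com", "ns2.example-corp.com"}
EXPECTED_MX = {"mail.example-corp.com"}
# Blocklist entries as a feed would publish them: single IPs and CIDR ranges.
IP_BLOCKLIST = ["198.51.100.0/24", "192.0.2.44", "2001:db8:bad::/48"]


def load_blocklist(entries):
    """Parse feed entries into network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def blocked_ips(addresses, networks):
    """Return (address, matching_network) pairs for every blocklisted address."""
    hits = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net in networks:
            if ip.version == net.version and ip in net:
                hits.append((addr, str(net)))
                break
    return hits


def audit(observed, expected_ns, expected_mx, blocklist):
    """Return findings as (domain, kind, detail) tuples."""
    findings = []
    networks = load_blocklist(blocklist)
    for domain, recs in observed.items():
        for addr, net in blocked_ips(recs.get("A", []) + recs.get("AAAA", []), networks):
            findings.append((domain, "ip_blocklisted", f"{addr} in {net}"))
        ns = set(recs.get("NS", []))
        if ns != expected_ns:
            findings.append((domain, "ns_mismatch", f"unexpected: {sorted(ns - expected_ns)}"))
        mx = set(recs.get("MX", []))
        if mx - expected_mx:
            findings.append((domain, "mx_mismatch", f"unexpected: {sorted(mx - expected_mx)}"))
    return findings


def resolve_addresses(hostname):
    """Optional live lookup of A/AAAA records via the system resolver."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for finding in audit(OBSERVED, EXPECTED_NS, EXPECTED_MX, IP_BLOCKLIST):
        print(*finding)
```

A blocklisted address is not proof that the domain itself is compromised: on shared hosting the listing may belong to a neighbouring tenant, so the finding should trigger a look at the host rather than an immediate verdict on the domain.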

6. SSL Certificates

A valid certificate (still commonly called an SSL certificate, although the protocol in use today is TLS) and a properly configured chain are marks of a correctly run site; they are not a guarantee of trustworthiness, since phishing sites obtain valid certificates just as easily. Monitoring certificates lets digital forensics experts be alerted to expired certificates, hostname mismatches, and broken chains so that they can address them immediately, before users are trained to click through warnings.
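Certificate monitoring of the kind described above can be done with the standard library alone. The following is an added example, not code from the original post or from the author's platform; the certificate dictionary is constructed in the shape that `ssl.SSLSocket.getpeercert()` returns, and the 14-day warning threshold is an assumed operational choice. The live fetch helper is optional; the expiry and hostname checks run offline on the constructed data.

```python
"""Check a server certificate for expiry, validity window and hostname match.

Added example. SAMPLE_CERT is constructed in the dict shape that
ssl.SSLSocket.getpeercert() returns for a validated chain; it is not a real
certificate.
"""
import socket
import ssl
from datetime import datetime, timezone

SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-corp.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R3"),)),
    "notBefore": "Sep  1 00:00:00 2019 GMT",
    "notAfter": "Nov 30 23:59:59 2019 GMT",
    "subjectAltName": (("DNS", "www.example-corp.com"), ("DNS", "example-corp.com")),
}


def _cert_time(value):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def hostname_matches(hostname, cert):
    """Match against DNS subjectAltName entries; a wildcard covers one label only."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_certificate(cert, hostname, now=None, warn_days=14):
    """Return a list of findings: expired, not_yet_valid, expiring_soon, hostname_mismatch."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not_yet_valid")
    if now > not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append("expiring_soon")
    if not hostname_matches(hostname, cert):
        findings.append("hostname_mismatch")
    return findings


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Optional live fetch. The default context verifies the chain, so a broken
    or untrusted chain surfaces as ssl.SSLCertVerificationError here, which is
    itself the misconfiguration finding; only a validated leaf is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    today = datetime(2019, 12, 10, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_CERT, "www.example-corp.com", now=today))
```

For a fleet of domains, run `fetch_certificate` on a schedule and feed the leaf into `check_certificate`; a verification error from the fetch and an `expiring_soon` finding from the check are the two alerts worth paging on.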

External threat intelligence helps security teams detect the presence of threats so they can react in a timely and appropriate manner. When used in conjunction with a DFR program, it becomes a reliable source of digital evidence that enables organizations to better address cybersecurity incidents.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.

December 10, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013