Threat Intelligence: Taking a Fresh Look at Digital Forensics Backlogs
The prevalence, complexity, and storage capacity of modern devices have produced an ever-growing digital forensics backlog. That backlog, measured in terabytes or petabytes of unexamined data, slows down investigations and court cases. But how do backlogs form exactly, and why have they become the norm in ordinary forensic investigations?
Put simply, a backlog is the queue that forms when the number of phones, laptops, and other machines potentially used to commit cybercrime keeps growing while the number of forensic specialists able to separate evidence from noise stays finite. Delays become the norm as analysts need more and more time to identify potential pieces of evidence and make sense of them.
Digital forensics is not the only field facing data-related challenges. Expanding networks and infrastructure, and the databases behind them, confront cybersecurity professionals with gigantic volumes of data, all of it prey to a growing number of cyber attacks.
As a result, organizations must find ways to stay on top of it, notably by using threat intelligence (TI) to prioritize their security efforts, detect and fix the exploitable vulnerabilities that matter most, and speed up incident response.
In this article, let’s draw some parallels between TI and digital forensics and discuss how the principles of the former could be used to tackle or at least reduce the magnitude of backlogs.
Not So Distant Cousins
Though they seem to have little in common at first sight, digital forensics and TI overlap in several ways.
Both fields play an important role in the investigation of cybercrime. Digital forensics techniques retrieve and validate digital information stored on devices known or suspected to have been used for criminal or fraudulent activity, such as hacking, intellectual property infringement, and the production or consumption of illicit content.
Similarly, TI processes enable cybersecurity specialists to examine their online assets (websites, applications, APIs, and so on) to understand how attackers and scammers have managed to strike, or how they are likely to strike in the near future.
Moreover, both digital forensics and TI rely heavily on data, but not just any data: the focus is on verifiable information that decisions and actions can be based on. Digital forensics experts examine physical devices to evidence a crime; TI analysts review unambiguous, checkable parameters such as server configurations and file extensions.
Applying Threat Intelligence to Backlogs
Given these commonalities, we can look at how some core working principles of TI, which allow substantial amounts of data to be analyzed promptly to keep systems and users protected, might be applied to digital forensics as a way to mitigate backlogs.
Targeted data extraction
A strength of TI processes is that they can be tailored for targeted data extraction. Say you want to spot impersonation attempts. Retrieving a domain's ownership and registration details and comparing them with what is claimed in an email, on a website, or elsewhere surfaces the inconsistencies that point to fraud: contact details that do not match, a business claiming to have operated for years from a domain registered a few weeks ago, and so on.
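The comparison described above, written out as an added example (this is not the author's code nor any vendor's API). It takes a WHOIS-style registration record and the claims made by a sender, both constructed here with assumed field names, and returns every inconsistency it finds. It goes slightly beyond the paragraph in one respect: when the sender's domain is not the company's real one, it distinguishes a mere mismatch from a lookalike that embeds the real name. The threshold for a "fresh" domain (365 days) and the keyword used to detect a privacy-redacted registrant are assumptions.

```python
from datetime import date, datetime

# Constructed WHOIS-style registration record for the sender's domain.
# Not real data; the field names are an assumption for this example.
SAMPLE_REGISTRATION = {
    "domain": "acme-supplies-invoicing.com",
    "created": "2024-03-02",
    "registrant_org": "REDACTED FOR PRIVACY",
    "registrant_country": "IS",
}

# Constructed claims lifted from the suspicious email and the site it links to.
SAMPLE_CLAIMS = {
    "sender_email": "accounts@acme-supplies-invoicing.com",
    "website": "https://www.acme-supplies.com/contact",
    "claimed_years_in_business": 25,
    "claimed_country": "US",
}

SAMPLE_TODAY = date(2024, 6, 1)   # fixed "today" so the example is reproducible
FRESH_DOMAIN_DAYS = 365           # assumed: younger than this counts as freshly registered


def registrable_domain(host):
    """Last two DNS labels. Fine for .com examples; real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_from_email(address):
    return registrable_domain(address.rsplit("@", 1)[1])


def domain_from_url(url):
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return registrable_domain(host)


def check_impersonation(registration, claims, today=None):
    """Return (code, detail) findings where registration data contradicts what the sender claims."""
    today = today or date.today()
    findings = []

    # 1. Does the sending domain match the company website the message points to?
    email_domain = domain_from_email(claims["sender_email"])
    site_domain = domain_from_url(claims["website"])
    if email_domain != site_domain:
        email_base, site_base = email_domain.split(".")[0], site_domain.split(".")[0]
        code = "lookalike_domain" if site_base in email_base else "domain_mismatch"
        findings.append((code, f"email from {email_domain} but site is {site_domain}"))

    # 2. Is the domain younger than the business it claims to be?
    created = datetime.strptime(registration["created"], "%Y-%m-%d").date()
    age_days = (today - created).days
    claimed_age_days = claims["claimed_years_in_business"] * 365
    if age_days < FRESH_DOMAIN_DAYS and claimed_age_days > age_days:
        findings.append(("fresh_domain_vs_claimed_age",
                         f"domain is {age_days} days old, business claims "
                         f"{claims['claimed_years_in_business']} years"))

    # 3. Do the registrant's contact details agree with the claimed ones?
    if registration["registrant_country"] != claims["claimed_country"]:
        findings.append(("country_mismatch",
                         f"registrant in {registration['registrant_country']}, "
                         f"claims {claims['claimed_country']}"))

    # 4. Privacy-redacted WHOIS is common for legitimate domains too: a weak signal on its own.
    if "REDACTED" in registration["registrant_org"].upper():
        findings.append(("registrant_redacted", "registrant identity cannot be verified from WHOIS"))

    return findings


if __name__ == "__main__":
    for code, detail in check_impersonation(SAMPLE_REGISTRATION, SAMPLE_CLAIMS, today=SAMPLE_TODAY):
        print(f"{code}: {detail}")
```

The findings are returned as codes rather than a single verdict so that a downstream rule can weight them: a fresh lookalike domain with a country mismatch is a strong signal, while a redacted registrant by itself is not.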
Following this principle in digital forensics, one could build tools that explicitly check confiscated devices for specific indicators, such as traces of unauthorized network intrusions or unlawful communications. Extracting data with such focal points in mind speeds up the identification of evidence, since the information comes out narrowly categorized and pre-interpreted, which removes much of the legwork and reduces the time spent on each piece of hardware. The scope of such a targeted pass should be documented, and the full image preserved, so that anything outside the focal points can still be examined if the triage turns something up.
Data crosslinking and analysis
TI practitioners keep up with today's fast-changing threat landscape by embedding different cybersecurity insights into applications and systems through APIs. These APIs act as shortcuts: there is no need to compile data sources manually, so analysts can move directly to the analysis of critical online assets.
TI is also increasingly incorporating machine learning, so it becomes better at fighting emerging threats as more raw data accumulates. For example, TI processes that use natural language processing can spot the pressure words typically used in email fraud, such as "urgent," "service disruption," and "penalties."
With this richer perspective, security staff can assess the overall safety of an application, website, or network against several threats and their likelihood at once, and the assessment grows more accurate with each analysis.
In a similar fashion, digital forensic specialists could identify and examine devices according to their likelihood of containing proof of a crime, taking an overarching view built from several factors: frequency of interaction, the amount of data exchanged, keywords indicating data leakage, and the presence of malicious or password-protected files. These signals become the parameters of a profile built for each confiscated device, so that the devices most likely to matter are examined first. The profile orders the queue; it does not replace examination, and a low score must never be read as clearance.
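The device profile described above, as an added example (not the author's code or any forensic product's). It takes constructed per-device extraction summaries, with assumed field names, reduces each to the factors the paragraph lists, scales every factor against the batch maximum, and ranks the devices by a weighted sum. The keyword scan is the same simple pattern as the "urgent" / "penalties" check mentioned for email fraud in the TI section; the keyword list and the weights are assumptions and would be tuned per case.

```python
import re

# Constructed per-device extraction summaries, as a targeted-extraction tool might emit them.
# Not real case data; the field names are an assumption for this example.
SAMPLE_DEVICES = [
    {"id": "laptop-01", "messages": 42, "distinct_contacts": 3, "bytes_transferred": 2_000_000,
     "files": [{"name": "notes.txt", "password_protected": False, "known_malicious": False}],
     "text": "meeting notes and a grocery list"},
    {"id": "phone-07", "messages": 1800, "distinct_contacts": 96, "bytes_transferred": 14_000_000_000,
     "files": [{"name": "dump.7z", "password_protected": True, "known_malicious": False},
               {"name": "loader.exe", "password_protected": False, "known_malicious": True}],
     "text": "send the customer database export tonight and bring the private key"},
    {"id": "tablet-02", "messages": 300, "distinct_contacts": 20, "bytes_transferred": 500_000_000,
     "files": [{"name": "archive.zip", "password_protected": True, "known_malicious": False}],
     "text": "confidential quarterly figures attached"},
]

# Terms suggestive of data leakage (assumed; a real deployment tunes this list per case).
LEAK_KEYWORDS = ("export", "database", "credentials", "private key", "confidential")

# Relative importance of each factor (assumed). They sum to 1, so scores land in [0, 1].
WEIGHTS = {"messages": 0.15, "distinct_contacts": 0.15, "bytes_transferred": 0.20,
           "keyword_hits": 0.20, "password_protected": 0.10, "known_malicious": 0.20}


def keyword_hits(text):
    """Number of distinct leak keywords present as whole words, case-insensitively."""
    return sum(1 for kw in LEAK_KEYWORDS
               if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE))


def device_profile(device):
    """Reduce one device's extraction summary to the numeric factors the profile is built from."""
    return {
        "messages": device["messages"],
        "distinct_contacts": device["distinct_contacts"],
        "bytes_transferred": device["bytes_transferred"],
        "keyword_hits": keyword_hits(device["text"]),
        "password_protected": sum(f["password_protected"] for f in device["files"]),
        "known_malicious": sum(f["known_malicious"] for f in device["files"]),
    }


def rank_devices(devices, weights=WEIGHTS):
    """Score each device relative to the batch; return (id, score, profile) sorted high to low."""
    profiles = {d["id"]: device_profile(d) for d in devices}
    maxima = {k: max(p[k] for p in profiles.values()) for k in weights}
    ranked = []
    for dev_id, profile in profiles.items():
        # Each factor is scaled by the batch maximum; a factor that is zero everywhere contributes nothing.
        score = sum(weights[k] * (profile[k] / maxima[k] if maxima[k] else 0.0) for k in weights)
        ranked.append((dev_id, round(score, 4), profile))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for dev_id, score, profile in rank_devices(SAMPLE_DEVICES):
        print(f"{dev_id}: {score:.3f} {profile}")
```

Scaling against the batch maximum keeps the score meaningful across very different seizures (a few phones versus a data centre), but it also means a score is only comparable within one batch; the raw profile is returned alongside it so the examiner can see which factor drove the ranking.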
Digital forensics and threat intelligence have more in common than it seems, and two principles of the latter, the targeted extraction of data and its overarching analysis, can help tackle ever-growing backlogs.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the Whois API Inc. family, a trusted intelligence vendor to over 50,000 clients.