Advanced topics
Prevention is the goal of any cybersecurity strategy, along with timely detection and an effective response to the inevitable intrusion. Equally important is gaining a deep understanding of the attack and an ongoing effort to continually improve your systems.
Forensic analysis
Forensic analysis, while using some of the same means and methods as the incident response team, has different objectives. In addition to determining what happened, and how a particular breach might be prevented in the future, forensic analysis is the process of examining what is left behind that might be of value to investigators.
The three primary elements of forensic analysis include system-level analysis, storage analysis, and network analysis.
System-level analysis. If we know a system has been breached, the first level of analysis would involve examining the individual, compromised system for “footprints in the sand” to determine what changes were made.
Storage analysis. The size of today’s databases and the advent of cloud environments complicate storage analysis.
A particular complication of cloud environments with respect to forensic analysis involves the external ownership of the servers containing the data. While a subpoena can be issued to the owner of a hard drive containing data that you want to analyze, the data that you may be interested in may have been deleted and overwritten.
Network analysis. Collecting and analyzing network ‘traffic’ data provides a different perspective. While network monitoring does not reveal the content of what is coming and going, it does provide information about who is coming and going.
Malware analysis
If malware is located on the system, especially if the malware is a piece of unauthorized software, it is important to deeply understand what the malware does.
Reverse engineering. The first step is to reverse engineer the piece of malware and determine how it works and what it does.
Penetration testing
The purpose of penetration testing is to find the weak points in your software before adversaries find them. If weaknesses are found, it may be possible to fix them. Otherwise, it may be possible to introduce a detection mechanism to block an intrusion.
The first step for penetration testing is to identify all the components on a network. This would include all the ‘smart’ devices that have IoT components, as well as computers, printers, televisions, and other devices that might serve as points of access for an intrusion.
Software security
Design review. This involves looking for design or architectural weaknesses. Areas of sensitivity are customer records, intellectual property, and payment information.
Code review. This includes looking at key areas of sensitivity such as verification and authentication processes and common areas of programming weakness.
Security testing. While penetration testing tests resilience against some set of known software vulnerabilities, security testing dives deeply into the software to verify that its security requirements are properly implemented.
Development security and operations (DevSecOps)
In a traditional environment, developed software is deployed according to a planned schedule that includes testing protocols. Many organizations, especially those in cloud-native environments, have adopted a more continuous software development process. This DevOps approach leverages the combined resources of development and operations teams to speed up development and deployment. While this approach has advantages, especially with digital transformation strategies and agile methodologies, these benefits are not without accompanying risks.
DevSecOps is the practice of building a security layer into the DevOps process. This DevSecOps security layer is an automated process that can provide continuous scanning to identify potential vulnerabilities or misconfigurations that developers may not be aware of so that remediation can take place prior to deployment.
Extended detection and response
Extended detection and response (XDR) technologies and tools provide a more integrated, or holistic, approach to security, threat protection, and remediation across an enterprise. By utilizing AI and machine learning, XDR solutions examine and analyze large quantities of data from multiple sources and devices. This results in a better understanding of threat activity and the ability to create profiles of suspicious behavior, enabling a more proactive and adaptive approach.
Secure by design
CISA has developed Secure by Design principles that include security features such as multifactor authentication out of the box. More than 200 software companies have pledged ‘to take specific measurable action on these principles’.15
Every technology provider must take ownership at the executive level to ensure their products are secure by design.