Digital Forensics

Cyberinsurance: Another Reason Why You Need Digital Forensics Software

May 16, 2022

We all know that the risk of cyberattacks of all sorts is constantly increasing. Malware, ransomware, and data breaches continue to proliferate not just at large corporations, but also small- and medium-sized businesses including law firms and legal service providers. Overall, in 2021, businesses suffered 50% more cyberattacks per week than the previous year, and corporations around the globe expect an increase in attempted breaches to continue throughout 2022. Preventing cyberattacks is now so critical that cyberinsurance applications require organizations to answer more and more questions about their cybersecurity technology and practices.
The questions cover some measures that are already fairly broadly in place, such as multi-factor authentication, but they also ask not just about endpoint detection tools but about endpoint response tools—in other words, digital forensic software like Exterro FTK®. If your forensic tools are not directly integrated with your cyber intrusion tools, you’re at risk of being unable to preserve the evidence needed to remediate the attack.

By integrating SIEM and SOAR platforms that specialize in endpoint detection with forensic investigation tools, organizations can preserve electronic evidence as soon as an intrusion is detected. A solution like FTK® Connect takes this a step further by automating forensic collection from remote endpoints based on triggers from platforms such as Splunk SOAR and Palo Alto SOAR. Again, this lets you preserve evidence instantly upon detection of an intrusion, with no human interaction needed.

Once connected to the suspected/affected endpoint using FTK® Enterprise or FTK® Central’s remote agent technology, incident responders can use these FTK solutions to remove rogue files, kill malicious processes or services, and isolate systems from the network to contain the threat. Responders can then conduct live memory analysis or see a live preview of the data on the endpoint.

After performing a forensic collection, responders can take a deep dive into the collected data: carve memory, find artifacts in the registry or on disk, pull out deleted data, and recover partial files. Responders may analyze volatile data, system information, email/webmail, Internet artifacts, web history and cache, chat sessions, compressed files, backup files, encrypted files, network shares, deleted files, video, etc. They can run scans for Indicators of Compromise and for YARA and MISP rules, and work out what happened, how it happened, who got in, what information they may have taken (exfiltrated), and whether they implanted any malware or ransomware on the endpoint.
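The two preceding paragraphs describe a flow that is easy to state but worth seeing end to end: a detection alert crosses a severity threshold, collection is triggered automatically, the collected items are hashed before anyone touches them, and the collection is then scanned against Indicators of Compromise. The script below is an added illustration written for this page; it is not FTK Connect, Splunk SOAR or Palo Alto SOAR code and uses no vendor API. The alert schema, the file set, and the IOC hashes and strings are all constructed sample data, and the hash/string matcher stands in for the YARA or MISP rule engine a real deployment would use.

```python
"""Alert-triggered collection with evidence hashing and a simple IOC scan.

Added example, not code from the original post or from any vendor product.
The alert format, file contents and IOC values below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed SOAR/SIEM alert in a hypothetical schema (field names are assumptions).
SAMPLE_ALERT = json.dumps({
    "source": "example-soar",
    "severity": "high",
    "host": "WS-0042",
    "indicator": "suspicious_process",
})

# Constructed stand-in for a remote collection: endpoint path -> file bytes.
SAMPLE_FILES = {
    "C:/Users/jdoe/AppData/Local/Temp/update.exe": b"MZ\x90\x00EVIL_MARKER_do_not_run",
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00benign notepad bytes",
    "C:/Users/jdoe/Documents/notes.txt": b"meeting notes, nothing unusual",
}

# Constructed IOC set: the hash and string indicators a YARA/MISP feed would carry.
IOC_HASHES = {hashlib.sha256(b"MZ\x90\x00EVIL_MARKER_do_not_run").hexdigest()}
IOC_STRINGS = [b"EVIL_MARKER"]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def should_collect(alert_json, min_severity="high"):
    """Return True when the alert's severity meets the automatic-collection threshold."""
    alert = json.loads(alert_json)
    return SEVERITY_ORDER.get(alert.get("severity"), -1) >= SEVERITY_ORDER[min_severity]


def preserve(files):
    """Hash every collected item before analysis so findings can be tied to exact bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def scan(files, ioc_hashes, ioc_strings):
    """Match each collected item against hash IOCs and string IOCs; return one hit per match."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in ioc_hashes:
            hits.append({"path": path, "type": "hash", "indicator": digest})
        for needle in ioc_strings:
            if needle in data:
                hits.append({"path": path, "type": "string", "indicator": needle.decode()})
    return hits


def respond(alert_json, files, ioc_hashes, ioc_strings):
    """Full flow: alert -> threshold check -> preservation manifest -> IOC scan -> report."""
    if not should_collect(alert_json):
        return {"collected": False, "hits": []}
    manifest = preserve(files)          # hashes recorded first, before any scanning
    hits = scan(files, ioc_hashes, ioc_strings)
    return {
        "collected": True,
        "host": json.loads(alert_json)["host"],
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "manifest": manifest,
        "hits": hits,
    }


if __name__ == "__main__":
    print(json.dumps(respond(SAMPLE_ALERT, SAMPLE_FILES, IOC_HASHES, IOC_STRINGS), indent=2))
```

The ordering inside `respond` is the point: the preservation manifest is written before the scan runs, so a later analyst can show that the bytes that matched an indicator are the bytes that were collected when the alert fired. A low-severity alert falls below the threshold and triggers nothing, which is the knob an organization tunes to avoid collecting on every noisy detection.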

It certainly makes sense why insurers want to understand the depth of your organization’s ability to respond to a cyberattack quickly and automatically before they underwrite a policy on your behalf!
