Incident Response Is Not Forensics

Professionals who handle computer security incident response traditionally have also been charged with forensics. They find the evidence of wrongdoing, and preserve it in a court-approved fashion. This best practice is a good one, even when saving data for law enforcement is not a necessity or a priority.When it's not necessary to save this data, immediately stopping and doing it properly can limit us, and damage the business. If we do not care about forensics, or due to real-time requirements cannot care about it, forensics is nothing but a nice-to-have perk.

There are many cases where stopping and preserving evidence, such as in time-sensitive operational environments where uptime is the most important factor, could mean failure. And in other cases, it simply does not matter. But because incident response and forensics have been tied together for so long, many professionals don't know any other way than to combine the two.

But if my highest priority is to reverse the damage or "make it stop hurting," I'll do so in any way I can. If I have the time to proceed with forensics, great. If I don't, I shouldn't.

I would use any tools available to me to achieve this goal -- even using the attacker's own exploits to gain access.

Yes, forensics is important. But it is high time it wasn't tied to incident response as the only course of action allowed. Because of this, today real-time operational incident response is often done by people who are not trained to do so -- either by forensic experts who don't necessarily know (even if they can make do) how to perform incident response in operational environments, or by people who are good system and network administrators, but not as qualified to perform incident response.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.