Cyber forensics is a structured method of investigation to find out exactly what transpired on a computing device and/or network, with the key aim of identifying who and/or what was responsible for it, while maintaining a documented chain of evidence.
Initial evidence to locate:
In the case of a malware event
Before the investigation begins, ensure that the compromised device is physically isolated from the environment, both so that it cannot be contaminated accidentally and to prevent the threat from spreading further through the infrastructure. Once the device is isolated, a digital copy must be prepared for the investigation and the original device locked away safely to preserve its “as-is” state.
In the case of a suspected breach
A digital forensics team will examine the network and look for signs of a lingering attack, such as unauthorized user accounts or accounts with unauthorized privileges. The team can determine whether an attack is still ongoing and strengthen the organization's defenses to halt continuing damage.
A digital forensics team can also help the organization strengthen its detection and response controls, improving its network infrastructure and security.
In the case of a suspected insider threat
Insider threats in cyber security are threats posed by individuals from within an organization, such as current or former employees, contractors and partners. These individuals have the potential to misuse their access to networks and assets to wittingly or unwittingly disclose, modify or delete sensitive information. Some common steps that can be considered to reduce insider threats are:
Recommend best practices for network and endpoint monitoring systems to detect anomalous behavior.
Recommend best practices to closely manage the accounts and privileges of all employees and contractors.
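A concrete check for the breach and insider-threat cases above (unknown accounts, and accounts that gained privileges since a known-good state), as an added example that is not part of the original page: it parses two constructed /etc/group-style snapshots, a baseline and the current state, and reports differences ordered by severity. The group names, the privileged-group list and the sample accounts are assumptions; primary group membership from /etc/passwd is not covered.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample snapshots in /etc/group format (group:password:gid:members).
BASELINE_GROUP_FILE = """\
users:x:100:alice,bob,carol,dave
backup-operators:x:1001:bob,svc-backup
domain-admins:x:1002:carol
service:x:1003:svc-backup
"""
CURRENT_GROUP_FILE = """\
users:x:100:alice,bob,carol,tmp-admin
backup-operators:x:1001:bob,svc-backup
domain-admins:x:1002:carol,bob,tmp-admin
service:x:1003:svc-backup
"""
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}  # assumed list
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Invert group lines into account -> set of supplementary group names."""
    members: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # blank or malformed line: skip it, do not abort the review
        for user in filter(None, fields[3].split(",")):
            members.setdefault(user, set()).add(fields[0])
    return members

def compare_accounts(baseline, current, privileged) -> List[Tuple[str, str, str]]:
    """Flag unknown accounts and privilege gains relative to the baseline."""
    findings = []
    for user, groups in current.items():
        if user not in baseline:
            priv = sorted(groups & privileged)
            msg = "unknown account" + (", member of privileged group(s): " + ", ".join(priv) if priv else "")
            findings.append(("high" if priv else "medium", user, msg))
            continue
        added = groups - baseline[user]
        priv_added = sorted(added & privileged)
        if priv_added:
            findings.append(("high", user, "gained privileged group(s): " + ", ".join(priv_added)))
        elif added:
            findings.append(("low", user, "gained group(s): " + ", ".join(sorted(added))))
    for user in sorted(baseline.keys() - current.keys()):
        findings.append(("info", user, "in baseline but absent now"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

def audit() -> List[Tuple[str, str, str]]:
    return compare_accounts(parse_group_file(BASELINE_GROUP_FILE), parse_group_file(CURRENT_GROUP_FILE), PRIVILEGED_GROUPS)
```

Run `audit()` against a snapshot captured from the forensic copy, never from the sealed original, so that the baseline comparison itself does not alter the evidence.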