
Post-Incident Forensics: Piecing Together the Puzzle After a Cyberattack

By Kristy Gulsvig

In cybersecurity, digital forensics plays a pivotal role in revealing hidden weaknesses that lead to breaches, and in pinpointing the origins of an attack. While post-incident analysis can’t undo the harm already done, it offers valuable insights that can help deter similar breaches in the future.

We live in an age where cybersecurity risks are everywhere—from the emails we receive to the online platforms we use. And industries, such as the food industry, that are part of our nation’s critical infrastructure are key targets for cybercriminals.

In September 2021, the FBI’s Cyber Division alerted companies that the Food and Agriculture industry was among the most susceptible to cyberattacks in the U.S. Since that alert, numerous attacks have taken place, many of them impacting global supply chains and endangering consumer safety.

The Connection Between Food Safety and Strong Cybersecurity

The food and agriculture supply chain is incredibly complex and consists of a web of interconnected systems and procedures. Farms and food processing plants have become heavily digitized in an effort to speed up production and add higher levels of efficiency.

Most farms and food processing facilities rely on automated monitoring and control systems for everything from cooking and storage temperatures to packaging checks. Because these systems act on their readings without a human in the loop, tampering with a sensor value or a setpoint can put unsafe product into the supply chain before anyone notices. When that happens, the only way to establish what was changed, when, and by whom is a post-incident forensic investigation, which is why companies need that forensic capability in place before an incident occurs, not after.

The Role of Post-Incident Forensics

A forensic investigation reconstructs the incident from the traces the attacker left behind: which systems were touched, how the initial access happened, and what was changed. It is a lengthy, methodical process made up of a number of distinct steps:

Identification. During or in the early stages after a cyberattack, companies need to establish what kind of incident has taken place and which systems are involved. This is where threat intelligence feeds and security information and event management (SIEM) solutions earn their keep: they correlate events from many sources so that analysts can isolate the relevant ones and locate the source of a breach, whether it is still in progress or has recently taken place. The tools only surface candidates; a human analyst still has to confirm them.

Preservation. In a criminal investigation, law enforcement works diligently to preserve every form of evidence; the same is expected in digital forensics. Digital evidence is easily altered, whether by an attacker cleaning up, by routine log rotation or simply by a system continuing to run, so relevant data must be secured as soon as it is identified. In practice that means acquiring volatile data (memory, running processes, network connections) before a machine is powered off, hashing every artifact at the moment of acquisition so that any later change can be detected, and keeping a chain of custody that records who handled each item, when and why. The chain of custody ensures that anyone who accesses evidence for analysis is authorized to do so and can be accounted for, which matters if the findings are ever challenged in court or by a regulator.

Collection. A post-incident forensic analysis is built on data collection, and there are many places where data can be pulled from to paint a bigger picture of the event. Relevant data may live in equipment and controller logs, on workstation and server drives, in a plant historian or on cloud platforms. Investigators need a methodical process for locating and storing this data so it can be analyzed later. They typically use forensic imaging tools to take a bit-for-bit copy of a drive in its original state, often through a hardware write blocker, and then work from the copy so the original evidence is never modified.

Analysis. In the analysis stage, investigators comb through the gathered data to understand its significance, typically by building a timeline of events across all the collected sources. This phase can last from a few weeks to several months, depending on the depth and impact of the cyberattack. It is the pivotal step because it establishes exactly how the breach happened, which lets the security team formulate strategies to ward off future incidents.

Reporting. Once the analysis is concluded, the investigative team drafts a comprehensive report outlining its key findings. The report should be written so that both technical experts and a non-technical audience clearly understand how the attack took place, with every conclusion traceable to specific evidence. It is important not only for the organization to learn and adapt, but also to meet legal or regulatory obligations. Because some of these reports may be shared with regulators, customers or the public, they must accurately reflect the depth of the investigation and the remediation steps that follow.
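As an added example (not code from the original article or from any product it mentions), the Python sketch below runs the five steps end to end over a constructed log excerpt from a hypothetical plant gateway called "plant-gw": it hashes the raw evidence and opens a chain of custody, parses the log into events, flags a login that follows a run of failed attempts, builds a timeline of what that account did afterwards, and emits a report. The log lines, host name, account names, IP addresses (from the RFC 5737 documentation range) and the HMI setpoint message format are all invented for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample evidence (hypothetical host "plant-gw", RFC 5737 documentation
# addresses, invented message formats); it is not taken from any real incident.
SAMPLE_LOG = b"""\
2024-03-04T02:11:05Z plant-gw sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:09Z plant-gw sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:14Z plant-gw sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:20Z plant-gw sshd: Accepted password for admin from 203.0.113.7
2024-03-04T02:13:41Z plant-gw hmi: setpoint pasteurizer_temp changed by admin from 72.0 to 60.0
2024-03-04T02:20:02Z plant-gw sshd: Accepted password for operator from 10.0.5.21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Evidence:
    """An acquired artifact plus the integrity hash and custody entries that travel with it."""
    name: str
    sha256: str
    custody: list = field(default_factory=list)  # entries of (timestamp, handler, action)


def preserve(name: str, data: bytes, handler: str, acquired_at: str) -> Evidence:
    """Preservation: fingerprint the raw bytes and open the chain of custody before any analysis."""
    ev = Evidence(name=name, sha256=sha256_hex(data))
    ev.custody.append((acquired_at, handler, "acquired and hashed"))
    return ev


def verify(ev: Evidence, data: bytes) -> bool:
    """Integrity check: a working copy must still hash to the value recorded at acquisition."""
    return sha256_hex(data) == ev.sha256


def collect(data: bytes) -> list:
    """Collection: turn raw log bytes into structured events; unparseable lines are dropped."""
    events = []
    for line in data.decode("utf-8", errors="replace").splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def identify(events: list, threshold: int = 3) -> dict:
    """Identification: flag a source whose successful login follows >= threshold failures.
    Returns {ip: {"user": ..., "ts": ...}} describing the login that succeeded."""
    failures = {}
    flagged = {}
    for e in events:
        a = AUTH_RE.match(e["msg"]) if e["proc"] == "sshd" else None
        if not a:
            continue
        key = (a["ip"], a["user"])
        if a["result"] == "Failed":
            failures[key] = failures.get(key, 0) + 1
        elif failures.get(key, 0) >= threshold:
            flagged[a["ip"]] = {"user": a["user"], "ts": e["ts"]}
    return flagged


def analyze(events: list, flagged: dict) -> list:
    """Analysis: timeline of non-login actions taken by a flagged account after its login.
    All timestamps share one ISO-8601 format, so string comparison orders them correctly."""
    login_ts = {v["user"]: v["ts"] for v in flagged.values()}
    timeline = []
    for e in events:
        if e["proc"] == "sshd":
            continue
        for user, ts in login_ts.items():
            if f"by {user}" in e["msg"] and e["ts"] >= ts:
                timeline.append(f'{e["ts"]} {e["proc"]}: {e["msg"]}')
    return timeline


def report(ev: Evidence, flagged: dict, timeline: list) -> dict:
    """Reporting: one structure a responder, an auditor and a manager can all read."""
    return {
        "evidence": {"name": ev.name, "sha256": ev.sha256, "custody": list(ev.custody)},
        "initial_access": [
            f"{v['user']} from {ip} after repeated failures, login at {v['ts']}"
            for ip, v in flagged.items()
        ],
        "actions_observed": timeline,
    }


def investigate(name: str, data: bytes, handler: str, acquired_at: str) -> dict:
    """Run the five steps in order on one artifact and return the report."""
    ev = preserve(name, data, handler, acquired_at)
    if not verify(ev, data):  # fails only if the bytes changed between hashing and parsing
        raise RuntimeError("evidence integrity check failed")
    events = collect(data)
    flagged = identify(events)
    timeline = analyze(events, flagged)
    ev.custody.append((acquired_at, handler, "parsed and analyzed working copy"))
    return report(ev, flagged, timeline)
```

Calling `investigate("plant-gw.log", SAMPLE_LOG, "responder-1", "2024-03-04T06:00:00Z")` returns a report naming the admin login from 203.0.113.7 as the initial access and the pasteurizer setpoint change as the action observed afterwards. In a real engagement the hash and custody entries would be written to a separate, append-only record at acquisition time, and `verify` would be run against every working copy before it is analyzed.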

Challenges of Post-Incident Forensics in Food Safety

The food and agriculture sector presents unique hurdles when executing post-incident forensics. A primary obstacle for responders is the expansive nature of food and beverage supply chains. With large distribution networks and numerous connections to suppliers, manufacturers and retailers, every partner link and shared system adds to the attack surface, and evidence may sit on systems the affected organization does not control. This complexity often means it takes considerably longer to trace the origins of an attack.

It’s also important to know that most major cyberattacks don’t stem from a singular breach. Typically, cybercriminals will invest considerable resources to infiltrate several systems or networks over a long period of time. Investigators will then often find themselves in a “Russian doll” scenario, where uncovering one level of the attacks reveals another one underneath it.

Over the years, it has also become significantly harder to source well-trained cybersecurity professionals who have both the industry knowledge and the forensic expertise necessary to tackle more complicated attacks. This often leads to organizations taking dangerous shortcuts and not adequately budgeting their incident response programs.

Best Security Practices for Food and Beverage Industries

To ensure that organizations are well-positioned to complete thorough post-incident investigations, there are some important cybersecurity best practices that should be implemented.

Invest in the Right Cybersecurity Infrastructure. Not every organization has the infrastructure in place to protect itself from, or recover from, a large-scale security event such as a ransomware outbreak. This is why investing in firewalls, intrusion detection systems and other cybersecurity solutions is integral to securing your systems. While these tools cannot eliminate every risk, they reduce the exposed attack surface and, just as important for forensics, they generate the logs an investigation will later depend on. Retain those logs long enough to cover the months an intrusion can go unnoticed; an investigation cannot reconstruct what was never recorded.

Create a Comprehensive Disaster Recovery Plan. Though preventing attacks is a top priority for organizations, it’s just one aspect of a strong defense. For businesses in the food and agriculture sector, it’s crucial to also have a thorough disaster recovery strategy in place. The foundation of a successful post-incident forensics investigation is proper planning and clearly documented processes. Disaster recovery plans give organizations the ability to create a clear and methodical roadmap for how to proceed once a major issue has been identified.

Conduct Regular Security Audits. Given the evolving nature of technology, even the best-prepared organizations can inadvertently introduce vulnerabilities into their systems over time. This makes it crucial to routinely check those systems by conducting a SOC audit or undergoing a risk assessment to spot and address any flaws in existing cybersecurity measures.

Collaborate With Outside Security Experts. Every industry has unique security challenges to address. But rather than tackling these issues on their own, critical infrastructure organizations can—and should—lean heavily on the security experts in their sectors. This includes partnering with risk assessment specialists and managed service providers that can help identify where gaps may exist in an organization’s security and work closely with stakeholders to address them.

Establish the Right Security Culture. Post-incident forensics investigations are an important part of building a strong, more resilient food and agriculture sector. Although equipping an organization with the appropriate technology and processes is essential, establishing a culture of security awareness and accountability is beneficial for everyone involved. By following a well-outlined plan and collaborating with established cybersecurity experts, organizations can better safeguard against modern threats and reduce the damages when events occur.
