Artificial intelligence (AI), security orchestration and the Internet of Things (IoT) are disrupting our industry. Some bombastic pundits are even predicting a Jetsons-like world where computers and IoT devices replace workers with machines. Yet most futurists believe computing will only evolve to the level of a digital assistant. Tasks, they say, will be split between artificial and biologic intelligence. Forensics is a prime example of a human compliment to both AI and security automation.
Here are some reasons Digital Forensics and Incident Response (DFIR) will stay relevant in this world of intelligent devices and software that “thinks.”
1. Alerts produced by AI may actually increase incident response workload
Artificial intelligence is making threat detection better. Yet AI has two downsides which will keep responders busy. The first is higher rates of false positives in detecting malware.
[ Learn about top security certifications: Who they’re for, what they cost, and which you need. | Get the latest from CSO by signing up for our newsletters. ]
At the risk of oversimplifying, many AI approaches are closer to human intelligence because they think statistically. So far, AI trained with the prejudices ingrained in the data they’re modeled against, have produced high false positives. I’ve heard chief data scientists at major vendors admit misfiring at rates of 20%. Filters and traditional signature detection are often mixed in to alleviate the burden on the user. Yet excessively sensitive detection is why many AV 2.0 vendors include investigative capabilities allowing humans to vet their conclusions.
AI also passes limited information about the malware it detects, leaving forensics to fill in the rest. The traditional approach of discovering malware was through reverse engineering, or by monitoring it inside sandboxes. These both produced detailed reports of behavior, capabilities and other threat intelligence. Conversely, some AI based approaches only report that a threat was flagged by, “XYZ Threat Model.” Automatically flagging things on the wrong side of a machine learning statistical curve is a powerful approach. Yet it isn’t too helpful for those investigating incidents.
2. Orchestration and automation won’t replace forensic practitioners
When I talk friends with more than a decade in forensics, they often bemoan the lack of deep knowledge in today’s practitioner. The influx of new professionals does mainly Tier 1 work: light triage, log file examination and replaying “flight recorder” style continuous monitoring. They barely tap into forensic artifacts, and couldn’t do reverse engineering, or carve encryption keys from RAM during a ransomware case. For these things you need to hire the few remaining Tier 3 DFIR practitioners.
The new Security Orchestration Automation and Response (SOAR) products, typified by Demisto and Phantom, automate incident response and the usage of forensic tools through playbooks. This could reduce the size of incident response teams, but will it commoditize forensic tools and skills?
Most would agree that organizations are barely digging into the forensic toolbox and that important alerts still aren’t being given enough attention. SOAR opens the door to finally employ the proper variety and depth of forensics via automation. What I’ve seen so far in SOAR rollouts is their use as a forensics force multiplier.
3. IoT, mobile and cloud don’t change the fundamental issue
Sometimes I hear people predict that all traditional computing devices will transition into the cloud, mobile and IoT. Their next statement is usually that InfoSec departments and incident response activities will disappear too; taken over by cloud service provi
ders, or mobile and IoT device vendors.
While access to the servers behind SaaS and access into IoT devices make things a little tougher for hackers and forensics, that’s missing the point. Your biggest security hole is your user who clicks phishing emails, browses scary websites and inserts sketchy USB devices they pick up in the parking lot.
In the far-off future I don’t know what tablet, kiosk or Elon Musk brain ch
ip employees with be interfacing with. I do know that they will drag them into the dark corners of the internet and infect them with malicious code. Then they’re going to connect to your cloud-based CRM or proprietary source code repository. This is human nature and it’s not going away. Neither is the job investigating the people and devices connecting to your valuable assets.
4. There’s always a new detection approach…and sophisticated actors bypassing it
State funded cyber warfare and opportunities to pillage digital banking pull bright minds to the dark side. The same quality of talent working at security vendors and InfoSec departments now work to develop exploits and malware. Sometimes it’s the same people doing both!
Cybersecurity is a human arms race. Sure, AI is supplementing security analysts, but AI is now deployed by humans on both side of the war. AI-powered hacking tools that learn to bypass AI detection were released at last year’s hacker conference, DefCon. The parity between each side is why, despite security breakthroughs, new attacks will always appear and succeed.
After the onslaught of AI-based attacks pierce our defenses, DFIR will need to be employed to reduce hacker dwell time, as it always has. When protection fails, forensics can still prevail.