Forensic investigations in a zero trust environment: What Indian businesses need

Zero trust is a buzzword that is growing increasingly popular among businesses in India, and rightly so, given the explosion of cyberattacks. In the first half of 2022, India witnessed 6.7 million cyber attacks. The expanding risk of cyber attacks led the Ministry of Electronics and Information Technology to issue guidelines regarding the adoption of a zero-trust architecture earlier this year.

Zero trust architecture has arisen as a response to today's perimeter-less networks. Employees today work from offices and their homes, through mobile devices, and even over Wi-Fi networks at cafes, opening up the threat landscape like never before. Threats to security arise from outside the organization and from within, in the form of social engineering attacks, malware-infected devices and malicious insiders. Securing the perimeter no longer protects an organization from cyberthreats, which is why zero-trust principles are gaining popularity.

In India, a third of businesses have already implemented zero-trust architecture, with many more planning to implement it. The foundational tenet of the Zero Trust Model is that no user, system, network, or service operating outside or within the security perimeter can be trusted. Instead, it relies on verifying anything and everything attempting to establish access.

At the same time, the need for forensic investigations is also increasing, as they help companies understand the scope of breaches and their impact on the business. Enterprises and fast-growing mid-market companies are conducting more than six internal investigations per month and expect investigatory workloads to increase. But with zero trust architecture, this can be a daunting task.

Identifying the problem set

Digital forensic investigators detect and respond to incidents on all devices, and log, analyze, and share learnings from these incidents. For instance, in the case of a data breach, a digital forensics team would examine the network and identify signs of malware, unauthorized user accounts, or accounts with unauthorized privileges. These investigators can determine whether an attack is still ongoing and whether the damage can be halted. For these teams to perform their tasks effectively, the technology they use should ideally be able to:

○ Hold admin access across the network
○ Deploy agents to remote devices
○ Inventory all devices and respond to incidents on those devices
○ Operate across platforms including Mac, Windows and Linux
○ Image and collect data forensically across an encrypted connection
○ Remediate incidents, such as deleting files, closing ports, or potentially deactivating users
○ Monitor endpoints to analyze files in use, programs running, and connected services in real time

Granting forensic investigators full admin access to conduct investigations is in direct conflict with the principles of zero trust, under which users, devices, and applications access information on a need-to-know basis. Most digital forensic solutions are connected to the internet, which adds to the existing security risks and obliges organizations to provide forensic investigators with multiple devices for different functions. Such arrangements only drive costs up sharply.

Adopting secure digital forensic tools

Solutions capable of conducting secure forensic investigations can go a long way in strengthening internal investigation functions for Indian businesses. Technology that can be installed on-premises but secured on a server controlled by IT is ideal. Forensic investigators can then carry out investigations through a web browser interface without disrupting the zero-trust architecture.

Other experts involved in an investigation, such as HR or financial specialists, will then be able to review the relevant elements of a case without needing administrative access or a dedicated forensic device. With the right technology, investigating teams can sidestep the extensive software lockdowns required to minimize non-authorized access in zero-trust environments, while maintaining the integrity of security controls.

The rapid adoption of hybrid and work-from-anywhere models calls for technology that is nimble and can remain secure in remote environments. Businesses need portable solutions that use self-contained review platforms holding case details outside the perimeter. Portable solutions that can be loaded onto a USB flash drive or into the cloud are ideal. They allow investigators to access the application from its self-contained directory, ensuring that principal investigators stay in sync with remote investigations.

With public site server facilities capable of responding to security incidents on all distributed devices, businesses can centralize investigations. A public site server that resides in a secured environment on the network ensures that investigators can communicate with it whenever they are connected to the internet, without the risk of disrupting the zero-trust environment.

Businesses can deploy instructions on the public site server, while remote agents carry out critical incident logging, analysis, and remediation tasks. These public site servers enable IT to communicate with devices that are not connected to a virtual or internal network in the event of a breach, ensuring that incident investigation and response are not delayed. IT teams can then perform the actions necessary to secure devices and the network, all while abiding by the zero trust mandate.

In an increasingly complex threat landscape, digital forensics technologies that adhere to zero-trust principles are quickly becoming one of the critical technologies companies need to piece together the clues for a comprehensive investigation. With the right solutions, businesses can identify the size and scope of incidents and stem the damage, while also identifying ways to prevent future breaches.