Revisiting NIST Forensics Guidance in a Cloud Age

There’s a less well-known NIST guide from 2006, part of the “beloved” 800 series, but important nonetheless, and still as pertinent today as it ever was. NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response is not as well known as the NIST Computer Security Incident Handling Guide, and only covers a fraction of the overall NIST 800-53 controls framework. However NIST 800-86 gives vital guidance to anyone building or operating a forensics function, and giving this attention becomes ever more important in the cloud age.

NIST 800-86 essentially breaks down into two main areas:

1. Organizing a Forensics Capability covers staffing a team with the right skillset, defining the right policies and procedures, and putting in the necessary preparations and toolsets to perform forensics when the time comes.

2. Performing the Forensics Process breaks down the process into four main steps.
   • Collecting data from various sources
   • Examining the collected data
   • Analyzing the data to identify the cause of the incident
   • Reporting the findings

NIST SP 800-86 places a big emphasis on creating a consistent process for applying digital forensic techniques.

Cado can be a vital partner in extending NIST 800-86 into an environment with dynamic and elastic cloud resources

Cado as an enablement and investigation support partner helps you to devise strategy, architecture and enablement for your team to extend your forensic capabilities into the cloud, whether you would be using in-house personnel, or third-party or a combination of the two.

Cado as a platform for a consistent process and central point for forensics lets you create a consistent, methodical approach to performing forensics after an incident occurs. Cado lets you:

1. Define and test automated data collection processes both for cloud resources, and endpoints through EDR/XDR integration. Cado allows you to set up and test accesses, and rules around what to collect in different scenarios. Cado then automates data collection of logs, disk and volatile resources across VMs, containers and serverless functions when an incident happens.
2. Automatically process and examine diverse sets of data across multiple cloud providers and operating systems. Cado processes multiple file formats, filesystems, extracts files, parses logs and command histories, rebuilds file directory structures and a full timeline of activities across the systems.
3. Centralize a platform for analyzing and searching across datasets to understand root cause and scope. Cado applies both built-in and customer-supplied threat intelligence over processed data to identify known indicators of compromise. Cado then has a rich search interface to help the responder understand the attacker intent. Finally, Cado ships with - and allows customers to define their own - saved searches they can apply to processed data to adopt a methodical approach to data analysis.
4. Streamline reporting for different audiences to create reports at multiple levels. Cado can export the results of deep technical queries, metrics and dashboards related to a given project, and automated investigation reports that look to identify the most pertinent events in an investigation. Cado also allows LLM integration in order to translate events into readable English and provide recommendations on next steps.

Although SP 800-86 is 17 years old, it still provides a great basis on which to build a forensics capability, and Cado helps to bring it into the cloud age.