Strong IoT Security Requires Effective Forensic Analysis Capabilities

Forensic analysis of a cyberattack is complex at the best of times. Even with traditional IT equipment and cloud technologies, collecting forensic information can mean extensive manual data collection and manipulation to unify disparate types of intelligence into a coherent whole. With Internet of Things (IoT) devices, the struggle of collecting forensic information and transforming it into something useful is compounded. 

Forensic analysis as a practice also helps security teams evaluate their defenses and discover possible weaknesses in their posture management. Any effective forensic investigation into a cyberattack, whether successful or not, includes that element of evaluation. So it’s imperative that there is good data collected from every aspect of the network, including the IoT devices that may stymie investigations because of the challenge of collecting data. 

As such, there’s a critical need for a solution that can gather data from IoT devices and integrate it into reporting for effective investigation. This has also taken on new importance because of regulatory reporting requirements on security incidents. Unfortunately, gathering forensic data from connected devices is often not that easy.

The Forensic Analysis Challenge for IoT Security

Forensic analysis at a fundamental level is the retrospective examination of security incidents that have already occurred. As part of this process, IT and security teams collect data from their defensive tools and networked systems to understand the tactics, techniques, and procedures that cyberattackers use. 

Effective forensic analysis has taken on new urgency in the modern security landscape. There were more than 3,200 data breaches in 2023, according to recent data. Understanding how these breaches occurred and determining ways to prevent them in the future is the key value of forensic analysis. 

Traditional information technology and even cloud-based solutions often provide raw datasets that can be readily uploaded to analytics tools as part of this process. These datasets are not necessarily easy to extract, but they’re built to be readily pulled from the tools and used as part of digital forensics. 

By contrast, IoT devices often do not provide readily extractable data for analysis. This complicates forensic investigations of connected equipment: any intelligence must be gathered with other tools to understand how an attack that originated on an IoT device proceeded through your systems. In practice, the raw network traffic a device generates is the only dataset you can count on from any connected IoT device.

The tooling that analyzes these datasets could include anomalous behavior detection, as well as a solution that automatically inventories network-accessible devices and determines information about them. That information about the IoT devices on your network could include model number, MAC address, and any communication protocols they use. 

Resolving these challenges has taken on new importance in the wake of regulatory changes to reporting security incidents for public companies.

Regulatory Changes Require Enhanced Forensic Capabilities 

In 2023, the Securities and Exchange Commission (SEC) released new rules requiring public companies to report material cybersecurity incidents to the market. The rules require public companies to disclose cybersecurity incidents on Form 8-K under new Item 1.05, and their cybersecurity risk management practices in their annual Form 10-K filing. Foreign corporations that trade securities in the United States aren’t exempt from these rules; they must file the same information on Form 6-K and Form 20-F respectively. 

The Form 8-K report must be filed four days after the company becomes aware of the incident. Incident notifications issued since the rules took effect on December 18, 2023, have typically been brief 8-K notices stating that an incident occurred and that the company is investigating further. The notification from UnitedHealth Group about the recent Change Healthcare ransomware attack is one example. 

As these rules continue to be enforced, companies will likely seek out ways to provide more effective forensic information to regulators. Large-scale breaches like the Change Healthcare ransomware attack will trigger government involvement and regulator questions. This reality means that organizations need robust forensic analysis capabilities for every piece of their network-accessible infrastructure. This includes IoT devices.

How Asimily Helps Improve IoT Forensic Analysis 

The Asimily platform is designed to augment forensic analysis, especially for companies with many IoT devices attached to their network. Asimily does this with a few core capabilities, including: 

  • Automated inventory creation through passive network traffic monitoring, which discovers new or unknown IoT devices attached to your systems. 
  • Anomalous behavior detection, which identifies when IoT devices are behaving unusually and alerts security teams to investigate. 
  • Onboard Packet Capture, which makes it easy to capture network packet information continuously to improve IoT device forensics. 

These capabilities of the Asimily platform mean that customers can gather the insight they need from IoT devices to conduct accurate forensic analysis. It doesn’t matter if they do the forensic analysis themselves, or through a retained incident responder.

Automatic inventory creation is especially key in the context of digital forensics. Without an accurate IoT device landscape, security teams may not know where an attack originated or how it progressed. Knowing the complete inventory of network-accessible IoT devices and keeping that up to date means that security teams more readily know where to focus their forensic data gathering. 

The Asimily anomaly detection engine is designed to automatically observe all traffic to and from IoT devices and track potentially suspicious activity. This might include indicators of compromise and attempted breaches, as well as risky activity such as a device communicating with third parties the security team is unaware of. Asimily also has policy management features that enable security teams to detect incidents and trace them to their source. 

The Packet Capture capability is a key tool for forensic analysis. It captures raw network traffic either on command or, depending on policy, automatically in response to suspicious activity. You can define policies for what counts as an attack, an exploit, or other malicious activity and use them as triggers so that what the attacker is doing is recorded immediately, in real time.

Asimily also includes several types of reports that streamline forensic analysis: 

  • Topology Report that shows which devices and systems the IoT device in question was communicating with. Because it is an accurate map of device relationships in the organization, this data can be used to determine any possible lateral movement. 
  • Flow Analysis to determine which protocols a device is talking on and to what systems. Using this information, security teams can track any data that the device might be sending to other systems. 
  • Packet Capture for any monitored device that captures the traffic flowing to or from connected devices in a secure, local file. This data can be used for incident response and forensic analysis to reveal tactics, techniques, and procedures that cyberattackers use. 
  • Device Timelines that give a complete history of all changes made by people or software to a device, including when vulnerabilities were discovered or mitigated.
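The passive inventory, anomaly detection, capture-trigger and topology/flow-analysis ideas described above, worked through as an added example that is neither Asimily's code nor part of the original post: it builds a device inventory keyed by MAC from constructed flow summaries, derives the device-relationship edges a topology report draws, flags flows to peers outside the baseline (including an external third party), and decides which devices a capture policy would start recording. The MACs, IPs and the assumed organization prefix `10.0.0.0/8` are made-up values.

```python
from ipaddress import ip_address, ip_network

# Constructed flow summaries (src_mac, src_ip, dst_ip, dst_port, protocol), as a passive
# network sensor would report them. All addresses are made up; 203.0.113.0/24 is
# documentation space and stands in for an unknown third party on the Internet.
BASELINE_FLOWS = [  # learning period: traffic considered normal
    ("00:1a:2b:00:00:01", "10.0.5.11", "10.0.1.20", 443, "HTTPS"),
    ("00:1a:2b:00:00:02", "10.0.5.12", "10.0.1.30", 1883, "MQTT"),
    ("00:1a:2b:00:00:02", "10.0.5.12", "10.0.1.30", 1883, "MQTT"),
]
NEW_FLOWS = [  # observation window to evaluate against the baseline
    ("00:1a:2b:00:00:02", "10.0.5.12", "10.0.1.30", 1883, "MQTT"),     # normal
    ("00:1a:2b:00:00:02", "10.0.5.12", "203.0.113.7", 443, "HTTPS"),   # never-seen external peer
    ("00:1a:2b:00:00:03", "10.0.5.13", "10.0.1.20", 22, "SSH"),        # device not in inventory
]
ORG_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

def build_inventory(flows):
    """Passive inventory keyed by MAC: IPs, protocols and (peer, port, proto) tuples seen."""
    inventory = {}
    for mac, src_ip, dst_ip, dst_port, proto in flows:
        dev = inventory.setdefault(mac, {"ips": set(), "protocols": set(), "peers": set()})
        dev["ips"].add(src_ip)
        dev["protocols"].add(proto)
        dev["peers"].add((dst_ip, dst_port, proto))
    return inventory

def topology(inventory):
    """Device-to-destination edges: the relationship map a topology report draws."""
    return sorted({(mac, peer[0]) for mac, dev in inventory.items() for peer in dev["peers"]})

def detect_anomalies(inventory, flows):
    """Flag flows from devices missing from the inventory, or to peers absent from the
    baseline; a new peer outside ORG_NETS is an unknown third party."""
    alerts = []
    for mac, _src_ip, dst_ip, dst_port, proto in flows:
        if mac not in inventory:
            alerts.append((mac, dst_ip, "unknown device"))
        elif (dst_ip, dst_port, proto) not in inventory[mac]["peers"]:
            internal = any(ip_address(dst_ip) in net for net in ORG_NETS)
            alerts.append((mac, dst_ip, "new internal peer" if internal else "new external peer"))
    return alerts

def capture_triggers(alerts, policy=("unknown device", "new external peer")):
    """Packet-capture policy: MACs of devices whose alerts should start a recording."""
    return sorted({mac for mac, _dst_ip, reason in alerts if reason in policy})

if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FLOWS)
    alerts = detect_anomalies(baseline, NEW_FLOWS)
    print("topology edges:", topology(baseline))
    print("alerts:", alerts)
    print("start capture for:", capture_triggers(alerts))
```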

These reports and the investigation technology of Asimily empower its customers with the ability to readily discover the root cause of cyberattacks. Its reporting and forensic tools also enable better insights to respond to regulatory requirements and inform better defensive strategies. Forensic analysis will always be complex, but Asimily can make it easier for IoT systems.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.