A cyber, or security incident, is defined as unexpected or unusual activity which may indicate that one or more devices, accounts or data repositories have been compromised. The cyber incident may be something as obvious as the identification of an encrypted computer from ransomware or something not as obvious as a phishing email with dubious origin. Depending on company policy, governing regulations or for other reasons you may have to research and analyze the cyber incident to determine with it rises to the level of a data breach. To answer this question, digital forensics is your tool.
The first step of any digital forensic analysis in response to a cyber incident is to identify the source of the incident. Digital forensic organizations like Vestige frequently assist organizations in this identification phase. Was the organization’s network infected by a ransomware attack and if so, which variant of ransomware and how did it get into the environment? Was an employee the victim of a phishing attack? Which device is “patient 0?” Most importantly, what else did the intruder do and did it involve the theft of any data.
Sometimes, the analysis follows a specific script. An example is the HAFNIUM exploit. The HAFNIUM exploit, initially disclosed by Microsoft in early March 2021, targeted several vulnerabilities on Microsoft Exchange servers. The HAFNIUM exploit exhibited a known series of actions and behavior on an Exchange server, which required specific analysis to accurately identify. Other times the analysis can be free flowing with each new finding leading the digital forensic team down a path that can be unexpected.
Goals of the forensic analysis
Digital forensics is well equipped to answer the numerous questions emanating from a cyber security incident. In the example of a phishing email that imitates an employee of a company, digital forensics can get to the bottom of where that email truly originated and whether an employee’s mailbox was compromised to facilitate sending the email, which would elevate the cyber security incident to a potential data breach. In the case of a ransomware attack, digital forensics can answer how it started and what machines were affected. What is common to all cyber security incidents is the question of whether the hacker still has access to an environment, if some type of malicious software (malware) exists in an environment and whether any data was stolen. Digital forensics is the process by which these questions are answered.
What to do when an incident occurs
Ideally, a company should have a plan created ahead of time to respond to a cyber security incident. That plan would include who to contact for legal, insurance and digital forensic purposes. The plan would also include what devices and systems are mission critical and the process for standing those devices back up if they have to be rebuilt and how that may affect the digital forensic analysis. It is often overlooked, but most important to understand, that the rebuilding of infected computers or servers can severely hamper a digital forensic analysis which can have legal and regulatory consequences.
Preparing for a cyber security incident ahead of time can help a company understand what crucial activity is logged, for how long and where it is kept. Just as important as not carelessly rebuilding computers needed for a digital forensic analysis is making sure that activity such as who is logging into what mailboxes, computers or other systems is kept for an appropriate amount of time, often 9 months to a year. It is often that the genesis of a cyber security incident occurred months prior to its discovery and not having the appropriate logging of activity can also be detrimental.
So ultimately, what do you do when an incident occurs? Follow your plan. If you don’t have a plan, make one — today. If you get caught in a cyber security incident without a plan, at least make sure you have contact information for insurance, outside counsel and digital forensics experts. Learn more about Vestige’s proactive BreachReady℠ service.
The Benefits of a Digital Forensic Analysis after an Incident
A thorough forensic analysis will review all aspects related to an incident. Whether the incident is a known attack or a zero-day malware, a forensic analysis will answer the many questions such an incident can pose. Vestige has the experience of working hundreds of incident response matters to provide clients with the intelligence required to navigate the ramifications of an incident and create a plan moving forward. CONTACT VESTIGE to learn more.
By Ian Finch, BS, GCFA,
Senior Forensic Analyst
Vestige Digital Investigations