Tasawar Jalali, CISSP, CISM
Tasawar Jalali is the co-founder and CEO of Securenode and co-founder of Smashon Inc, an online health and wellness portal based in Silicon Valley. He is also the Chairman of the Ibaadatkhana Foundation. The views expressed are his own.
Recent breaches such as SolarWinds, MS Exchange, and Colonial Pipeline make it evident that the number, type, and complexity of cyberattacks keep growing every day. The truth is that no organization is immune to a cyberattack. The financial impact of cyberattacks has been largely limited to businesses and federal, state, or local agencies. This year, common consumers woke up to a steep increase in gas prices at the local gas station due to a cyberattack on Colonial Pipeline, which disrupted the supply. If a cyber adversary is determined, especially a nation-state actor, it is just a matter of time before a cyber breach is experienced.
The minutes, hours, and days after a data breach can be quite stressful, chaotic, and confusing. Responding to a security incident requires planning, preparation, and supportive leadership. The obvious question is: what comes next when an organization becomes a victim of a cyber breach?
Inadequate cybersecurity staffing in almost all organizations makes it challenging to review and respond to all alerts and to investigate incidents effectively. Dedicated incident response teams are small or non-existent in most organizations. While some organizations have an ad-hoc incident response team, more are outsourcing incident response to Security-as-a-Service (SaaS) providers. Whether you have a dedicated response team or not, engaging different business units within the organization can supplement the lack of resources. It is imperative to enable a timely response to an incident by having a tested Incident Response (IR) plan and coordinating the effort with all department heads within the organization.
The first thing you must do as a cybersecurity manager or CISO is notify management and any other agency you may be required to notify by law. If your organization has cyber insurance, the carrier must be notified as soon as you find out about the incident.
How cyber insurance satisfies its retention under the policy depends on the order in which the forensics and, possibly, outside legal counsel invoices are presented and paid. Any services provided by the forensic investigators beyond those identified in the Statement of Work (SOW) will require a revised SOW outlining the proposed additional work and the estimated cost, for the insurance provider’s review and approval. Should the investigation develop such that your organization wants to take up any other Breach Response Services concerning the incident, such requests must be communicated to the insurance provider immediately to ensure coverage under the terms, conditions, and limitations of the policy. In the event the cyber insurance coverage is exhausted, your organization will need to be ready to cover such costs. For instance, a policy with an aggregate limit of liability of $5,000,000 may include a “Breach Response” services sub-limit of 1,000,000 notified individuals and $2,500,000 for legal, forensic, and public relations/crisis management. If the investigative costs exceed the coverage, i.e., $2.5 million in this case, your organization will need to cover the difference. The $2.5M coverage may seem adequate, but you shouldn’t be surprised if costs exceed the limit, given that the average cost of a data breach is $3.8 million (IBM Security Report, 2020).
The speed of containment can significantly impact breach costs, hence being prepared is a must. However, the remnants of an attack may linger for months, if not years, after a breach. According to a report published by IBM, the average time to identify and contain a data breach is 280 days. The longer it takes to identify and contain the breach, the more costly it becomes for the organization.
When a breach is identified, the most important steps you must take are to change passwords on accounts that may have been compromised and terminate any active sessions, disconnect affected devices from the internet, review remote access sessions and protocols, and apply critical patches to systems exposed to the internet. If you don’t have multi-factor authentication enabled, this might be the time to do so.
Engage a cyber forensic firm if your organization does not have the necessary tools or expertise to identify and contain a cyberattack. Cyber forensic firms use highly sophisticated tools, most of which are homegrown, to track the origins of cyberattacks and contain them. The objective of engaging these firms is to let resource-starved organizations leverage their skill set and acquire the advanced tools necessary for an effective investigation of the incident.
To satisfy the demand for digital forensics, the government offers several programs through the Cybersecurity and Infrastructure Security Agency (CISA), the Northern California Regional Intelligence Center (NCRIC), the California Cybersecurity Integration Center (Cal-CSIC), and other agencies to help state, local, and federal organizations with forensic investigations. These organizations can provide the qualified skill sets to conduct a forensic investigation but are usually inundated with urgent and time-sensitive investigations affecting critical government infrastructure. Hence these agencies largely remain inaccessible unless the data breach involves critical national infrastructure. Most likely you will need to engage an outside firm for the forensic investigation. The services these firms offer consist of the following:
– Digital forensics, log analysis, and malware analysis support
– Incident remediation assistance
– Deployment support of incident response technologies
– Regular status reporting and project management-related activities
– Reporting and/or presentations associated with findings and recommendations
The forensic investigation may include analysis and examination of information regarding the breach. Forensic analysis applies methods and practices to unveil the target and extent of a cyberattack against your organization, and as such the examiners may request at least the following from your IT department:
– List of running applications and processes
– List of user and system accounts
– List of services and applications configured to run on system start-up and user logon
– List of files and their associated timestamps that indicate the time that the files were created and last modified
– List of deleted files on the file system
– Date and time of the system
– Contents of event or system logs
– Active or recent network connections
– Network configuration
– Contents of the Windows registry
Once forensic examiners obtain the original evidence, they make a working copy and guard the original’s chain of custody. The examiners make sure the copy in their possession is intact and unaltered. They typically do this by verifying a hash, or digital fingerprint, of the evidence. Some of the evidence they may gather from logs and files to proceed with the investigation includes:
– Logon patterns that are not common in the environment
– Active network connections to external addresses not consistent with normal network connections
– Signs of suspicious activity in the event or system logs
– Processes with a suspicious file name, file location, or running time not consistent with normal process behavior
– Presence of malicious files, such as utilities used by an attacker or malware
– Presence of files with timestamps that align with periods of known attacker activity
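The first two indicators above (uncommon logon patterns and connections from external addresses) can be checked mechanically once a known-good baseline exists. The following is an added example, not part of the original article: it learns each user's usual source addresses and logon hours from a constructed, assumed known-good window of 4624-style logon events and flags later logons that depart from them, including RDP from a non-RFC1918 address. The log format, account names, addresses and the cutoff date are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample, loosely modelled on Windows 4624 logon events (type 2 = interactive,
# 3 = network, 10 = remote interactive/RDP). 3-4 May is the assumed known-good window.
SAMPLE_LOGS = """\
2021-05-03T02:40:05Z EventID=4624 user=svc_backup src=10.0.9.8 type=3
2021-05-03T09:02:11Z EventID=4624 user=alice src=10.0.4.21 type=2
2021-05-04T02:40:09Z EventID=4624 user=svc_backup src=10.0.9.8 type=3
2021-05-04T09:05:02Z EventID=4624 user=alice src=10.0.4.21 type=2
2021-05-05T02:41:07Z EventID=4624 user=svc_backup src=10.0.9.8 type=3
2021-05-05T02:44:52Z EventID=4624 user=alice src=203.0.113.45 type=10
2021-05-05T03:10:33Z EventID=4624 user=svc_backup src=203.0.113.45 type=10
2021-05-05T09:03:27Z EventID=4624 user=alice src=10.0.4.21 type=2
"""
CUTOFF = datetime(2021, 5, 5)  # events before this define "normal"; later ones are examined

LINE = re.compile(r"(\S+) EventID=4624 user=(\S+) src=(\S+) type=(\d+)")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Turn the log text into event dicts (time, user, src, type)."""
    return [{"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": u,
             "src": s, "type": int(t)} for ts, u, s, t in LINE.findall(text)]


def flag_uncommon_logons(events, cutoff):
    """Return (event, reasons) for post-cutoff logons that depart from each user's baseline."""
    sources, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["time"] < cutoff:               # learn per-user normal sources and hours
            sources[e["user"]].add(e["src"])
            hours[e["user"]].add(e["time"].hour)
    flagged = []
    for e in (x for x in events if x["time"] >= cutoff):
        reasons = []
        if e["src"] not in sources[e["user"]]:
            reasons.append("source address never seen for this user in baseline")
        if e["time"].hour not in hours[e["user"]]:
            reasons.append("logon hour never seen for this user in baseline")
        if e["type"] == 10 and not any(ip_address(e["src"]) in n for n in INTERNAL):
            reasons.append("RDP from an external address")
        if reasons:
            flagged.append((e, reasons))
    return flagged
```

Calling `flag_uncommon_logons(parse(SAMPLE_LOGS), CUTOFF)` flags only the two 5 May logons from 203.0.113.45; the nightly service-account logon passes because it matches that account's own baseline.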
During the investigation, the examiner may also collect images of volatile system memory from a live system before shutting it down, and collect images of the attached storage drives. The examiner may need to remove the internal HDD from the system and connect it to a forensic “write-blocker” device, which prevents the system used for imaging from modifying the drive, and preserve the image in an evidence file format such as EnCase Ex01. For virtual systems, pause the virtual machines and create a copy of the virtual machine while it is in its suspended state.
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all affected systems must be reimaged, malware removed, systems patched, and the latest updates applied. Whether you do this yourself or hire a third-party forensic firm, you need to ensure no traces of the attacker remain in the network.
Remediating a threat can seem straightforward, but guaranteeing that the problem is fixed and that no traces of malware or security issues remain in your systems is not simple. Eradicating traces of malicious software where the attacker has created a backdoor in an authorized application can be an arduous task. Next-generation Endpoint Detection and Response (EDR) tools may address elements of an attack such as lateral movement, dropped payloads, running processes, and established persistence, but in a supply chain attack these elements will be obfuscated. A software bill of materials (SBOM) that identifies and lists all software components, information about those components, and the relationships between them is essential to ensure that the threat can be identified and eradicated. Otherwise your organization may continue losing valuable data, which can lead to increased liability costs.
A forensic investigation is not complete once individual pieces of the incident have been eliminated, such as deleting malware, changing passwords, disabling breached user accounts, or identifying and remediating vulnerabilities. Throughout the investigation, legal advisors and attorneys play a critical role in the initial hours and days after a data breach is discovered, including advising the business on evidence preservation, data breach notification requirements, and strategies for reducing damages. You will need to engage in-house and outside legal counsel to address the extent and nature of the confidential information that has been breached and a strategy for communicating with those whose data has been breached.
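The hash verification and chain-of-custody record described above, as an added example that is not from the article or from any forensic tool: it streams a SHA-256 over an image file, records who handled the evidence and when, and marks a working copy as not intact the moment its digest stops matching the acquisition hash. The "image" is a few megabytes of random bytes written to a temporary directory, a constructed stand-in rather than a real E01 file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images never load into RAM


def sha256_file(path):
    """Hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def custody_entry(path, action, custodian, expected=None):
    """One chain-of-custody record; 'intact' is False if the hash drifted from acquisition."""
    digest = sha256_file(path)
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(path),
        "action": action,
        "custodian": custodian,
        "sha256": digest,
        "intact": expected is None or digest == expected,
    }


def demo():
    """Constructed scenario: acquire an image, copy it, verify, then catch a tampered copy."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "disk.E01")            # stand-in for the acquired image
    with open(image, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))        # random bytes, not a real E01
    log = [custody_entry(image, "acquired", "examiner-1")]
    acq_hash = log[0]["sha256"]
    copy = os.path.join(d, "disk-working.E01")
    with open(image, "rb") as src, open(copy, "wb") as dst:
        dst.write(src.read())
    log.append(custody_entry(copy, "working copy made", "examiner-1", acq_hash))
    with open(copy, "r+b") as f:                   # flip one byte to simulate alteration
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0xFF]))
    log.append(custody_entry(copy, "re-verified before analysis", "examiner-2", acq_hash))
    return log
```

In practice the acquisition hash is written down at imaging time and every later entry is checked against it; a single flipped byte anywhere in the image changes the digest and the record shows it.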
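An added example (not from the article) of the SBOM use just described: given a small, constructed SBOM in CycloneDX JSON layout, it walks the dependency graph in reverse to list every component that directly or transitively embeds a trojanised library, which is the set that has to be rebuilt or reimaged rather than just the one file the EDR flagged. The component names, versions and bom-refs are invented for the example.

```python
import json
from collections import defaultdict, deque

# Constructed SBOM fragment in CycloneDX JSON layout (components + dependency graph);
# every name, version and bom-ref below is invented for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-portal", "version": "3.2.0", "bom-ref": "app:billing"},
    {"type": "application", "name": "hr-sync", "version": "1.1.0", "bom-ref": "app:hrsync"},
    {"type": "library", "name": "net-monitor-agent", "version": "2.4.1", "bom-ref": "lib:agent"},
    {"type": "library", "name": "update-helper", "version": "0.9.3", "bom-ref": "lib:updhelper"},
    {"type": "library", "name": "json-utils", "version": "5.0.0", "bom-ref": "lib:json"}
  ],
  "dependencies": [
    {"ref": "app:billing", "dependsOn": ["lib:agent", "lib:json"]},
    {"ref": "app:hrsync", "dependsOn": ["lib:json"]},
    {"ref": "lib:agent", "dependsOn": ["lib:updhelper", "lib:json"]},
    {"ref": "lib:updhelper", "dependsOn": []},
    {"ref": "lib:json", "dependsOn": []}
  ]
}"""


def load_sbom(text):
    """Index components by bom-ref and build reverse edges (child -> set of parents)."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    dependents = defaultdict(set)
    for d in bom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            dependents[child].add(d["ref"])
    return comps, dependents


def blast_radius(dependents, bad_ref):
    """Every component that directly or transitively includes bad_ref (cycle-safe BFS)."""
    seen, queue = set(), deque([bad_ref])
    while queue:
        for parent in dependents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def eradication_list(sbom_text, bad_ref):
    """name@version of everything to rebuild or reimage because it embeds bad_ref."""
    comps, dependents = load_sbom(sbom_text)
    if bad_ref not in comps:   # an incomplete inventory is itself a finding
        raise KeyError(f"{bad_ref} is not in the SBOM; the inventory is incomplete")
    return sorted(f'{comps[r]["name"]}@{comps[r]["version"]}' for r in blast_radius(dependents, bad_ref))
```

For `eradication_list(SBOM_JSON, "lib:updhelper")` the answer is the agent that bundles it and the billing portal that ships the agent, while hr-sync is untouched; a ref absent from the SBOM raises, since a gap in the inventory means the blast radius cannot be trusted.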
You may also be required to notify the individuals affected by the data breach. There is currently no federal cybersecurity regulation covering the entire US that obligates organizations to alert the public of a data breach. Data breach notification requirements in the US are complex, with various federal and state laws. The following site lists data breach notification requirements by state: https://www.itgovernanceusa.com/data-breach-notification-laws.
Businesses that experience a very large data breach can be overwhelmed by the need to notify thousands of customers. The affected organization will need to notify its customers and business partners by mail, email, SMS text, or telephone and keep records of the completed notifications. Different states and regulations have different notification requirements; for instance, HIPAA requires breach notification letters to be sent within 60 days of the discovery of a breach unless law enforcement has requested a delay. In such cases, notifications should be sent as soon as that request has expired. If the breach involves the information of 500 people or more, you must notify the Federal Trade Commission (FTC) as soon as possible and within 10 business days after discovering the breach. Per the FTC, the notice to individuals must be easy to understand and must include the following information:
– a brief description of what happened, including the date of the breach and the date you discovered the breach
– the kind of PHI involved in the breach – insurance information, SSN, DOB, financial accounts, medication information, etc.
– if the breach puts people at risk for identity theft or other possible harm, suggested steps they can take to protect themselves
– if the breach includes SSN, you might suggest that people get a free copy of their credit report from www.annualcreditreport.com, monitor it for signs of identity theft, and place a fraud alert on their credit report
– if the breach includes financial information, for example, a credit card or bank account number, you might suggest that people monitor their accounts for suspicious activity and contact their financial institution about closing any accounts that may have been compromised
– a brief description of the steps your business is taking to investigate the breach, protect against future breaches, and mitigate the harm from the breach; and
– how people can contact you for more information. Your notice must include a toll-free telephone number, email address, website, or mailing address.
In addition, legal counsel will guide you through the contract implications with third parties, customer and employee class actions, insurance coverage, and other potential litigation that may arise from the breach.
Several vendors offer notification services, which your organization may engage after the completion of the investigation; this is the last step to close the investigation. The notification services work closely with outside legal counsel, who help draft the communication to the affected individuals and may have to deal with a potential lawsuit. The notification services usually include printing and mailing services, a call center with live agents (dedicated or shared), and any other custom requests. These costs are usually covered by cyber insurance. Although the insurance provider will help you identify the call center, you must ensure that call centers are compliant, have the necessary security controls and processes in place, and can scale to meet call volume demands. The call center should offer 24/7 live agent support to ensure coverage across all time zones.
Threats to data in computers, mobile devices, and information systems are always present and painful, but the journey after you have been hacked is an even bigger challenge.
When you experience your next security incident, remember to follow these steps:
- Notify management, the cyber insurance carrier, and any agency required by law
- Refer to your Incident Response plan
- Disconnect affected systems from the internet
- Reset passwords and terminate associated sessions
- Don’t destroy evidence
- Document everything!
- Update your Incident Response plan