Digital Guardian recently asked a group of cyber security experts what the most important step is following a data breach. Several answered with some variation of ‘find out how it happened’.
This might seem counterproductive: with so much post-breach chaos, from isolating the incident and letting staff know what’s going on to getting back to work and notifying affected individuals, surely it’s a time to be looking forward, not backward.
But as the experts explained, understanding the cause of the incident is an essential part of the incident response process.
So how should you approach a data breach investigation?
The crime scene
Your investigation should begin at the scene of the incident. This might be, for example,the victim’s computer, a web page or a physical space in which documents were compromised.
Senior Vice President and Chair of the Litigation Practice of LEVICK Jason Maloni said that, although “few people care what got you into this situation”, your organisation needs this information so you can communicate how you’re addressing the problem.
You should therefore approach data breaches in the same way police tackle physical crime. You probably don’t have any first-hand experience doing that, but the chances are that you’re familiar with the three core aspects that establish how a crime occurred:
Motive: why did the criminal launch the attack? Most breaches are the result of criminals attempting to steal data, but it could have been caused by an employee, either accidentally or maliciously.
Means: the tools that were used to commit the crime, such as malware, hacking expertise or access to a user’s login credentials.
Opportunity: how and when did the perpetrator commit the attack? Some data breaches can only occur during a small window, such as when vendors release patches for system vulnerabilities, whereas others are persistent threats.
Unlike a criminal investigation, however, there’s a good chance that the culprit wasn’t acting with criminal intent. Many data breaches are accidents caused by employee negligence or process failures.
The scene of the incident will generally provide you with the clues you need to work out – or at least make an educated guess regarding – who was responsible for the breach and how it occurred.
Gathering the evidence
Now you know what to look for, it’s time to identify and interpret those clues.
The most effective method is digital forensics.
This is the collection and interpretation of electronic data in an attempt to “preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events”.
Digital forensic investigation requires a combination of technological tools and an expert understanding of how to use them.
In recent years, digital forensics has become more effective and accessible to organisations. However, it’s still unaffordable or impractical for many, so you might be forced to rely on more hands-on investigative techniques.
Fortunately, most IT departments have the necessary tools to unearth vital clues. Log files are key, as they will show you who accessed or modified files and their IP address.
You should also interview relevant employees to find out if they know anything about the breach. This might be to verify information from log files or to ask questions about their team’s processes, which you can use to identify anything out of the ordinary.
Whether you use digital forensics or manual investigation, you should be able to find the cause of the breach within a few hours, enabling you to progress to the recovery process.
What should you do when you’re under attack?
When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.
That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.
With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.
Read more: itgovernance.co.uk