This week on our blog, we have a guest post from Thomas Padgett who is Senior Incident Response Analyst at NTT Security.

A cyber breach can be devastating. Knowing what to do in the first 72 hours can minimize the impact and reduce the stress. Missing a regulatory deadline for reporting lost data can carry financial penalties, so the days of putting our heads down and doing a full investigation first are over. It is vitally important to involve legal counsel as soon as the incident has been validated. Counsel will advise on reporting procedures, know when to notify the cyber insurer, and provide the language for notifying stakeholders, clients and, if need be, the public.

Because of these legal ramifications, today’s initial response is split into two parallel investigations: 

  • breach impact assessment 
  • containment and root-cause analysis  

Both investigations must start immediately after the incident is validated. The first establishes what data, if any, was exposed outside the organization, which drives the legal and regulatory response; the second establishes how the attacker got in, so a countermeasure can be put in place and the incident does not recur. For forensic purposes, evidence preservation should be on the Incident Response Team’s mind from the very beginning. 

The evidence obtained during the investigation will play a major role in any criminal or civil litigation. How the evidence was handled, the documentation of the engagement and the chain of custody can be the deciding factor in a case. This small but important detail is often overlooked in the rush to contain and mitigate the incident. Some evidence is volatile (memory contents, running processes and active network connections are lost when a host is powered off or reimaged), so it may need to be collected before any other step is taken.

Whatever step of the incident response process you are in, one of the simplest but most important tasks is to document. Every action from identification through remediation, and every step in between, must be well documented. 

Step 1 Engage your organization’s Incident Response (IR) Team: 

  • Record date and time of initial notification of the cyber incident
  • Record date and time of IR team engagement 
  • Document all actions 
  • Identify the correct incident severity level
  • Speak with the reporting party to determine any additional details

Step 2 Engage Legal:

  • Engage legal with the initial findings and keep them apprised of everything discovered afterwards
  • Determine any reporting constraints or information requests that may affect the IR Team, such as: 
    • Time constraints imposed by legal or regulatory deadlines
    • Restrictions on who may review the evidence and where it must reside 
    • Specific details needed by legal, such as:
      • Information accessed by the attacker
      • Number of compromised accounts
      • Number of individuals whose information was compromised
      • Specific locations of the affected systems and users 
    • Whether legal has declared a breach based on the information provided
      • What further information is needed to determine whether a breach occurred
    • Whether to engage law enforcement to assist

Step 3 Evidence Preservation:

  • Preserve all artifacts that could be associated with the incident, such as:
    • Log files
    • Memory captures
    • Virtual disk images (e.g. VMDK) or VM snapshots
    • Physical hard drives
    • The original email (complete message, with headers)
    • The original malware samples  
  • Maintain a proper chain of custody (who collected what, when, and the hash of each artifact)
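A minimal way to carry out the hashing and custody logging that Step 3 calls for, as an added example that is not part of the original post: it hashes each artifact with SHA-256 at collection time, records every custody event in a hash-chained log, and can later tell a tampered artifact or a rewritten log entry apart from a clean one. The case id, analyst names, file names and log contents are constructed placeholders.

```python
"""Hash-chained evidence manifest for Step 3: preservation plus chain of custody.

Added example, not code from the original post or from NTT Security. Each
artifact is hashed at collection time and every custody event is appended to a
log whose entries are chained together, so a changed artifact or an edited or
deleted custody entry is detectable later. All names and contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB disk image need not fit in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest(record):
    # Canonical JSON (sorted keys) so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class EvidenceManifest:
    def __init__(self, case_id):
        self.case_id = case_id
        self.artifacts = {}  # evidence_id -> path, hash and description at collection
        self.custody = []    # hash-chained custody log, oldest first

    def _log(self, **fields):
        # Every entry carries the previous entry's hash, so rewriting or deleting
        # any earlier entry breaks the chain that verify_chain() walks.
        prev = self.custody[-1]["entry_hash"] if self.custody else "0" * 64
        record = dict(fields, case_id=self.case_id, prev_hash=prev,
                      time=datetime.now(timezone.utc).isoformat(timespec="seconds"))
        record["entry_hash"] = _digest(record)
        self.custody.append(record)

    def collect(self, evidence_id, path, description, collector):
        """Hash an artifact at collection time and open its custody trail."""
        digest = sha256_file(path)
        self.artifacts[evidence_id] = {"path": str(path), "sha256": digest,
                                       "description": description}
        self._log(event="collected", evidence_id=evidence_id, sha256=digest,
                  by=collector, description=description)

    def transfer(self, evidence_id, from_person, to_person):
        """Record a hand-off; the artifact is re-hashed so both parties attest to the same bytes."""
        digest = sha256_file(self.artifacts[evidence_id]["path"])
        self._log(event="transferred", evidence_id=evidence_id, sha256=digest,
                  by=from_person, to=to_person)

    def altered_artifacts(self):
        """Re-hash every artifact and return the ids whose bytes changed since collection."""
        return sorted(eid for eid, a in self.artifacts.items()
                      if sha256_file(a["path"]) != a["sha256"])

    def verify_chain(self):
        """True if every custody entry hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for entry in self.custody:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Run the workflow on constructed files; returns the checks before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_log = Path(tmp) / "auth.log"
        email = Path(tmp) / "phish.eml"
        # Constructed sample artifacts standing in for a collected log and the original email.
        auth_log.write_text("Mar  3 02:14:07 web01 sshd[412]: Accepted password for svc from 203.0.113.9\n")
        email.write_bytes(b"From: attacker@example.invalid\r\nSubject: Invoice\r\n\r\nsee attached\r\n")
        m = EvidenceManifest("IR-2024-0001")
        m.collect("E1", auth_log, "auth log from web01", "T. Analyst")
        m.collect("E2", email, "original phishing email", "T. Analyst")
        m.transfer("E2", "T. Analyst", "Outside forensics")
        before = (m.altered_artifacts(), m.verify_chain())
        auth_log.write_text("cleaned\n")          # evidence tampered with after collection
        m.custody[0]["by"] = "someone else"       # custody record edited after the fact
        after = (m.altered_artifacts(), m.verify_chain())
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the checks before and after tampering: `demo()` pairs the list of altered artifact ids with the chain-verification result. In practice the manifest and hashes would be written out (for example as JSON) and stored write-once or countersigned, so the custody log itself cannot be quietly replaced along with the evidence.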

Step 4 Containment: 

  • Isolate the affected system or network segment
  • Stop any further data loss 
  • Consider engaging outside forensic services if needed

Once the initial bleeding has been stopped, root-cause analysis determines the remediation steps to take. This may not be complete within the first 72 hours, but the results matter: the root cause and the remediation steps are key inputs for legal and executive management and should be provided to both. The goal is to identify the gap in the system that allowed the incident to happen. The IR team should review:

  • System, security and application log files 
  • Network configuration details and settings 
  • User accounts and permissions
  • Running processes and scheduled tasks
  • Antivirus (AV) alerts
  • OS settings and default programs

Step 5 Remediation:

  • Apply updates and patches
  • Update AV software and signatures
  • Make any configuration changes identified during root-cause analysis
  • Conduct end-user training
  • Wipe and reimage the affected device (only after its evidence has been preserved)

Involving legal counsel and the communications team from the beginning of the incident is the best way to comply with all reporting requirements and minimize the legal impact. The work performed in the first 72 hours is essential and can have a lasting impact on the entire organization. The preparation and training of your incident response team is the organization’s best countermeasure. The mindset that “our security controls will never be breached” only sets you up for failure. Proper planning and practice are essential to the IR Team’s ability to respond effectively, promptly and properly during the first 72 hours of an incident.