The highly successful American TV show The First 48 is a documentary television series on A&E. The audience is shown video recordings of real-life investigations as a camera crew follows homicide detectives during the critical first 48 hours of a murder investigation. The producers provide unprecedented behind-the-scenes video and audio footage of crime scenes, suspect interrogations, and various forensic examinations. The show's premise is that most cases are solved within the first 48 hours and that the success rate diminishes considerably as cases drag on for days, weeks, months, and even years (cold cases).
Like the detectives on the TV show, incident responders seek to determine the who, what, when, where, and how of a cyber case based upon a timeline. As cyber investigators, we are also always asked what to do in the next (or first) 48 hours when there is a cyber incident or breach. To answer that question effectively, it is imperative to first understand the chronological realities of a cyber incident, as depicted in Figure 1.
For any given cyber incident, there are three 'cyber truths'. The first truth is the date and time the initial cyber incident occurred. Most cyber attacks go undiscovered for approximately 200 days. Even for cyber intrusion examiners, establishing a timeline of when the cyber incident occurred is extremely difficult. Part of the difficulty is that cyber incidents unfold along a Cyber Kill Chain rather than at a single moment.
Depending on the type of cyber crime, each stage of the Cyber Kill Chain may or may not constitute a cyber incident. For example, a malicious insider may be authorized to access a server or application, and, as a result, that access alone would not be a cyber offense. So, an organization must first determine at which Cyber Kill Chain stage the cyber incident began before it can establish when the incident occurred. In addition, organizations cannot report what they don't know. Establishing the first 48 hours of an undiscovered cyber incident is therefore not possible.
Incident discovery, the second truth, is the time when an organization becomes aware that a cyber incident has occurred. At this point the organization is first learning that a malicious cyber incident has occurred and is unable to articulate any specifics beyond the fact that a system or application is behaving strangely. Organizations may attempt to resolve the issue themselves, an effort that typically lasts between one and four weeks. During this period, besides trying to determine why the system is behaving strangely, organizations are under enormous pressure to return the system or application to normal business operation.
The pressure to investigate and understand the impact and root cause, and the pressure to restore normal business operations as quickly as possible, can result in conflicting realities. The actions taken to restore normal operations can destroy information of evidentiary value to the cyber investigator.
For cyber cases, the most precious commodity lost is volatile data, which erodes both with elapsed time and through the non-forensically sound activities of an overzealous IT administrator. The loss of volatile data is like the loss of fingerprints or DNA on the outside of a window when it starts to rain: once gone, it is not recoverable. So, starting the first 48 hours at the discovery of the cyber incident can already be too late; the attacker is most likely long gone.
Incident reported, the third truth, is the moment when an organization contacts a cyber intrusion professional. For many organizations, this zeitgeist (a special intersection of time and a request for help) represents the start of the proverbial clock (the first 48 hours). So, does this truth represent the first 48 hours of a cyber incident or breach? Or is it just more lost time? Since the attacker is already long gone, starting the first 48 hours at the moment the organization seeks help, or admits there is a big problem, is also too late.
So, which of the three truths (incident occurred, incident discovered, incident reported) marks the start of the first 48 hours, given that the loss of volatile data, the compromise of additional systems, and additional financial loss can all occur in the meantime? Just as on the TV show The First 48, the success rate of most cyber cases diminishes considerably as cases go on for days, weeks, months, or years. Every hour of accumulated lost time further weakens the ability to resolve the cyber case.
In most cyber cases, by the time the cyber attack is discovered, approximately 200 days later, the damage is done, and the attacker is either long gone or has established additional footholds in the environment. As a result, the only two priorities for an organization are to minimize further business impact or liability (e.g. stop the financial bleeding) and, if possible, determine the WHO, WHAT, WHEN, WHERE, WHY, and HOW in order to prevent a recurrence.
Since stopping the financial bleeding is in most instances the first and highest priority for many organizations, the cyber incident clock does not start ticking the moment the incident response team is contacted, nor does it start ticking when the incident is discovered by the client. In fact, most organizations want to know when the incident initially occurred, or how far back it started! So when does the clock start ticking? To borrow the Star Trek term, and movie title, First Contact (depicted in Figure 2), the attacker's first nefarious interaction with the environment, at whichever stage of the Cyber Kill Chain it occurs, is the point at which the cyber intrusion expert is most likely to collect the best evidence and possibly prevent further damage. First contact represents the start of the proverbial cyber incident clock (the first 48 hours).
Figure 2. Star Trek First Contact
In conclusion, the best advice I typically give organizations during the lessons-learned stage is about "what you should have done with the previous 48 hours" before the cyber incident or breach occurred, not "what to do in the next 48 hours". I advise them that the clock does not start ticking at discovery; it was already ticking before they discovered the cyber incident, and they should have had a tested and well-vetted cyber incident response plan. The plan, which is comprised of multiple elements, functions as a guide and points to the other resources needed to quickly and completely investigate and document an incident when responding to it. Figure 3 provides a sample listing of the plan's critical elements.