Your business has been hacked: it’s time to call in forensics
The first you know about the hack could be an email from a hacker threatening to release your customers' personal records if you don't pay a ransom, or your website going down, or customers reporting suspicious activity.
Who do you call for help?
Vijay Rathour, Vice President at computer forensics and investigations experts Stroz Friedberg (external link), takes us through the roles and responsibilities of a forensic examiner/consultant – often the first people on the 'scene'.
What's your role?
My specific role requires me to take overall control of the response to the information security incident. After we're called in by a business following a data breach, for example, I have a team of experts collecting data logs, accessing laptops, servers and PCs to get an understanding of what's going on. We want to quickly get the client into a position that they can understand what they've lost and gauge how serious the event is.
What are the distinct stages of an incident response?
We see the lifecycle of an incident response as four distinct though overlapping phases: preparation; detection and analysis; containment, eradication and recovery and finally post-incident recovery.
How important is preparation for a potential information security event?
Preparedness is essential. It involves getting staff through cyber training, cyber awareness, understanding that they should be using strong passwords, being careful with USB sticks. The majority of data breaches are still caused by or worsened by insiders and the human factor, whether it's weak passwords, accidental human error or opening attachments from spam email addresses, for example. Having an incident response plan in place beforehand is also critical.
What does detection involve?
In the detection phase, an organisation like ours might come in and do a sweep of the client's IT systems, or the organisation's own IT infrastructure should be looking out for people trying to 'knock on doors'. One breach we've seen involved a web administrator for a business who was alerted that someone was trying to hack into his business's website – thousands of times daily. Unfortunately, he ignored them all because he was getting too many email notifications to read. These were all warning signs that someone was actually trying to break-in and, because they were ignored, the database was stolen.
How soon do you like to get involved?
Time is a massive factor in the circumstances of a data breach and minimising the cost and harm that flows from it. You want to catch these things in the act, and the sooner you can do that the better. Think about IP addresses, for example – it can be possible to geo-locate and identify approximately where someone came from when they broke into an organisation's systems. Typically they will be masked, but the logging information will be recording the activities of the intruder, and sound analysis will allow us to follow their tracks within the organisation. That has to be timely information.
Surprisingly, because today's hackers are more interested in staying hidden for longer, the typical average time that passes from the intrusion to the point at which it is detected is 206 days.
What happens once you've been notified?
This is the containment, eradication and recovery phase. We will respond by asking clients not to switch things off and not to change anything, where possible. Once in place at the business, we will start to go through data logs – the richest narrative available – and collect information in every way we can.
Bigger organisations will have a SEIM (Security Event Incident Management) infrastructure that collects data logs from sources like firewalls, websites, and their network and brings it all together, highlighting alerts or problems. We get on the ground and access their SEIM, or, if they don't have one, go to each location where useful logs are generated. We will also start to do forensic imaging of IT devices such as point of sale devices, as well as hard drives from servers, laptops and desktops. Live memory analysis, data loss prevention systems and behavioural anomaly analytics are all becoming part of an effective incident responder's playbook.
What help do you need?
As soon as we arrive, we need to know who is responsible for the organisation's systems. For a small business, it might be someone external if they outsource their IT. Does the company know who the web host is? Where is the email server held? What are the reporting lines for IT? Who will chaperone us through the organisation? Can we get access to all the data logs? What passwords do we need?
The ability to have someone like us who can quickly get on the ground and understand the severity of the situation, allows the business to know the size of the breach. It also helps show them how to respond to customers, regulators and the media if necessary, which is critical in helping to minimise the pain, cost and disruption to the business.
What additional tips would you suggest?
Prepare, test, and prepare again! Adversity can be a great teacher, but the commercial realities push us to minimise the time to get you back on your feet again. The better prepared the organisation is, and the better we know the systems before an event, the sooner the organisation can get back to business as usual.
Also, you should not call any kind of breach a data breach in any communications – to your staff or externally – until it's been adjudicated as such by a lawyer. If you end up in court and/or if the regulator looks at your communications and sees you referring to a data breach, they may say that you already knew it was a severe incident, so why did you delay in notification? Better to refer to the breach as an 'event' or an 'incident'.
Further information for small businesses looking to protect themselves from a cyber attack can be found at the UK Government's Cyber Essential initiative (external link).
For more in our cyber series, visit our cyber hub or read more:
Find out how you can protect your business over on our Cyber and Data Insurance page.