Forensics: Plan for Success

Posted by Mark Greisiger

A Q&A with:

  • Navid Jam, director of security consulting services at Mandiant.
  • Daimon Geopfert, national leader of security and privacy consulting at RSM.
  • Darin Bielby, managing director of disputes and investigations at Navigant.
  • Bill Hardin, vice president of forensics services at Charles River Associates.
  • Jason Smolanoff, managing director, global practice leader of cyber security and investigations at Kroll.
  • Austin Murphy, director of incident response for CrowdStrike.

Forensics firms play a vital role in any data loss incident, helping the breached organization determine exactly what went wrong, assess the scope of the damage, and, in conjunction with a Breach Coach®’s efforts, take steps to remediate the problem. We spoke with leading forensics experts about dos and don’ts for an optimal forensics process.

What can be done to prevent a breach?
Bielby: We tell clients to always pick up the phone and call if they get a request for a wire transfer over email. People need to change passwords every three months and do a better job of managing IT credentials in general.

Hardin: IT people often set up a system and keep the default settings. Organizations continue to store data they don’t need anymore.

Smolanoff: People over-rely on intrusion detection systems and think this type of monitoring will protect them but what they need to truly be more secure are strong governance structures, policies, auditing and operations.

Murphy: Adding second-factor authentication is critical to reducing phishing campaigns and brute force attacks.

What client-side mistakes can impede an investigation?
Jam: It can sometimes take three days to a week to negotiate a contract and that’s too long. This is one of the reasons we recommend having a retainer in place.

Hardin: Know who the point of contact internally is, and who “owns” the investigation. Recognize that if you have a Breach Coach® you have attorney client privilege: Have them engage us.

Geopfert: Be careful not to destroy evidence. Don’t image systems or take them offline until we can talk to you.

Bielby: Many more people are using third parties for their cloud data but they may not have a contract that tells the vendor that they need to provide the data during a breach in a specific timeframe with a penalty for not complying.

Murphy: Without a good inventory, it can be very difficult to holistically assess the triage. Our greatest personnel challenge is when there is internal conflict about going offline or rebooting the system given the potential impact on operations. These are issues that need to be weighed and decided in advance of an actual event.

What drives up the cost of an investigation?
Murphy: Simple math can drive up the cost. The more systems there are, the more time it’s going to take. Better detection systems can help alert organizations to a problem in the first place and eliminate the number of systems affected.

Jam: If a client tries to limit us and only allows us to work through 10,000 hosts of 100,000 but we ultimately end up having to go through those other hosts it adds much more time to the investigation. What many clients don’t realize is that forensics is actually the tip of the iceberg for incident response costs, so their cooperation and willingness to let us do our job can help save elsewhere.

Do your clients come to a breach event with an effective incident response plan? What can clients do to improve their IRPs?
Geopfert: We see plans that have five pages total, including a title page, a table of contents and a call tree and maybe one remaining page that instructs them to get on a conference call and yell at each other.

Hardin: A plan should not be 50 pages and very granular. It should be something you can quickly read and use.

Jam: Test often to make sure it’s still relevant and the players involved understand their roles.

Smolanoff: Expect that a state AG or regulator is going to do a lookback to see if you complied with your own plan and its procedures.

How can clients better partner with forensics on the investigation?
Jam: Make sure you understand your environment, your tools and your processes so you can answer questions and assist the investigator.

Geopfert: Practice, practice, practice. We run clients through an incident response exercise. Practice for an active hacker, ransomware, social engineering—and get a broad understanding of what needs to be done across the board.

Bielby: Keep detailed log files and ideally store them for a year. Oftentimes companies leave their logging on the default settings which means they may be getting overwritten more frequently than you think. Detailed logs can cut down investigation time significantly.
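The "overwritten more frequently than you think" point is easy to quantify. The following is an added example, not code from the article or from any of the firms quoted: it estimates how many days of history a size-capped, overwrite-when-full log actually holds at a given event rate, and what cap would be needed to reach a one-year target. All log names, sizes and rates are constructed sample inputs (the 20 MB circular cap mirrors a common Windows event log default, but treat it as an assumption and read your own settings), and `LogSource`, `retention_days`, `bytes_for_retention` and `audit` are names chosen for this example.

```python
"""Added example (not from the article): estimate real retention of a
size-capped, circular log and the cap needed to hold a retention target.
All sources below are constructed sample inputs, not measurements."""
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class LogSource:
    name: str
    max_bytes: int           # configured maximum log size on disk
    avg_event_bytes: int     # mean size of one record as stored
    events_per_sec: float    # sustained ingestion rate
    circular: bool = True    # overwrite-oldest when full (the usual default)


def retention_days(src: LogSource) -> float:
    """Days of history held before the oldest record is overwritten.

    A retain/archive (non-circular) log never overwrites, so retention is
    reported as unbounded here; in practice it archives or stops logging
    when full, which is a different failure to check for.
    """
    if not src.circular:
        return float("inf")
    capacity_events = src.max_bytes / src.avg_event_bytes
    return capacity_events / src.events_per_sec / SECONDS_PER_DAY


def bytes_for_retention(src: LogSource, days: int) -> int:
    """Smallest cap (bytes) that keeps `days` of history at the source's rate."""
    return math.ceil(src.events_per_sec * days * SECONDS_PER_DAY * src.avg_event_bytes)


def audit(sources, target_days: int = 365):
    """Return (name, days_held, bytes_needed) for every source below target."""
    findings = []
    for src in sources:
        held = retention_days(src)
        if held < target_days:
            findings.append((src.name, held, bytes_for_retention(src, target_days)))
    return findings


# Constructed sample inputs (assumed values, not from any real environment).
SAMPLE = [
    # 20 MB circular cap, ~1 KB per record, 5 events/s: wraps in about an hour.
    LogSource("win-security-default", 20 * 1024 * 1024, 1024, 5.0),
    # 50 MB circular cap, small records, low rate: about six days.
    LogSource("sshd-auth", 50 * 1024 * 1024, 200, 0.5),
    # Archive-on-full forwarder: never overwrites, so not flagged by this check.
    LogSource("fw-syslog-archive", 1024 ** 3, 300, 50.0, circular=False),
]

if __name__ == "__main__":
    for name, held, needed in audit(SAMPLE):
        print(f"{name}: holds {held:.2f} days; need ~{needed / 1024 ** 3:.1f} GiB "
              f"for 365 days (or forward to a SIEM)")
```

The numbers this produces for a busy host are large, which is the practical lesson: a one-year retention target is rarely met by raising a local cap alone, so the realistic fix is to enlarge the local buffer enough to survive a weekend and forward everything to central, append-only storage whose retention you control.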

Hardin: If you can think clearly, accept the bad news and the facts of the case and look for ways to improve processes going forward, you’re in a much better place to handle the event response.

In summary…
We want to thank these industry experts for their insights into incident response and the forensic investigation process. Getting planning and preparation right, and properly enabling the post-breach computer forensic investigation, leads to a better outcome for these increasingly costly data breach claims.

For the expanded version of this article, log in to the eRiskHub and check the Learning Center – Forensics: Planning for a Successful Investigation.