Breach Forensics: Preparing for an Investigation

Posted by Mark Greisiger

A Q&A with Steve Visser, Managing Director at Navigant Consulting
Many types of data security incidents can require a forensic investigation to uncover the depth of the breach and how it occurred, and this process is more efficient when an organization has anticipated what’s involved. I talked to Steve Visser—national leader of Navigant Consulting’s information security incident investigation and response practice—about what risk managers can do to prepare for a successful forensic investigation.

What proactive steps can a risk manager and IT personnel take to make a future forensics investigation go more smoothly and effectively?
There are four things I recommend:

  • Prepare a data map for the company. This is a high-level summary or list of all the data systems that exist within the organization and includes platforms, data format, system architecture, where data is stored (whether it’s insourced or outsourced), and a list of the relevant subject matter experts so you know who to go to when an incident occurs. We recommend clients look at this map on a quarterly basis and revise it accordingly.
  • Assess log retention and accessibility. These are records of access or data traffic for an organization or specific system. There are many different types of logs, and an investigator will need specific ones in the case of a security incident. Your organization is encouraged to be aware of what logs exist, where they are, how long they are retained for, and how to go about extracting them as evidence for an investigation.
  • Determine in advance any outside service providers or partners needed. These might include legal, forensics and notification services. Review contracts and negotiate terms in advance if possible, so that when an incident happens, you don’t lose time processing or vetting an agreement. In an ideal world we’d be contacted immediately so we can hit the ground running and give the organization a better chance of meeting any regulatory or legal deadlines imposed, such as notification. We welcome the chance to speak with organizations in advance to let them get to know us before an incident occurs, and we have a contract we can send for review before our services are needed.
  • Engage in response planning. Become familiar with the types of security incidents occurring these days and determine what you need to do internally as well as with service providers to effectively respond to such incidents. Many incidents fall into the categories of lost or stolen device; malware; or insider theft. There should be a plan for each of these key categories.
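The first two recommendations above (a data map and a log-retention assessment) can be checked against each other before an incident. The script below is an added example written for this post, not a Navigant tool: it assumes the data map lists, for each system, where its logs are kept and how many days the response plan requires them to be retained, and it compares that requirement with what the log sources actually hold. The systems, paths, log lines and audit time are all constructed for illustration.

```python
"""
Log-retention audit against a data map (added example, not a Navigant tool).
Assumes the data map maps each system to a log path and a required retention
window in days, and that a sample of each source's lines is available.
Systems, paths, log lines and the audit time are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed data map: system -> (log path, required retention in days)
DATA_MAP = {
    "ehr-app":      ("/var/log/ehr/access.log", 365),
    "vpn-gateway":  ("/var/log/vpn/auth.log", 180),
    "file-share":   ("/var/log/smb/audit.log", 90),
    "badge-system": ("/var/log/badge/events.log", 30),
}

# Constructed log samples keyed by path; each line starts with an ISO 8601 UTC stamp.
SAMPLE_LOGS = {
    "/var/log/ehr/access.log": [
        "2024-01-02T08:00:00Z user=alice record=1001 action=view",
        "2024-06-15T12:30:00Z user=bob record=2002 action=view",
    ],
    "/var/log/vpn/auth.log": [
        "2023-11-01T07:00:00Z user=carol result=success",
        "2024-06-14T19:45:00Z user=dave result=failure",
    ],
    "/var/log/smb/audit.log": [
        "2024-02-01T09:00:00Z user=erin path=/share/hr/payroll.xlsx op=read",
        "2024-06-10T09:00:00Z user=erin path=/share/hr/payroll.xlsx op=read",
    ],
    # badge-system is in the data map but nothing was collected for it.
}

# Constructed audit time: the moment an investigation would begin.
AUDIT_TIME = datetime(2024, 6, 16, 12, 0, tzinfo=timezone.utc)

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def parse_ts(line):
    """Return the line's UTC timestamp, or None if it does not start with one."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_retention(data_map, logs, now, max_stale_days=1):
    """Compare each source's actual coverage with the required window.

    Findings: 'missing'  - the data map names the source but no usable lines exist
              'stale: …' - collection appears to have stopped (newest entry too old)
              'short: …' - the oldest entry is newer than the required window
              'ok'       - coverage meets the requirement
    """
    findings = {}
    for system, (path, required_days) in data_map.items():
        stamps = [t for t in (parse_ts(l) for l in logs.get(path, [])) if t is not None]
        if not stamps:
            findings[system] = "missing"
            continue
        oldest, newest = min(stamps), max(stamps)
        stale_days = (now - newest).days
        covered_days = (now - oldest).days
        if stale_days > max_stale_days:
            findings[system] = f"stale: last entry {stale_days}d ago"
        elif covered_days < required_days:
            findings[system] = f"short: {covered_days}d retained, {required_days}d required"
        else:
            findings[system] = "ok"
    return findings


def run_audit():
    """Audit the constructed data map at the constructed audit time."""
    return audit_retention(DATA_MAP, SAMPLE_LOGS, AUDIT_TIME)


if __name__ == "__main__":
    for system, finding in run_audit().items():
        print(f"{system:14s} {finding}")
```

Run quarterly alongside the data-map review, this kind of check surfaces the two failures an investigator most often meets: a source the map promises but nobody collects, and a source whose earliest entries are far newer than the window the plan assumed.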

What are the typical steps involved in a data breach forensic investigation?
For all investigations, there’s information gathering and collection, forensic analysis and then data analysis in some situations to determine the impacted individuals and how to proceed with reporting and notification. Depending on the category of incident the specific steps will change to a certain degree.

In the case of malware, it’s a matter of finding the malware involved, often through a complex artifact analysis of the computer where it’s hiding. We’d then research the malware and determine its potential capabilities, and reverse-engineer and deposit it in a secure, self-contained “malware environment” so we can watch what it does next. Often, we also analyze logs to see if there are any indications of data exfiltration and, if needed, perform data mining to figure out what PHI or PII might have been involved.

With lost and stolen devices, which could be anything from a laptop to a phone to a backup drive, we first need to know if that device has been recovered. That’s the minority of cases, but if it was recovered, there is a need to determine if the device was accessed or utilized during the unaccounted-for time period. To accomplish that, we perform a data egress analysis on the device to evaluate whether anything was accessed or potentially removed. If it’s not recovered, then steps need to be taken to determine what data was on the device, often through evaluation of a backup or proxy. Then we proceed to data mining and analysis to find out what PHI or PII is involved.

When it comes to employees engaging in unauthorized activity, we can determine who has access to what information and analyze logs to see which records were accessed by specific employees and perform a rules-based analysis to evaluate whether each access instance was appropriate. We might also conduct a peer group comparative analysis among employees with similar responsibilities to find out if access patterns are consistent. Less commonly, there are cases when we get the list of individuals whose data was compromised first and we use that to trace back to the employees who viewed and/or extracted the information through log data analysis.

There’s no one-size-fits-all approach but in all cases the work has to be done as quickly as possible.
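The insider case described above combines three techniques on the same access logs: a rules-based check of each access, a peer-group comparison among employees with similar duties, and a trace-back from a list of affected individuals to the employees who viewed their records. The script below is an added example written for this post, not Navigant’s method. It assumes each log line carries the user, the user’s role and unit, the record accessed, and the unit that record belongs to; the unit-match rule, the role exemption, the outlier threshold and every log line are constructed for illustration.

```python
"""
Insider-access review of record-access logs (added example, not Navigant's method):
a rules-based check, a peer-group comparison, and a trace-back from affected
individuals to the employees who viewed them. Assumes each line carries
user, role, unit, record and record_unit. All lines, roles and rules are constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed access log. nurse_a and nurse_b stay within their unit; nurse_c
# browses eleven oncology records; clerk_a is a billing clerk who legitimately
# works across units.
ACCESS_LOG = [
    "2024-06-03T08:05:00Z user=nurse_a role=nurse unit=ICU record=P100 record_unit=ICU",
    "2024-06-03T08:20:00Z user=nurse_a role=nurse unit=ICU record=P101 record_unit=ICU",
    "2024-06-03T09:10:00Z user=nurse_a role=nurse unit=ICU record=P102 record_unit=ICU",
    "2024-06-03T10:00:00Z user=nurse_b role=nurse unit=ICU record=P100 record_unit=ICU",
    "2024-06-03T10:30:00Z user=nurse_b role=nurse unit=ICU record=P103 record_unit=ICU",
    "2024-06-04T08:00:00Z user=nurse_c role=nurse unit=ICU record=P100 record_unit=ICU",
    "2024-06-05T11:00:00Z user=clerk_a role=billing unit=BILLING record=P100 record_unit=ICU",
] + [
    f"2024-06-04T{9 + i:02d}:15:00Z user=nurse_c role=nurse unit=ICU record=P2{i:02d} record_unit=ONC"
    for i in range(11)
]

# Constructed rule: roles whose duties span units are exempt from the unit-match rule.
CROSS_UNIT_ROLES = {"billing"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its timestamp and key=value fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


EVENTS = [parse_line(line) for line in ACCESS_LOG]


def rules_check(events):
    """Flag accesses whose record belongs to a different unit than the user,
    unless the user's role is one that works across units."""
    return [e for e in events
            if e["role"] not in CROSS_UNIT_ROLES and e["unit"] != e["record_unit"]]


def peer_group_outliers(events, factor=3):
    """Count distinct records per user within each role and flag users whose
    count exceeds `factor` times their peer group's median."""
    per_role = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_role[e["role"]][e["user"]].add(e["record"])
    outliers = {}
    for users in per_role.values():
        counts = {u: len(recs) for u, recs in users.items()}
        med = median(counts.values())
        for user, n in counts.items():
            if n > factor * med:
                outliers[user] = (n, med)
    return outliers


def who_accessed(events, affected_records):
    """Trace back from affected individuals' records to every user who viewed them."""
    viewers = {r: set() for r in affected_records}
    for e in events:
        if e["record"] in viewers:
            viewers[e["record"]].add(e["user"])
    return viewers


if __name__ == "__main__":
    for e in rules_check(EVENTS):
        print("rule hit:", e["ts"], e["user"], e["record"], e["record_unit"])
    for user, (n, med) in peer_group_outliers(EVENTS).items():
        print(f"peer outlier: {user} touched {n} records, peer median {med}")
    for rec, users in who_accessed(EVENTS, ["P100", "P205"]).items():
        print(f"{rec} viewed by {sorted(users)}")
```

The role exemption is the detail worth noticing: without it, the billing clerk’s cross-unit access would be flagged alongside the nurse’s browsing, and the rules-based pass would generate findings the investigator then has to explain away. The peer-group pass catches the same nurse a different way, by volume relative to peers rather than by any single access, which is why the two are run together.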

Once a breach has occurred, how might a client or their Breach Coach engage your firm? What obstacles most often impact the outcome of an investigation?
Navigant is on what’s called a panel with most cyber risk insurers so if an organization has cyber risk insurance, one of the first things they should do is notify the insurer and they will be connected with Navigant. We also know most of the data breach coach attorneys that handle incidents in the US, so they might also retain us on behalf of their client.

One of the biggest obstacles to an investigation is to wait too long to bring in appropriate service providers. The second obstacle would be not providing access to the right information, either by not connecting us with the right people internally or not having the right retention protocols to ensure sufficient data for the forensic analyses. It’s definitely an advantage to retain counsel first granting your organization attorney-client privilege and then have the counsel retain us. An attorney will be able to help determine whether it’s necessary to report the incident as a breach—in some situations we have been able to perform a forensic analysis and conclude low probability of risk of harm. We come to this from a technical perspective where the attorneys come from a regulatory and legal perspective, and together we can help determine the implications of an incident.

Mr. Visser’s contact information is as follows:

Steve Visser
Managing Director | Disputes & Investigations
Navigant Consulting, Inc.
1331 17th St. Suite 808
Denver, CO 80202
Office: (303) 383-7305 | Mobile: (303) 888-5822

In summary…
Mr. Visser did a nice job of outlining some of the key issues pertaining to a data breach incident that may also involve cyber liability insurance coverage. Network security event logs are especially critical to any claims investigation so the insurer can understand “who, what, when, where and how” for proper claims adjustment. For example, the insurance carrier might want to confirm that the breach event occurred and/or was discovered during the insurance policy term. It can get complicated if the insured business has not retained this evidence. Or, maybe the forensic investigator discovers that a third-party vendor caused the loss. In that event, the insurer has a possible subrogation target to recoup their payout (see Junto on Cyber Liability and Subrogation with Kenneth Levin, Esq., partner at Nelson, Levine, de Luca & Hamilton, LLC).