What Steps Are Involved in a Post-Breach Investigation? For the layperson
Alistair Ewing
Managing Consultant at Trustwave for EMEA | Cyber Breach Investigation & Digital Forensics | Ensuring Robust Cybersecurity & Legal Admissibility
Post-breach investigations are used to understand how a cyberattack occurred, what data was compromised, whether any data was exfiltrated, and the extent of the damage caused by the attack. An investigation may be requested by the executives of a firm or by the cyber policy adjustors mandated by the insurer, who need to determine the best course of action to return the victims to a pre-loss condition while avoiding betterment.
If you have yet to consider what your organisation would do in the aftermath of a breach, you should: the probability is that it will happen to your organisation eventually.
The three main types of breaches typically are:
Ransom Attacks: An attacker enters a system, or a piece of malware is run, which turns off Anti-Virus measures, escalates access rights and locks files, leaving a note, a contact and a cryptocurrency payment wallet with a promise to unlock the files after payment.
Data Exfiltration: An attacker enters a system and downloads information, then either threatens to publish the data unless the victim pays or keeps the stolen data for use in other attacks.
Email Compromise: An attacker enters an email system, usually cloud-based (365, Gmail), and pretends to be the director or a debtor, telling the recipient to send a large amount of owed money to a new account number.
In summary, the following steps are involved in a post-breach investigation following an incident:
Identification: This stage involves triaging logs, communications and specimens for scanning, along with their times, to ascertain the mode of action of the attack vector, based on testing and online intelligence from IBM and VirusTotal. At this stage, we look at the network map or topology, identifying the crown jewels, the connected points and the area to scan. For smaller firms, we may image and grab data from a few servers; in larger firms, a rollout of a remote remediation tool may be required, with a command console and a staffed control room similar to what is seen in ‘Hunt for Red October’. Though the room looks like something pulled from a Hollywood movie studio, it is necessary to encourage team working and the efficient identification and extinguishing of threats rather than a game of Whack-a-Mole. Too often, improper actions at this stage can cause lightning to strike twice, because your organisation is now known to be an easy target.
Containment: It is essential to contain the threat. This could be done by modifying interconnectivity rules, physically unplugging network cables and, in some cases, not letting the attacker know that re-mitigation is taking place. This can give us the edge and stop further sabotage and theft attempts. Containment mustn’t be too hasty, as the business interruption from a downed server is just as damaging as a locked machine.
Investigation: Using tools such as log2timeline, Anti-Virus, Csviewer, and X-Ways Forensics, the firewall, event and Active Directory logs and entire endpoints are scanned for artefacts, activity, ransom notes and other events to build a court-worthy chronology of circumstances that may credit or discredit the breach with regard to whether it occurred, its cause and its extent. Triage is often done in tandem with creating images of locked or infiltrated machines. It is of prime importance that volatile data is collected, as this is lost when a device is switched off, and logs and other data may be non-retrievable following ransom or wiping after sabotage. The copies of the devices are used to restore, recover and initiate the restoration. The originals are never used without backing up, as sometimes things go wrong, and with clones you can always revert to step one.
Interviewing the workers who were the victim, and often the cause, of the incident can also garner clues on the entry of the threat actor.
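As an added illustration of the chronology-building in the Investigation step (example code written for this article, not output from log2timeline or any other tool named above): the code below merges three constructed log sources with different timestamp formats into one UTC-ordered timeline and hashes each raw line so that another examiner can repeat the result. The log formats, the addresses and the one-hour local offset of the event export are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from any real case); all three formats are assumptions.
FIREWALL = ["2024-03-05T01:14:09+00:00 ALLOW 203.0.113.7 -> 10.0.0.12:3389"]
EVENTS = [  # exported in server local time, with no offset recorded in the text
    "2024-03-05 02:16:41|4625|Failed logon for admin",
    "2024-03-05 02:17:02|4624|Successful logon for admin",
]
DIRECTORY = ["1709601600 admin added to Domain Admins"]  # epoch seconds

def parse_firewall(line):
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts).astimezone(timezone.utc), msg

def parse_event(line, utc_offset_hours):
    ts, event_id, msg = line.split("|", 2)
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc), f"EventID {event_id}: {msg}"

def parse_directory(line):
    epoch, _, msg = line.partition(" ")
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc), msg

def build_chronology(firewall, events, directory, event_utc_offset_hours):
    """Merge all sources into one UTC-ordered list, hashing each raw line."""
    sources = (
        ("firewall", firewall, parse_firewall),
        ("event", events, lambda l: parse_event(l, event_utc_offset_hours)),
        ("directory", directory, parse_directory),
    )
    rows = []
    for name, lines, parser in sources:
        for line in lines:
            when, detail = parser(line)
            # The hash lets another examiner confirm the entry came from this exact line.
            digest = hashlib.sha256(line.encode("utf-8")).hexdigest()
            rows.append((when, {"utc": when.isoformat(), "source": name,
                                "detail": detail, "sha256": digest}))
    rows.sort(key=lambda pair: pair[0])
    return [entry for _, entry in rows]

if __name__ == "__main__":
    for entry in build_chronology(FIREWALL, EVENTS, DIRECTORY, event_utc_offset_hours=1):
        print(entry["utc"], entry["source"], entry["detail"], entry["sha256"][:12])
```

Passing the wrong offset for the event export (0 instead of 1) places the group change ahead of the logons, which is why the time zone of every source is established before the timeline is relied upon.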
Remediation: Based on the investigation findings, patching vulnerabilities, strengthening access controls, or upgrading security software may be completed by an IR firm or, more usually, the firm's IT or security department. Following compliance checks on crypto addresses, sometimes firms pay ransoms to unlock files and have bad actors destroy exfiltrated information.
Notification: At this stage, authorities may have to be made aware of a breach. Sometimes PR firms are instructed to speak to the press and to make customers/clients aware that their details are out in public.
Monitoring: This is necessary to avoid further attacks, alongside measures such as staff training, security assessments and penetration tests.
Reporting: The report should be prepared concisely so C-level staff can understand the incident clearly, but with admissibility in court and repeatability, so that if another expert reads the item, they can repeat the outcome. It should be neither a paragraph nor a PhD-level thesis; both products would be considered a failure, and it wouldn’t pass CCL’s rigorous peer review process.
A post-breach investigation following a cyber incident involves technical analysis, organisational response, and regulatory compliance. CCL can deal with all aspects of a breach; please get in touch with us for more information.