A company’s ability to quickly and efficiently conduct a forensic investigation is critical to limiting the impacts of a data security incident and determining the scope of the incident.
In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed data from the more than 450 incidents we worked on in 2016. A forensic investigation occurred in 34 percent of those incidents – a slight increase from 2015, when 31 percent of the incidents involved a forensic investigation. Healthcare entities used forensic investigations at a higher rate this year most likely because of the rise in ransomware incidents and the OCR guidance related to ransomware. A forensic investigation occurred in 27 percent of the incidents involving healthcare entities in 2016 versus only 13 percent in 2015. The average total cost of a forensic investigation in 2016 was $62,290, with the highest cost in excess of $750,000. The average cost of a network intrusion investigation was $93,322. It took forensic firms an average of 44 days after they were hired to complete their investigations of network intrusion incidents. Investigators found evidence of data exfiltration in 34 percent of the network intrusion incidents. A failure to find evidence of exfiltration does not always mean that data wasn’t stolen. Some attackers carefully remove evidence of their activities, and in other scenarios there is insufficient logging.
To contain and mitigate an incident quickly and efficiently, companies should consider taking the following steps with respect to forensics:
- Identify a forensic firm before an incident arises and negotiate the service agreement. If a company becomes aware of a potential incident that requires help from a forensic firm, the notification clock likely started running some time ago. Companies that are unprepared for this scenario sometimes panic – they want a forensic firm on-site to start work immediately. However, they have not vetted a forensic firm, so they are left cold-calling firms for assistance. Once the firm is chosen, a service agreement needs to be negotiated. We have been involved in a number of incidents in which it took a day or two or even longer to get the service agreement in place. There is less negotiating leverage in an emergency situation like this. Many forensic firms will not deploy resources until they have a signed agreement. Ideally, to assert that privilege and work product apply to the work of the firm, the agreement should be a three-party agreement among the company, outside counsel and the forensic firm. The forensic firm should be conducting the investigation at the direction of counsel and for the purpose of allowing counsel to provide legal advice to the company.

  Companies that are considering engaging a forensic firm should consider, in addition to cost, the three “Cs”:

  - Capability: What types of tools does the forensic firm have in place to conduct its investigation? Does it have tools that provide visibility to endpoints quickly and can capture network traffic, and a repository of current IOCs to quickly look for signs of a compromise? Or does it expect to forensically image every device and then conduct manual analysis? Will its tools work in your environment?
  - Capacity: Will the forensic firm have a competent team available when you call?
  - Credibility: Will stakeholders (i.e., regulators, customers) have confidence in the forensic firm’s findings? Does the firm have experience responding to the types of incidents you are likely to face?

  Forensic firms use a variety of tools to determine the scope of information affected and the extent of the incident. But the tool that often leads to the quickest identification of a potential issue is an endpoint agent. For incidents in 2016 in which a forensic firm was used, the most common types of investigation were device imaging and log review. We saw a substantial increase in the use of endpoint tools to look for indicators of compromise. When these tools are used depends on the type of investigation. Log review is typically carried out when a company is trying to determine whether exfiltration of data occurred, when and how data in a database was accessed, or how and when remote access credentials were used. Device imaging is most common when servers and desktops are being evaluated for malware and other forensic artifacts. And endpoint tools are used to review numerous devices (such as desktops, laptops and point-of-sale devices) for both historical and current activity. Before a forensic firm deploys an endpoint tool, it is important for the client to fully understand how it operates. In some cases, the tool can conflict with critical company applications. And not all endpoint tools are created equal – some provide only a snapshot of what is happening once deployed (e.g., what programs are currently running), and others look back in time and are able to provide insight into what happened prior to the tool being installed.
- Onboard the forensic firm. A forensic investigation by a security firm should drive decision-making in response to an incident. Companies can be better prepared to respond quickly and effectively to potential incidents by onboarding a security firm before an incident begins. One potential avenue for onboarding is a meeting between the security firm and the incident response team to learn more about the company’s IT structure, including identifying logging practices. Another is to involve the firm in fine-tuning the security department’s incident-specific “run books” and to invite the firm to participate in the company’s tabletop exercises.
- Maintain good log data that is accessible from a central source. Companies that have good available forensic data are often able to confirm, through a forensic investigation, that an incident occurred and to identify the specific data at risk. Companies that do not have good available forensic data often have to err on the side of caution and assume the worst-case scenario occurred because they cannot determine what actually occurred and what specific data was at risk. Having reliable findings can enable better communications about the incident and help reduce the consequences of disclosing incidents.