Seven Steps to Improve eDiscovery and Incident Management

By Colby Clark ·

It’s common knowledge to security experts that most hackers work from outside the United States. In fact, they often carry out their intellectual property (IP) or personally identifiable information (PII) theft activities from countries not friendly to America. From these “safe havens,” they realize it’s less likely they’ll be traced or that authorities will knock on their doors with a search warrant or the foreign equivalent thereof.

Conversely, with enough time and resources, a lot of perpetrators in countries friendly with the United States can be eventually pinpointed and arrested. However, understandably, most corporate victims do not want to spend the money or go through the required process to bring their attackers to justice. So the response becomes primarily about determining whether data was taken, how it was taken, how to stop it from continuing to be taken – in the case of an active theft – and what solutions can be deployed to prevent it from happening again.

The eDiscovery actions taken by an organization immediately following a breach is noticed are often critical to a successful investigation and outcome. Because of this urgency, there are seven steps that companies should follow before, during, and after they notice a breach.

1. Retain as much internal system information as possible after a breach. A security breach is a crime. As such, a “crime scene” is created. As any good police detective will tell you, maintaining the crime scene is of the upmost importance to securing evidence about the crime. With this evidence, we are able to gather information that helps us paint a picture of what transpired.

Because the records of log-ins and log-outs (and other domain activity) can turn over in a very short timeframe (sometimes as short as 45 minutes), we recommend that these records be maintained until the forensic investigation is over. Whether it’s a SIEM, some sort of network device, firewall logs or host logs (such as Windows or web server logs), you need to capture and retain this important information after a breach. If you do not, it can be lost forever and hinder the investigation into the theft.

2. If the stolen information is encrypted, use reverse engineering. In an active breach, we can usually see where a company is losing data, but not immediately what data it’s losing. In cases where the stolen data is encrypted – as it is sometimes with the crimeware that attackers utilize, it is possible to perform reverse engineering and find the key used to encrypt the data, decrypt it, and then reveal what data was taken.

3. Remember, your reaction to a breach is relevant in a legal proceeding. When you’re talking about the legal side of things, there are always these questions: “Who said what?” and “Who did what when?” So retain all email communications about the attack and details about the response to it. These details are often of interest not only in a court case – if it goes that far –  but also to the appropriate regulatory bodies, since they want to see that you responded responsibly to the breach.

4. Review your security posture before a breach occurs. Prevention is always the best way to decrease the damage, negative publicity and loss of goodwill resulting from a breach. Organizations need to constantly review their security postures and vulnerabilities to an attack. Across all industries, organizations often don’t have enough security tools at their disposal nor enough people trained in the right tools to effectively understand and use them. This is why so many companies find it difficult to keep up with the demands required to defend their networks well.

After a breach, it’s common to see organizations throw people and technology at the issue in a somewhat haphazard way, but they often overlook developing good processes for handling breaches in the future. Moreover, most organizations have difficulty justifying or even finding qualified personnel and have to settle for something less than desired.

Preventative tools are often plugged in, but not configured properly – a recipe for disappointment and helplessness in identifying and defending against threats. In these instances, an outside managed services solution provider can help companies set up and understand their security tools, monitor their data logs, identify any inappropriate activity related to their data, and quickly stop any breach activity.

A key differentiator between companies that handle incidents well is the “If vs. When” mentality. Organizations that think about being breached in “if” terms generally assume they will not be breached and do not adequately implement people, processes and technologies to handle it. In contrast, companies that understand it is only a matter of “when” there will be a breach are almost always more prepared to handle the breach when it occurs, making it easier to work with them as a service provider during the process. Additionally, a company with the “when” mentality is likely to have formal processes in place for dealing with a breach at all phases, including people, processes and technologies to identify the breach, preserve evidence, perform initial triage and do a handoff to third-party providers to perform the response.

It’s worth noting that the implementation of proper procedures for handling incidents is often the driver for obtaining the technologies and people required to successfully execute these procedures. Through the creation and implementation of processes, gaps are identified, which are filled by people and technologies. If an organization is struggling to get the resources its needs for handling incidents, the best impetus (besides a hack) that it can get is to list the need through policies and processes.  

5. Consider outside assistance with incident response. Because of the prevalence of breaches, consider getting a retainer for outside assistance before an event happens. When minutes are precious, this proactive approach helps significantly decrease the reaction time to a breach. Information security and digital forensics experts can be on the phone within four hours and onsite within 24 hours without having to wait for a company’s legal department to review and approve a contract. I’ve seen companies with a security breach spend a week to get paperwork done before an outside security expert can arrive. By that time, more damage from data loss is suffered and more evidence related to the breach is lost.

Additionally, company insiders often have ulterior motives when performing or facilitating a response. It is unwise to have internal resources perform an investigation that they may be directly or indirectly responsible for.  It is not uncommon for insiders to try to steer an investigation away from architecture, configuration or implementation shortfalls they have done and in a direction that does not implicate them, instead of uncovering all evidence and letting it speak for itself.

6. After an attack with possible legal ramifications, consider outside experts with a dependable forensic evidence container. With budgetary constraints, many companies don’t have the expertise in-house to do a thorough investigation of a security breach. Plus, when there is a breach, they often need trusted experts outside the company that can serve as independent investigators. If the data loss results in legal proceedings, the hiring of an outside firm helps nullify any accusations of impropriety caused by a company’s own employees.

The experts hired should use forensically sound processes and always assume that the investigation may go to court. This includes utilizing tamper-proof evidence containers such as .e01, created by EnCase Enterprise to verify that no data has been changed during the investigative process. From a legal perspective, the .e01 evidence storage files are considered in court to be as good as original evidence from the hard drive. If one of the files is altered by someone, the file will show where, so you know it has been corrupted or tampered with.

7. Get a good DLP system in place. Even with proper logging and traffic captures, it can be difficult to determine what was taken. Data can be exfiltrated in methods that do not leave any forensic artifacts. That’s why a good DLP (data loss prevention) system and inherent protection of sensitive information and intellectual property are critical. Sometimes we get lucky and it’s an SQL injection attack, which leaves a detailed audit trail that you can follow and then find out what actions were performed, what data was taken and where it went. Oftentimes, however, that is not the case. Files can be silently copied to USB devices by insiders and whisked away, leaving only a record that the USB device was inserted.

It’s vital that security pros do all they can to be proactive in preventing security breaches. However, when experts must be reactive after a breach, it’s important for them to react in measured but swift ways to stop the compromise and secure a company’s data. By knowing and taking these seven steps, companies can minimize the impact of any IP loss.