Digital Forensics – Identifying the Who, What, When, and How of Cyberattacks

When a data breach or ransomware attack occurs, maintaining and preserving evidence are critical activities for law enforcement, insurance claims, court proceedings, and getting systems back online. Computer forensic teams work to identify the type of attack and the approaches used, understand its source, lay out the timeline, and determine how best to recover compromised data.

If your company’s data or systems have been breached or compromised, there are a number of time-sensitive and highly technical questions that must be addressed. As with other crimes, the first 48 hours are critical for gathering and preserving evidence and identifying suspects. Digital forensic experts help investigate and identify:

  • Motive – why did the criminal launch the attack? Many breaches are the result of cybercriminals attempting to steal data or banking information, but the attacker could also be a former or current employee or a supplier.
  • Means – the tools and approaches used to compromise or breach the data, such as malware, email phishing, or malicious links. It is critical to identify the level of expertise of the cybercriminal and the tools used to gain access and lock out legitimate users.
  • Opportunity – how and when did the cybercriminal gain access, what systems were compromised, and when was the attack launched? Some attacks occur in a small window of time, while others unfold over a longer period in which multiple systems and databases are scanned and compromised. System vulnerabilities are examined, such as unapplied patches, back doors through hardware, cloud provider vulnerabilities, and SaaS platform weaknesses.

Each industry has its own set of rules and compliance regulations relating to compromised data, particularly if banking and personal information are exposed. In addition to the digital forensic investigation, reporting a breach to governing bodies, customers, suppliers, and employees is required. Digital forensic teams and incident response teams are well versed in compliance regulations and often guide companies on their responsibilities, what information from the investigation can be shared, and how to work with their legal and communications teams.

So, What Is Digital Forensics?

The best defense against cyberattacks is preparing in advance and putting systems and incident response plans in place. When all else fails, and a breach or ransomware attack occurs, having digital forensic experts and an incident response team on retainer allows for quick action to be taken. In the first 48 hours, the focus is on preserving evidence. Preserving evidence follows a carefully prescribed legal and technical approach so what is gathered can be used should the case go to court. “Digital forensic investigation is a combination of technological tools, consulting guidance, evidence gathering, analysis, and the understanding of how to navigate all four,” says Shawn Waldman, CEO of Dayton-based Secure Cyber Defense. 

Digital forensic and incident response teams work hand in hand during the critical first 48 hours. The goal of both groups is to follow a systematic approach to preserving evidence, investigating the size and scope of the breach, and determining how best to proceed in getting systems back online. In the case of Secure Cyber Defense, we have a three-step process:

  • Analyze – identify the type of attack, define its scope, determine the data exposed or stolen, and assess the potential impact of the breach on IT systems, hardware, third-party vendors, and personal devices such as laptops, tablets, and mobile phones.
  • Contain – limit the company’s exposure and stop the current cyberattack from spreading further.
  • Preserve – capture and systematically preserve all the evidence necessary to understand the who, when, why, and how of the cyberattack, and map out the best path forward to restoring business operations.

Having an outside company dig through all of your systems and data is intimidating. When a breach occurs, it is a chaotic time with many unanswered questions and feelings of vulnerability. Often there is the temptation to try to patch things on your own and move on. However, if critical facts such as when the initial compromise occurred are unknown, a company restoring from backups could be reintroducing the malware into its systems, opening the opportunity for another breach. A forensic investigation is, therefore, a critical step to be sure no back doors into your IT systems are left behind to allow access for future attacks. Experienced investigators understand that this review may be unpleasant, and they are trained to do their work as objectively and as professionally as possible, often giving much-needed advice and support to executive and IT teams.

The evidence gathered by digital forensic teams is used by several critical parties, such as local and federal law enforcement, cyber insurance companies, and local and federal courts. Understanding the chain of custody required by each is a crucial part of how forensic teams operate and preserve evidence: every artifact must be identifiable, its integrity verifiable, and every hand-off recorded. It is also important for executive teams to understand their role in the investigation process, including what is covered and required by their cyber insurance policy, what legal and compliance requirements must be addressed, and how to manage the crisis communications plan.
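The Preserve step above and the chain-of-custody requirement in the preceding paragraph both rest on the same technical practice: hash each acquired artifact at the moment of acquisition, record who handled it and when, and re-hash it later to prove it was not altered. The following is an added example written for this page, not Secure Cyber Defense’s own tooling; the manifest layout, the custodian names, and the sample log lines are all constructed for illustration.

```python
"""Evidence manifest with SHA-256 integrity hashes and a custody log.

Added example (not the original page's code). The manifest format and the
custodian names are assumptions; the log content is constructed test data.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifact: two lines in the style of a Linux auth log.
SAMPLE_AUTH_LOG = (
    b"Mar 14 02:11:05 fileserver sshd[2210]: Accepted password for svc_backup "
    b"from 10.0.8.23 port 51422 ssh2\n"
    b"Mar 14 02:11:09 fileserver sudo: svc_backup : TTY=pts/1 ; PWD=/home/svc_backup ; "
    b"USER=root ; COMMAND=/bin/bash\n"
)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte disk images do not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    # UTC timestamps avoid ambiguity when evidence crosses time zones.
    return datetime.now(timezone.utc).isoformat()


def acquire(path, custodian: str, description: str) -> dict:
    """Create a manifest entry at acquisition time: size, hash, first custody event."""
    p = Path(path)
    return {
        "artifact": p.name,
        "description": description,
        "size_bytes": p.stat().st_size,
        "sha256": sha256_file(p),
        "custody": [{"action": "acquired", "by": custodian, "at": _now()}],
    }


def transfer(entry: dict, from_custodian: str, to_custodian: str) -> None:
    """Append a hand-off to the custody log; the log is append-only by convention."""
    entry["custody"].append(
        {"action": "transferred", "from": from_custodian, "to": to_custodian, "at": _now()}
    )


def verify(entry: dict, path) -> tuple:
    """Re-hash the artifact and compare with the hash recorded at acquisition."""
    current = sha256_file(path)
    return current == entry["sha256"], current


def demo() -> dict:
    """Acquire a constructed artifact, hand it off, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "auth.log"
        artifact.write_bytes(SAMPLE_AUTH_LOG)

        entry = acquire(artifact, "J. Analyst", "auth log from fileserver, collected at triage")
        intact_before, _ = verify(entry, artifact)

        transfer(entry, "J. Analyst", "Evidence Locker")

        # Simulate a post-acquisition modification (for example, log rotation or an
        # attacker cleaning up). One appended byte changes the digest entirely.
        with open(artifact, "ab") as f:
            f.write(b"\n")
        intact_after, _ = verify(entry, artifact)

        manifest_json = json.dumps([entry], indent=2)  # what gets handed to counsel

    return {
        "intact_before": intact_before,
        "intact_after_tamper": intact_after,
        "custody_events": len(entry["custody"]),
        "recorded_sha256": entry["sha256"],
        "manifest_json": manifest_json,
    }


if __name__ == "__main__":
    result = demo()
    print(result["manifest_json"])
    print("intact before tamper:", result["intact_before"])
    print("intact after tamper: ", result["intact_after_tamper"])
```

In practice the manifest itself is also hashed and signed (or printed and initialed) so that the custody log cannot be rewritten after the fact, and the original media is written to once and then mounted read-only; the code above covers only the per-artifact integrity and hand-off record.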

Cyber Aware is Cyber Prepared

As with most essential functions of a company, planning is the key. “Too often, when our forensic or incident response teams are brought in, companies are making this call for the first time,” says Waldman. Having an incident response team on retainer, and working with it before an incident, allows a company to evaluate its cybersecurity approach, develop an incident response plan, connect with law enforcement resources, review its cyber insurance coverage and exclusions, and understand its industry’s compliance requirements.

With data breaches costing $150 per record (IBM and Ponemon) and rising, executive teams and board members need more education on cybersecurity issues. Executive education covers how best to prepare the organization to fend off increasingly sophisticated cyberattacks and what the financial impact of an attack would be, both important steps in securing a company’s data. Educating executive teams has a trickle-down effect, prompting evaluations of cybersecurity measures, implementation of incident response planning, and, even more importantly, education of employees on what suspicious activities to watch for and report. Executive-level cybersecurity training is beginning to emerge, including Secure Cyber Defense’s own GoCyber Executive Training Center. These programs aim to provide peer-level training on the specific cybersecurity topics executives and board members should be focusing on, familiarize them with common cyberthreats, and help them build a list of resources to contact in the event of a breach.