As cyber incidents become more complex, your organization’s ability to perform sufficient investigations must adapt. We explore pitfalls that businesses commonly struggle with as they deal with cyber incidents.
Weekly news stories about major cyber incidents at organizations of all sizes keep Brad Barry, head of cyber investigations at Synible Inc. (a hypothetical person and company), up late at night. Barry knows Synible faces the same risks and threats.
Coupled with state-of-the-art security tools, advanced training and years of experience, he believes his team is well positioned to detect and respond to cyber incidents. Why, then, is Barry concerned? Because he knows that even with the most sophisticated information security program, no organization is safe from the next major cyberattack.
In a 2015 World Economic Forum speech, former Cisco CEO John Chambers said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” Odds are your organization has suffered some kind of cyber incident in the recent past. Whether it was trivial or significant, how you responded to and investigated it made all the difference.
In this common case study, what could go wrong?
In our hypothetical story, Synible recently suffered a cybersecurity incident that affected many machines, including the company’s domain controller, the server that answers authentication requests such as logins and permission checks. Initially, a Synible IT technician thought the server was just running slow, so he shut it down, wiped its disks and rebuilt the server to default settings. Shutting the server down discarded its volatile memory, the computer storage that only holds data while the device is powered on, and the wipe destroyed the artifacts that were on disk. (An increasing amount of malware is designed to live only in volatile memory and leave little or nothing on disk.) As a result, Synible investigators had little ability to establish what happened before the shutdown, because root-cause and access information was gone from the domain controller.
Also, investigators couldn’t review the domain controller’s logs because the server wasn’t configured to forward them to the company’s security information and event management (SIEM) system, the central platform that collects and retains key activity records from servers and other devices. Logs that stay only on the affected machine are lost with it.
Even after the technician rebuilt the domain controller, it had performance issues, and an IT help-desk ticket from a company user reported similar problems. The technician alerted Barry because he thought the issues could be something more nefarious.
After Barry declared the event a cyber incident, he immediately alerted Synible’s general counsel who sought help from outside counsel who could conduct the investigation under attorney-client privilege.
Barry and his investigative team did have some good news. Working with an experienced cybersecurity professional services firm, they identified several indicators of compromise (artifacts observed on a network or in an operating system that point to an intrusion) showing that a computer intrusion had occurred. Detailed analysis of these forensic artifacts helped identify the source of the attack, the vulnerabilities exploited and how to remediate systems to reduce exposure.
So, what could Barry and his team have done differently? What investigative pitfalls can CFEs and cyber professionals avoid if they face cyberbreaches?
Failure to escalate incidents
Failing to properly escalate an incident typically occurs for two reasons. First, the definition of an incident might be unknown or ambiguous. Lack of a clear categorization for an incident makes it harder to prioritize efforts and impedes escalation.
Sometimes, organizations don’t have clear definitions for categorizing an incident by severity, impact and type, such as malware, phishing attack, etc. Second, procedures for escalation of cyber incident investigations are unclear. Lack of escalation
procedures impedes timely and robust responses to critical events.
Delayed response to a large incident can exacerbate a cyberattack and make recovery harder, and delayed notification can expose the organization to regulatory fines. For example, you’ve likely been inundated with information about the European Union’s General Data Protection Regulation (GDPR). Many GDPR provisions have implications for cyber incidents and investigations. Article 33 sets strict timing requirements for notification
of an organizational data breach: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority
competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied
by reasons for the delay.”
If organizations establish clear definitions of what constitutes incidents and equip teams with procedures for investigative escalation, they can better mitigate risks and potential penalties associated with failing to comply with GDPR, or other legal
and regulatory guidance.
Failure to identify root cause
Investigative teams often mitigate the symptoms of a problem rather than understanding its actual root cause, which leaves the organization vulnerable to future exploitation. Without the ability to use artifacts to determine what occurred, how the attacker breached the system(s) and what (if anything) was taken, it is difficult to fully scope the intrusion and prevent similar incidents. Multiple gaps can contribute to this, including:
- Insufficient/incomplete logging of events, such as who’s logging in or logging out of the company network, from where, etc.
- Lack of network traffic visibility, such as who’s moving in and around your corporate network.
- Inexperienced analysts/responders who don’t know what adverse events look like.
- Lack of threat intelligence, such as evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice — about an existing or emerging cyberthreat.
Fixing versus investigating mindset
In some organizations, the primary, frontline people responding to security incidents are system administrators or IT help-desk staff who wear security only as a second hat. They typically approach the issue as a performance problem rather than a security threat. For example, a fix-it mindset leads them to reformat the hard drives of computers that are exhibiting strange or slow performance, rather than preserving the evidence and creating forensic images of the drives that could be useful in the investigation and in determining whether a greater risk exists.
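Preserving before rebuilding, as an added example (this code is not from the article or from any firm or tool it mentions): a small Python acquisition routine that copies a source byte for byte, hashes it while reading, re-hashes the written image and writes both into a custody record, so the image can be proven unchanged later. It covers the disk side of the Synible scenario above; the volatile memory lost at shutdown has to be captured with a memory-acquisition tool before power-off, which this example does not do. The paths, the examiner name and the demo data are hypothetical; a real source would be a block device behind a hardware write-blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory use flat on large sources


def sha256_of_file(path):
    """Hash a file in chunks; used to re-verify an image after it is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, custody_note=None, examiner="unknown"):
    """Copy `source` byte for byte to `image`, hashing the source as it is read
    and the image after it is written, and return a custody record.

    `source` is opened read-only. On a real case it would be a block device
    (for example /dev/sdb, a hypothetical path) behind a hardware write-blocker.
    If the two hashes differ, the image is not trustworthy and must be redone.
    """
    src_hash = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the evidence drive
    image_hash = sha256_of_file(image)
    record = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "examiner": examiner,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }
    if custody_note:
        with open(custody_note, "w") as f:
            json.dump(record, f, indent=2)
    return record


def verify_image(image, expected_sha256):
    """Before any analysis, confirm the image still matches the custody record."""
    return sha256_of_file(image) == expected_sha256


def demo_acquisition():
    """Run the routine on a constructed evidence file in a temp directory and
    return (record, expected_hash) so the result can be checked offline."""
    data = bytes(range(256)) * 5000  # 1.28 MB of constructed content, spans two chunks
    workdir = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(data)
    record = acquire_image(source, image, os.path.join(workdir, "custody.json"),
                           examiner="hypothetical examiner")
    return record, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    rec, _ = demo_acquisition()
    print(json.dumps(rec, indent=2))
```

Hashing the source as it streams avoids a second pass over a disk that may be failing, and the image is re-read only after fsync so the check covers what actually landed on the evidence drive, not what sat in a write cache.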
Segregation of duties and institutional conflict of interest
Particular organizational alignments tend to create conflicts. For example, the person who purchased a multimillion-dollar security appliance might be less inclined to investigate the failure of that device. In some cases, employees might “stove pipe”
— or unnecessarily limit incident responses — to try to contain bad news. Or they might withhold critical information from senior leadership or external service providers if they believe it might worsen the incident’s severity or question their ability
to mitigate threats.
Failure to deploy and properly use purchased security tools
Some security departments acquire state-of-the-art tools that are too complex for them to configure, operate and maintain, or they configure the tools incorrectly or use them improperly. Incorrectly used security appliances can easily obscure root causes and an incident’s scope.
Many organizations ask investigation teams to devise innovative solutions or to automate key manual tasks. Over-automating carries the risk of misconfigured tools that generate a flood of false alerts requiring review, or worse, of analysts ignoring alerts and missing an actual incident as a result.
Incident tracking
Organizations should track incidents electronically and thoroughly to ensure investigations are escalated and fully remediated. Manual methods of tracking incident response activities impede your ability to determine a threat and its true status and obstruct management’s ability to decide on next steps.
At a minimum, investigators should maintain:
- Timelines of investigative findings, artifacts, alerts and mitigation steps.
- User accounts and computer systems impacted.
- List of indicators, or digital fingerprints, associated with adverse events.
- Lessons learned that they can use to enhance future investigations.
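The logging gap listed under root cause (who logged in, from where) and the minimum incident record listed above can be illustrated together. The following Python is an added example, not code from the article or from EY; it parses a constructed, simplified authentication log (the line format, host names, account names and addresses are made up), flags failed-then-successful logons from one source, and assembles the timeline, affected accounts and systems, and indicator list that investigators are told to maintain.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article) in a simplified, syslog-like
# authentication format: "<ISO timestamp> <host> <event> user=<name> src=<ip>".
# Four failed logons for a service account are followed by a success from the
# same address, after which the account appears on a second server.
SAMPLE_LOG = """\
2024-03-04T01:58:10 dc01 LOGON_FAIL user=svc_backup src=203.0.113.45
2024-03-04T01:58:12 dc01 LOGON_FAIL user=svc_backup src=203.0.113.45
2024-03-04T01:58:15 dc01 LOGON_FAIL user=svc_backup src=203.0.113.45
2024-03-04T01:58:17 dc01 LOGON_FAIL user=svc_backup src=203.0.113.45
2024-03-04T01:58:21 dc01 LOGON_OK user=svc_backup src=203.0.113.45
2024-03-04T02:03:40 fs02 LOGON_OK user=svc_backup src=203.0.113.45
2024-03-04T08:15:02 ws117 LOGON_OK user=j.doe src=10.20.30.17
2024-03-04T09:02:55 dc01 LOGON_OK user=j.doe src=10.20.30.17
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGON_OK|LOGON_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into dicts sorted by time; lines that do not match the
    expected format are skipped instead of aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (user, source) pair that fails at least `threshold` times inside
    `window` and then succeeds from the same source: guessing that worked."""
    recent_failures = defaultdict(list)
    hits = []
    for ev in events:  # events are already chronological
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGON_FAIL":
            recent_failures[key].append(ev["ts"])
            continue
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if len(fails) >= threshold:
            hits.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                         "failures": len(fails), "success_at": ev["ts"]})
        recent_failures[key].clear()
    return hits


def build_incident_record(events, hits):
    """Assemble the minimum record: a timeline, the accounts and systems
    touched, and the indicators to hunt for on other systems."""
    users = {h["user"] for h in hits}
    indicators = {h["src"] for h in hits}
    first_success = {}
    for h in hits:
        earlier = first_success.get(h["user"], h["success_at"])
        first_success[h["user"]] = min(earlier, h["success_at"])
    hosts, timeline = set(), []
    for ev in events:
        if ev["user"] not in users:
            continue
        timeline.append(f"{ev['ts'].isoformat()} {ev['host']} {ev['event']} "
                        f"{ev['user']} from {ev['src']}")
        if ev["event"] == "LOGON_OK" and ev["ts"] >= first_success[ev["user"]]:
            hosts.add(ev["host"])
    return {"timeline": timeline, "users": users, "hosts": hosts,
            "indicators": indicators,
            "lessons_learned": []}  # written by people after the fact, not by code


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rec = build_incident_record(evs, detect_password_guessing(evs))
    print("\n".join(rec["timeline"]))
    print("users:", rec["users"], "hosts:", rec["hosts"], "IOCs:", rec["indicators"])
```

Note what the example cannot do if the log is missing: without the failed-logon lines (insufficient logging) there is no guessing pattern to detect, and without the fs02 line (no visibility on that host) the affected-systems list stops at the domain controller.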
Also, have counsel carefully consider all documentation created during an investigation to avoid inadvertent disclosure of incident reports, vulnerabilities or information that could negatively affect your organization if discovered.
Insufficient log duration and endpoint visibility
System logs that roll over after a short span (hours or days) make it difficult, if not impossible, to recreate what occurred and to properly scope an intrusion. Likewise, not having endpoint protection on all assets (anti-virus or endpoint detection and response agents on the individual computers and devices connected to the network) limits real-time visibility and artifact collection during incidents or breaches.
Lack of attorney-client privilege
Of course, large-scale incidents can precipitate legal or regulatory action against an organization from consumers, businesses or government authorities, especially if cybercriminals have accessed or stolen sensitive data such as personally identifiable information or protected health information. Security work and reports produced outside attorney-client privilege may be discoverable, and parties suing you can use them as evidence in legal proceedings. Coordinate with your legal counsel through all phases of an incident response to avoid improper disclosures.
Insufficient mitigation
Security departments often won’t fully mitigate intrusions and take only selective countermeasures. For example, an organization might block suspicious or malicious internet protocol (IP) addresses during an incident, which might merely prompt the adversary to switch to another IP address. Because the block does nothing about the access the adversary already has, the organization goes blind to the adversary’s activity and the intrusion continues.
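An added example (not from the article) of why an address block alone leaves you blind, and of the alternative: pivot on the credential the adversary used. The events, addresses and account names are constructed, and the block time and blocked-address list are assumptions.

```python
from datetime import datetime

# Constructed logon events (not from the article): (timestamp, host, user, src_ip).
# At 02:30 the team blocked 203.0.113.45 at the perimeter. The adversary still
# holds svc_backup's password and simply returns from 198.51.100.8.
EVENTS = [
    ("2024-03-04T01:58:21", "dc01", "svc_backup", "203.0.113.45"),
    ("2024-03-04T02:03:40", "fs02", "svc_backup", "203.0.113.45"),
    ("2024-03-04T03:12:05", "dc01", "svc_backup", "198.51.100.8"),
    ("2024-03-04T03:15:41", "hr01", "svc_backup", "198.51.100.8"),
    ("2024-03-04T08:15:02", "ws117", "j.doe", "10.20.30.17"),
]
BLOCKED_IPS = {"203.0.113.45"}                              # assumption
BLOCKED_AT = datetime.fromisoformat("2024-03-04T02:30:00")  # assumption


def _ts(event):
    return datetime.fromisoformat(event[0])


def accounts_seen_from(events, ips):
    """Pivot step one: which credentials did the known-bad addresses use?"""
    return {user for _, _, user, src in events if src in ips}


def ip_centric_view(events, blocked_ips, since):
    """What a team that only blocked addresses keeps watching: activity from
    those addresses after the block. It is empty, so the team believes it is over."""
    return [e for e in events if e[3] in blocked_ips and _ts(e) >= since]


def account_centric_view(events, compromised, since):
    """Pivot step two: every logon by the compromised accounts after the block,
    from any address. This is where the continuing intrusion shows up."""
    return [e for e in events if e[2] in compromised and _ts(e) >= since]


def new_indicators(events, compromised, known_bad_ips):
    """Pivot step three: addresses the compromised accounts used that are not
    yet on the block list become the next indicators to block and hunt for."""
    return {e[3] for e in events if e[2] in compromised} - known_bad_ips


if __name__ == "__main__":
    compromised = accounts_seen_from(EVENTS, BLOCKED_IPS)
    print("seen from blocked IPs after block:", ip_centric_view(EVENTS, BLOCKED_IPS, BLOCKED_AT))
    print("compromised accounts still active:", account_centric_view(EVENTS, compromised, BLOCKED_AT))
    print("new indicators:", new_indicators(EVENTS, compromised, BLOCKED_IPS))
```

The address-keyed view returns nothing after the block, which is exactly the false quiet the paragraph above warns about; the credential-keyed view shows the same account reaching the domain controller and a new host, and yields the next address to add to the block list. The durable fix is to reset or disable the stolen credential, not only to chase addresses.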
Failure to exploit forensic findings throughout enterprise
The investigative process should take forensic findings from both the compromised host computers and the organization’s network and use them to search every other system for the same indicators. Organizations that haven’t been continuously tracking all their systems risk failing to identify other compromised systems, or failing to complete remediation steps such as patching operating systems and applications, updating anti-virus software, replacing end-of-life or obsolete systems and closing unneeded network ports. These errors let adversaries maintain or regain access to the network through other hosts.
Questions to ask
During a cyber incident, CFEs can ask these questions to help understand key issues:
- How did the adversary compromise the environment? In other words, how did they get in?
- What occurred during the intrusion?
- What system(s) did the adversary access within the organization?
- What user account credentials did the adversary steal?
- What data, if any, did the adversary access or steal?
- Is the adversary still inside the environment?
- Has the organization preserved the affected computers, servers and network logs?
- Should we inform legal counsel (internal and/or external)?
- What remediation steps has the organization already implemented?
The views expressed are those of the contributors and not necessarily those of Ernst & Young LLP or other members of the global EY organization.
Vincent M. Walden, CFE, CPA, is a partner in Ernst & Young LLP’s Forensic & Integrity Services practice. Contact him at vincent.walden@ey.com.
Shawn Fohs, CISM, is a senior manager in Ernst & Young LLP’s Forensic & Integrity Services practice. Contact him at shawn.fohs@ey.com.
Chip Guy, CFE, is a senior manager in Ernst & Young LLP’s Forensic & Integrity Services practice. Contact him at chip.guy@ey.com.