[BreachExchange] How Employers Can Become Experts at Data Breaches: Preserving the evidence of a breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 11 19:25:08 EST 2017


https://www.lexology.com/library/detail.aspx?g=cfb766ff-ca1f-4e48-9a75-5da412df0300

The immediate reaction of many organizations when they discover that a
system may be infected with a virus or malware is to remove, erase, and
rebuild the potentially infected system as quickly as possible in an effort
to clean the environment. Doing so without taking proper steps to preserve
evidence, however, may make it difficult to reconstruct whether and what
information was lost. Without answers to those questions, the organization
may not be able to comply with legal obligations or to accurately identify
the level of risk that the breach posed to the organization or to its
employees. It also may make it difficult to accurately determine the scope
of the breach and ensure notification of the breach to affected employees.
In addition, without knowing what happened and how it happened, it may be
difficult to have a high level of confidence that the same incident will
not happen again.

As a result, when dealing with an electronic breach, organizations must
often balance the desire to contain the breach and prevent additional
information from being lost with the need to preserve evidence and
investigate what happened in the first place.

Your organization should consider utilizing the following five steps to
preserve the type of evidence that might be needed to fully investigate an
incident.

Keep or forensically image computers: If a computer (including a laptop,
tablet, or mobile device) is potentially infected with malware, your IT
department may be considering re-imaging the computer. However, that would
be a mistake because re-imaging effectively deletes all of the information
and programs on the device. While re-imaging a computer may render it clean
and provide a level of confidence that it can be returned to use, it may
also destroy evidence that might help determine whether information has
been lost, and, if so, how much and what type of information. Instead,
consider creating a forensically sound image of the device before it is
re-imaged. A forensically sound image uses software to create an exact
“copy” of the device that can be analyzed in the future as part of an
investigation. Alternatively, consider issuing the employee a new computer
and keeping the potentially infected device segregated in case it needs to
be examined in the future.
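The imaging step above, as an added example that is not from the article: a small POSIX shell routine that acquires a bit-for-bit image with `dd`, hashes the evidence device before and the image after, and writes a manifest so the copy can be re-verified later. It assumes a Linux host with `dd` and `sha256sum`, a 512-byte logical sector size, and that `SRC` is the device being preserved (read-only, ideally behind a write blocker); in practice the image goes to separate storage, never to the suspect device itself.

```shell
#!/bin/sh
# Added example (not the article's own procedure): forensically sound image
# plus a chain-of-custody manifest. Assumes dd and sha256sum are available and
# that SRC is read-only during acquisition (e.g. mounted behind a write blocker).
set -u

# image_device SRC DEST
# Returns 0 only when the image's SHA-256 equals the source's SHA-256.
image_device() {
    src="$1"; dst="$2"
    # Hash the evidence first so the manifest can later show the image is
    # identical to the device as it was at acquisition time.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 2
    # bs matches the assumed 512-byte sector size so conv=sync only zero-pads
    # sectors that are genuinely unreadable; noerror keeps reading past them.
    # dd's own messages (including read errors) are kept as part of the record.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 2
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1) || return 2
    # Manifest: what was imaged, when, by whom, and both hashes.
    {
        printf 'source=%s\n' "$src"
        printf 'image=%s\n' "$dst"
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'acquired_by=%s\n' "$(id -un)"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image_sha256=%s\n' "$dst_hash"
    } > "$dst.manifest"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DEST
# Re-hash a stored image and compare it with the manifest, e.g. before
# handing it to an outside investigator or after it has been moved.
verify_image() {
    dst="$1"
    recorded=$(sed -n 's/^image_sha256=//p' "$dst.manifest")
    current=$(sha256sum "$dst" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```

A real acquisition of `/dev/sdb` would be `image_device /dev/sdb /mnt/evidence/sdb.dd` followed by `verify_image /mnt/evidence/sdb.dd` whenever the image changes hands.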

Don’t turn your computer off: One of the most common mistakes that
companies make when they suspect that a computer may be infected with
malware is to turn off the computer or disconnect it from its power source.
Some types of malware exist only in the computer’s active memory – i.e.,
the memory that exists only when the computer is powered on. When the
computer is powered off, the information that is in active memory
(including the malware) may be deleted. If that occurs, it may be more
difficult for an investigator to determine what initially infected the
computer and what the malware did while the computer was infected.

Disconnect computers from the network: Instead of turning a computer off,
consider disconnecting the computer from your network and/or disconnecting
it from the internet. If malware is present on the computer, and the
computer has been sending information out of your organization,
disconnecting it should (1) prevent the computer from infecting other
computers on your network, (2) prevent a bad actor from contacting the
computer, and (3) prevent the computer from sending additional information
to a bad actor.

Suspend logs and backup tapes from being overwritten: Most organizations
have systems in place that record events that happen within the
organization’s network in “logs.” Unfortunately, some logs can be
voluminous and most organizations retain their logs for only a limited
amount of time, after which the logs are overwritten by more current
information. If you identify a security incident, consider taking steps to
stop your logs from being overwritten or lost. This may be as simple as
having your IT department change the settings on certain devices, such as
firewalls, so that the systems no longer overwrite logs. In other cases, it
may require finding space for the additional logs by either (1) increasing
your organization’s storage space, (2) purchasing additional storage space
with third parties that host, or store, your logs, or (3) exporting logs
that may exist on your network to external media for storage.
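Option (3) above, exporting logs to external storage before rotation overwrites them, as an added example that is not from the article: a POSIX shell routine that snapshots a log directory (current and already-rotated files alike) with timestamps preserved, writes a per-file SHA-256 manifest, and strips write permission from the copies. It assumes a Linux/Unix host with `cp`, `find` and GNU `sha256sum`; `SRC_DIR` would typically be `/var/log` and `DEST_DIR` a mounted external drive.

```shell
#!/bin/sh
# Added example (not the article's own procedure): preserve logs before they
# are rotated away. Assumes cp -Rp, find and GNU sha256sum (for -c --strict).
set -u

# preserve_logs SRC_DIR DEST_DIR
# Copies everything under SRC_DIR, including rotated files such as auth.log.1
# or syslog.2.gz, into a host- and time-stamped folder under DEST_DIR, then
# writes MANIFEST.sha256 and makes the snapshot read-only. Prints the folder.
preserve_logs() {
    src="$1"
    snap="$2/logs-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$snap" || return 2
    # -R recurses; -p keeps mode, ownership and mtimes, which are themselves
    # evidence of when each log was last written.
    cp -Rp "$src/." "$snap/" || return 2
    # One hash per file with paths relative to the snapshot, so the manifest
    # still verifies after the folder is moved to other media.
    (cd "$snap" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | LC_ALL=C sort -k2 > MANIFEST.sha256) || return 2
    # Removing write permission guards against accidental edits and against a
    # later rotation job running over the copies (root can still override it).
    chmod -R a-w "$snap"
    printf '%s\n' "$snap"
}

# verify_snapshot SNAP_DIR
# Returns 0 only if every file still matches the manifest and none is missing.
verify_snapshot() {
    (cd "$1" && sha256sum -c --quiet --strict MANIFEST.sha256) >/dev/null 2>&1
}
```

Run `preserve_logs /var/log /media/evidence` as soon as the incident is identified, and `verify_snapshot` on the printed folder before relying on it in the investigation.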

Consider enhanced monitoring: While most organizations have systems in
place that monitor some of the activities that occur on their network,
often the level of monitoring is limited. For example, many organizations
monitor the points at which their network communicates with the internet
(their “perimeter”) with a firewall, which should provide them with an
indication of which IP addresses are communicating with the computers
within their organization. A firewall typically does not tell the
organization the substance of what is being communicated. Firewalls also
can’t track actions that are occurring within an organization’s network. If
a security incident occurs, consider deploying additional technology that
is designed to increase your organization’s visibility as to what is
happening on your computers. For example, network packet capture systems
physically inspect the data leaving a network so that an organization knows
what has left in addition to where it has gone. End-point monitoring
applications are designed to monitor the activities of devices within your
network and to detect suspicious patterns of communication between and
among your own machines.

TIP: If you believe that one of your computers is infected with a virus or
malware, do not turn it off. Instead, disconnect the ethernet cable that
connects the computer to your network (or turn off WiFi). By isolating a
computer, instead of turning it off, you can preserve evidence while
ensuring that the computer cannot leak data.