Dear Ramey: Missteps During an Incident Response Investigation Can Further Complicate Recovery
Answering burning questions from victims of cyber events
What can go wrong during an incident investigation?
– Murphy L
DEAR MURPHY L.:
That’s certainly a loaded question! The short answer: everything and anything.
Cybersecurity investigations aren’t straightforward, and what can go wrong will go wrong. The many moving parts within the incident response (IR) life cycle require continuous direction as any small misstep can have severe consequences that affect the success of recovery and the investigation. Hence, it’s important to work with a seasoned IR team who not only understands the ins and outs of that life cycle, but also how to manage other challenges that may arise.
Let’s look at a few possible scenarios that could cause issues.
The IR team is contacted after IT recovers the systems.
Some businesses have service level agreements (SLAs) with their managed service provider (MSP) or IT teams to ensure system availability is as near to 100% as possible. In either case, IT teams can recover their systems quickly without guidance to retain copies of the “dirty” systems (aka systems that experienced unauthorized access and contain attacker activity).
Most IT teams know the legal requirements to perform an investigation. While it’s not often, if IT teams are unaware of those requirements, issues can arise. For example, if they overwrite or restore dirty systems, they can hamper an IR team’s ability to identify the root cause and point of entry, understand the attacker’s activity within the network, and provide forensic evidence of an attacker accessing or stealing any information from the network.
There’s a thin line between performing an investigation and recovering IT systems to resume business operations. It’s a delicate balance between keeping the business down to preserve as much IT evidence as possible and restoring systems as quickly as possible, but without potentially preserving enough evidence — which could jeopardize the investigation along with any downstream legal requirements to notify government agencies, affected individuals, and contractual agreements.
IR teams can help navigate that line. They have methods to work in parallel with IT teams that allow them to restore systems while also retaining the necessary information to perform a thorough investigation.
Insider leaks information of cybersecurity incident to the press.
Cybersecurity incidents should be kept confidential. Not only for legal reasons, but also to control the narrative, inside and outside an organization. Once the proverbial cat is out of the bag, businesses can get bombarded with questions from clients, customers, employees, partners, and any type of government agency. Moreover, if there’s any obligation to report the incident to authorities — for example, when personally identifiable information (PII) may have been compromised or stolen — any sort of premature disclosure could move up the timeline to notify affected individuals.
So, again, details surrounding cyber incidents must be kept within a trusted circle and on a need-to-know basis as any public disclosure could have unintended consequences. As they say, loose lips sink ships.
Keeping an incident under wraps for as long as possible gives an IR team the opportunity to uncover valuable evidence while legal counsel can simultaneously develop a strategy to best address any legal ramifications. Disclosing the incident before both teams are ready can complicate the public position of the business. In some instances, ill-prepared businesses can’t provide comment and thus, appear uncooperative — and unenviable situation that could significantly alter the outcome of preserving brand and reputation, not to mention the possibility of legal consequences if sensitive data is involved.
What’s better is allowing the IR team and legal counsel to collaborate to build a strategy for public announcements and notifications.
Reinfection of malware or ransomware to recovered systems.
One of the worst feelings after partially recovering a network of ransomware-infected systems is learning that the ransomware was not properly contained. When that happens, ransomware can spread from dirty systems to newly recovered systems.
Many IR teams respond to incidents with security products that are specifically designed to detect and remove persistence of malware and ransomware. As these products may not be available in some client networks, it’s an opportunity for IR teams to demonstrate their expertise and provide recommendations based on experience. They should be able to identify how the ransomware was deployed and recommend ways to prevent the ransomware from spreading to newly rebuilt systems.
Unfortunately, not all IT teams fully heed the recommendations and advice of IR teams to install their security tools while recovering systems. In some cases, they may not be able to find certain systems and so, report that “all systems have the security tools installed” just to be able to move forward with recovery and rebuilding their network.
Recovery from ransomware attacks is tough enough, and containment of ransomware is critical to restoring an environment quickly. Cutting corners during this phase will only result in more work for everyone.
Cybersecurity incidents require unison — and clear direction
Seasoned IR teams are great at managing chaos. They act as the trusted advisors, counselors, subject matter experts (SMEs), technologists, and if you will, quarterbacks of an investigation, whether it’s a malicious insider, ransomware, or other security event.
They’ve often been there, done that, and have experience with the many challenges that can occur with recovering systems, including when systems fail to respond, when lone wolf employees want to fix a problem without communicating, or when someone may have trouble following directions. They will direct the plays for containment, eradication, preservation, and recovery while also managing expectations and providing clarity to victims and counsel about the event.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at DearRamey@areteir.com. Arete wants to help by sharing our insight and experience.