IT forensics – an essential tool before, during, and after an IT security incident

Estimates of the number of cyberattacks taking place daily across the world vary significantly. The nature of data breaches makes accurate reporting difficult and some may never come to light at all. One thing is clear, however: the volume of cyberattacks and the damage they cause is only increasing. We frequently hear of data breaches compromising the records of thousands or even millions of individuals. For anyone tasked with keeping their organisation's data safe, the challenge can feel insurmountable.

When an organisation becomes aware that a cyberattack has taken place or is in progress, a rapid response is crucial – but so is the correct response. Different types of forensic IT support are available in IT security breach scenarios; ensuring the correct support is lined up and ready to deploy in the event of an incident can save many hours of work, much stress and significant financial resources.

The threats

There are many types of cyberattack, some sophisticated and some opportunistic. Perpetrators (generally known as 'threat actors') are constantly evolving new ways to exploit and cause harm to their targets. Some of the most common attacks we see are:

• Cyber fraud: the nautical-sounding activities of phishing, spear phishing, vishing and whaling are in fact all techniques designed to trick the recipient of a message or call into handing over confidential information which can then be exploited. This could be financial or commercially sensitive information, but it is often password details or login credentials that can be used to access more information over a longer period.
• Malware: the use of software designed to cause damage or gain access to a computer, server, client, or network including viruses, worms, trojans, spyware, rootkits. Ransomware is an increasingly common form of malware which infiltrates systems, locking down files and networks through encryption, and locking out authorised users until a ransom is paid, usually in Bitcoin or another crypto currency.
• Distributed Denial of Service (DDoS) attacks: often (though not always) using malware, these attacks target a server, service or network and overwhelm the target or its surrounding infrastructure with a flood of internet traffic meaning that legitimate users are denied access. These sorts of attacks can resemble ordinary spikes in traffic and so can be difficult to spot and address early on.

In many other cases a third party gets lucky by exploiting a vulnerability created by the organisation itself. Failure to encrypt data-rich systems and files, failure to patch and maintain security software and infrastructure, and poor password or security profiles make organisations easy targets for opportunistic hackers.

Fail to plan = plan to fail

When unusual activity is identified, whether by IT security systems or human engagement, it is crucial to respond swiftly and in line with a pre-agreed breach preparation plan. The nature of the initial response can make a huge difference to an organisation's ability to restore services, stem the flow of data being exfiltrated and maintain customer and employee confidence. Swift action is also expected by data regulators and delays will have to be explained.

A good breach preparation plan won't just outline the steps to be taken once an incident comes to light, it will include the details of external advisors – legal and technical – who ,ideally, will know the business and be ready to hit the ground running to recover systems and identify the cause of the breach. Another benefit of having pre-approved forensic IT support is that, like external legal counsel, they can also be pre-approved by cyber insurance providers, meaning that there is no need to delay appointment or to switch to an approved supplier half way through the incident response process. Every hour lost in responding to a cyber incident can add thousands of pounds or more to the cost of lost business, regulatory fines, group litigation claims and legal and IT supplier fees.

It may also be advisable to have IT forensic support instructed by and reporting to outside legal counsel. This will maximise the chances of preserving legal privilege in reports created in response to an incident. Privilege is not easy to preserve in a context where the advice offered is more practical than legal, so efforts to adopt this approach will be more likely to succeed if carefully planned as part of breach preparedness rather than breach response activities.

The first 24 hours

As soon as a cyberattack or breach incident is identified, external forensics support should be called in. The initial investigation may last a few hours and will focus on what data and systems may have been compromised. Nothing should be done without caution and preferably without external support:

• don't turn off affected computers or systems
• don't reconnect affected systems, and
• don't run antivirus or utilities, image or copy data without appropriate forensic IT support.

Preservation of evidence from the start is crucial; it will be needed to answer questions from Supervisory Authorities if personal data is compromised. It may also be needed in legal action against threat actors and third party platforms they may try to use.

External forensic support will be able to preserve all evidence collected and document every step taken, including who does what and when. It might seem as though internal IT experts could perform these activities, and in many cases they can. But by seeking external support, an organisation can ensure a calm and dispassionate approach is taken. It is also sensible to have an investigation conducted by someone independent, who was not responsible for maintaining the organisation's IT security, to ensure a completely honest and, where necessary, critical assessment of findings.

Managing Day 2

Once systems are secure and the source of the breach or attack is identified, thoughts will turn to working in conjunction with legal advisors and potentially PR specialists. An expert IT forensics team will provide the information needed to prevent follow-on attacks, to identify the damage that has been done and to report the breach to regulators or affected individuals where necessary.

As ransomware attacks continue to increase, many IT consultancies are also developing expertise in engaging with threat actors to negotiate and sometimes even avoid ransom payments. The decision to pay a ransom is controversial and may not be legal (if the threat actor is associated with certain groups or regimes) but understanding the source of the threat may be crucial to avoiding an escalation or repeat attack.

The message

Putting together a breach preparation plan may feel a bit like planning your own funeral. As activities go it is not the most relaxing experience, but by getting ahead of the risk and regularly updating and refreshing the plan it is possible to significantly decrease the stress of going through a data breach scenario.

Alongside legal support, IT forensics help is essential for any organisation trying to address and resolve a cyber incident. The more work that can be done in advance to prepare those in the internal chain of command and those in the external support team, the better equipped the organisation will be to resolve the incident, implement changes needed as a result and minimise the financial and reputational cost sustained.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.