Dionach have been providing Cyber Security Incident Response (CSIR) services for a number of years. This includes forensic analysis, root cause determination, and post-intrusion investigation. Based on this experience, we have identified some key areas in which organisations commonly encounter difficulties when responding to a data breach. Responding to a data breach can be a daunting and potentially expensive process for an organisation that has never previously experienced one; however, much of this can be avoided with proper preparation.
Enforce Time Synchronisation
Much of the effort involved in CSIR is determining a chronology or timeline of events. By ensuring that all devices are synchronised to a single trusted time source, this process is far easier than if assumptions or allowances for inconsistent timestamps need to be made. The strength of any evidence collected can also be dramatically reduced if the validity of recorded times for events cannot be guaranteed.
Implement Centralised Logging
Typically, when an externally originating data breach occurs, the attacker does not move in a linear manner towards their eventual objective. There are exceptions to this, in which an attacker already has a large amount of technical knowledge about their target, but typically there will be a substantial amount of lateral movement through the network as they seek clues to help escalate their privileges or to locate data or systems of interest. As this pathway is impossible to predict, it is often difficult to obtain all relevant logging data at the outset of an investigation if such data is logged in multiple places. By consolidating the log data from different sources, patterns can be identified more quickly, and the overall investigative process can be accelerated.
Collect, Store, Review and Protect Appropriate Log Data
Modern operating systems support incredibly granular data on system events, and can store extremely large quantities of it. Unfortunately, it is not always obvious what data should be recorded until analysis is required. As such, it is very important to define log collection, retention and regular review processes early on. By identifying key data and system assets, and determining the most significant events, a clear picture of unusual activity can be derived relatively easily.
Map Networks, Systems and Data
All but the smallest organisations should have a clear, up-to-date network diagram. This should indicate not just internal network connections, but key systems and their functionality, perimeter network devices, and points of ingress and egress. This will help not only in assessing defensive capabilities and reducing the likelihood of a data breach, but also in determining the likely paths taken by an attacker following a breach. Data mapping exercises are also very important. This process is about identifying what data is stored, where and how it is stored, who has access, when and how they normally access the data, and how sensitive the data is. This process can feed into the review of log data, and help to refine the selection of logged events.
Establish Baselines
As part of this process, establishing system and network baselines will help to identify unusual activity, services, or user accounts. Often this can identify a data breach while it is occurring, or reduce the load on network support staff, as they can take a more proactive approach to system management. Baselines should include expected network activity, known services and applications, and any local user accounts configured on internal systems.
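As an added illustration of the baseline review described above (example code written for this article, not a Dionach tool), the script below records the expected listening services and local accounts per host, compares a later snapshot of each host against that record, and reports every deviation, including hosts that were never baselined. Host names, service names and accounts are constructed sample data.

```python
# Added example: compare host snapshots against a recorded baseline of
# listening services and local accounts, and report deviations for review.
from dataclasses import dataclass


@dataclass(frozen=True)
class HostState:
    hostname: str
    services: frozenset   # names of listening services, e.g. "sshd"
    accounts: frozenset   # local (non-domain) user accounts


def diff_host(baseline: HostState, current: HostState) -> list[str]:
    """Return human-readable deviations of `current` from `baseline`."""
    findings = []
    for svc in sorted(current.services - baseline.services):
        findings.append(f"{current.hostname}: unexpected service '{svc}'")
    for svc in sorted(baseline.services - current.services):
        findings.append(f"{current.hostname}: expected service '{svc}' missing")
    for acct in sorted(current.accounts - baseline.accounts):
        findings.append(f"{current.hostname}: new local account '{acct}'")
    for acct in sorted(baseline.accounts - current.accounts):
        findings.append(f"{current.hostname}: baseline account '{acct}' removed")
    return findings


def review(baselines: dict[str, HostState], snapshots: list[HostState]) -> list[str]:
    """Review every snapshot; hosts missing from either side are findings too."""
    findings, seen = [], set()
    for snap in snapshots:
        seen.add(snap.hostname)
        base = baselines.get(snap.hostname)
        if base is None:
            findings.append(f"{snap.hostname}: host not in baseline")
            continue
        findings.extend(diff_host(base, snap))
    for host in sorted(set(baselines) - seen):
        findings.append(f"{host}: baselined host produced no snapshot")
    return findings


# Constructed sample data for a small two-host estate.
BASELINE = {
    "fileserver01": HostState("fileserver01", frozenset({"smb", "sshd"}), frozenset({"root", "backup"})),
    "web01": HostState("web01", frozenset({"nginx", "sshd"}), frozenset({"root", "www-data"})),
}
SNAPSHOTS = [
    HostState("fileserver01", frozenset({"smb", "sshd", "rdp"}), frozenset({"root", "backup", "support"})),
    HostState("web01", frozenset({"nginx", "sshd"}), frozenset({"root", "www-data"})),
    HostState("lab-vm7", frozenset({"sshd"}), frozenset({"root"})),
]

if __name__ == "__main__":
    for line in review(BASELINE, SNAPSHOTS):
        print(line)
```

Feeding it real snapshots means collecting the same fields (listening services, local accounts) from each host on a schedule and re-running the comparison, so that a new service or account shows up in the next review rather than in a post-breach investigation.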
While none of the recommendations above will prevent a data breach, and while no environment can ever be perfectly secure, having these basic processes defined and in place will help to reduce the impact of any breach, should it occur, and help to ensure that analysis and investigation can take place quickly and effectively. This will reduce both potential operational downtime and its financial consequences, as well as providing assurance to clients that mature cyber-security processes are in place and followed.