Building a 'Defensible' Breach Response
Former Prosecutor Warns That Actions Will Be Scrutinized
Organizations must guard against making three common mistakes when conducting an investigation of a data breach or fraud incident, says attorney Kim Peretti, a former Department of Justice cybercrime prosecutor.
Those mistakes, Peretti says, include hiring vendor partners to help with the investigation that lack forensics skills; failing to preserve all the evidence, including communications, documents and logs; and taking too narrow an approach to the investigation.
"You need someone who is challenging the forensics investigators as to where they are looking and what they are looking for to ensure that they ... scope it broader rather than narrower," Peretti says. "The regulators who may start asking questions are going to ask to explore all the environments that were potentially compromised."
In an interview with Information Security Media Group (transcript below), Peretti, an attorney with the firm Alston & Bird, also recommends hiring investigators who can apply big data to forensics "so a five-month investigation can turn into a five-week investigation."
In the interview, Peretti also describes:
- What she means by the concept of a "defensible response" to data breaches and fraud incidents;
- Why organizations must have detailed incident response, breach response and breach notification plans that spell out all the steps to take.
Peretti recently made a presentation on incident response at ISMG's Fraud Summit. A video of her presentation is available on ISMG's Fraud Summit page.
The attorney is co-chair of Alston & Bird's security incident and response team. She is also a former director of Pricewaterhouse Cooper's cyberforensic service practice. Earlier, she was a senior litigator at the Department of Justice's computer crime and intellectual property section, where she led several benchmark cybercrime investigations and prosecutions, including the prosecution of Heartland Payments hacker Albert Gonzalez.
HOWARD ANDERSON: Why don't you start by defining the term "defensible response." What do you mean by that, and why is that such an important concept?
KIM PERETTI: It's an important concept because you can anticipate in a lot of the cyber-attacks and security incidents we're seeing nowadays that the criminals will have left a large footprint in your environment and may have accessed sensitive data - personal data, customer data, confidential data - and for any number of reasons you can expect that there could be a regulatory inquiry. [There could also be] a class action or any type of litigation with respect to the security incident. So the response that you take to the incident is going to be questioned. It is going to be under scrutiny, so you need to have a defensible response.
ANDERSON: What are the components of having a defensible response - emphasis on that term "defensible"?
PERETTI: Well, I think one of the most important things is to have a plan in place - not only an incident response plan but a data breach response plan and a data breach notification plan that is followed, [so] ... the company [knows] exactly what to do in the aftermath of a breach. [They know] who to hire - what types of vendors are necessary - and they undertake a vetting process with respect to the vendors, making sure they hire the right skills that they need to have in place to conduct the investigation, as well as counsel. Because if you can anticipate litigation you're going to need to do some of this work or all of this work under privilege. So [it's important] to have that data breach response plan in place, data breach checklist, breach response checklist and knowing what steps to take in the initial stages so that you can ensure the proper decisions are being made and how to approach the investigation.
ANDERSON: Can you share other insights of what makes a cost-effective or efficient investigation of a fraud incident or a data breach?
PERETTI: ... [It requires] the right level of involvement of the right senior leaders in the organization. You need a quick identification of what internal people need to be involved. It often is not just folks from the information security team, but information business leaders who understand the systems and understand the data on the systems. ... [It also involves] being able to get a network diagram and understanding what information is on systems and how information flows in environments. That can help the external parties who are conducting the investigations know where to look for what and how to apply their investigatory techniques to get to the right answer quicker.
Pitfalls to Avoid
ANDERSON: So what are some of the pitfalls to avoid, some of the common mistakes you see organizations making in their breach response efforts?
PERETTI: One of them is to go with parties that they have a relationship with that may not have the right skill set to conduct the investigation. It might be a ... security firm that provides security assessments but doesn't necessarily have the forensic skills to conduct the investigation. The other key issue is to preserve the evidence. ... That covers not only the communications and the documents, but the digital evidence. The forensic firm should know to preserve all logs related to the evidence and image as many systems as necessary. That will go a long way, as well, if law enforcement is asking for that information. Often they don't want all the information up front; they just want to know that it is preserved. So that is a very important component.
And then the final thing I want to mention is right-sizing the data breach investigation. You need someone who is challenging the forensic investigators as to where they are looking, what they are looking for to ensure that they ... scope it broader rather than narrower. You don't want to find out two months later, when they are ending their investigation, that there was actually a whole platform or a business operation or some systems that may have been accessed but they really felt the criminals were more focused on payment card data or focused on PII data so they didn't explore that other environment. The regulators who may start asking questions are going to ask to explore all the environments that were potentially compromised. You want to know what your risk exposure is, and it might trigger contractual obligations to notify individuals ... or [notifications to comply with] data [breach] notification laws.
ANDERSON: So is doing too narrow of a breach response investigation something that is a pretty common problem then?
PERETTI: You certainly do see that, because often the forensic investigators will be pointed in one direction and the company will point them in that direction as well and want to finish the investigation as quickly as possible without really ensuring that the risk to the enterprise is fully ... understood. ...
The criminal activity we're seeing ... is not so much a smash-and-grab environment as much as it is that criminals are having deep and prolonged access to systems, and when they are compromising hundreds of systems and leaving their back doors and their footprints behind, if you have a narrowly scoped investigation you often run the risk that they could come back and that you haven't properly fully contained or remediated the security incident.
Big Data Forensics
ANDERSON: Any other advice or insights you care to offer in terms of what makes a good breach response plan?
PERETTI: There is a lot of improvement that I've seen happen over time as companies have thought more about this in advance, and understand how the process is going to unfold so they are able to get the right skill sets and right people involved. That speeds up the process, getting the right vendors involved quickly, asking the vendors if they have big data forensics, for instance, where they have an ability to look at a large number of systems quickly and what techniques they use to do that. So if they can inquire about those new methods and techniques with the vendors they hire, hopefully they'll get the right vendor and a five-month investigation can turn into a five-week investigation.
ANDERSON: So big data applied to this arena is becoming more important?
PERETTI: Absolutely. If you manually have to image hundreds of systems and then look at each system one by one, it's a very different investigation than if you can image those systems and have a process set up to pull out the important forensic artifacts and let big data happen and have that all put together into a picture rather than have to do everything manually.