You have a cyber incident, now what? Key considerations from a forensics perspective
It’s 12:00 AM on a Friday night (or technically, Saturday morning). One of your important clients is calling you in a panic. “Something bad has happened. Several of our key systems have gone offline, and we found a note demanding payment. I think we’ve been hacked!”
The adrenaline starts kicking in. You know that time is of the essence. You’re the client’s external legal counsel for all privacy, data and cyber related issues, and now you’re on the hook to guide them through a potentially difficult time. You need to know how to help steer the ship.
Cyber incidents can be complex and involve several internal and external stakeholders. As technical cyber incident responders, we are often engaged by legal counsel to provide forensic assistance: helping you get to the facts of the matter quickly, advising on containment strategies, and identifying the safest steps forward through the incident.
We’re not the lawyers here; we’re the ones who advise you from a technical response perspective. As such, here are the key forensic considerations we recommend you build into your response as trusted legal advisor when a client calls about a cyber incident:
#1: Evidence Preservation and Incident Logging: Start this ASAP
When a cyber incident occurs, it can in reality take days, weeks or even months (hopefully not!) before forensics is engaged and performed. If an experienced forensics team is not engaged immediately, then during that interim period direct your client’s IT (and cyber team, if they have one) to promptly collect and preserve evidence, and to log every action they take in relation to the potential incident.
Why does this matter? Digital evidence can be extremely ephemeral. How long evidence survives depends on the data source and on how the organisation has chosen to retain it. A mature organisation may have an established evidence and log retention policy, with technical controls to enforce it, meaning a forensic team can investigate months or even years back. A less mature organisation may not have enabled log retention on critical endpoint and network infrastructure at all, resulting in logs being overwritten within a matter of minutes (or, in some cases, never retained in the first place!).
Additionally, when your forensic team is engaged, they may need to examine the incident actions log to review what the IT and cyber teams did, in case there are gaps in the triage and containment activities, or in case any action resulted in a loss of forensic evidence. During an investigation, it’s invaluable to be able to rule out quickly whether a given action was performed by an IT admin or by the threat actor!
So, here’s how you can ask your client’s IT and Cyber teams to assist with this:
1. “Start preserving evidence for any suspected compromised systems and environments”. Common evidence types include relevant logs from the client environment, volatile memory and process dumps (these are lost on reboot or power-off, so capture them before any restart), full disk images and snapshots, and Endpoint Detection and Response (EDR) telemetry.
2. “Start recording all key IT actions performed and decisions made”. Actions and decisions your forensic team will be interested in include password resets (and how widely they were applied), infrastructure containment actions (such as any servers that were rebuilt or systems that were taken offline), and the removal of any accounts.
Important: A common reaction from many IT teams in an incident is to “wipe everything clean and start rebuilding on the existing infrastructure”. Generally, you should caution against this until proper forensic support is engaged. Why? Wiping and rebuilding may inadvertently destroy the only evidence available, leaving questions such as “What did the threat actor do?” and “Did they leave any backdoors in place?” unanswered. A more prudent course of action for IT teams is to isolate infected hosts from the network (disconnecting rather than powering off where possible, so volatile memory can still be captured), and rebuild in a completely separate ‘clean’ environment.
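The two asks above (preserve evidence, log every action) can be given some teeth with a small helper like the following. This is an added example, not code from the original post or from NSB Cyber; it assumes a Python 3 interpreter on the collecting host, and the file names, actor names and actions it uses are constructed for illustration. It records a SHA-256 hash for every preserved file in a manifest, and keeps the action log hash-chained so that a later edit or deletion of a log line is detectable:

```python
"""
Added example (not from the original post or from NSB Cyber): a minimal
evidence-preservation and action-log helper of the kind a client's IT team
could run before a forensic team arrives. Every preserved file gets a SHA-256
hash recorded in a manifest, and every IT action is appended to a hash-chained
log so that gaps or later edits are detectable. File names, actor names and
actions used with it are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(src: str, evidence_dir: str, collector: str, note: str = "") -> dict:
    """Copy src into evidence_dir, hash source and copy, and record a manifest entry.

    Copying (rather than moving) leaves the original in place; the two hashes
    are compared so a bad copy is caught immediately, not months later.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    src_hash = sha256_file(src)
    dest = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copy2(src, dest)  # copy2 keeps the original file timestamps
    dest_hash = sha256_file(dest)
    if dest_hash != src_hash:
        raise RuntimeError(f"copy of {src} does not match source hash")
    entry = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source": os.path.abspath(src),
        "stored_as": dest,
        "sha256": src_hash,
        "size": os.path.getsize(dest),
        "note": note,
    }
    with open(os.path.join(evidence_dir, "manifest.jsonl"), "a") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def log_action(log_path: str, actor: str, action: str, details: str) -> dict:
    """Append an action to a hash-chained JSON-lines log.

    Each entry carries the hash of the previous entry, so deleting or editing
    an earlier line breaks the chain (see verify_action_log).
    """
    prev_hash = "0" * 64  # genesis value for the first entry
    if os.path.exists(log_path):
        with open(log_path) as f:
            lines = [l for l in f.read().splitlines() if l.strip()]
        if lines:
            prev_hash = _entry_hash(json.loads(lines[-1]))
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "details": details,
        "prev_hash": prev_hash,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_action_log(log_path: str) -> bool:
    """Return True if every entry's prev_hash matches the hash of the entry before it."""
    expected = "0" * 64
    with open(log_path) as f:
        for line in f:
            if not line.strip():
                continue
            entry = json.loads(line)
            if entry["prev_hash"] != expected:
                return False
            expected = _entry_hash(entry)
    return True
```

Run it from an admin workstation that is not itself suspected of compromise, write the evidence directory to separately stored media, and hand the manifest and action log to the forensic team on arrival. The hash chain only shows that the log has not been altered after the fact; it cannot stop an admin from leaving an action out, which is why the ask is to record everything.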
#2: Think about the bigger picture, understand the entire environment
At times incident response teams miss the forest for the trees, and fail to recognise how widely (and how quickly!) a threat actor may have compromised more than one area of your client’s IT environment. This often results in investigation and containment shortcomings, and potentially reinfection and further compromise by the same (or a different) threat actor.
Imagine your client’s network has three interconnected zones: Zone A, Zone B and Zone C, with an IT administrator account compromised in Zone C. If the incident response team focuses only on Zone C, and fails to realise the account also had access to Zones A and B, both the containment and the investigation may be incomplete, and the threat actor may retain a foothold in the other zones.
So what should you do here?
Early in an incident, encourage a transparent discussion between your forensic team and your client’s IT team to understand the IT landscape (IT teams can get defensive in these moments, so reassurance may be key).
Additionally, giving the forensic team as much relevant documentation (e.g. network architecture diagrams, asset registers, account and group listings) and as much access as is practicable for their investigation is also critical. This collaboration between IT and forensics should continue throughout the incident as further facts are uncovered, to minimise surprises later on. There’s nothing worse than hearing from the IT team, “oh by the way, we have a bunch of legacy servers open to the internet over here that we haven’t patched, not sure if that’s relevant?”!
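To turn the Zone A/B/C point into something an IT team can act on, here is an added example (not from the original post or from NSB Cyber) that scopes a compromised account’s blast radius. It assumes the directory can be exported as group memberships and zone grants, and that logon events carry a zone tag; all accounts, groups, zones and log lines in it are constructed. Reachable zones come from walking nested group memberships, zones with confirmed activity come from the logon records, and the difference between the two is what still needs checking, not what can be ignored:

```python
"""
Added example (not from the original post or from NSB Cyber): scoping the
blast radius of a compromised account across network zones. Group memberships
are often nested, so the zones an account can reach are found by walking the
membership graph; the zones it actually touched come from authentication logs.
All accounts, groups, zones and log lines below are constructed.
"""
import re
from collections import deque

# Constructed directory export: which groups each principal is a member of.
MEMBER_OF = {
    "it-admin-c": ["zone-c-admins"],
    "zone-c-admins": ["all-server-admins"],          # nested group
    "all-server-admins": ["zone-a-rdp", "zone-b-rdp"],
}

# Constructed access grants: which zones a group (or account) is allowed into.
GRANTS = {
    "zone-c-admins": {"ZoneC"},
    "zone-a-rdp": {"ZoneA"},
    "zone-b-rdp": {"ZoneB"},
}


def reachable_zones(account, member_of=MEMBER_OF, grants=GRANTS):
    """Zones the account can reach directly or via any chain of nested groups."""
    zones, seen, queue = set(), set(), deque([account])
    while queue:                      # breadth-first walk of the membership graph
        principal = queue.popleft()
        if principal in seen:
            continue
        seen.add(principal)
        zones |= grants.get(principal, set())
        queue.extend(member_of.get(principal, []))
    return zones


# Constructed logon records in a syslog-like form; the zone tag is assumed to
# come from the host's subnet or asset register.
AUTH_LOG = """\
2024-03-15T01:12:03Z srv-c01 zone=ZoneC logon user=it-admin-c src=10.3.0.12 type=interactive
2024-03-15T01:40:51Z srv-a07 zone=ZoneA logon user=it-admin-c src=10.3.0.12 type=network
2024-03-15T01:41:10Z srv-a07 zone=ZoneA logon user=svc-backup src=10.1.0.5 type=service
2024-03-15T02:05:33Z srv-b02 zone=ZoneB logon user=svc-backup src=10.1.0.5 type=service
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) zone=(?P<zone>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+)"
)


def zones_touched(log_text, account):
    """Map zone -> list of (timestamp, host, source IP) logons for the account."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group("user") == account:
            hits.setdefault(m.group("zone"), []).append(
                (m.group("ts"), m.group("host"), m.group("src"))
            )
    return hits


def containment_scope(account, log_text):
    """Combine what the account could reach with what the logs confirm it did."""
    reach = reachable_zones(account)
    touched = zones_touched(log_text, account)
    return {
        "reachable": sorted(reach),
        "confirmed_activity": sorted(touched),
        # Reachable but no logon seen yet: still in scope until ruled out.
        "unconfirmed_but_in_scope": sorted(reach - set(touched)),
    }
```

The output to watch is `unconfirmed_but_in_scope`: a zone the account could reach but where no logon has been found yet still belongs in the containment plan (reset the account’s access there and pull that zone’s logs) until the forensic team rules it out. In a real environment the memberships and grants would be exported from the directory rather than typed in.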
#3: Ensuring legal professional privilege cover whilst moving at a high tempo
Admittedly, we may be preaching to the choir with this one. We’re also not lawyers.
However, we regularly work under instructions that require us to operate under the cover of legal professional privilege, so we know the general protocols our instructing solicitors expect of us.
One key consideration is to reflect on your protocols and response frameworks and how they operate logistically in an incident, such as setting up appropriate communication channels (e.g. email chains, Teams channels, meeting invitations) so that your forensic team can request and receive information in a timely manner whilst respecting your legal professional privilege protocols.
Another consideration is to ensure your forensic team is appropriately briefed on the protocols you require of them, preferably before you bring them onto an incident. This is especially important given that legal professional privilege protocols may differ from law firm to law firm.
Finally, it may be prudent to reflect on how you can maintain legal professional privilege in the midst of an incident whilst still keeping up a high tempo. This especially applies when time-sensitive containment actions are being recommended, or when new developments need to be communicated straight away. As a forensic team that regularly responds to cyber incidents, we comply with legal professional privilege boundaries, but we also recognise that time is of the essence.
Final words
Cyber incidents can be stressful, messy and complicated if you let them be. These are just a few of the key considerations you should keep in mind, along with the incident checklist we’ve provided here.
With all the technical jargon and alphabet soup being thrown around in cyber these days, arming yourself with a trusted and experienced forensics team that can support you and your clients through these trying situations can make all the difference.
NSB Cyber works with legal teams across Australia to deliver expert cyber advice so you can provide holistic, technical and legal guidance to your clients.
Ready to be supported by an experienced cybersecurity team? Let’s start the conversation - Book a meeting with us today.