A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.

This part discusses when an organization should retain a third party investigator and what specific information an investigator might be tasking with determining.

Many competent IT departments lack the expertise, hardware, software, or personnel to preserve evidence in a forensically sound manner or to thoroughly investigate a security incident. In such a situation you need to be able to recognize the deficiency quickly—and before any evidence is lost or inadvertently destroyed—and recommend that the organization utilize external resources to help collect and preserve electronic evidence and investigate the incident.

When a forensic investigator is retained, they are often tasked with determining whether a data breach has occurred and, if so, answering the following questions:

  • Infiltration. Infiltration refers to deciphering how a bad actor was first able to compromise your organization’s systems. Infiltration is important for a couple of reasons. First, if you don’t know how an attacker originally got into your systems it may be difficult to ensure that they won’t be able to come in again. Second, if an investigator can determine the point of initial infiltration, they should be able to piece together a timeline which may be useful in determining when information could have become exposed and what information may not have been at risk.
  • Persistence. One of the first things that most bad actors do once they are in your organization’s network is take steps to ensure that they will be able to remain in the network and cannot easily be shut out. For example, they may install malware that acts as a “backdoor” that allows them to enter the network at will, or they may steal the username and password of employees so that these can be used to log-in in the future. These types of activities are collectively referred to as “persistence.”
  • Aggregation. If a bad actor is able to make it into your organization’s network and is looking for personal information about your employees or your customers, they may attempt to take small pieces of data from various sources (e.g., each of your employees’ workstations) and combine those pieces into a meaningful collection of valuable data before trying to remove the data from your environment. The process of staging data for later removal is sometimes referred to as “aggregation.”
  • Exfiltration. An attacker’s main goal is typically to remove, or “exfiltrate,” data from your environment. Establishing how an attacker exfiltrated data is important as it can confirm whether your organization has experienced data loss (i.e., had a real “data breach”). It also gives valuable insight into the indicators that you should be looking for in the future (and in the past) in order to identify other attempts to remove data from your systems.
  • Containment. Containment describes the process of stopping a bad actor from continuing an attack. If a bad actor is a current employee, containment may be as simple as terminating the employee or removing their ability to access information within your organization. If the bad actor is outside of your organization (e.g., a hacker), containment typically involves using the information that an investigator has developed concerning how the attacker works (e.g., infiltration, persistence, aggregation, and exfiltration) and finding ways to disrupt the attacker’s activities. Containment often refers to short-term fixes for stopping an attack. In many instances, bad actors identify weaknesses in an organization’s security that require significant investments of time, energy, and resources to completely address. Containment steps are often designed to buy an organization time while longer term solutions are identified. Investigators are often able to provide containment recommendations based upon their understanding of how an attack occurred.
  • Remediation. Remediation refers to the long-term effort of fixing any systemic problems that may have contributed to a bad actor’s ability to breach an organization’s security. Remediation steps may be technical (e.g., installing new devices, monitoring solutions, servers, etc.) or procedural (e.g., training employees about new attack vectors, modifying the process by which employees choose passwords, etc.). Investigators are often able to provide remediation recommendations based upon their understanding of how an attack occurred.

TIP: When selecting a forensic investigator consider a number of factors including their price, reputation, availability to dedicate resources to an investigation, ability to work well with your IT department, and ability to work well with your attorneys.