August 31, 2022

Ransomware and the Importance of Selecting the Right Digital Forensics Provider

Like everything else, digital forensics has evolved over the years. It was once a manual process that took hundreds, if not thousands, of hours to produce concrete results; new advancements such as Endpoint Detection and Response (“EDR”) tools have greatly reduced the time forensic providers need to answer the burning questions of Who, What, When and How. While tools and analysis methodologies may have evolved, not all forensic providers are armed with the expertise to set the right expectations or guide victims through the most expedient response process. Time and again MOXFIVE has seen instances where clients made decisions based on forensic providers’ advice that led to extended business disruption, excessive costs in the recovery of business operations, and even to insurance carriers denying large portions of claims.

Ransomware Investigation and Recovery is a Complicated Process

When the business is down and leadership is demanding answers and the immediate resumption of business operations, IT leadership must often make decisions based on limited information. Because of this, it is critical that the right expectations are established as quickly as possible to not only limit any further damage, but to ensure that once the business is put back into operation, it stays that way.

For many organizations, one of their first calls will be to their broker or insurance carrier, who will make recommendations for retaining breach counsel. On the initial call, breach counsel will provide detailed guidance on steps that should be taken in the first 48 hours and beyond of an incident, which often includes the need to engage a forensic provider and potentially an IT recovery provider. While breach counsel is an essential asset within the incident response process and can assist with managing legal liability, regulatory compliance, and messaging to executive leadership, their specialization in law versus technology supports the need for a technical partner to oversee and drive technical workstreams.

As the incident response team is assembled, organizations that are in the midst of an impactful security incident can find it difficult to coordinate the activities that breach counsel and the forensic provider will recommend. It can also be difficult to tie those tasks and results into the complexities of assessing and implementing recovery options and prioritizing that process effectively. To complicate things further, the forensic workstreams are often firewalled off from other response teams due to the sensitivity of their findings. This often creates confusion in messaging and in coordinating activities across the various workstreams, which can lead to delays at best and costly mistakes at worst. Choosing the right providers who will work with you to understand your situation and have the capacity to bring in what is needed at the right time is essential.

Key Forensic Provider Considerations

Given the importance of forensic analysis to the incident response process and the weight forensic providers have on decision making, it is essential to understand service providers’ capabilities and methodologies. To ensure that they are going to be setting your organization on the right path to recovery, some items to consider when evaluating a forensic provider include:

What is their overall methodology?

Ask the provider what their methodology is. Not all forensic providers are created equal, and you want to make sure you are covered through the lifecycle of the incident. Whatever the response is, it should at a minimum cover the following five (5) processes:

  • Achieve as much forensic artifact visibility as possible, appropriately leveraging the latest analysis tools and techniques
  • Quickly collect and analyze all available artifacts to determine root cause
  • Determine if sensitive information was accessed or stolen
  • Contain and monitor the network during analysis and restoration
  • Protect and store any data received based on the direction of counsel  

How do they communicate?

From the first call, evaluate the comfort level of the experts that will be conducting the investigation. What can they tell you about the threat actor? Can they communicate technical items in a clear and simple manner? Have they given you confidence on what the next steps should be and how you are going to get there?

What toolsets can they use?

To run an effective investigation, a forensic provider needs to understand everything about your IT infrastructure. The more questions they ask in the initial scoping call about how your IT environment is organized and what controls you have in place, the better. The goal is for them to understand how much visibility they can obtain with established security tools and to quickly determine if anything else should be implemented to fill any identified gaps. If one is not already in place, most forensic providers will also request the deployment of an EDR tool to reduce the time required to conduct an investigation. If one is in place, they should be comfortable using it for the investigation, or should provide compelling evidence if they recommend that another tool be brought in.

What is their containment methodology?

Along with understanding how a forensic provider will conduct an investigation, it is essential to understand whether they can also assist with network containment and continuous monitoring. As most investigations are conducted in tandem with restoration of prioritized systems, they should be able to guide you through what that process looks like without having to take a scorched earth approach that could disrupt the business more than necessary.

Do they understand the differences between recovery vs. improvement?

As investigations progress and items such as lateral access and root cause are determined, some forensic providers will start making recommendations to implement new technologies or changes to existing infrastructure. Examples might be implementing Multifactor Authentication (MFA), updating Operating Systems or third-party applications, or beginning to move systems from bare metal to the cloud. While these activities may be advisable to implement, insurance carriers are likely to consider them “improvements” to the environment, rather than activities essential for “recovery.” Unlike “recovery” activities, which are generally covered, “improvements” are unlikely to be covered by the cyber insurance policy. As these improvement-related questions come up, the discussions should be handled separately from the recovery effort.

Lessons Learned Should Fuel the Resilience Strategy

Once you have navigated the investigation and IT recovery efforts to get the business back up and running, take what you’ve learned from the incident and use that to build resiliency into the organization to better weather future attacks. Insurance carriers are also going to take a hard look at what you are doing moving forward to reduce the risk. The list of security standards and models with which organizations could align can appear daunting. The most important thing to remember is this: do not make impulsive decisions. Implementing a great resilience posture is a journey, and there are many approaches and tools that can reduce risk effectively. A great place to start the assessment is to look at what allowed the threat actor to do what they did, then work on a plan to mitigate those items.


The Technical Advisors and Incident Managers at MOXFIVE have decades of experience in all aspects of Incident Response, IT recovery and engineering practices. Our mission is to take the complexity out of the incident and strategically integrate whatever is needed to get you up and running and ensure it stays that way. By bridging all the associated workstreams, MOXFIVE can readily guide you towards the best measures that will tangibly improve your IT infrastructure’s resilience against ransomware and other attacks, in addition to presenting a more favorable risk profile to your insurer.

If the above situation sounds like something that you would not want to have to deal with while you are dealing with an incident, MOXFIVE can assist with setting up the relationships proactively. Proactive projects such as a ransomware readiness assessment or conducting a tabletop exercise are easy ways to get comfortable with the forensics team before going into battle.

For more information or if you need help with a current incident, contact MOXFIVE at or use our Contact form.

Grant Warkins

Grant is a cyber security leader with decades of success helping clients navigate complex security investigations and building proactive security programs to mitigate risk. As a technical advisor at MOXFIVE, Grant assists clients in managing forensic investigations, recovering their networks from cyber security attacks and providing valuable insight on proactive controls that can make their networks more resilient.
