As an ever-increasing number of organizations of any size and in any industry can attest, cybersecurity incidents and breaches can leave significant organizational damage and business disruption in their wake. It is critical, therefore, to have experts in the relevant areas identified and standing by, above all forensic cyber expertise and relevant legal expertise, as these are at the forefront of those needs.
Effective incident response requires participation by a broad set of stakeholders, and well-versed and experienced investigation attorneys are often uniquely capable of ensuring that clients recover business operations as quickly as possible while sustaining the least amount of legal, reputational, financial, and operational damage.
Regardless of the circumstances of a particular breach, situational analysis into the scope of the compromise is critical for the team to accurately assess the risk to the business. Speed, accuracy, and a team of investigators and decision makers who have been there are now routine requirements: faster detection, comprehensive visibility into and understanding of what happened, the attacker's motivations, what may come next, and effective remediation are critical for restoring operations, containing the harm, and preparing for the end-game scenarios.
Attorneys can partner with their clients and external incident response organizations to prepare effectively, and to implement necessary governance changes and controls, in light of technical investments, across the lifecycle of responding to a cybersecurity incident. This will ensure rapid, effective response when the proverbial (or literal) Friday afternoon call comes from the client’s security team.
Prevention and Immediate and Effective Response
Effective incident response begins with robust preparation and prevention against potential incidents. Much of the responsibility for implementing preventative technologies and processes falls to clients and their technical teams. However, a key component of effective prevention involves strategic planning on how to address incidents when they occur and who will direct that response. Limiting the scope of a compromise often can be accomplished through effective preparation, prevention and detection technologies and processes, and immediate response capabilities. The following briefly summarizes how this work can be approached.
Legal Counsel. Clients should ensure that experienced legal counsel is available when a potential incident is first detected. Counsel, in turn, plays an important proactive role by helping clients to define incident response processes in advance of an incident and to establish and cultivate the relationships necessary for responding to one. Counsel should also advise on processes for determining whether an incident involves compromise of company systems or data and on the implications of any law, regulation, or regulatory guidance. The client, importantly, should proactively establish processes for availing itself of applicable legal privileges for the investigation of any security incident.
Scope of Investigation. Counsel, in close collaboration with the forensic and security team, should assist in determining the scope of any investigation of a security incident, so that the myriad potential legal risks and the constantly evolving regulations and laws are addressed.
Testing. The client should consider including representatives from outside counsel in periodic exercises to test the client’s response capabilities and governance practices. Often, a company’s response creates as much risk to the organization as the incident itself.
Evidence Collection. While prevention activities are essential, security incidents still are inevitable. Clients and counsel must coordinate in advance to understand processes for evidence collection during active incidents.
While few general rules carry over from one investigation to another, significant risks emerge from attempts to collect forensic evidence related to security incidents when these actions are taken independently of incident containment activities. Utilizing experts in both forensic collection and the relevant best practices and legal obligations is critical.
Existing prevention tools can be leveraged during response activities to ensure the reliability of facts and evidence obtained in the investigation and to increase the response team’s confidence that the attacker is unlikely to return to the environment and cause further disruption, or even destroy evidence.
Incident Response and Situational Visibility
Clients and counsel must work seamlessly to ensure comprehensive visibility into the client’s electronic environment, along with broad visibility into the disparate cyber threats that it may confront.
This comprehensive visibility has a clear technical component, which should extend beyond evaluations that provide only a point-in-time reference of circumstances in the affected environment.
More advanced tooling, including advanced antivirus platforms and architectures that employ machine learning, can provide broader, continuous coverage of the environment and can enable responders to develop a timely, comprehensive, and complete narrative about the incident. Defending against advanced adversaries whose tactics allow them to move stealthily through an environment faster than traditional tooling or prevention capabilities can detect and stop them is a losing and costly proposition.
Advanced tools should be matched with robust threat intelligence about specific threat actors, their known malicious activities, and those most likely to target the organization. Threat intelligence provides key information that enables strategic, proactive incident response. It also frequently helps analysts better interpret the indicators and trends highlighted by advanced tools.
While discussions about comprehensive visibility often focus on technical solutions, experienced counsel can complement efforts to improve situational visibility across the organization.
Counsel should coordinate with clients to proactively establish information flow and decision-making processes, and support information flow from the technical team into the client’s decision-making structures.
Decisions on engagement of law enforcement, applicability of insurance policies, regulatory disclosure requirements, and/or the need for crisis communications efforts all require near-real-time responses and rely heavily on visibility into an incident. These decisions rely on input from outside counsel, which can play a unique role in communicating information within an organization.
Regulatory Considerations and Reporting
While many clients focus their need for counsel and investigation on potential state-law privacy reporting obligations, that is only the tip of the iceberg with respect to the legal and forensic needs when confronting cyber risk. That long list of legal considerations and obligations, each of which has to be considered simultaneously and constantly, includes a vast set of reporting obligations that are not so easily applied to any given investigation and the circumstances presented (e.g., internal, external, contractual obligations, consumers).
During an incident, clients want investigations to move quickly and offer insights about what mitigation strategies will be most effective. These needs can be summarized by the 1-10-60 rule, where organizations should strive to detect malicious intrusions in a minute (or less), understand the context and scope of the intrusion in 10 minutes, and initiate remediation activities in less than an hour.
Why is this critical?
CrowdStrike’s extensive investigative experience indicates that the modern attacker’s average “Breakout Time” (the measure of time between an attacker’s initial point of access to a networked host and the time the attacker moves towards a high value asset) is only 1 hour, 58 minutes. Remediating incidents before attackers can progress is essential for effective response, and both technical investigators and legal representatives should understand their roles as supporting incident response at these timescales.
Thorough investigations enable faster, more complete remediations. This can be achieved through a combination of skilled analysts and advanced detection technologies. Security technologies that leverage Artificial Intelligence (AI) can provide essential capabilities for incident response at these timescales. AI models can determine a file’s maliciousness with no previous knowledge of the file, relying instead on analysis of the file’s innate properties.
AI technologies—particularly those that leverage the processing and scaling power of the cloud—enable near real-time identification of potentially harmful system activities and help organizations stay ahead of threats they may not have previously encountered.
Pre- and Post-Breach Strategy
Both technical experts and counsel have roles to play in helping clients identify what did and did not work well during incident response.
Technical discoveries during a response can inform both better preventative tooling and proactive hunting for potential adversary activity within the client’s environment. All parties involved in response can advise development of after-action reports that help shape future behavior, with counsel providing essential insights to help a client prevent potential legal and reputational damage.
Thomas Etheridge is Vice President of Services for CrowdStrike Inc., a cybersecurity technology company that provides endpoint security, threat intelligence, and incident response services. Etheridge oversees all service delivery associated with CrowdStrike’s Falcon suite of cybersecurity products.
Scott Lashway is a disputes and investigations partner and co-chair of Holland & Knight’s Cybersecurity, Data Breach and Privacy Team. Lashway is a member of the firm’s Litigation and Dispute Resolution Practice and is based in the Boston office.