A data breach responder is like a high-tech plumber. Just like a plumber does when a house’s basement floods, data breach responders identify the cause of a breach; combine forces to contain its damage; and collaborate on remediation.

But while a plumber can provide reasonable assurances that the basement will not flood again, a data breach responder cannot promise the same about a future data breach. In fact, another breach is not only possible; it’s likely.

That is why data breaches don’t define victim companies. How they respond to data breaches does.

Yet while today’s news outlets provide an endless stream of data breach reports, rarely is an actual incident response ever discussed. Understanding data breach response workflow not only helps a company prepare for a breach. It also helps a company manage cybersecurity risk overall. Below are some of the more typical workflows that companies must undertake amid the incident response of a data breach.

Preservation. Every response to a cyber-attack begins with preservation—that is, collecting and preserving, in a forensically sound and evidentiary unassailable manner, any electronically stored information (ESI) that could become relevant to the investigation of the cyber-attack as well as to the response to any subsequent claims or regulatory demands. Incident responders scrutinize every byte of data, including fragments, artifacts or remnants left by the attacker in remote sectors of devices or systems.

Digital forensics analysis. The most effective cyber-attack investigative methodology is an iterative process of digital forensics, malware reverse engineering, monitoring, and scanning. As analysis identifies any possible indicator of compromise (IOC), investigators examine network traffic and logs, in addition to scanning system hosts for these IOCs. When this effort reveals additional systems that may have been infiltrated, investigators will then forensically image and analyze those systems, and the process repeats itself. Armed with the information gathered during this “lather, rinse, repeat,” phase, investigators can detect additional attempts by an attacker to regain access and begin to contain the attack.

Logging analysis. In addition to logs of user systems (like laptop and desktop computers, servers, and so forth), logs of firewalls, intrusion detection systems, and other programs also require preservation and investigation. System logs can record events that occur in an operating system or other software runs, or messages between different users of communication software.

Malware reverse engineering. “Malware” is oft defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can secretly gather data from a user’s system); worms (which can replicate themselves and spread to other computers); or Trojan horses (which upon execution, can cause loss or theft of data and system harm).

The most effective cyber-attack investigative methodology is an iterative process of digital forensics, malware reverse engineering, monitoring, and scanning. Armed with the information gathered during this “lather, rinse, repeat,” phase, investigators can detect additional attempts by an attacker to regain access and begin to contain the attack.

The definition of malware, however, is actually broader and a bit of a misnomer, and actually means any program or file used by attackers to infiltrate a computer system. Like the screwdriver that becomes harmful when a burglar uses it to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. Thus, malware reverse engineering is not only an important part of incident response, it’s also often the most challenging.

Surveillance. Once a company experiences a cyber-attack, it must “stop the bleeding,” and that begins with the installation of surveillance tools. Surveillance means not only performing “full packet capture” (to analyze all traffic passing through a relevant network); but also establishing “alert warnings” to sound alarms when detecting malicious or unauthorized activity.

Remediation. As an investigation progresses, a victim company can use the digital forensics and malware evidence to remediate the malware, rebuild compromised systems, reset compromised account credentials, block IP addresses, and take other steps to improve security. A company will also typically beef up centralized log management; expand its vulnerable management systems; and review its password management. In the long term, a victim company may need to install new hardware and software both for fortification and detection—sometimes even constructing an entirely new network security suite.


John Reed Stark is President of John Reed Stark Consulting (www.johnreedstark.com), a firm that advises companies and corporate boards on data breach response, cyber-security and digital compliance. 
Stark’s experience with data breaches touches upon all aspects of cyber-incident response, especially during early phases of crisis management, forensic analysis, malware reverse engineering, and law enforcement/regulatory liaison and containment, as well as the later phases of data-review, remediation, and disclosure and reporting.  Stark also handles expert engagements pertaining to technological aspects of investigations, prosecutions, and enforcement matters conducted by the SEC, U.S. Department of Justice, and FINRA, and he also provides expert testimony on securities regulation on behalf of individuals, entities, and government agencies, including in opposition to, and on behalf of, the SEC and other government agencies. 
Stark’s lengthy career includes: almost 20 years with the SEC’s Division of Enforcement, the last 11 of which as founder and chief of the SEC’s Office of Internet Enforcement; over five years as managing director (three of which heading the Washington, D.C. office) of an international cyber-security and data breach response firm; and an early stint as special assistant U.S. attorney in Washington, D.C., where he prosecuted federal cases relating to guns, drugs, and domestic violence. 
In addition to authoring several dozen articles about law and technology, Stark served as adjunct professor at Georgetown University Law School where he taught a course on cyber-crime for 15 years and has given numerous lectures on cyber-crime at the FBI Academy in Quantico, Virginia.

EDR Implementation. A common complaint about traditional data breach protection toolsets is that they lack the speed and agility needed to counter sophisticated or clandestine data breaches. So-called endpoint detection and response or “EDR” tools have emerged as the next generation of incident response tools to pick up this slack. Typically installed across an entire IT system or attack vector, the real-time “intelligence feeding” of EDR tools improves a company’s ability to detect and respond to outsider and insider threats; enhances a company’s speed and flexibility to contain any future attack or anomaly; and helps a company manage data threats more effectively overall.

Exfiltration analysis. Once investigators have determined that an attacker has exfiltrated any personal identifying information (PII) or any other relevant ESI, such as trade secrets, intellectual property, or sensitive e-mail content, a company must begin exfiltration analysis. That becomes an e-Discovery exercise (including hosting relevant ESI). Relevant exfiltrated data can reside almost anywhere, even within programming language or system directories, so searches must be exhaustive, consistent, and scientific. With respect to the more complex datasets, traditional search algorithms and methodologies may not suffice and may require data analytics to carve, parse, and search intricate (and large) company databases.

Physical security evaluation. Physical security and data security are inexorably linked, so data breach response can also entail the review of entry checkpoints; ID scanner and other access records; video or still footage; physical logs; and even elevator and garage records.

Regulatory compliance. Responding to state and federal inquiries is a large part of incident response. Privacy laws vary by state jurisdiction, are interpreted unpredictably, and are in a constant state of flux. Some are based broadly, others based on industry sector. Forty-seven states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving PII. Federal regulation is a similar mess. Financial and healthcare-related institutions in particular can trigger federal inquiries. Public companies may also need to disclose to shareholders cyber-risks and cyber-attacks.

Consumer notification and monitoring services. Once a company determines, for example, that PII was exfiltrated, a range of consumer notification responsibilities will arise quickly. This can include the sending of written notices, the provision of credit monitoring services, identity theft protection, and other related services such as setting up a call center, website, hotline, and e-mail address.

Once a cyber-attack occurs, in addition to consumer notifications, a broad range of other important notifications arise, such as briefings to customers, partners, employees, vendors, affiliates, insurance carriers, and a range of other interested/impacted parties.

Legal. The work relating to a cyber-attack can involve a team of lawyers with varying expertise (regulatory; e-Discovery; privacy; white-collar defense; litigation; law enforcement liaison; and the list goes on). Potential civil liabilities in the aftermath a cyber-attack can range from shareholder lawsuits for cyber-security failures or stock price declines to consumer- or customer-driven class-action lawsuits alleging failures to adhere to cyber-security “best practices.”

If the digital forensics investigators are retained by counsel, attorney-client privilege will arguably apply to the investigatory work product. This is not done to hide information; rather it helps protect against inaccurate information getting released in an uncontrolled fashion and allows for careful deliberation and preparation for possible litigation or government investigation/prosecution.

Law enforcement liaison. Federal law enforcement agencies will often seek briefings, reports, IOCs, forensic images, malware signatures, and other information about a cyber-attack. They may even ask to attach a recording appliance to a victim company’s network in hope of capturing traces of future attacker activity. These requests raise a host of legal issues, including whether providing information to law enforcement could violate the privacy of customers or result in a waiver of the attorney work-product or privilege.

Experiencing a cyber-attack is now inevitable. Cyber-security has become less about prevention and security science, and more about incident response and managing the data breach workflow discussed above. This means that companies should learn from data breach workflow to prepare their incident response now—but how? Here are some recommendations:

Purchase cyber-insurance (to curtail workflow costs);

Hire specially trained incident response personnel (to help with tasks such as log analysis, digital forensics, and malware reverse engineering);

Beef up infrastructure with EDR tools (to assure the most quick and efficient response);

Data map potentially vulnerable systems, (to make preservation easier);

Install log analytical programs (to make logging analysis easier); and

Take other more company-specific preemptive measures to anticipate data breach response workflow, to make it as efficient and inexpensive as possible.