Ey luxembourg 

Forensic response to a data breach

Thomas Koch, Associate Partner, Cybersecurity Leader,EY Luxembourg Credit :  EY Luxembourg 

Thomas Koch, Associate Partner, Cybersecurity Leader,EY Luxembourg Credit :  EY Luxembourg 

While companies do their utmost to sport an ethical behavior, carefully maintain their hard-earned reputation and vigorously protect their assets, internal controls and technical safeguards only go so far. Once they fail, a single instance of fraud or a poorly managed cyber attack can seriously jeopardize client relationships, putting the entire business at risk.

Be it in the context of an alleged fraud case, a data breach or an attack on corporate infrastructure, the analysis of digital evidence is crucial when seeking insights into instances of wrong doing, willful misconduct, cybercriminal activity and even acts of cyber warfare – regardless whether they originate from the inside or the outside of the corporate structure.

Adapting to a changing technology and threat landscape

The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic.

Peter Drucker

Not so long ago, the focus for an investigator was generally on workstations and servers, yet meanwhile enterprises of all sizes move on to using cloud technology, IoT devices and are increasingly dependent on mobile communication. Powerful smartphones and tablet computers have merely become the anchor point of day-to-day business, and on top of that, some companies even allow their workforce to bring devices of their choice and liking.

The number of potential attack vectors and vulnerable pieces of infrastructure drastically increases along with the growing complexity and diversification of IT and OT devices. The process of the forensic collection hence warrants to meticulously aggregate and correlate information from a variety of sources to paint a clear picture of what happened, paving the way to a meaningful investigation and, finally, a successful remediation of either type of data breach.

The journey from Cybersecurity to Cyber Resilience and beyond

To put digital forensics in perspective: it is not meant to replace a robust cybersecurity program, controls framework or remediation plan, but rather constitutes the last phase of the incident response. While the concrete circumstances of an investigation do obviously greatly vary from case to case, the quest for cold, hard evidence about the Who, When, What and How of the incident in question needs to form an essential part of any entity’s Cyber resilience strategy and remediation efforts.

Jesse Kornblum’s statement “Malware can hide, but it must run.”, commonly referred to as the malware paradox, is also true for any individual wrongdoing: just like a rogue tool being put to sleep by an external attacker, internal perpetrators and rogue employees can lay low for extended periods of time, but at a certain point, they will obviously need to move and exfiltrate the information they seek to wrongfully obtain.

A thorough forensic analysis will finally determine if the adversaries are still operative on the infrastructure and application landscape, and it is what is what will eventually give the right hints to break the attack and uncover the attackers’ persistence.

Upon detection, tracing their activities and producing solid proof is what makes the forensic response important. It will eventually uncover the figurative smoking gun and enable the recovery process to regain clients’ trust.