Incident Response to Data Breach, Part 6: Investigation
by Brent Kirkpatrick
(Date Published: 11/28/2017. Revised: 5/1/2018.)
Investigation complements recovery efforts.
Responding to a breach requires blocking the intrusion routes. While this is a technical step, it is done with haste, with little documentation, and often imprecisely. It may sometimes seem as if this technical response is an investigation, but it is not.
A proper investigation uses secured computers. The chain of custody must be well documented, and the evidence must remain unhacked for the duration of the investigation. If the evidence is hacked, the hackers could plant false evidence. Therefore the chain of custody must be established during breach response, before an investigation begins.
Your organization has several options for conducting an investigation. If a crime was committed, the FBI may conduct an investigation. If credit card data was involved, compliance may require a PCI DSS investigator. Private investigations can also be conducted.
Many times an investigation is not done, because it is cost-prohibitive to find the trace evidence that may or may not reveal the identities of the hackers. An investigation can involve the use of digital forensics to rigorously obtain evidence of the facts. Log files are examined, after they are secured. Computers are scanned for traces of known exploits. Rarely, first-principles analysis is used to isolate and examine foreign machine code. This last is rare due to the expense and technical skill involved.
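The two requirements above, "secure the evidence" and "document the chain of custody", can be made concrete with a manifest that records a cryptographic hash of every evidence item at the moment it is acquired, and that links each manifest entry to the previous one so that editing the manifest itself is also detectable. The following Python script is an added example written for this article, not code from the author; the function names and the constructed sample evidence are hypothetical, and it assumes only the standard library.

```python
"""Chain-of-custody manifest: hash evidence on acquisition, verify it later.

Each entry records the SHA-256 of one evidence item plus who acquired it and
when.  Entries are hash-chained (each carries the previous entry's hash), so
altering any entry or reordering the manifest breaks the chain.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash for the first entry (constructed sentinel)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the entry hash is reproducible.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def make_entry(name, digest, size, custodian, acquired_at, prev_hash):
    entry = {
        "name": name,
        "sha256": digest,
        "size": size,
        "custodian": custodian,
        "acquired_at": acquired_at,
        "prev": prev_hash,
    }
    entry["entry_hash"] = sha256_bytes(_canonical(entry))
    return entry


def build_manifest(items, custodian, acquired_at=None):
    """items: iterable of (name, data_bytes).  Returns a list of chained entries."""
    acquired_at = acquired_at or datetime.now(timezone.utc).isoformat()
    manifest, prev = [], GENESIS
    for name, data in items:
        entry = make_entry(name, sha256_bytes(data), len(data), custodian, acquired_at, prev)
        manifest.append(entry)
        prev = entry["entry_hash"]
    return manifest


def verify_manifest(manifest, contents):
    """contents: dict name -> bytes as they exist now.  Returns a list of problems (empty = intact)."""
    problems, prev = [], GENESIS
    for e in manifest:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_bytes(_canonical(body)) != e["entry_hash"]:
            problems.append(f"{e['name']}: manifest entry altered")
        if e["prev"] != prev:
            problems.append(f"{e['name']}: chain link broken")
        data = contents.get(e["name"])
        if data is None:
            problems.append(f"{e['name']}: evidence missing")
        elif sha256_bytes(data) != e["sha256"] or len(data) != e["size"]:
            problems.append(f"{e['name']}: content hash mismatch")
        prev = e["entry_hash"]
    return problems


if __name__ == "__main__":
    # Constructed sample evidence: two small files in a temp directory.
    with tempfile.TemporaryDirectory() as d:
        paths = {"auth.log": b"Nov 28 03:14:07 host sshd[101]: Accepted password for svc from 10.0.0.9\n",
                 "dump.bin": b"\x7fELF" + b"\x00" * 12}
        for n, b in paths.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(b)
        items = [(n, open(os.path.join(d, n), "rb").read()) for n in paths]
        manifest = build_manifest(items, custodian="analyst-1")
        print(json.dumps(manifest, indent=2))
        # Re-hash from disk with the chunked hasher and confirm nothing changed.
        ondisk = {n: open(os.path.join(d, n), "rb").read() for n in paths}
        assert sha256_file(os.path.join(d, "auth.log")) == manifest[0]["sha256"]
        print("verify:", verify_manifest(manifest, ondisk) or "intact")
```

The manifest is only as trustworthy as the machine that holds it, which is why the article insists on secured computers: keep the manifest (or at least the final `entry_hash`) on write-once or offline media controlled by the custodian, and re-run `verify_manifest` before any analyst opens the evidence.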