Speaker 1: Hi everyone, Kim here from Magnet Forensics. Today, we're talking data breaches. A data breach can have long-term painful consequences for an organization. Erosion of customer confidence, cost of remediation, legal problems. The effects can last years.

Data breaches can occur in many ways. A company's network can be breached, malware can be installed that gives an attacker access to the system, unsecured web servers or websites can be scraped for data, and there's always the threat of an insider, like an employee or a contractor leaking information.

There's also an emerging data breach trend, double extortion. This refers to when a ransomware attack and data breach happen in rapid succession and the ransomware attack effectively becomes a distraction to the real attack, a data breach. From here, two things can happen. Number one, you're able to restore backups and possibly recover from the ransomware attack without paying the hackers for a decryption key. In this case, the cyber criminal will contact you, even congratulate you, then demand extortion money not to publish the data that was exfiltrated. Number two, you're not able to restore backups and you pay the cyber criminal for the decryption key. Now they know you have money. After the ransomware transaction is completed, you will get hit with extortion for the data that was breached. No matter what, there's no guarantee that if you pay, the bad guy won't ask for more money or sell the data to another criminal group or publish it after you pay. So if you find yourself in this unfortunate situation, here's how to investigate the attack.

Step one, the breach notification. Security operation centers get so many alerts every day, it can be easy to get complacent. Don't get tunnel vision. Cyber criminals might use a multi-pronged attack that covers up their actual mission. If a valid attack is spotted, be on the lookout for other IOCs or indicators of compromise. Some cyber attacks are designed to obfuscate another attack, some to cover up evidence of another crime. Ransomware is a good example of this. It's like throwing a grenade into a room to destroy evidence of a burglary. Remember, attackers want to persist in your system, so always look for multiple IOCs. The malware available today is more sophisticated than ever. Ransomware as a service, fileless malware that runs in memory, zero-day exploits. You will need to act fast with accurate forensic tools to investigate a data breach alert. Magnet Ignite is a great way to triage an endpoint before performing your full forensic analysis, particularly because Ignite can be deployed to multiple endpoints simultaneously and because it can be configured for various casework depending on the needs of the investigation.

Step two, enact your incident response plan. It's time to act. Be aware that if the attacker has a foothold in your network, it may be monitoring your emails as well as actions you take to secure your network. Gather your team and give clear, deliverable steps to execute the incident response plan. Keep your messaging straightforward. Your plans will change throughout the event, so carefully document any changes to your incident response plan to later report why the deviation occurred and what steps were taken to address the situation.

Step three, investigate. Time to determine the extent of the damage and preserve evidence. You may want to answer these questions. How long has our data been vulnerable? How much data has been exposed? Is data leakage still occurring? Are there regulatory implications regarding the breach of data? Was customer data or personal identifiable information, PII, taken? And if so, how much? Identifying what was taken in a breach is one of the first steps and it will guide your investigative approach. Having data scraped, being the victim of malware, or having an insider steal data all require different forensic responses. You're going to want to pull data from a variety of sources, such as firewall logs and rules. Was the firewall set up to monitor outbound traffic, outbound SSH traffic? System logs from web servers. Is there evidence of increased traffic that's out of the normal parameters of that system? Is there evidence of URL or credential stuffing? Individual endpoint systems, Windows logs, RAM, process capture, and full disk images may all be needed to show user attribution to files. Antivirus logs. Has malware been detected in the environment? What are the characteristics of this malware family? If you're dealing with an insider threat, think about what you'll do with that employee's work computer, especially if they're remote. Working with all this data is difficult, so you'll need to do it quickly. So make sure you have the right tools at the ready. We believe Magnet Axiom Cyber is the best tool for forensically investigating a data breach. Connections will visually show you how a file, like a malicious payload, originated and where it went. Relative time filters allow you to quickly narrow your window of artifacts that need to be examined. You can analyze Linux artifacts coming from servers and other devices that will help you understand how the attacker moved throughout your network and what other endpoints might be infected. It allows for remote acquisition of target endpoints, even when they aren't connected to your corporate network with a VPN. So capturing and analyzing RAM and disk images from a remote computer may indicate that an insider had a role in the breach. While taking these steps, it's also vitally important to maintain copies of original evidence, or the data that you collect before it is analyzed, for regulators and for possible prosecution.

Step four, address vulnerabilities. Once the source of the breach is confirmed, lock down vulnerabilities. The IOCs you found in the previous steps will help you secure systems and networks in the environment. Losing customer data, particularly personal identifying information, can have dire consequences, but losing it a second time makes the problem exponentially worse. Forensically analyze your environment to make sure you've addressed every vulnerability, then move on to reporting.

Step five, report internally and externally. You should expect to create internal reports, but depending on your industry and the amount of data exfiltrated, you may need to report externally as well. These external reports may need to address customers, regulators, or even stockholders, communicate the lessons learned, and share how the vulnerabilities that led to the data breach have been addressed.

That's it for how to investigate a data breach. Make sure to subscribe for more from Magnet Forensics, and thanks for watching.