Forensics are a key component of many data incident investigations.  The importance of forensics cannot be overstated.  In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation.

Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation.  Many of the key decisions in an investigation will be driven by forensics.  Does the organization have notification obligations?  Was there access to and/or acquisition or exfiltration of personal information or other sensitive data?  Specifically, what data was accessed or exfiltrated?  When did the compromise start and when did it end?  Are the attackers still in the environment?  Or in a business interruption event such as ransomware, how does the organization get back up and running and get back to work?

Download the 2019 BakerHostetler Data Security Incident Response Report >>

Speed is a critical component in these investigations.  Not only is it important to determine the scope of the incident and stop the attack, but the legal landscape is demanding faster notice times (72 hours in some cases) and therefore speedier investigations.  The good news is, the average number of days to complete a forensic investigation dropped to 28 days in 2018 (from 40 and 36 days in 2016 and 2017, respectively).  Likewise, the average cost of these investigations dropped from $84,417 in 2017 to $63,001 in 2018.

But depending on the type of incident, these investigations can still be very expensive, with an average of $350,576 for the 20 largest network intrusion events in 2018, which demonstrates that not every investigation is the same.  Some investigations (about 50%) require a log review.  Others require imaging of infected systems, while still others require malware analysis or deploying endpoint agents (and sometimes a combination of many of these variables).

Just like not every incident is the same, not all forensics firms are the same.  You may want a specific firm for a ransomware incident – where the firm has experience negotiating with overseas attackers and has a bitcoin wallet if you need to pay a ransom quickly to avoid forever losing access to your data.  Other incidents require special or customized tools that only certain firms have or they developed in-house.  In a phishing incident, it helps to have a firm that has the right tools for analyzing which emails may have been accessed or viewed in a mailbox (which can significantly reduce potential notice obligations).  In a nation-state sponsored attack, you want a sophisticated forensics firm that can match technical wits with the attackers.

So, what are the keys to deciding when to engage a forensics firm and choosing the right firm for the job?

  • Assess the organization’s and forensics firm’s capacity to investigate the incident. Conducting a forensic investigation internally pulls IT resources from other projects and the duties of most IT personnel, and with the average time of 28 days to complete a forensic investigation, this often creates a strain on IT personnel and delays completion of other projects.  A third-party forensics firm can bring additional capacity to an organization responding to an incident.
  • Forensics firm availability. When selecting a forensics firm, evaluate whether the firm has experienced team members available and the bandwidth to provide the needed attention to your matter.  Many forensics firms now offer retainers that guarantee availability of their incident response team within 24 or 48 hours.  Once the forensics firm is engaged, the organization’s internal IT team often still faces a strain on resources because of the need to deploy tools in the environment, preserve and collect forensic evidence, and implement containment and remediation steps while still doing their day jobs.  Some organizations hire temporary, third-party IT consultants to assist in this process.
  • Evaluate the forensics firm’s capabilities and tools. Forensics firms use a variety of tools to determine how an incident occurred, develop a containment plan, and ascertain the scope of systems and data affected. For incidents in 2018 in which a forensics firm was used, the most common types of investigations were log review (50%) and imaging (20%). Log review is conducted to understand when and how the intrusion occurred and what systems and data were accessed, and to create a time line of the attackers’ activities while in the environment – answers to these questions are critical to developing effective communications about the incident.  Device imaging is most common in investigations that are smaller in scope or when deeper analysis of key systems is necessary.  For network intrusions potentially involving many systems, forensics firms can use endpoint tools to remotely collect and analyze forensic evidence from thousands of systems quickly and more efficiently. These tools are also used to monitor the systems in real time to identify ongoing attacker activity and help confirm the effectiveness of containment steps.  If your company has deployed an endpoint tool as a proactive security measure, ask whether the forensics firm can take advantage of deployment of the existing tool to conduct its investigation (rather than deploying an additional tool).
  • Establish a relationship with a forensics firm. One of the most important steps organizations can take to improve their incident response preparedness is to proactively identify a primary forensics firm that the organization would likely use in a potentially significant incident.  Negotiate the terms of a master service agreement with the firm ahead of time to ensure rapid engagement.  Organizations should then conduct onboarding meetings with the forensics firm to help ensure that the organization is maintaining appropriate logs, collecting and preserving evidence in a forensically sound manner, and able to deploy the forensic tools throughout the company’s environment.  Conducting a tabletop exercise with outside counsel and the forensics firm is one of the most effective ways to improve the organization’s ability to quickly and effectively respond to a data security incident.
  • Experience handling similar incidents. Even if you have preselected a forensics firm, when an incident arises, organizations should consider whether that firm is best-suited for the investigation.  Some investigations require specialized tools that your preselected forensics firm may not currently have.  Some investigations require specialized knowledge of a particular system or application, and finding the forensics firm with the right expertise can prove invaluable.  Consult with experienced counsel and your cyberinsurance carrier to leverage their experience; oftentimes, they have worked on similar incidents and can provide insight into which forensics firms have handled similar incidents.
  • Will engaging the forensics firm add credibility to the investigation findings? Depending on the nature and scope of the incident, the organization’s customers, board members, and/or shareholders may expect that the organization retain outside security experts to provide additional credibility to the findings from the investigation.  Retaining a forensics firm can also add credibility with regulators.  It’s important, however, to work with outside counsel when working with forensics firms to best position the organization to assert privilege over communications with, and work product from, the forensics firm.
  • Consider whether the investigation may involve data of international residents. An investigation involving systems located outside the U.S. or even systems in the U.S. that contain data on international residents may present legal issues for some forensics firms.  For example, if the investigation involves data of EU residents, you may need to engage a firm that is Privacy Shield-certified and/or is willing to enter into a “data processing agreement” due to the forensics firm’s receipt and handling of EU residents’ data.

Like having the right tool for the job, the right forensics firm is key to managing an incident and determining notice obligations.  Starting off the investigation right can be the difference between effectively managing an incident or causing delays and false starts, thereby negatively impacting analysis and timing and potentially drawing the unwanted attention of regulators.