On May 7, 2021, Colonial Pipeline, the largest U.S. pipeline system for refined oil products, was hit by a ransomware attack that forced the company to shut down its entire fuel distribution pipeline.
This most recent ransomware breach of Colonial Pipeline demonstrates that it isn't a question of if you will be impacted by a cyber event, but rather when it will happen. Even the largest and presumably best-protected organizations can become victims of advanced, persistent threats. Over the years, many organizations have become more familiar with the requirements of security and incident response to bring their company back into an operating state, but what about after that? How do you defend the company against further action by customers or regulatory agencies?
A key component to the continued efforts of bringing the organization back to a true pre-loss condition is managing the investigation in a way that any exposed data can be used as evidence in a court of law. Cyber forensics experts, experienced in the preservation and analysis of data, are required to work alongside cyber security professionals during the remediation of a cyber breach event to ensure all evidence is preserved and analyzed, and to inform corporate officers and counsel of any data exposure that may have happened as a result of the breach.
The Importance of Cyber Forensics
The need for a forensic review is especially important as it is becoming more common for threat actors to take data out of an organization during a ransomware event. Not only does this data exfiltration increase the likelihood of an organization paying ransom to keep the data from being sold or published on the dark web, but it also greatly increases the likelihood that sensitive data has been exposed, which can trigger litigation or compliance requirements even after the event itself has been remediated.
Following an attack, cyber forensics experts work with the organization, counsel, IT, and security professionals to establish streamlined preservation efforts while the event is being remediated. These cyber experts seek to understand the types and sensitivity of the data that may have been exposed, which then allows them to assess the level of compromise within the organization through forensic analysis and to identify the specific events and data that were exposed to the threat actor.
In many cases, this can reduce the number of systems that are of concern to counsel, because no evidence of data being accessed by the threat actors can be found on those systems. Where data has been accessed, analysis can also help to reduce notification lists or compliance violations by confirming exactly which data was exposed.
Cyber forensics can help bring certainty to a challenging situation through expert preservation and analysis of computing systems and environments. By helping organizations and counsel understand the extent of compromise and any data exposure in a way that can stand up to scrutiny in a court of law, they can feel confident that they are making the best decisions possible after a security breach event.