When an organization is in the heat of the moment responding to a cyberattack, the organization and its legal counsel are looking for immediate answers.
All of these questions are important; however, the question of access versus exfiltration may be the most important of all, as it relates to potential legal liabilities of an organization.
Have you experience a potential data breach?
Data Access vs. Data Exfiltration
Data access is exactly what it sounds like. When a cyber attack occurs, an organization’s data is accessed without authorization.
Data exfiltration occurs when the company or individual data is copied, transferred or taken during the cyber attack from a computer or server without authorization.
The mere fact an organization’s data was accessed without authorization may not trigger notifications related to a privacy breach depending upon applicable statutes. However, unauthorized data exfiltration is almost guaranteeing notifications will required by an organization if unencrypted sensitive data such as Personally Identifiable Information (PII) or Protected Health Information (PHI) was potentially subject to the attack.
How to Know if Data Access or Data Exfiltration Occurred
When a data breach occurs, incident response professionals will begin to investigate not only how the breach occurred, but what happened to the data. This requires access to certain types of data:
|Type of Data||Why We Need It|
|Logs (e.g., email audit logs, firewall logs and System event logs)||Allows for an investigation of anomalous login/traffic activity for a period of time.|
|NetFlows and DNS logs||Provides a picture of the inbound and outbound traffic flow and volume.|
|Backups||For data integrity purposes by scanning for potential malicious files.|
|Copy of the native email inbox for a phishing attack||Allows review of email header information to understand the origins of attack.|
|Copy of the malicious file(s)||For purposes of identifying the behavior of the file(s) such data exfiltration capabilities, deletions of volume shadow copies, access to multiple systems and encryption.|
|Copy of the ransomware note and sample of an encrypted file||May allow a quick understanding of the variant of ransomware.|
|Copy of anomalous PowerShell scripts||Provides insight as to the behavior of the script such as whether or not it attempts to make network contact with other hosts and if it runs with escalated privileges.|
By having immediate access to this type of data, an incident response team can gain an understanding as to:
In addition, this information can determine the dwell time of the bad actor being in the organization’s system before detection.
Incident response teams will also collect forensic artifacts and full disk images for further analysis. The forensic artifacts and full disk images give a deeper forensic dive and the ability to look for other hacker tools such as credential harvesting software like Mimikatz. Credential harvesting tools are used by hackers to scrape systems for authorized credentials so they can be used to gain “authorized” access to an organization’s systems. This can then be used toescalate privileges, move laterally within the network, and execute malware with administrator privileges. By obtaining administrative privileges, the bad actor essentially has all the keys to the organization’s kingdom inclusive of its sensitive and proprietary data.
Major Roadblocks to Identifying Data Exfiltration
What are the major roadblocks to determining if data was exfiltrated? Typically, it boils down to these common themes:
How to Prepare for a Potential Cyberattack
There are common steps that can be put in place at your organization so you are better prepared for a cyberattack. These include:
Certainly, having multiple layers of cybersecurity controls, solutions and ongoing employee awareness training is your organization’s best bet in mitigating the risk of a cyberattack. However, bad actors are constantly finding new ways to exploit vulnerabilities, so its imperative organizations plan for the worst-case scenario: an incident involving data exfiltration.
If your organization has experienced a cybersecurity incident, know that you are not alone.
See what more we can bring to organizations just like yours.Construction & Real Estate Dealerships Healthcare Critical Access Hospitals Health Systems Medical Practices Senior Living Manufacturing