Network evidence for defensible disclosure

What do you do if (or when) your team discovers a breach of your digital assets?

To answer this question, we first need to familiarize ourselves with the term “defensible disclosure.” It’s not an expression often heard in cybersecurity, but understanding what it means and how to live up to its expectations is crucial in an age where organizations regularly handle intrusions and, sometimes, suffer breaches. 

Turning back the clock to 1985, an early example of the phrase outside of the cybersecurity landscape appears in the Proceedings of the Bureau of the Census First Annual Research Conference, with further appearances in statistical, medical, legal and financial communities. For the past 20 years, the idea of defensible disclosure has also been popular in the computer incident response community. However, the specific phrase is fairly new to cybersecurity.  

In the context of cybersecurity, defensible disclosure is the process of notifying constituents of an intrusion or breach in a manner that the disclosing party can competently and intelligently justify. Forensic investigators have to determine whether the security incident was an intrusion or a more serious data breach. We define intrusions as policy violations or computer security incidents. A breach, by contrast, means the cybercriminal has escalated the intrusion to the point where he or she has ready access to, or has already accessed, information to which he or she should not have access.

The role of network evidence in defensible disclosure 

Network evidence plays a crucial role in defensible disclosure. Assuming proper sensor positioning and avoidance of packet drops, network evidence is a reliable record of the activity that it sees. Extensive stores of high-fidelity network data (several months, not several days) help chief information security officers (CISOs) and their computer incident response teams gather the crucial details that enable defensible disclosure.

Security teams must determine when the intrusion started and (possibly) ended, as well as its full scope. A thorough investigation should also look into whether the intruder accessed data stores that held, or may have held, sensitive information, and whether there are any indicators to suggest damaged or stolen personal details. Finally, the teams must disclose whether the incident response process was successful and whether the intruder maintained unauthorized access or tried to regain it.
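The questions above map directly onto what a connection record can answer. The following is an added example (not code from the article or from Corelight) that derives those facts from a handful of constructed, Zeek-style connection records: first and last contact with attacker-controlled addresses, the internal hosts reached directly or by pivot, whether any of those hosts is a known sensitive data store, how much data flowed back toward the intruder, and whether attacker contact continued after the containment time. The field order of the sample records, the attacker address `203.0.113.9`, the `SENSITIVE_STORES` inventory and the containment timestamp are all assumptions made for the example.

```python
"""Intrusion timeline from connection records.

Added example, not code from the original article or from Corelight. Given
connection records and a set of attacker-controlled addresses, derive the
facts a defensible disclosure needs: start and end of the activity, internal
hosts and sensitive data stores reached, bytes returned to the intruder, and
whether attacker contact continued after containment.
"""
from dataclasses import dataclass

# Constructed sample records in a Zeek-style tab-separated layout. The field
# order (ts, orig_ip, resp_ip, resp_port, proto, orig_bytes, resp_bytes) is an
# assumption for this example; real conn logs carry many more fields.
SAMPLE_CONN_LOG = """\
1700000000.0\t203.0.113.9\t10.0.0.5\t443\ttcp\t1200\t5400
1700003600.0\t10.0.0.5\t10.0.0.20\t445\ttcp\t80000\t3000
1700007200.0\t10.0.0.5\t10.0.0.21\t1433\ttcp\t2000\t9000000
1700010800.0\t10.0.0.5\t203.0.113.9\t443\ttcp\t9500000\t1200
1700100000.0\t203.0.113.9\t10.0.0.5\t443\ttcp\t900\t2000
"""

# Assumed asset inventory: which internal addresses hold sensitive data.
SENSITIVE_STORES = {"10.0.0.21": "hr-database"}


@dataclass(frozen=True)
class Conn:
    ts: float
    orig: str
    resp: str
    port: int
    proto: str
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse tab-separated records, skipping blank and comment lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, proto, ob, rb = line.split("\t")
        conns.append(Conn(float(ts), orig, resp, int(port), proto, int(ob), int(rb)))
    return sorted(conns, key=lambda c: c.ts)


def build_timeline(conns, attacker_ips, containment_ts):
    """Summarise the intrusion from the defender's point of view.

    Scope is expanded transitively in time order: a host contacted by the
    attacker, or by an already-involved host, becomes involved. This
    over-approximates (a pivot host's ordinary traffic also counts), which is
    the conservative direction when the alternative is guessing.
    """
    attacker_ips = set(attacker_ips)
    involved = set()          # internal hosts reached, directly or by pivot
    stores_reached = {}       # sensitive store -> first time it was touched
    bytes_to_attacker = 0
    first_seen = last_seen = None
    post_containment = []     # attacker contact at or after containment

    for c in sorted(conns, key=lambda x: x.ts):
        touches_attacker = c.orig in attacker_ips or c.resp in attacker_ips
        if touches_attacker:
            first_seen = c.ts if first_seen is None else first_seen
            last_seen = c.ts
            if c.ts >= containment_ts:
                post_containment.append(c)
            # Bytes leaving the victim side toward the attacker, whichever
            # side opened the connection.
            bytes_to_attacker += c.resp_bytes if c.orig in attacker_ips else c.orig_bytes
        if (c.orig in attacker_ips or c.orig in involved) and c.resp not in attacker_ips:
            involved.add(c.resp)
            if c.resp in SENSITIVE_STORES and c.resp not in stores_reached:
                stores_reached[c.resp] = c.ts

    return {
        "first_seen": first_seen,
        "last_seen": last_seen,
        "internal_hosts": involved,
        "sensitive_stores": stores_reached,
        "bytes_to_attacker": bytes_to_attacker,
        "post_containment": post_containment,
    }


if __name__ == "__main__":
    timeline = build_timeline(parse_conn_log(SAMPLE_CONN_LOG),
                              {"203.0.113.9"}, containment_ts=1700020000.0)
    for key, value in timeline.items():
        print(f"{key}: {value}")
```

On the sample data the summary shows the intrusion beginning with inbound contact to `10.0.0.5`, lateral movement to two further hosts including the assumed HR database, a large outbound transfer back to the attacker address, and renewed attacker contact after the containment time, which is exactly the kind of evidence that lets a team state the scope and outcome of its response rather than guess at it. The transitive expansion is deliberately conservative; an analyst would prune it with endpoint and application evidence before disclosing.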

Having access to the right data means custodians can make informed decisions about detection and response. They cannot rely on hunches, or worse, whatever the intruder tells them. For example, criminals have extorted victims, claiming that they have already deployed ransomware, when in reality they had not. The victims couldn't determine the truth on their own. If a victim is unsure of the scope of an incident, they may be forced to assume, and therefore falsely report, a wider impact than the activity actually had.

High-quality network evidence works well with the three other sources of awareness in the digital world: human sources, infrastructure and application logs, and endpoint data. A robust defensible disclosure process backed by trustworthy data enables organizations to speak with confidence when revealing details of an incident to constituents. Leaders of such organizations are also at less risk of accusations that they are inadvertently, or perhaps even intentionally, trying to deceive constituents.

Defensible disclosure is a goal that any custodian of sensitive data would do well to meet, should they find themselves in the unfortunate situation of handling an incident. 

About the Author

Richard Bejtlich is Strategist and Author in Residence at Corelight. Corelight transforms network and cloud activity into evidence so that data-first defenders can stay ahead of ever-changing attacks. Delivered by our open NDR platform, Corelight’s comprehensive, correlated evidence gives you unparalleled visibility into your network. This evidence allows you to unlock new analytics, investigate faster, hunt like an expert, and even disrupt future attacks.
