Network evidence for defensible disclosure

What do you do if (or when) your team discovers a breach of your digital assets?

To answer this question, we must first familiarize ourselves with the term “arguable disclosure”. It’s not a term often heard in cybersecurity, but understanding what it means and how to meet its expectations is crucial in a time when organizations routinely deal with intrusions and, at times, suffer breaches.

Going back in time to 1985, an early example of the phrase outside of the cybersecurity landscape appears in the Proceedings of the Bureau of the First Annual Census Research Conference, along with other appearances in the statistical, medical, and medical communities. , legal and financial. For 20 years, the idea Defensible disclosure has also been popular in the computer incident response community. However, the specific expression is relatively new in the field of cybersecurity.

In the context of cybersecurity, defensible disclosure is the process of notifying stakeholders of an intrusion or breach in a way that the disclosing party can competently and intelligently justify. Forensic investigators must determine whether the security incident was an intrusion or a more serious data breach. We define intrusions as policy violations or computer security incidents. A breach, on the other hand, means that the cybercriminal has escalated the intrusion to the point where he has easy access, or has already accessed, information that he should not have access to.

The Role of Network Evidence in Defensible Disclosure

Network evidence plays a crucial role in defensible disclosure. Assuming correct positioning and avoiding packet loss, the network’s evidence is a reliable record of the activity it sees. Extensive stores—meaning months, not days—of high-fidelity network data help information security officers (CISOs) and their IT incident response teams gather crucial details to allow an arguable disclosure.

Security teams need to determine when the intrusion began and (eventually) ended, as well as its full extent. A thorough investigation should also determine if the intruder accessed any data stores that contain or may contain sensitive information, and if there are any clues that suggest personal data has been damaged or stolen. Finally, teams should disclose whether the incident response process was successful and whether the intruder maintained unauthorized access or attempted to recover it.

Having access to the right data means custodians can make informed decisions about detection and response. They can’t trust hunches, or worse, anything the intruder tells them. For example, criminals have extorted victims, claiming they’ve already deployed ransomware, when in fact, they haven’t. The victims could not determine the truth on their own. If a victim is uncertain of the magnitude of an incident, they may be forced to conceptually and falsely expand the impact of the activity.

High-quality network evidence works well with the other three sources of awareness in the digital world: human sources, infrastructure and application logs, and endpoint data. A robust and defensible disclosure process backed by reliable data allows organizations to speak with confidence when revealing details of an incident to voters. These leaders are also less likely to be accused of inadvertently or perhaps even intentionally trying to mislead their constituents.

Defensible disclosure is a goal any custodian of sensitive data would do well to achieve, should they find themselves in the unfortunate position of handling an incident.


About the Author

Richard Bejtlich is strategist and author-in-residence at Corelight. Corelight turns network and cloud activity into evidence so data defenders can stay ahead of evolving attacks. Powered by our open NDR platform, Corelight’s comprehensive and correlated evidence gives you unparalleled visibility into your network. This evidence allows you to unlock new analytics, investigate faster, hunt like an expert, and even disrupt future attacks.

Featured Image: ©Tural



Source link