Determining the “who, what, where, when, and how” of data breach investigations

Determining the “who, what, where, when, and how” of data breach investigations

By Stuart Clarke, CTO, Cyber Solutions at Nuix

The high value and easy marketability of private data on the black market has made all organisations that hold valuable intellectual property vulnerable to cyberespionage and insider threats. Once a company has been breached, it will have to investigate how the data breach occurred and who the people responsible are – a task which can be daunting without the right approach or the right tools.

Where do you begin?

Understanding the “who, what, where, when, and how” of a security incident – the foundations of a solid investigation – involves connecting the dots across many seemingly unassociated facts. This requires having thorough visibility and access into all data and file types. It also entails humanising the data aggregated during an investigation – connecting digital evidence with human facts – in order to achieve deeper level of visibility and understanding of threat scenarios.

Until recently, this was easier said than done.

The challenges behind ‘old school’ investigations

Traditional data breach investigations just focused on the information stored in the computers and other devices belonging to people of interest, in order to find clues that would aid in the investigation process. They would only look at what happened and when. Investigators would need to build a mental picture of the investigation in order to piece it together, relying heavily on their expertise to arrive at the right conclusion.
This approach is useful when investigating simple or linear cases, such as those in which a person has accessed confidential files which were later published on a public platform like WikiLeaks. However, this methodology isn’t as effective when applied to more complex cases such as one involving a group of people located around the globe, where the evidence may comprise anything from emails, to cash receipts, to video surveillance footage.
That’s when combining digital activity with real-world activity becomes critical in order to investigate the entire scope of a breach, find hidden intelligence and threats, and ultimately, solve the mystery.

New ways of thinking bring new ways of investigating
New approaches to data breach investigations focus on achieving superior breadth and depth of visibility into human and enterprise data. Advanced investigative tools enable cybersecurity investigators to analyse all evidence at once, so that they can correlate and contextualise intelligence to deliver insights that can help them conduct informed incidenft response.
The latest technologies allow investigators to map all evidence at once in a variety of visualisations. They can categorise items of interest including internet histories, device access records, communication activities, notable operating system events and new files.

This means, for example, that rather than looking at a large list of communication records extracted from mobile phones and desktop computers, investigators can display this information as a visual network. At a glance, they can see who the primary communicators are, whom they spoke to and how often. Investigators can also use IP addresses or embedded metadata to locate geographical coordinates and plot maps which enable them to understand the movements of a suspect and their contacts.
Data visualisation techniques enable investigators to discard irrelevant or redundant information and quickly highlight and focus in on anomalies they have discovered. They can also expose information the organisation didn’t previously know about and find links between data sources they may otherwise have missed, identifying previously unseen patterns and trends in the data.
Once investigators have exposed an item of interest, they can drill down and see where it leads – what other data it is linked to, what new findings it will help uncover and what new intelligence it will reveal. They can use these visualisations to establish key players, their locations and their involvement in a matter of interest.

By bringing these elements together, investigators are able to connect the four dimensions of data: people, objects, locations, and events. This four-dimensional analysis helps humanise the data so that investigators can make connections between the electronic information and human facts. This provides a much deeper level of visibility and understanding of threat scenarios that you can achieve by simply looking at system data.
Humanising electronic data provides complete insight into the who, what, when, where and how of security breaches. Want to hear more on this topic? Visit us at stand C300 or catch my presentation ‘The 4 Dimensions of Breach Investigations’ on the Infingate theatre (Stand D260) at 11.00am Wednesday 8th June.

Leave a Comment

Your email address will not be published. Required fields are marked *