Incident Response Meets Governance Risk and Compliance (GRC)in Digital Forensics

By Devon Ackerman, Global Head of Incident Response in the Cyber Risk business, Kroll

On falling victim to a cyberattack, there is typically a three-part support system that comes into play. Insurers often get the initial call, followed by legal counsel and digital forensics experts. With these three stakeholders in place, a company can begin its remediation and recovery, in a way that is legally sound and—hopefully—covered by their cyber insurance policy. For the digital forensics and incident response portion, there are many routes of investigation the responders may take, one of which can be gleaning insight through governance risk and compliance (GRC) processes.

Following are four key areas where cyber incident responders can make use of digital forensic evidence in collaboration with internal GRC professionals, enabling a faster response, an enhanced understanding of the incident and an accelerated recovery.

Data Security Controls

The point at which a company becomes aware it has suffered a cyber incident, or identifies that an event has become an incident, can vary. It may be that an antivirus or a managed detection and response(MDR) sensor has picked up an anomaly which indicates suspicious endpoint- or network traffic-related activity, or it could be an operational issue, such as a spike in help desk reports of identity theft or fraudulent payments from corporate debit cards.

An incident responder’s job is to understand what happened and, while simultaneously working to contain the threat, conduct post-incident response. In attempting to understand what happened, GRC teams can often provide insight into where confidential data is held and what access rights have been given.

In the situation where fraudulent transactions are happening, they could provide guidance into where records of accounts are kept, for example. Once investigated, this could expose poorly managed databases or poor practices followed by some employees, for example, data inappropriately saved on personal computers and inadequate access management. If this is combined with failures in cybersecurity best practices, for example, employees falling victim to phishing attacks, there may also be malware on the computer, and personally identifiable information (PII) could have been exposed. This information could have been used to complete fraudulent transactions.

Avoiding Blind Reliance on Cloud Service Providers

When cyber incident investigations cross over into the cloud environment, the lines of responsibility often become hazier still. Without appropriate GRC processes in place, understanding what happened in a cyber incident, remediation and recovery can be hindered significantly.

Most often in the cloud it comes down to log retention. Much of an incident responder’s digital forensic processes rely on access to log data over a significant period of time that can show cybercriminal activity and provide detail on impacted systems and the required remediation. If cloud providers are only retaining logs for 30 days, or worse, log retention isn’t enabled by default, this can significantly impact the incident responder’s visibility. It also potentially puts the organization at risk of violating data privacy laws, given the shared security model imposes security obligations on both parties.

Clear and robust policies around cloud environments and an understanding of where responsibility lies, will help safeguard that when digital forensic investigations take place, the required data and logs are available for both the investigation and broader compliance requirements.

Investing in Your Team

Collaboration between the GRC and digital forensics team doesn’t only improve the data access involved in an investigation. It can also build the organization’s cyber resiliency and reduce the risk of non-compliance. This is seen most clearly when technologies or processes exist to address a data governance issue, for example, but the team built around it is insufficient.

Whether it is due to a company’s security mindset not evolving as a company grows, or a series of acquisitions and team turnover that have complicated processes and reduced retained knowledge, often the GRC processes which exist in theory, are less apparent in practice.

Often exposed in an incident response case, when digital forensic examiners are tracing data throughout the company, policies and procedures can be exposed as a “paper exercise”. In the worst-case scenario, it is not just a lack of tick boxes, but actual infrastructure that is connected with insecure configurations, leaving web servers and database servers vulnerable to cyberattacks and interconnected with internal resources and networks. Without proper network segmentation inside the company, this situation is worsened as cybercriminals can move laterally to cause maximum damage.

It is important that as part of the post-investigation recovery, investment is made in getting these systems and processes in order. Doing so will benefit the company from both a cybersecurity and GRC perspective.

Collaboration with Legal Teams

Finally, knowing when to escalate a digital forensics investigation to a legal audience can be fundamental to handling an incident effectively and not exposing a company to further potential damage. While an investigation may have begun with a narrow scope, teamwork between GRC teams and digital forensic examiners can highlight when the data compromised represents a significant risk, which may require the investigation to continue under privilege.

Digital Forensics and GRC Teams in Harmony

It may seem obvious that GRC teams and digital forensic examiners would have plenty of mutual interest, given their focus on understanding data flow and the processes and procedures that surround data, but often they are very much siloed within an organization.

Often it is only when an investigation begins, such as in reaction to a cyber incident, that the synergies between teams become evident. While it goes without saying that good collaboration across the two fields will aid any investigation—providing greater understanding of data controls and cloud environments, for example—there are also longer-term gains that can prove advantageous for both disciplines. From a cyber perspective, with sufficient resources and teams to implement the GRC policies, resiliency against cyberattacks will be improved. From a GRC perspective, among other advantages, data visibility and clear processes for handling logs will bring compliance issues to the surface and allow steps to be taken for improvement before legal action ensues.

Hot Topics

Related Articles