Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Identifying Compromised Data Can Be a Logistical Nightmare

Being able to trace an incident backward from breach to data source is vital in restoring and improving cybersecurity.

3D illustration of compromised computer connected to a network
Source: Panther Media GmbH via Alamy Stock Photo

You've just learned your corporate network or cloud environment was breached. Do you know how to identify which data was compromised and where it was stored?

Launching a breach investigation generally requires that you have some sort of starting point, but knowing that starting point is not always possible. Sometimes you won't know which data or physical asset was compromised — only that the FBI just called to tell you your corporate data was found on the Dark Web for sale, says Tyler Young, CISO at BigID, a security firm that specializes in privacy, compliance, and governance.

The source database, application, server, or storage repository needs to be determined to ensure the forensics team can ferret out any potential threat still looming in your network.

John Benkert, co-founder and CEO of data security company Cigent, recommends that if you do not know exactly what data was breached, you start evaluating systems and resources that are most critical to the organization's operations or contain the most sensitive information. Focus on systems that are most likely to have been targeted in a breach, such as those with known vulnerabilities or weak security controls.

"When security teams are looking for compromised data, they often focus on the wrong things, such as looking for known signatures or indicators of compromise," says Ani Chaudhuri, CEO of Dasera. "This approach can be effective for detecting known threats, but it's less useful for finding new or advanced threats that don't match known patterns. Instead, security teams should focus on understanding the organization's data and how it is accessed, used, and stored."

Keep Knowledge Current to Maintain Traceability

Young says a fundamental understanding of your assets, including data systems, identities, and people, will help you work backward if there is a breach. Through automated data discovery and classification, organizations can better understand where their sensitive data resides and who has access to it. This information can then be used to identify and prioritize security controls, such as access controls and encryption, to protect the data, he notes.

Connecting the dots between systems, people, security controls, and other identifiable assets provides the proverbial breadcrumbs back through the data breach, from data on the Dark Web to where the data originally resided on the corporate servers or in the cloud.

Having an up-to-date asset management profile, including where data is stored, which data is located in which repository, and a complete inventory of the network topology and devices, is essential.

"CISOs need to have complete visibility into their organization's IT infrastructure, including all virtual machines, storage systems, and endpoints," Young says.

Cigent's Benkert identifies some common errors organizations make when investigating a breach:

  • Failing to act quickly. Time is of the essence in a breach investigation, and delays in collecting forensic data allow attackers to cover their tracks, destroy evidence, or escalate their attack.

  • Overwriting or modifying data. Companies might inadvertently overwrite or modify forensic data by continuing to use affected systems or conducting uncontrolled investigations.

  • Lacking expertise. Collecting and analyzing forensic data requires specialized skills and tools, and companies might not have the appropriate in-house expertise to perform these tasks effectively.

  • Not considering all potential sources of evidence. Companies might overlook or not fully investigate all potential sources of forensic data, such as cloud services, mobile devices, or physical media.

  • Not preserving data in a forensically sound manner. To maintain the integrity of the evidence, it is important to use forensically sound methods for data acquisition and preservation. To be forensically sound, the collection process must be defensible by being consistent, repeatable, well documented, and authenticated.

  • Not having a clear incident response plan. A well-defined plan can help ensure that all relevant data is collected and that the investigation is conducted in a methodical and effective manner.

"Continuous monitoring and risk detection capabilities help organizations identify anomalous or suspicious behavior that could indicate a data breach," Dasera's Chaudhuri notes. By monitoring data access patterns and changes to data and infrastructure, organizations can quickly detect potential threats and alert security teams to take action.

OT Breaches Present Special Concerns

Breaches of operational technology (OT) environments often throw additional challenges at forensics teams. With a traditional IT network, servers and other endpoint devices can be physically removed and taken to a law enforcement lab to be analyzed. But that is not necessarily the case in OT environments, notes Marty Edwards, deputy CTO for OT/IoT at Tenable, member of the International Society of Automation (ISA) Global Cybersecurity Alliance (GCA), and former ISA director.

In OT environments, compromised data could exist in device controllers embedded in critical infrastructure systems, such as a water treatment plant or the electric grid, that cannot be disconnected or turned off without affecting thousands of people.

Even turning over a compromised, mission-critical laptop to the FBI might require the IT team to negotiate the process of replacing the laptop to preserve its mission-critical function rather than just putting it into an evidence bag. Where OT and IT networks converge, common cyberattacks, such as ransomware, can lead to much more complex forensic investigations due to the different levels of security in network devices.

One of the difficulties is that OT systems use very customized and sometimes proprietary hardware, and the protocols are not openly published or available, Edwards notes.

"In some cases, we had to build our own tools, or we had to partner with the manufacturer or the vendor to bring in their factory tools that they don't sell to anybody, but they use while they're manufacturing the product," he says.

Occasionally, customized software tools might need to be custom-built on site as the traditional forensic tools often would not work, Edwards says.

About the Author

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights