Case Studies and Examples of Incident Response Policies

The case studies in this chapter examine various organizations that had formal incident response teams established by policies. The case studies examine how effective these teams were during a security breach.

Private Sector Case Study

An online forensic case study was published about a multibillion-dollar publicly traded company. The company is a leader in the IT infrastructure market. The company was not named in the article.

The problem: The company’s servers had been compromised to be the jumping-off point to attack a host of other companies.

The company was notified by another company of the attack. The company’s administrator activated an IRT to assess the threat. The administrators were unable to find evidence that a breach had occurred. They called in a consulting firm named Riptech, which specialized in intrusion and forensic analysis. Riptech discovered that a server had been compromised. The firm wanted to monitor the intruder’s activities. However, Riptech was advised by in-house counsel that the company was not comfortable allowing the breach to continue. Riptech managed to trace the attack to a North Dakota high school.

This case study illustrated weaknesses in the company’s incident response policies and plans. It did point to the skills and tools available to the company. In addition, information response policies were clear on the role and skill requirements to form an IRT. The team did appear to be cross-functional, because the legal department was clearly engaged. Also, the IRT was activated quickly. However, the administrators were unable to find the breach.

The incident is a good example of working with legal specialists to determine the appropriate response. Although Riptech preferred to track down the attacker, the company’s legal counsel was concerned over the potential liability of permitting a breach. The decision was to protect the organization and stop the intrusion.

The case study illustrates how forensic tools are used to gather evidence. A bit-for-bit image (the article calls it a bitmap copy) of the infected systems was made prior to the systems being restored. This preserved the state of the affected server. The image could then be used as evidence or for further analysis of the incident.
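The acquisition step described above, as an added illustration that is not from the case study or from Riptech: the disk is copied byte for byte, the source and the image are both hashed, the hashes are recorded in a chain-of-custody manifest, and the image is re-verified before any analysis. The "disk" here is a constructed temporary file standing in for a block device, and the examiner and case identifiers are placeholders; on a real system the source would be a device path opened read-only, ideally behind a hardware write blocker.

```python
"""Forensic imaging with integrity verification (added example, not the case study's own tooling)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so a large device never has to fit in memory


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path: str, image_path: str) -> dict:
    """Copy source to image byte for byte. The source is hashed as it is read,
    the image is hashed after it has been flushed to disk, so the two digests
    prove the copy is faithful."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on stable storage before we hash it
    return {
        "source": source_path,
        "image": image_path,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": hash_file(image_path),
        "size_bytes": os.path.getsize(image_path),
    }


def verify_image(record: dict) -> bool:
    """Re-hash the image and confirm it still matches both recorded digests.
    Run this whenever custody changes hands and again before analysis starts."""
    return hash_file(record["image"]) == record["image_sha256"] == record["source_sha256"]


def write_manifest(record: dict, manifest_path: str, examiner: str, case_id: str) -> dict:
    """Persist the chain-of-custody record beside the image."""
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        **record,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo() -> dict:
    """Stand-alone run against a constructed 'disk' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "fake_disk.raw")
    with open(disk, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 4096 + b"END")  # constructed sample content
    record = image_device(disk, os.path.join(workdir, "evidence.dd"))
    write_manifest(record, os.path.join(workdir, "evidence.json"),
                   examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
    record["verified"] = verify_image(record)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the source during the read rather than afterwards is that a live or failing disk may not read identically twice; the recorded source digest is the one taken at acquisition time, and any later mismatch on the image is a custody problem to be explained, not silently re-imaged away.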

The case study also illustrates the public relations approach that was taken. Because there was no breach of data, the company decided not to publicly acknowledge the attack. The article indicated the concern was public perception. The organization did not want it known that a teenager was able to breach its system.

The final incident report issued by Riptech outlined a series of control weaknesses that allowed the breach. The consulting firm helped the company restore its system and mitigate the threat in the future.

Public Sector Case Study

In August 2019, various government facilities in Texas were hit with ransomware. Twenty-three towns and cities in Texas were hit with a coordinated cyberattack. City government services were unavailable due to ransomware. The response team included state officials and the FBI. The FBI identified the malware as the Sodinokibi virus, which had first been seen in April 2019.

The incident response process identified that the most likely attack vector used by the ransomware was a communication channel managed by a third party. The initial entry appears to have been a phishing email. This is the first takeaway from this incident: Only by identifying how the incident occurred can steps be taken to reduce the chances of a repeat.

It also happens that the state of Texas had been working for some time to have a centralized incident response system. This included coordination of the incident response across affected cities and involving the FBI and the Secret Service early on. Due to the improved incident response, most of the cities were fully operational again within a matter of days, and none paid the ransom. Furthermore, there was an immediate statewide push for more cybertraining and for improving both defenses and incident response. This is an example of an effective incident response policy.

Critical Infrastructure Case Study

A case study was published by the Carnegie Mellon CERT program. It described how one of the largest banks in the country started an IRT. The case study concealed the bank’s name, referring to it as AFI. The case study described the process that AFI went through to create the team and related policies.

The need for an IRT was clear to the security manager. He had observed security incidents being handled inconsistently. This was a problem because the bank was governed by certain regulations. The approach was to involve several of the risk groups and key stakeholders. The effort was jump-started by using best practices. Because of the size and complexity of the organization, it took several years to deploy globally. The effort was initially understaffed, the work required was underestimated, and requirements were not clearly understood.

This case study is a good example of how regulated industries are required to have effective information response policies. This is also an example of an IRT that is filled with appropriately skilled individuals. There was no indication in the case study that an external firm was engaged to assist the company. It would be a best practice to engage an outside firm to help plan such an effort when internal skills are not available.
