Incident Response 101 – Preserving Evidence
A robust incident response program and a well trained incident response team know exactly what to do and what not to do.
One critical task in incident response is to preserve evidence. Evidence may need to be preserved based on specific legal requirements, such as for defense contractors. In other cases, evidence must be preserved based on the presumption of being sued.
In all cases, if you have been notified that someone intends to sue you or has actually filed a lawsuit against you, you are required to preserve all relevant evidence.
This post is the story of what happens when you don’t do that.
In this case, the situation is a lawsuit resulting from the breach of one of the Blue Cross affiliates, Premera.
The breach was well covered in the press; approximately 11 million customers’ data was impacted.
In this case, based on forensics, 35 computers were infected by the bad guys. In the grand scheme of things, this is a very small number of computers to be impacted by a breach; in a big organization, a breach might infect thousands of computers. The fact that we are not talking about thousands of computers may not make any difference to the court, but it will be more embarrassing to Premera.
The plaintiffs in this case asked to examine these 35 computers for signs that the bad guys exfiltrated data. Exfiltrated is a big word for stole (technically, uploaded to the Internet in this case). Premera was able to produce 34 of the computers but, curiously, not the 35th. They also asked for the logs from the data protection software that Premera used, called Bluecoat.
This 35th computer is believed to be ground zero for the hackers and may well have been the computer from which the data was exfiltrated. The Bluecoat logs would have provided important information regarding any data that was exported.
Why are these two crucial pieces of evidence missing? No one is saying, but if they held incriminating evidence, or evidence that might have cast doubt on the story that Premera is putting forth, making that evidence disappear might seem like a wise idea.
Only one problem. The plaintiffs are asking the court to sanction Premera and prohibit them from producing any evidence or experts to claim that no data was stolen during the hack.
The plaintiffs claim that Premera destroyed the evidence after the lawsuit was filed.
In fact, the plaintiffs are asking the judge to instruct the jury to assume that data was stolen.
Even if the judge agrees to all of this, it doesn’t mean that the plaintiffs are going to win, but it certainly doesn’t help Premera’s case.
So what does this mean to you?
First, you need to have a robust incident response program and a trained incident response team.
Second, the incident response plan needs to address evidence preservation, and that includes a long-term plan to catalog and preserve evidence.
Evidence preservation is just one part of a full incident response program. That program could be the difference between winning and losing a lawsuit.
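One concrete piece of the cataloging step described above is an evidence manifest: record a cryptographic hash, size and custodian for every collected item at the time of collection, and re-verify that manifest later so that a missing or altered item (the story’s 35th computer) is detected by the responders rather than by opposing counsel. The script below is an added example and is not part of the original post or of any vendor tool; the host image names, custodian string and file contents are constructed for illustration.

```python
"""Evidence catalog and integrity check (added example, not from the original post).

Builds a manifest of evidence items (SHA-256, size, collection time, custodian)
and later verifies the manifest against what is still on disk, reporting items
that are missing or whose hash changed. Names and contents are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, custodian: str) -> dict:
    """Catalog every file under evidence_dir: hash, size, when and by whom it was recorded."""
    items = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        items[rel] = {
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "custodian": custodian,
        }
    return {"root": str(evidence_dir), "items": items}


def verify_manifest(manifest: dict) -> dict:
    """Compare the manifest against disk; return lists of ok, missing and modified items."""
    root = Path(manifest["root"])
    ok, missing, modified = [], [], []
    for rel, rec in manifest["items"].items():
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != rec["sha256"]:
            modified.append(rel)
        else:
            ok.append(rel)
    return {"ok": ok, "missing": missing, "modified": modified}


def run_demo() -> dict:
    """Constructed scenario: catalog three host images, then lose one and alter another."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        ev = workdir / "evidence"
        ev.mkdir()
        # Constructed placeholder images; in practice these are forensic disk images.
        for name in ("host01.img", "host02.img", "host35.img"):
            (ev / name).write_bytes(b"disk image placeholder for " + name.encode())
        manifest = build_manifest(ev, custodian="ir-team (constructed)")
        manifest_path = workdir / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulate what the post describes: one image disappears, another is touched.
        (ev / "host35.img").unlink()
        (ev / "host02.img").write_bytes(b"modified after collection")

        # Re-read the stored manifest, as a later verification run would.
        reloaded = json.loads(manifest_path.read_text())
        return verify_manifest(reloaded)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use the manifest itself must be stored somewhere the evidence handlers cannot quietly edit (write-once storage, or at least a separately logged copy), and verification should be scheduled, since the value of the catalog is that a gap is noticed and documented while it can still be explained.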
Information for this post came from ZDNet.