Introduction
How much do cyber incident investigations cost?
Cyber attacks occur constantly and cause businesses great harm: reputation loss, downtime, ransomware fees, and lawsuits. One recent case is the Optus data breach, in which cyber criminals stole data from about 10 million Optus customers. After an attack, cyber security experts start an investigation with the aim of finding out what happened, who was involved, and how.
The Process and Timeline of Incident Investigations
The time and cost of these investigations can vary greatly. As a rough guide, it usually takes at least a day to obtain logs, a day to analyse them to identify the specific compromised user or system, a day to analyse logs for other users and systems, a day to investigate related emails, users and systems, and a day to generate a report for record-keeping and compliance reasons. This is only for a simple investigation; complicated investigations or larger logs can take a lot longer. This means a complete end-to-end investigation is likely to take at least 5 days, which is going to cost thousands of dollars. That is an absolute minimum; in some cases the figure can balloon to well over 50k or even 100k. We recommend spending on cyber security before an incident, which greatly reduces your cyber investigation costs.
The Challenges of Incident Investigation
The challenge with an incident investigation is that it requires going through logs and other artefacts to identify what happened. The size of logs varies from system to system, but they are in general very large, so they take time to go through in order to find the cyber attacker's activities (‘needles in the haystack’). This is the main reason why cyber incident investigation costs are typically high. Some of these ‘needles’ may indicate other activities, such as the attacker using the compromised system to send phishing emails, or another compromised system, which then requires further investigation of that system or a review of the emails received. Once we identify all the cyber attacker’s activities (‘needles’) for a specific system or user, we can use this information to check other systems or users for any additional cyber attacker activity.
When we find these ‘needles’, they may reveal an immediate weakness or vulnerability. We must then promptly discuss this with the organisation to identify an appropriate response and solution.
Reporting and Recommendations
We identify cyber attacker activities in the logs where possible; some logs may lack detail or may not have been enabled correctly before the incident. We then create a report that summarises the identified items and, where possible, includes risks, activities, motives, and breached data. The report also includes a recommendation regarding reporting the data breach, if appropriate.
Vertex Cyber Security leverages our extensive cross-industry experience to provide expert Incident Investigations and Response. We have provided incident investigations for every type of company and industry. Some of the common incident investigations we have performed include:
- Compromise of a cloud account such as email (Office365/Gmail) or social media (Facebook, LinkedIn), which can be the beginning of a larger cyber attack.
- Compromise of a server such as RDP, web server, database, website and NAS.
- Compromise of a desktop/laptop leading to ransomware and/or further attacks.
- Compromise of a cloud platform such as AWS, GCP and Azure.
If you have any enquiries or would like to discuss, feel free to contact us on 1300 2 CYBER (29237) or .