
How much does a cyber incident investigation cost?

Cyber attacks are happening all the time and are incredibly damaging to businesses, resulting in loss of reputation, business downtime, ransomware fees, and litigation. A recent example is the Optus data breach, where cyber criminals stole the data of around 10 million Optus customers/ex-customers. Following an attack, an investigation will take place, where cyber security professionals will attempt to answer questions like what happened, who was involved, and how it happened.

The time and cost of these investigations can vary greatly. As a rough guide, it usually takes at least a day to get logs, a day to analyse them to identify the specific compromised user/system, a day to analyse logs for other users/systems, a day to investigate related emails/users/systems, and a day to generate a report for records and compliance reasons. This is only for a simple investigation; complicated investigations or larger logs can take a lot longer. This means a complete end-to-end investigation is likely to take at least 5 days, which is going to cost thousands of dollars. This is an absolute minimum; in some cases that figure can balloon to well over 50 or even 100k. We recommend spending before the incident to greatly reduce the costs.

The challenge with an incident investigation is that it requires going through logs and other artefacts to identify what happened. The size of logs varies from system to system, but in general they are very large, so it takes time to go through them and find the cyber attacker's activities (‘needles in the haystack’). This is the main reason why incident investigations are typically expensive. Some of these ‘needles’ may indicate other activities, such as the attacker using the compromised system to send phishing emails, or another compromised system, which then requires further investigation of that system or a review of emails received. Once all the cyber attacker’s activities (‘needles’) are identified for the particular system/user, they can then be used to check other systems/users for any other cyber attacker activity.
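As an added illustration of that last step (not Vertex's tooling and not code from the original article), the sketch below takes the indicators found for one compromised account and checks the other accounts' log entries for them. The events, field names, cut-off time and function names are all constructed for the example.

```python
from collections import defaultdict

# Constructed audit events (not from a real incident); IPs are documentation ranges.
EVENTS = [
    {"time": "2024-03-01T08:02", "user": "alice", "ip": "198.51.100.10", "agent": "Outlook/16.0", "action": "login"},
    {"time": "2024-03-04T02:14", "user": "alice", "ip": "203.0.113.77", "agent": "python-requests/2.31", "action": "login"},
    {"time": "2024-03-04T02:16", "user": "alice", "ip": "203.0.113.77", "agent": "python-requests/2.31", "action": "new_inbox_rule"},
    {"time": "2024-03-04T09:00", "user": "alice", "ip": "198.51.100.10", "agent": "Outlook/16.0", "action": "login"},
    {"time": "2024-03-02T10:30", "user": "bob", "ip": "198.51.100.22", "agent": "Outlook/16.0", "action": "login"},
    {"time": "2024-03-05T03:41", "user": "bob", "ip": "203.0.113.77", "agent": "python-requests/2.31", "action": "login"},
    {"time": "2024-03-03T11:15", "user": "carol", "ip": "198.51.100.10", "agent": "Outlook/16.0", "action": "login"},
]


def extract_needles(events, user, compromised_from):
    """Indicators seen for `user` at/after `compromised_from` but never before it.

    Subtracting the pre-compromise baseline keeps the user's normal office IP
    and mail client out of the indicator set, so the sweep does not flag
    every colleague who shares them.
    """
    baseline, suspect = set(), set()
    for e in events:
        if e["user"] != user:
            continue
        # Timestamps share one ISO format, so string comparison orders them.
        bucket = suspect if e["time"] >= compromised_from else baseline
        bucket.add(("ip", e["ip"]))
        bucket.add(("agent", e["agent"]))
    return suspect - baseline


def sweep(events, needles, exclude_user):
    """Return {user: [(time, action, matched_fields)]} for other users' events."""
    hits = defaultdict(list)
    for e in events:
        if e["user"] == exclude_user:
            continue
        matched = sorted(kind for kind, value in needles if e[kind] == value)
        if matched:
            hits[e["user"]].append((e["time"], e["action"], matched))
    return dict(hits)


if __name__ == "__main__":
    needles = extract_needles(EVENTS, "alice", "2024-03-04T00:00")
    for user, rows in sweep(EVENTS, needles, "alice").items():
        print(user, rows)
```

In this constructed data only `bob` is flagged; `carol` shares the first account's normal IP and mail client, which the baseline subtraction excludes.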

As these ‘needles’ are found they might identify an immediate weakness or vulnerability which will need to be immediately discussed with the organisation to help identify an appropriate response and resolution.

Once the cyber attacker's activities are identified within the logs (where possible, as some logs don’t provide enough detail or weren’t correctly enabled prior to the incident), a report is provided to summarise the items identified, which can include (where possible) the risks and the cyber attacker's activity, motives, and data breached. The report will also include a recommendation regarding reporting the data breach, if appropriate.

Vertex Cyber Security leverages our extensive cross-industry experience to provide expert incident investigations and response. We have provided incident investigations for every type of company and industry. Some of the common incident investigations we have performed include:

  • Compromise of a cloud account such as email (Office365/Gmail) and social media (Facebook, LinkedIn), which can be the beginning of a larger cyber attack.
  • Compromise of a server such as RDP, web server, database, website and NAS.
  • Compromise of a desktop/laptop leading to ransomware and/or further attacks.
  • Compromise of a cloud platform such as AWS, GCP and Azure.

For a brief overview of the steps businesses should take in the event of a cyber attack, see our blog post. If you have any enquiries or would like to discuss, feel free to contact us on 1300 2 CYBER (29237) or .

Cyber Security by Vertex, Sydney Australia


(c) 2025 Vertex Technologies Pty Ltd.
