Editor's note: This is the second in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here.
What do I say if my team discovers a breach of our digital assets? This is a question that requires understanding “defensible disclosure,” a term first employed in the statistical, medical, legal, and financial communities.* Understanding what this term means and how to live up to its expectations is key in an age where organizations regularly handle intrusions and, sometimes, suffer breaches.
In cybersecurity, defensible disclosure is the process of notifying constituents of an intrusion or breach in a manner that the disclosing party can competently and intelligently justify.** Here we see the primary issue governing defensible disclosure: is a security incident an intrusion, or a more serious breach?*** In other words, has the intruder gained unauthorized access to a system, or has it escalated to the point where it could easily steal or damage data, or has it already done so? In some unfortunate cases, like ransomware, the intruder often answers the question for the organization by encrypting data and extorting owners. In other cases, understanding the scope and nature of an incident is far more vexing.
Network evidence plays a crucial role in defensible disclosure. Assuming proper positioning and avoidance of packet drops, the network is a reliable record of the activity that it sees. Extensive stores (meaning several months, not several days) of high fidelity network data (with rich protocol details, not simply IP addresses and TCP or UDP ports) help chief information security officers and their computer incident response teams answer key defensible disclosure questions like the following:
When did the intrusion start? When did it end?
What was the scope of the intrusion?
Did the intruder access data stores that did hold, or may have held, sensitive information?
Are there indications or proofs that the intruder damaged or stole sensitive information?
Was the incident response process successful? Has the intruder maintained unauthorized access or tried to regain access?
Without access to the right data, custodians cannot make informed decisions about detection and response. They must rely on hunches, or worse, whatever the intruder tells them. For example, criminals have extorted victims, claiming that they have already deployed ransomware, when in reality, they had not, but the victims couldn’t determine the truth on their own. If a victim is unsure of the scope of an incident, they may be forced to widen the impact of the activity beyond what actually happened.
High quality network evidence works well with the three other sources of awareness in the digital world, namely human sources, infrastructure and application logs, and endpoint data. A robust defensible disclosure process backed by trustworthy data enables an organization to speak with confidence when revealing details of an incident to constituents. Such leaders are also at less risk for accusations that they are inadvertently or perhaps even intentionally trying to deceive constituents. Defensible disclosure is a goal that any custodian of sensitive data would do well to meet, should they find themselves in the unfortunate situation of handling an incident.
*An early example of the phrase outside of cybersecurity appears in the Proceedings of the Bureau of the Census First Annual Research Conference, March 20-23, 1985. Books on Prenatal Diagnosis and Screening (1992) and Legal Issues in Counseling and Psychotherapy (2002) also use it. Most recently, Leo E. Strine, Jr., Chief Justice of the Delaware Supreme Court, mentions defensible disclosure when discussing financial deals. Note that “defensible disclosure” is not “responsible disclosure,” which refers to the decision to publish information about publicly unknown vulnerabilities in software.
**While the idea of defensible disclosure has been popular in the computer incident response community for the past 20+ years, the specific phrase is new to cybersecurity. With respect to detecting and responding to intrusions, Corelight’s own CEO Brian Dye wrote about it in a February 2021 article titled Why Network Detection and Response is Critical to Cyberattack Forensics.
***This post uses the term “intrusion” defined as “policy violations or computer security incidents,” versus an incident as defined by Kevin Mandia and Chris Prosise is any “unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.” A breach, by contrast, means the intruder has escalated the intrusion to the point where it has ready access to, or has already accessed, information to which it should not have access.
By Richard Bejtlich, Corelight Strategist and Author in Residence