Network evidence for defensible disclosure

What do you do if (or when) your team discovers a breach of your digital assets?

To answer this question, we first need to familiarize ourselves with the term “defensible disclosure.” It’s not an expression often heard in cybersecurity, but understanding what it means and how to live up to its expectations is crucial in an age where organizations regularly handle intrusions and, sometimes, suffer breaches.

An early example of the phrase outside the cybersecurity landscape dates to 1985, in the Proceedings of the Bureau of the Census First Annual Research Conference, with further appearances in the statistical, medical, legal and financial communities. For the past 20 years, the idea of defensible disclosure has also been popular in the computer incident response community; however, the specific phrase is fairly new to cybersecurity.

In the context of cybersecurity, defensible disclosure is the process of notifying constituents of an intrusion or breach in a manner that the disclosing party can competently and intelligently justify. Forensic investigators have to determine whether the security incident was an intrusion or a more serious data breach. We define intrusions as policy violations or computer security incidents. A breach, by contrast, means the cybercriminal has escalated the intrusion to the point where he or she has ready access to, or has already accessed, information to which he or she should not have access.

The role of network evidence in defensible disclosure 

Network evidence plays a crucial role in defensible disclosure. Assuming proper sensor positioning and the avoidance of packet drops, network evidence is a reliable record of the activity it sees. Extensive stores of high-fidelity network data, meaning several months rather than several days, help chief information security officers (CISOs) and their computer incident response teams gather the details needed to support defensible disclosure.

Security teams must determine when the intrusion started and (possibly) ended, as well as its full scope. A thorough investigation should also look into whether the intruder accessed data stores that held, or may have held,…
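The two questions above (when did the intrusion start and end, and did the intruder reach a data store) are exactly what retained connection records answer. The following is an added example, not code from the original article: it parses a constructed excerpt of Zeek-style `conn.log` records, pivots from a known external indicator address to the internal hosts it touched, checks whether any of those hosts then contacted a designated data store, and reports first-seen and last-seen times. It also checks the retention caveat the article raises: if the earliest sighting sits at the edge of the retained data, the true start may predate the evidence and cannot be stated defensibly. The addresses, timestamps, host roles and field layout are assumptions for illustration.

```python
"""Intrusion timeline from Zeek-style conn.log records.

Added example for illustration; all log lines, addresses and host roles
below are constructed and not taken from any real investigation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

# Constructed conn.log excerpt. Assumed tab-separated Zeek field order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service,
# duration, orig_bytes, resp_bytes. Story: 10.0.5.23 beacons to an external
# indicator, reads a large volume from an internal SQL server, then pushes a
# similar volume back out. 10.0.7.9 is unrelated background traffic.
CONN_LOG = """\
1704067200.000\tC1a\t10.0.5.23\t51522\t203.0.113.10\t443\ttcp\tssl\t12.0\t1400\t9800
1704153600.500\tC1b\t10.0.5.23\t51600\t203.0.113.10\t443\ttcp\tssl\t8.0\t900\t7200
1704240000.000\tC1c\t10.0.5.23\t49213\t10.0.20.5\t1433\ttcp\t-\t45.0\t2300\t5100000
1704326400.000\tC1d\t10.0.5.23\t51888\t203.0.113.10\t443\ttcp\tssl\t300.0\t5200000\t1200
1704412800.000\tC1e\t10.0.7.9\t40000\t192.0.2.50\t80\ttcp\thttp\t1.0\t300\t1200
"""

INDICATORS = {"203.0.113.10"}          # assumed external indicator address
DATA_STORES = {"10.0.20.5"}            # assumed internal database host
# Two retention windows: one long enough to cover the activity, one so short
# that the earliest record falls on the edge of what was kept.
LONG_RETENTION_START = datetime(2023, 12, 1, tzinfo=timezone.utc)
SHORT_RETENTION_START = datetime(2023, 12, 31, 12, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str
    orig_bytes: int
    resp_bytes: int


def _num(field: str) -> int:
    # Zeek writes "-" for unset numeric fields.
    return 0 if field == "-" else int(field)


def parse_conn_log(text: str) -> List[Conn]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):    # skip Zeek header lines
            continue
        f = line.split("\t")
        records.append(Conn(
            ts=datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            uid=f[1], orig_h=f[2], orig_p=int(f[3]), resp_h=f[4], resp_p=int(f[5]),
            proto=f[6], service=f[7], orig_bytes=_num(f[9]), resp_bytes=_num(f[10]),
        ))
    return records


@dataclass
class Timeline:
    first_seen: Optional[datetime]
    last_seen: Optional[datetime]
    internal_hosts: Set[str]          # internal endpoints that touched an indicator
    data_store_access: List[Conn]     # connections from those hosts to data stores
    bytes_to_indicators: int          # volume sent toward indicator addresses
    start_is_defensible: bool         # earliest sighting is well inside retention


def build_timeline(records: Iterable[Conn], indicators: Set[str], data_stores: Set[str],
                   retention_start: datetime, edge: timedelta = timedelta(days=1)) -> Timeline:
    records = list(records)
    # Step 1: every connection that involves a known indicator address.
    hits = [c for c in records if c.orig_h in indicators or c.resp_h in indicators]
    # The non-indicator side of each hit is an internal host of interest.
    internal = {c.resp_h if c.orig_h in indicators else c.orig_h for c in hits}
    # Step 2: did any of those hosts go on to contact a data store?
    store = [c for c in records if c.orig_h in internal and c.resp_h in data_stores]
    relevant = hits + store
    if not relevant:
        return Timeline(None, None, set(), [], 0, False)
    first, last = min(c.ts for c in relevant), max(c.ts for c in relevant)
    # Bytes flowing toward the indicator, whichever side initiated the connection.
    outbound = sum(c.orig_bytes if c.resp_h in indicators else c.resp_bytes for c in hits)
    # If the first sighting is within `edge` of the oldest retained record, the
    # intrusion may have begun before the evidence does: no defensible start time.
    return Timeline(first, last, internal, store, outbound, first > retention_start + edge)


def analyse(retention_start: datetime = LONG_RETENTION_START) -> Timeline:
    """Run the constructed excerpt through the timeline builder."""
    return build_timeline(parse_conn_log(CONN_LOG), INDICATORS, DATA_STORES, retention_start)


if __name__ == "__main__":
    for label, start in (("long retention", LONG_RETENTION_START),
                         ("short retention", SHORT_RETENTION_START)):
        t = analyse(start)
        print(f"[{label}] first seen {t.first_seen:%Y-%m-%d %H:%M}Z, last seen "
              f"{t.last_seen:%Y-%m-%d %H:%M}Z, hosts {sorted(t.internal_hosts)}, "
              f"data-store connections {len(t.data_store_access)}, "
              f"bytes to indicator {t.bytes_to_indicators}, "
              f"start defensible: {t.start_is_defensible}")
```

With the long retention window the output shows a four-day span, a single internal host, one connection to the database host carrying about 5 MB inbound followed by a comparable volume out to the indicator, and a start time the team can stand behind. With the short window the same records produce the same span, but `start_is_defensible` is false: the first sighting is on the edge of what was kept, which is the concrete reason the article asks for months of retained data rather than days.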