September 17, 2019

Understanding Cyberattacks and Best Practices in Triaging Breaches

What do you do when a cyber-related case lands on your desk or in your courtroom?

By Sean Renshaw

The frequency and scope of cyberattacks are growing rapidly, and breaches are a significant threat to any organization’s reputation and sustainability. Media reports provide information about a stream of large-scale breaches on a seemingly daily basis. Interestingly, it is the smaller organizations that are at a higher risk of being breached, but less media coverage is dedicated to such breaches due to their more limited societal impact.

Regardless of the size of the cyber event, a single breach can result in significant financial, reputational, and operational damage. In addition, a lesser-known, but very negative, outcome of a cyber incident is the potential for government investigation or litigation. So what do you do when a cyber-related case lands on your desk or in your courtroom? How do you make any sense of all the techno-jargon that is being bandied about? 

Role of Forensic Cybercrime Experts

While not all forensic cybercrime experts are created equal, those who consult with organizations and attorneys on a regular basis are typically adept at translating “geek speak” into plain language. Highly specialized “cyber fighters” can help legal teams, risk managers, senior executives, and other stakeholders navigate the often-murky waters of the digital high seas. A member of this “nerd herd” can be your new best friend.

Cyberattack Basics: SamSam Ransomware Attacks

Let’s take a step back and look at what a cyber-related case may look like when it washes up on your shore. Obviously, there have been a number of cyber incidents involving high-profile organizations (e.g., Anthem, Target, Equifax) that have led to litigation, but the potential for litigation is a risk for any organization. The following is a summary of a fairly complex but potentially lesser-known recent case that resulted from a cyber event.

An electronic health-care record provider (the cyber victim) was sued by medical institutions and health-care providers as a result of a SamSam ransomware attack that it suffered, which effectively shut it down for over a week. As a result, thousands of the cyber victim’s customers were unable to access patient and client information for the duration of the event. During this time period, the victim’s customers had to find alternative methods for their administration of patient health-care records, resulting in a considerable disruption to health-care delivery.

The key facts of the cyberattack are as follows:

  • SamSam is frequently involved in cyberattacks within the health-care industry, and it has characteristics that lead cyber investigators to believe that attacks using SamSam are often manual: rather than spreading automatically like a worm, a human operator picks the victim, moves through the network by hand, and deploys the ransomware deliberately where it will hurt most.
  • While the cyber victim has not publicly acknowledged the original point of compromise, a remote desktop protocol (RDP) attack is often the point of entry for a SamSam attack. RDP is a feature included by default in Microsoft Windows that allows a user to connect to a computer’s desktop over the network. An attacker scans for a system in the environment that has RDP exposed (commonly to the Internet on TCP port 3389), guesses or brute-forces a valid user name and password, and takes over that machine. The attacker then uses the compromised machine as a foothold to connect over RDP to other systems in the environment. RDP exposed to the Internet is highly susceptible to brute-force and password-guessing attacks when, as in a default configuration, there is no account lockout policy, no multifactor authentication, and no restriction on which network addresses are allowed to connect.
  • Once the attackers have access, they are likely to use hacking tools (e.g., Mimikatz and PowerShell Empire) to survey the environment and identify high-value systems and information technology (IT) infrastructure targets (e.g., domain controllers and backup servers) from which to launch a ransomware attack with the maximum potential business impact. Mimikatz is a free, widely available tool that extracts Windows credentials, including plaintext passwords, password hashes, and Kerberos tickets, from the memory of a compromised machine. Any account that has logged on to that machine, including an administrator who recently used it for maintenance, can have its credentials harvested and reused to log on elsewhere; that is how an attacker turns one compromised RDP host into control of the whole network. PowerShell Empire is a post-exploitation framework known to be used during cyber incidents to maintain persistence within a compromised environment, communicate with the attacker’s command-and-control servers, and run other tools to perpetuate the attack.
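As an added example (not code from the article or from any investigation it describes) of how a triage team can spot the RDP entry point described above in a victim’s Windows Security log, the following Python script reads a constructed sample of simplified logon events and flags a source address that fails many RDP logons to one account and then succeeds. The event IDs (4625 for a failed logon, 4624 for a successful logon) and logon type 10 (RemoteInteractive, i.e., RDP) are the real Windows values; the flat key=value line format, the addresses, and the account names are assumptions made for the sample.

```python
"""Detect an RDP brute-force attack followed by a successful logon.

Windows records each failed logon as Security event 4625 and each
successful logon as 4624; for RDP sessions the logon type is 10
(RemoteInteractive). This detector reports any source address that fails
at least `threshold` RDP logons to one account inside `window`, and notes
whether that same source later succeeded, which is the signal a triage
team uses to mark the host as compromised rather than merely probed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample for this example (not real telemetry), written in a
# simplified "timestamp key=value ..." form rather than the real EVTX/XML
# layout. The attacker at 203.0.113.7 guesses the administrator password
# over RDP and gets in on the seventh try; the other lines are benign.
SAMPLE_LOG = """\
2019-09-01T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:02 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:04 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:05 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:06 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T02:14:08 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.7
2019-09-01T09:00:00 EventID=4624 LogonType=10 Account=jdoe SourceIP=10.0.0.25
2019-09-01T09:05:00 EventID=4625 LogonType=2 Account=jdoe SourceIP=10.0.0.25
2019-09-01T09:06:00 EventID=4625 LogonType=10 Account=jdoe SourceIP=10.0.0.25
2019-09-01T09:06:30 EventID=4624 LogonType=10 Account=jdoe SourceIP=10.0.0.25
"""


def parse_event(line):
    """Turn one sample line into a dict with a datetime under "time"."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def find_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return [(source_ip, account, failures_in_window, success_time_or_None)].

    Only LogonType 10 events are considered, so local console failures
    (LogonType 2) and a single mistyped RDP password never trip the rule.
    """
    events = sorted(
        (parse_event(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["time"],
    )
    recent_failures = defaultdict(list)  # (ip, account) -> failure times in window
    findings = {}                        # (ip, account) -> {"failures": n, "success": t}
    for event in events:
        if event["LogonType"] != "10":
            continue
        key = (event["SourceIP"], event["Account"])
        if event["EventID"] == "4625":
            cutoff = event["time"] - window
            recent_failures[key] = [t for t in recent_failures[key] if t >= cutoff]
            recent_failures[key].append(event["time"])
            if len(recent_failures[key]) >= threshold:
                finding = findings.setdefault(key, {"failures": 0, "success": None})
                finding["failures"] = len(recent_failures[key])
        elif event["EventID"] == "4624" and key in findings:
            # First success after the burst: treat the host as compromised.
            if findings[key]["success"] is None:
                findings[key]["success"] = event["time"]
    return [
        (ip, account, f["failures"], f["success"])
        for (ip, account), f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for ip, account, failures, success in find_rdp_brute_force(SAMPLE_LOG):
        status = f"then SUCCEEDED at {success.isoformat()}" if success else "no success seen"
        print(f"{ip} -> {account}: {failures} RDP failures, {status}")
```

A finding that carries a success time is the point at which the host should be treated as compromised and its later RDP sessions, new accounts, and credential-dumping activity reviewed; that is what answers the triage question of which systems the attacker actually reached. A production detector would parse the real EVTX or forwarded XML records and tune the threshold and window to the environment, and an account lockout policy (which itself produces Security event 4740 when it fires) would have cut this attacker off well before the seventh guess.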

This example illustrates the challenging technical vernacular that attorneys encounter in cyber-related cases. As such, it is important for attorneys to identify a trusted adviser who can provide insight into the cyber event and be a translator and guide on this journey.

Breach-Related Litigation Stats

The 2019 Data Breach Litigation Report, published by Bryan Cave Leighton Paisner, includes several intriguing takeaways about the landscape of litigation related to data breaches:

  • The percentage of publicly reported breaches that led to class action litigation has risen annually:
    o 2016: 3.3 percent
    o 2017: 4.0 percent
    o 2018: 5.7 percent
  • The complaints mainly involve two to four high-profile breaches.
  • The number of unique defendants per case is rising (26 unique defendants in 2017 and 36 unique defendants in 2018).

These facts indicate that although the number of cyber-related lawsuits is not extremely high, it has been increasing, along with the number of unique parties named in those suits. These statistics are consistent with the increased litigation and regulatory defense costs noted in NetDiligence’s 2018 Cyber Claims Study, which are summarized in figure 1.

Figure 1. Average legal and regulatory defense costs (2013 to 2017)

Likely Future Cases

While it is always difficult to predict new cyber-threat vectors, past trends are a good indicator of future cases. The following list contains a few examples of cyber issues that likely will increasingly lead to litigation and regulatory fines:

  • Business email compromises. Companies fall victim when an attacker compromises one or more email accounts, typically as a result of a phishing attack. The attacker can then take over the user’s account, download all mailbox data, or use the access to impersonate the legitimate user and redirect financial transactions (for example, by sending altered wire-transfer instructions to a customer or vendor).

    Figure 2 shows the true financial impact of email account compromises and the resulting financial fraud, which is leading to more civil litigation between parties as victims try to recover their losses. Regulators are also under increasing pressure to investigate these types of events, and more litigation is being contemplated by third parties who lost money or did not receive payments and are trying to recover some of the loss from another entity.

    Figure 2. Business email compromise losses
  • Industry-specific compromises. As noted in figure 3, there is a significant risk to entities in the professional services (e.g., law firms and accounting firms), financial services, and health-care industries, which together account for nearly 50 percent of data breaches. These industries are especially targeted due to the type of data that can be found and stolen. For example, personally identifiable information (PII) and protected health information can be sold on the deep and dark web—and can lead to significant fraud against the aggrieved party.

    As a result, there is an increased potential for investigations or litigation surrounding these cyber incidents. The statistics in the Bryan Cave report reflect the same theme: cyber incidents involving PII accounted for 78 percent of the litigation in 2017 and 82 percent in 2018.


    Figure 3. Cyber incidents per industry (2013 to 2017)

Breach Triage: Key Points

With cyber threats evolving and becoming more prevalent, what should you do to prepare yourself to handle a cyber-related matter? Attorneys will best serve their clients if they not only understand a number of the more technical details, some of which are best rooted out by a forensic cybercrime expert, but also become versed in leading practices in triaging a cyber-related matter.

Specially trained cyber warriors—the nerd herd—can help attorneys decipher key data points, such as the following:

  1. Understanding the attack scenario

    What are the characteristics of the attack method (e.g., automated versus manual, credential harvesting versus data exfiltration)?
    How did the attacker gain access to the environment?
    What actions did the attacker take once inside?
  2. Evaluating the entity’s response to the cyber event

    How timely was the response?
    Did the entity actively identify potentially compromised systems? Did the entity interrogate them to determine which actions the attacker performed?
    Was the entity using adequate tools to identify potential attacks and malicious software?
  3. Evaluating the recovery and remediation approach

    Did the entity have secure backup copies of key systems to get affected systems back online in a timely fashion?
    Did the entity make sure that all compromised accounts were reset and ensure that all compromised systems were remediated or rebuilt to prevent future attacks?
    Were changes made to harden the environment and make it more difficult for another attack?

Many people with a technical IT background can answer most of these questions. Experienced forensic professionals, however, go beyond establishing a timeline of the attacker’s actions: they quickly discern and communicate the relevance, importance, and overall impact of those actions on the victim’s systems, which is what allows the cyber event to be mitigated effectively.

Sean Renshaw leads the digital forensics and incident response (DFIR) practice and oversees global operations for cybercrime and data breach investigations, digital forensics, and incident response services at RSM US LLP in Chicago, Illinois.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).