Learn what a forensic investigation accomplishes and how much it might cost.

By: David Ellis, CISSP
So you’ve been hacked. Now what? Most banks require that breached companies have a cyber-forensic investigation completed. But what does that investigation entail, and how much will it cost your business? Here are answers to some questions you may have.

SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe

Why is a forensic investigation helpful?

First of all, PCI forensic investigators (PFIs) provide an independent set of investigative eyes. PFIs are specially trained to look for and find evidence of a data breach and the security vulnerabilities that enabled it. Even when companies believe that they’ve discovered the source of the compromise, PFIs routinely find evidence that was missed and the security weaknesses that will (when corrected) prevent the hackers from succeeding the next time. The PFI helps the breached company see what went wrong, which vulnerabilities were exploited in the breach, and what it needs to do to harden its systems so that it won’t happen again.

One important facet of a forensic investigation is to provide some incident response assistance. The investigator helps close the window of opportunity of the breach, which may even take place before the real forensic investigation begins. In this step the investigator tries to find where you’re vulnerable, or how the attacker got into your system, and how to prevent future (successful) hacks. As mentioned, this may be obvious to the investigator at the outset of the investigation, or the vulnerabilities may be revealed a little later while examining the forensic evidence. If an investigation only focuses on reporting what happened in the past, your company could fail to recognize important system security remediation items and be left open to more data breaches.
Here are some benefits of having a forensic investigation.
  • Find the hack quickly and prevent further damage
  • Itemize security issues your company needs to resolve (and how to resolve them)
  • Reduce the window of vulnerability
  • Help preempt damage to your brand

How does a forensic investigation work?

While an investigation is happening, there’s usually a lot of communication between the investigator and your IT manager so that you don’t need to wait for the final report to get the information you need to eradicate the problem(s) and harden your systems. Here are the typical actions a PFI would take.

Preliminary research
Forensic investigations begin with some research on the company. The PFI needs to “scope” out the merchant’s environment. This means finding out where their critical data resides, the systems that connect to it, and how the data flows in and out of the network.

Onsite data gathering
The forensics team then goes onsite and gathers data from identified devices (or in select cases may be able to acquire the data remotely). They may get the data from every single device, or, in the case of larger, disparate environments, from a representative sample of in-scope devices.

The investigation team brings the data back to their headquarters and analyzes it thoroughly to confirm whether a data breach actually occurred, to determine what data the attacker was able to steal, and to discover which vulnerabilities were exploited in the breach. This is the longest part of the investigation and could take from several days to several weeks to pinpoint the attack.
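A practical detail behind the data-gathering and analysis steps above is evidence integrity: every acquired image or log export is hashed at acquisition time and re-verified before analysis, so that the final report rests on data nobody (including the examiner) has altered. The following is an added example, not code from the original post or from SecurityMetrics; it builds a simple chain-of-custody manifest for a directory of acquired files and detects any later change. The file names, case identifier and examiner name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_id, examiner):
    """Record name, size and SHA-256 of every acquired file, plus who acquired it and when."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({"file": name,
                          "bytes": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    return {"case_id": case_id,
            "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "items": items}


def verify_manifest(evidence_dir, manifest):
    """Re-hash each file before analysis; return a list of problems (empty means intact)."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {item['file']}")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"hash mismatch: {item['file']}")
    return problems


def demo():
    """Acquire two constructed evidence files, verify them, then show tamper detection."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample evidence (placeholder names; not real images or logs).
        with open(os.path.join(evidence_dir, "pos1-disk.img"), "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed disk image contents")
        with open(os.path.join(evidence_dir, "fw-syslog.txt"), "wb") as f:
            f.write(b"Jan 01 00:00:00 fw kernel: constructed log line\n")

        # Placeholder case metadata.
        manifest = build_manifest(evidence_dir, "CASE-PLACEHOLDER", "examiner-placeholder")
        manifest_json = json.dumps(manifest, indent=2)  # what you would store with the evidence

        intact = verify_manifest(evidence_dir, manifest)  # expected: []

        # Simulate a single appended byte on one file; the re-verification must catch it.
        with open(os.path.join(evidence_dir, "pos1-disk.img"), "ab") as f:
            f.write(b"x")
        tampered = verify_manifest(evidence_dir, manifest)  # expected: ["hash mismatch: pos1-disk.img"]

        return intact, tampered, manifest, manifest_json


if __name__ == "__main__":
    intact, tampered, manifest, manifest_json = demo()
    print(manifest_json)
    print("before tampering:", intact)
    print("after tampering:", tampered)
```

The manifest itself should be stored separately from the evidence (and ideally signed or hashed into the case file), so that a mismatch on re-verification is unambiguous evidence of alteration rather than a question of which copy is right.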

About a week after the initial data acquisition, the investigator will issue a short preliminary report that shows whether or not they’ve discovered any indicators of compromise or other overt evidence of a data compromise. After the forensic data has been fully analyzed, the investigator will submit a complete final report that includes how the attack happened, which vulnerabilities were exploited, and what data was at risk.

SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know

The report will also note steps the merchant has taken to prevent such an event from reoccurring—this is where it’s important to select an investigator that will take the time to assist the merchant in understanding how to remedy the problems.

How much does a forensic investigation cost?

Forensic investigations can be costly. However, remember that the investigation involves one or more PFIs examining a mountain of data. The cost will depend on the size of your organization; the larger your organization, the more data you likely have that will need to be examined.

Costs can range from $10K to more than $100K. Here’s a listing of merchant size and typical pricing:
  • Level 4 merchant: $10-30K
  • Level 2-3 merchant: $30-50K
  • Level 1 merchant: over $100K
(Keep in mind these estimates are based on simple averages. Depending on a variety of elements, such as system size, complexity, number of locations, etc., many merchants could see estimates exceeding those stated above.)

But a forensic investigation is only a portion of the costs you will probably incur in a data breach. Other costs may include:
  • Merchant processor compromise fines: $5,000 – $50,000
  • Card brand compromise fees: $5,000 – $5,000,000+
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – $30 per card
  • Card re-issuance penalties: $3 – $10 per card (this could be included in card brand compromise fees)
  • Security updates: $15,000+
  • Lawyer fees: $5,000+
  • Breach notification costs: $1,000+
  • Technology repairs: $5,000+
  • Loss of consumer confidence: often businesses lose 40% of customers after a breach
SEE ALSO: How Much Does a Data Breach Cost Your Organization?

Remember, PFIs are there to help you. They can determine vulnerable points in your business and the point of attack much faster than if your company were to try to do it alone. Getting breached is an unpleasant experience, but the forensic investigation will help you get back on your feet as quickly as possible.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.
