
Celestial Defense of Atlanta, Georgia has over 30 years' experience helping contractors nationwide with computer forensic and data security issues.

To discuss a particular computer forensic or computer security matter, such as the DFARS requirements for safeguarding CUI, contact us to speak with one of our experts or call 770-777-2090.

Four Reasons Why You Need Celestial Defense to Investigate Your Intrusion and Data Breach
by: Gregory L. Fordham

In a survey of over 1,000 corporate IT security professionals in the United States (US) and in Europe, the Middle East and Africa (EMEA), only six to seven percent said they would ask an outside consultant for help when responding to and diagnosing an intrusion or other data compromise. Thus, more than 90 percent said they would do it all themselves. The survey, titled Threat Intelligence and Incident Response: A Study of US and EMEA Organizations, was conducted by the Ponemon Institute in 2013 and published in February 2014.

The six to seven percent figure is remarkable, particularly after reading the rest of the survey responses. While more than 90 percent would prefer to do it all themselves, large numbers of them also acknowledge that they lack adequate tools, skills or training to do the analysis.

Consequently, if you are in senior management of a government contractor whose data was just compromised, there are four reasons why you should get help from an outside consultant in general and Celestial Defense in particular.

1. 55 percent of survey respondents say that their security team lacks adequate forensic technologies or tools to quickly determine the root cause of a cyber attack.

When a computer system or network has been compromised, time is of the essence. The rush is not only to figure out what happened and put an end to it; for many types of personal, payment and health-related data, as well as Controlled Unclassified Information (CUI) under the new DoD rule, there are time periods within which the assessment must be made and reported. Having the right tools and technologies can make a big difference in how fast the analysis can be done.

Our consultants have made the investment in the latest leading-edge technology and tools to quickly determine the root cause of an attack. They are also experienced in performing the analysis and making the assessment. In fact, all of our engagements are very time sensitive, and the results must be reported to client and counsel in time for any necessary action. Furthermore, those results are often challenged by opposing entities with their own well-equipped experts. Thus, they have to be both timely and correct.

2. 43 percent say that the security team lacks adequate training, skills or expertise to conduct a thorough root cause analysis.

When a compromise has occurred it is essential to know what happened, not just how it happened. In other words, in addition to determining whether there was a breach, it is just as important, and perhaps more important, to know whether there was an actual data compromise or exfiltration and what data was compromised or exfiltrated.

Answering this latter question has significant consequences for personal, payment and health information, where an actual compromise can carry penalties or other costs. Even when the compromise does not involve regulated data sets like personal, payment and health information, an organization's continued existence could be threatened if management is not able to adequately assess the consequences of the compromise and pilot their ship to safe waters.

Our consultants have adequate training, skills and expertise to conduct a thorough analysis. They possess significant experience as well as respected professional certifications that evidence their skills. Furthermore, these certifications impose continuing education requirements in order to maintain those credentials. Thus, our consultants are always up to date and have the highest level of skills and expertise.

3. 38 percent say it will take at least a year to know the root cause of an incident and 41 percent say they will never know with certainty the root cause.

By their own admission, 79 percent of corporate IT security managers either think it will take them a year or more to determine the root cause of a security compromise or think they will never know it with certainty. When a compromise occurs an organization simply does not have a year or more to determine the cause and take action. Rather, the timeframe in which the cause must be determined is a matter of days if not hours, depending on the applicable statute and regulation.

In the case of the new requirements for safeguarding CUI, the period in which contractors have to report a potential cyber incident is only 72 hours. Within that period contractors are expected to have imaged the affected devices, performed their own analysis and self-assessment, including malware analysis, reported their findings, and provided the preserved data to DoD. Clearly, under the new CUI requirements, contractors do not have a year or more in which to act.

By contrast, CDI consultants and experts are well versed in the forensic preservation procedures required by the new CUI rules. In fact, CDI consultants have for years been forensically preserving and collecting data from electronic devices in a legally defensible manner, and that work has withstood every challenge attempted against it.

What contractors and their IT staffs may not adequately appreciate is that the requirements for forensic imaging and preservation are far more rigorous than what most in-house IT staff are equipped to handle or even trained to perform, and these are exactly the requirements the new CUI rules impose. Two key features distinguish forensic imaging and preservation from what in-house IT staffs typically perform.

The first is that forensic imaging and preservation procedures are designed to capture the data without altering it in any fashion. This includes the data files, system files, system metadata such as timestamps, and even free space. In practice that means the source is only ever read, never written to or mounted read-write, and the copy is verified afterwards against a cryptographic hash of the data as it was read, so that any later alteration of either the source or the image can be detected.

The second is that forensic imaging and preservation procedures capture the complete data area. In other words, if an entire device, such as a desktop hard drive, is to be captured, then the entire device is captured and not just the area allocated to the user. As a result, the image includes not only free space but all kinds of reserved and unallocated areas, such as the boot record and unpartitioned space, where remnants of deleted or hidden data can survive.

Of course, with large storage devices like data servers and network-attached storage there can be practical constraints that need to be considered. That again is another reason to select an experienced expert to perform the forensic imaging and preservation, so that the parameters and best methods are decided correctly.
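As an added illustration of those two features, the following Python routine (written for this page; it is not a Celestial Defense tool or any product's code) copies a source device block by block from its first byte to its last, hashes the data as it is read, zero-fills and logs any unreadable block rather than dropping it, and then independently re-hashes the finished image so the copy can be verified. The 4096-byte block size, the `reader` hook used to simulate a read error, and the constructed pseudo-device built in `demo()` are assumptions made for the example; a real acquisition would additionally go through a hardware write blocker and record the device serial number, examiner and hashes in the chain-of-custody log.

```python
"""Added example for this page: a minimal whole-device acquisition routine in
the spirit of dd/dc3dd.  Not a Celestial Defense tool; the paths, block size
and the `reader` hook are assumptions made for illustration."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

BLOCK = 4096  # assumed block size; a real tool would use the device's sector size


@dataclass
class AcquisitionRecord:
    """The facts an acquisition log must capture for the image to be defensible."""
    source: str
    image: str
    device_bytes: int = 0          # size of the whole device, not of a partition
    bytes_written: int = 0
    bad_blocks: list = field(default_factory=list)  # offsets zero-filled after read errors
    source_sha256: str = ""        # hash of the bytes as they came off the source
    image_sha256: str = ""         # independent hash of the finished image file

    def verified(self) -> bool:
        # Usable as evidence only if the whole device was captured and the hash
        # taken while reading matches a fresh hash of the image on disk.
        return (self.source_sha256 != ""
                and self.source_sha256 == self.image_sha256
                and self.bytes_written == self.device_bytes)


def sha256_file(path: str, block: int = BLOCK) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def open_read_only(path: str) -> int:
    """Open the source strictly read-only; on Linux also ask the kernel not to
    update the access time, so even that metadata is left untouched."""
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        return os.open(path, flags)
    except PermissionError:
        return os.open(path, os.O_RDONLY)  # O_NOATIME needs file ownership; fall back


def acquire(source: str, image: str, block: int = BLOCK, reader=None) -> AcquisitionRecord:
    """Copy every byte of `source` (boot record, unpartitioned and free space
    included) into `image`, hashing as it is read.  Unreadable blocks are
    zero-filled and logged, as dd conv=noerror,sync does, so the image keeps the
    device's geometry and the defect is documented instead of hidden.
    `reader` is a hypothetical hook that lets a read failure be simulated."""
    reader = reader or os.pread
    rec = AcquisitionRecord(source=source, image=image)
    h = hashlib.sha256()
    fd = open_read_only(source)
    try:
        rec.device_bytes = os.lseek(fd, 0, os.SEEK_END)  # whole device, not one partition
        with open(image, "wb") as out:
            offset = 0
            while offset < rec.device_bytes:
                want = min(block, rec.device_bytes - offset)
                try:
                    chunk = reader(fd, want, offset)
                except OSError:
                    chunk = b""
                if len(chunk) != want:  # read error or short read: pad, never shrink the image
                    rec.bad_blocks.append(offset)
                    chunk = chunk.ljust(want, b"\x00")
                h.update(chunk)
                out.write(chunk)
                offset += want
        rec.bytes_written = offset
    finally:
        os.close(fd)
    rec.source_sha256 = h.hexdigest()
    rec.image_sha256 = sha256_file(image)  # re-read from disk, independent of the copy loop
    return rec


def demo() -> AcquisitionRecord:
    """Constructed input: a 1 MiB pseudo-device in a temp dir, not a real drive."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "constructed_device.bin")
    with open(device, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    return acquire(device, os.path.join(work, "evidence.dd"))


if __name__ == "__main__":
    rec = demo()
    print(f"device bytes {rec.device_bytes}, bad blocks {rec.bad_blocks}")
    print(f"source sha256 {rec.source_sha256}")
    print(f"image  sha256 {rec.image_sha256}")
    print("VERIFIED" if rec.verified() else "MISMATCH: do not rely on this image")
```

Two design points matter here. The source hash is computed from the bytes as they are read, and the image hash is computed by re-reading the file from disk, so a disagreement between them exposes a copy error rather than being masked by hashing the same buffer twice. And a read error produces a zero-filled block plus a logged offset, never a shorter image; an image whose length differs from the device is the first thing an opposing expert will point to.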

4. Forensic practices should be employed

Although the particular issue of forensic practices was not addressed in the Ponemon survey, if management intends to pursue a legal remedy against the culprit it is essential that the data used to determine the cause and consequence was collected and preserved so that it can be used as evidence at trial. In-house personnel are not typically familiar with those processes or experienced in presenting and defending that data at deposition or trial. Consequently, the best person for this process is an outside consultant with forensic expertise and experience.

While many might think that a legal remedy is unlikely, one never knows about the source and the consequence until the analysis is performed. Remarkably the source could be a competitor, a vendor, a former employee or even a current employee. In fact, it could be any number of possible entities where legal action could offer a desirable remedy after the results were known.

Forensic practices must be employed from the start of the analysis. Proceeding without that discipline often ruins the evidential quality and admissibility of the data. Furthermore, if it is later determined that a remedy would be possible but the data was not initially collected or analyzed in a forensically sound manner, the window will be forever closed. The data is very transient, and if collection is attempted later the original data likely will not be available. Even if the device was taken offline and physically preserved, any kind of non-forensic collection or examination can alter the data and make it unusable for forensic purposes.

While the DFARS rules governing the safeguarding of CUI do not specify in detail how a contractor should preserve the data or perform its analysis, the terms used are those of forensically sound methods. In addition, if anyone such as DoD is subsequently going to analyze whatever data is forwarded to them, the data must be of forensic caliber for that analysis to be meaningful.

Having worked on hundreds of forensic matters, our consultants are well versed in forensic practices. We have also successfully presented and defended our opinions over 30 times on matters in various Federal and State courts.

Certainly, no one likes being second guessed. From that perspective, it is not surprising that more than 90 percent of the survey respondents would choose not to seek help from an outside expert to investigate their intrusion and data breach.

When one considers the two choices of using in-house resources or using an outside consultant to investigate an intrusion, data breach, or potential cyber incident under the new DoD rule, two factors loom large. First, by their own admission in the recent Ponemon Institute survey, over half of the in-house security professionals are not adequately equipped to handle the unique challenges of a network intrusion and data compromise. Equally shocking is that these results are not an isolated aberration. Indeed, the firm of Ernst & Young had similar results in their 2013 Global Information Security Survey. Specifically, they found that, “Information Security Departments continue to struggle with a lack of skilled resources and support.” In fact, 50 percent of respondents in the Ernst & Young survey “cited a lack of skilled resources as a barrier to value creation.”

Second, over 70 percent of the respondents in the recent Ponemon Institute survey think it will take them a year or more to fully understand the scope and consequences of the intrusion, if they ever do. Of course, management does not have that kind of time to determine the cause and assess the impact.

Consequently, whenever your network or its sensitive data has been compromised, the data clearly favor using an outside expert for the investigation and analysis. When your network or sensitive data has been compromised, we can help When It Really Matters.