Cyber Claims: The Real Role of Forensic Analysis | BeyondTrust

What is a Cyber Claim?

A cyber claim is how a cyber insurance policy – insuring against ransomware, malware, cyber breaches, etc. – is distributed to the policyholder after a qualifying event occurs. Generally, cyber insurance policies are distributed on a claims-made basis, leaving the policyholder to provide the evidence and data that support the damages claim.

In 2021, the average ransomware claim exceeded USD 1.8 million – per individual insurance claim (Coalition, 2022 Cyber Claims Report). That’s why it’s growing critically important for policy holding organizations to have the cybersecurity forensics and analysis capabilities necessary to prove their claims and damages beyond a shadow of a doubt.

The Role of Forensic Analysis in Cyber Claims

Recently, Tom O’Neill, Management Liability Coverage Specialist at Fred C. Church, and Morey Haber, Chief Security Officer at BeyondTrust, sat down to discuss the importance of cybersecurity forensics – both from the insurers point-of-view and the perspective of a CSO. This webinar episode – Cyber Claims Part 3 – Forensic Analysis – marks the third installment of our webinar series on cyber insurance and cyber claims dives deeper into the world of cybersecurity forensics and the role it plays in cyber insurance issuance and claims processes.

You can watch this latest webinar on-demand here, or read the transcript below as Tom and Morey delve into topics including:

  • How cybercriminals get into your systems and what they may do to carry out an attack.
  • Where a forensic analyst may look for clues that you’ve been breached.
  • What worst-case scenarios may happen once you’ve been attacked.
  • Why bringing in a forensic analyst can help you mitigate the severity of a loss.


Tom O’Neill, Management Liability Coverage Specialist, Fred C. Church

Morey Haber, Chief Security Officer, BeyondTrust


Tom O’Neill: Hello everyone, and welcome to part three of our cyber webinar series, Cyber Claims from Preparation to Restoration. This is part three of the series, and we’ll be discussing forensic analysis in cyber claims. I’m Tom O’Neil, Management Liability and Cyber Practice Leader here at Fred C. Church, and today my guest is Morey Haber. Morey is the Chief Security Officer at BeyondTrust – he has more than 25 years of IT industry experience, is an author of three books, is currently overseeing BeyondTrust’s security and governance for corporate and cloud based solutions, and regularly consults for global periodicals, media, and much more. So, Morey, thanks for being here with us today.

Morey Haber: Thank you so much for having me, looking forward to our conversation.

Tom: Awesome. I gave the kind of cliff notes on you, but can you tell us a little bit more about you and BeyondTrust?

Morey: Certainly! BeyondTrust is a leader in intelligent identity and security access management. We have privileged access management solutions that range from password solutions to the removal of admin rights for least privilege, all the way through remote access technologies. As for myself, as you’ve indicated, I’ve been in the industry many, many years, and I’m also an author of three cybersecurity books covering privileged access management, vulnerability, and patch management, identity governance; and, a new book, which will be coming out by the end of the quarter, on cloud attack vectors. So again, happy to speak with you and share some of my knowledge.

Tom: Awesome. Yeah, once again, we really appreciate it. You are definitely the right guy for the conversation today.

So, a bit of housekeeping before we jump into kind of a Q&A with you, Morey. We have a lot of folks who registered from the BeyondTrust outreach, so thank you to you and your team for reaching out. For those who are kind of new to our webinar series, this is part three of a four part series. We’ve done two sessions already, and I think when you’re registered you have the option to get those recordings, so hopefully you got those. If you haven’t, please reach out, we’ll make sure we get those for you.

And just a little bit about Fred C. Church. We are one of the largest insurance agencies in the Northeast, in the top 100 full-service brokerages in the United States. We do everything from property casualty, employee benefits, personal lines, risk management, and of course, cyber. So, that’s Fred C. Church, and just something to keep in mind as we talk through this: we are the insurance agent, we’re not the carrier.

Jumping into it, Morey. We’ll primarily be discussing the role that forensic analysis plays as part of an insurance claim. But forensic analysis is maybe something that our guests today and their organizations might need prior to filing an insurance claim. Can you talk about why it’s important to clarify the role that forensic analysis can play both in the event of what might be an incident, and when your organization has officially sustained a breach?

Morey: Certainly, so this is key when talking about forensic analysis. Hopefully, you do have security teams that are basically looking after the organization and keeping an eye on potential threats. If they identify something, they are going to do an investigation internally. Typically, that will include looking at logs, interviewing people, trying to verify if any data’s been extracted, and vulnerabilities or exploits. This is assuming that the threat itself, and the repercussions of that are silent – it’s not as gross as something like ransomware, where everybody knows it and your services are down, et cetera.

So, you must first consider that when you have an incident in the investigation where you take it, and what you’re going to do with it next. If you do consider that there could be exfiltrated data or something serious, that you have to go for a cyber insurance claim, you’re going to probably say, “This is no longer an incident.” And you’re going to label it a breach.

This is key, once you use the “B word,” and it is the bad “B word” for this type of discussion, it has legal ramifications in many, many states and countries throughout the world. If you call it a breach, even if it’s a single mailbox or a stolen laptop, that word means that you must do some form of disclosure at some point. You must get into a forensic analysis, particularly with an outside firm, et cetera, in order to potentially resolve the issue, do notification, contact law enforcement, et cetera. Let’s just start with the concept of an incident, and we can take it further to the word breach as a part of this discussion.

Tom: Excellent. Yeah, I think it’s really important to keep that in mind. I know, Morey, for our larger discussion in our cyber webinar series that we’ve been doing, it’s really been about the lifecycle of a claim. Today, we’ll kind of primarily be focusing on how forensic analysis gets incorporated into the overall process when a client does go through that claim. Initially we discussed the importance of an incident response plan. In our second series, we talked about all the various vendors that kind of get quarterbacked in as you go through a claim. So, can you tell us about what it’s like as part of an insurance claim to go through forensic analysis?

Morey: Sure. We’ve already discussed a little bit about incident versus breach, but there becomes that decision point where you want to do the forensic analysis as a part of that cyber insurance claim.

Your incident has gone down a specific path where you may have internally been notified or someone has notified you of leaked data, or you’ve decided that there’s an outage, or had something as catastrophic as ransomware. When you’re doing that, you must start collecting evidence.

That evidence can range from log entries that indicate that there has been an anomaly: there has been a breach, there has been some activity that warrants the use of cyber insurance, in terms of recovery of time, notification of personnel, cleanup of a mess, etc. Whatever you may have in your policy that you feel that you need to get your business continuity plan back on track. And your IR, or your incident response, is truly just a portion of your business continuity plan.

Okay, so I’m going down this path of saying, “I need to use or perform a forensic analysis.” Rule number one, at least from my perspective, is when you get to that point you need to start looking for an outside firm.

While your team may be fully capable of doing the forensics, having that independent objective approach to go through your systems and help you certify what you’re looking at is accurate with an independent third-party auditor is key. Sometimes you will have incident response retainers with organizations – companies that will put boots on the ground and help you do this once you’ve classified something potentially with the “B word.” Now that we’re going down the path of collecting evidence to support that cyber insurance claim, they’re looking for everything from a firewall to authentication logs, to cloud trail logs; everything they can to build that story.

But in order to build that story, you have to be able to first say as a cybersecurity professional, or even an IT professional, “I am collecting that data, and I am storing it appropriately, potentially in a SIEM.” If you’re not logging firewall data, if you’re not logging authentication, if you’re not doing those steps, then it’s very hard for someone performing that analysis to build that story. Then you don’t even know necessarily what was jeopardized, what was stolen, what occurred, what malware may still be present, or anything along those lines, and that’s hard.

So, let’s take it from that first step as a professional way before any of this occurs – make sure that you’re collecting all the data possible to be used as a part of that forensic analysis. If you can, and you are so inclined to buy a SIEM or use an MSSP to bring all that data together, even better. When you get to that point of saying, “Hey, I’ve got something. I got all this data, I am going to classify it as a potential breach, notify cyber insurance and law enforcement.” The forensics can occur to look through all that data, and that’s fundamentally key to this entire process: the source, the escalation, the independent auditor, and then ultimately providing that evidence to your cyber insurance agent and carrier.

Tom: Yeah, absolutely. What are some of the areas where you’ve seen organizations get kind of tripped up, where they didn’t have maybe the best logs, or they weren’t prepared? Where are some of the fault points? How can people make sure that they’re prepared to be ready to provide the information, or that their network is prepared to have forensic analysis be successful?

Morey: So, there’s a couple of failure points in all of this. When thinking like the threat actor, the hacker, or the attacker, and depending on how you’re perceiving the infiltration, one of their first steps is going to be hiding their trails if they’re doing this silently. Again, blatant, versus ransomware, versus the silent, methodical attack to have a persistent presence.

One of the things they’ll do is delete logs, so you must make sure that the logs are not delete-able, are being transmitted in real-time, and you’re protecting that data stream. Because many times those logs themselves can contain PII or other sensitive data, that if stolen in themselves could be a liability too. So, you must verify the integrity of the logs, the data, the transmission, and storage, and then also the purging, or the data retention aspect.

Many states will have laws that you must keep things for a certain amount of time. I reside in the state of Florida; our law here is that all public types of data — like if you work for a power company or state, must be kept for seven years, which is an enormous amount of time. So, you must consider your data retention, and the protection of that as well as a part of that forensics.

Okay, so a threat actor wants to delete it; that’s the first step for them, to cover their tracks. But they can do other things to basically mess with your environment. They could be forging DNS records; they could be working with certificates to conduct man-in-the-middle of attacks if they found a way inside your organization. They can mess with your NTP or your time servers so that the log times through various solutions are all out of whack, or keep on resetting, so you can’t get that clean alignment to produce that forensics analytics trail.

So, you must make sure that your cybersecurity basics are in place for the integrity of the forensics to occur. Hardening of DNS so changes can’t be made, making sure NTP is solid so it can’t be tampered with —all of those are common mistakes that people make when they must go through those forensics.

Tom: Nice. Yeah, I appreciate that. We had a question come in through the chat about balancing. They’re saying for smaller organizations — so maybe that organization that might be in the 25 million, 50 million in revenue range, something like that. How do they balance those capabilities with the costs to mitigate and prepare? Are there kind of basic things that any organization can do to be prepared for this kind of stuff?

Morey: I really do believe that there are some very basic things that even the smallest businesses can do. When I say small business, we’re talking more than 20 to 50 employees, anything smaller than that the cost problem is real. Think about some of the MDR vendors that are out there. They can provide very efficient cost-based services to give you a SIM in a box, to provide that forensic capability and to provide the analytic capability of data going out. So, while you may not have a dedicated security staff, or you outsource your IT, this additional help can ensure that your cyber insurance as a small business can be effective, and the data, the hardening, and all the aspects we talked about are working correctly.

Now, you don’t have to necessarily go to a third-party for these things. This is really, important. Many times, you may consider your ISP — your internet service provider. Many of them have business divisions that have these services in themselves to help you. So, while they’re protecting the organization from potential malicious threats transparently in their data centers, before you egress to the internet as a part of your ISP services, they can offer value-add services from a business perspective. Whether that’s antivirus solutions, whether that’s EDR solutions, or whether that’s log solutions to ensure the integrity of the data and the assets they’re protecting fall into that place as well. And they do this at scale. They are used to doing this for hundreds of small businesses and medium businesses at large — don’t discount their capabilities when applying these best practices.

Tom: Excellent. We actually had a follow-up to that question, maybe not in your area of expertise with regards specifically to Microsoft Azure, and any setups and configurations that are a must regardless of the cost. Before I pass it over to you, I certainly have one from the insurance perspective. As we help all our clients to renew their policies, the number one kind of control that the carriers care about the most is multifactor authentication.

Everybody who’s ever met me has probably heard me talk about this, but multifactor authentication is absolutely key, not only from a security aspect. I think actually Microsoft came out recently with a report, that 98% of the breaches that have happened could have been prevented with multifactor authentication. So, securing anything Azure with MFA is absolutely key, so I would say that’s my recommendation in terms of setups and configurations with Azure.

Any thoughts from you on that, Morey?

Morey: I think that’s absolutely sound advice, and I would probably take it one step further. Anything that you do should have some form of multifactor authentication or remember me for the next 30 days type approach when I’m using this system from this IP address, et cetera. When you think about Microsoft, you have Microsoft authenticator, you have Google authenticator, use it wherever, ever, ever possible. Whether it is just your personal banking systems, or your business banking systems, it will mitigate that many threats. If you’re relying on just a username and password, and that’s it, you at some point will be ripe for that attack.

Now, security best practices imply that every password on every system should be different. Personal password managers are great for the smallest of business, but as you start to cross that threshold into medium or enterprise, then you get into the next best practice that cyber insurance wants, and that’s privileged access management. That is the management of privileged accounts, and the removal of admin rights.

When you couple [privileged access management] with the MFA that you’ve been mentioning, you have a very sound strategy of unique passwords. Even if those are stolen, no one can authenticate no matter how sensitive the system is, because you’ve backed it up by some form of MFA. And those are the two key pieces, at least in my opinion, when applying for cyber insurance or answering the questionnaires that will help you lower your costs, or make sure that your policy’s not denied.

Tom: Yeah, I think that’s great advice.

Pivoting now from MFA towards another key security control that a lot of carriers ask about the most: backups. Getting back to the conversation about forensic analysis; how critical are the backups as part of that forensic analysis investigation? And have you seen situations where the backups can be breached as well? As part of the analysis, are we looking at the backups, and making sure that those are safe, and organizations can restore from their backups?

Morey: Backups are a very interesting problem in this entire space, small business to enterprise as well. It’s not that you’re just performing the backups, it’s how and where it’s stored, and what has access to it ultimately. If you’re still doing it on-premises that’s one thing, but you do have to worry about those threats, including ransomware. If the connection between the server you’re backing up and the backup server can be compromised, or has common credentials used in lateral movement, your backups could be just as compromised as the primary system during a ransomware attack. And that’s quite real; that’s a real potential threat.

So, what you must think about is, where are you storing it? How are you storing it? If you’re doing it to the cloud, make sure that it’s only accessible for restoration with key accounts, MFA, and not basically just an open S3 bucket where you’re dumping data to. That’s just a really bad idea.

In addition to that, if you’re doing it in the cloud, ask if they have fault-tolerance and procedures in case there is a problem. If you have an issue, can you get to your backups, and how long would it take to restore those backups as a part of RTO, RPO, and even MTTR, mean time to repair, bringing that system back? Obviously, that’s all going to be based on your internet connection.

If you have a slow piece of pipe, and your backups are put up there and you have an issue, it’s going to take you a long time. Now with that in mind, this is where cyber insurance becomes important, because they will as a part of normal policies cover any outage, or time, or anything else. So you have to consider, is my backup safe? Are they local or in the cloud? Can they be compromised? And how effective would it be for me to actually do a large-scale restore, considering the volume of data and everything that I need?

Tom: Absolutely. And I think more and more organizations are looking to their backups to restore, instead of paying that ransom. So, it’s critical to make sure that you understand: one, what your abilities are to back up, and two, how long it will take to do that backup. Because when you get into the insurance claim situation, not only are you managing whether you’re going to pay that ransom, the cost of the forensic analysis, and other vendor costs, but there’s also the business income portion of this.

Most cyber policies include a business interruption and extra expense provision within the policy, so if you’re the type of organization that loses money any time that you’re unable to access your systems, every day, every hour equates to a dollar figure. Having those backups and being able to trust your backups is critically important.

Morey: It is, and a lot of times you might not just start with restoring your system, you may need to do that forensics piece first in a good amount of detail to ensure that your backups don’t have the same problem. Or, you may have to go to an older date to determine when the actual infiltration or compromise occurred, so that you don’t reintroduce the problem.

You might have that lag time in between to say, “Okay, I might lose a week’s worth of data, or a month’s worth of data, which would be horrendous, but it’s still going to take me two, three weeks, or even a day, depending on bandwidth to do that cloud based restore.” That’s the only bad caveat about a cloud based solution, is how long it would take compared to me having high speed backup systems, potentially still on-premises, with the network available to do so.

Tom: Right, makes sense. So, I know I want to touch on a few more things about BeyondTrust, and privileged access management solutions. But before we kind of pivot to that, for the CSOs and the IT directors listening in today, business leaders – what are some of the things you recommend, whether it’s from a procedural standpoint, or a software standpoint? What are the key takeaways that they can bring back to their organizations as they think about how to prepare for a breach, how to prepare to be ready for forensic analysis? Anything that we haven’t touched on yet?

Morey: Yeah. So many of you have probably heard, it’s not if I will be breached, it’s when. As a cybersecurity professional running a business, incidents happen all the time – that’s a given. It’s when that incident gets to that threshold that you must be prepared. If you are doing the right things, like collecting the logs and ensuring their integrity, make sure you at least have someone looking at them on a regular basis. Because if you’re not, then you can’t look for normal behaviors and patterns, even if you’re using the best SIM that’s out there.

If you don’t have the resources to do that, get that external help, that MDR vendor, the MSP, or the ISP business center, to help you do that too. The biggest mistake that I see going on in the recommendation, is that no one is looking. You’ve set everything up to do the look, but you might have been able to find the problem much sooner if someone was just keeping an eye on it. That’s my biggest recommendation, to invest in something that’s basically minding the store, keeping an eye on your logs, your security events, to ensure that there isn’t that subtle backdoor potentially waiting to be exploited.

Tom: I think that’s great advice. It reminds me of one of the things that I like to preach the most, which is cybersecurity and network security are no longer somethings that just your IT team does. It truly should be something that you take at an enterprise risk management approach, it’s something that your entire organization needs to be bought into, you build a culture around it, and those are the organizations that are truly protected the most.

I want to get to the questions, but I also want to just quickly touch on privileged access management, and the BeyondTrust Discovery App. So, of course, in addition to you being a forensic analysis guru and able to walk us through all this today – BeyondTrust’s privileged access management services, there are several of them. Can you tell us a little bit more about BeyondTrust, and specifically this application? Which I’m going to share in the chat, so everybody has the ability to access it.


Certainly. BeyondTrust is a leader in Privileged Access Management solutions, covering Password Management: check-in, check-out rotation with full session recording. Endpoint Privilege Management, which is the removal of admin rights on Unix, Linux, Windows, Mac, anything. Users do not need local admin rights at all, which is a key attack vector used by threat actors and one of the biggest things to help ensure your cyber insurance is at the lowest cost in addition to MFA.

And then Secure Remote Access technologies: the ability to securely connect help desk, or vendors, contractors, or third parties into your organization at a low risk without the need for VPN. Now, once a threat actor does potentially penetrate an environment, one of the things they do, is they try to enumerate assets to determine where they can move laterally. Or they have compromised an individual account associated with an identity, and can leverage it against additional assets.

So, in my case, it might be my name present on multiple systems, or have access authority to multiple systems. To eliminate or mitigate those threats before a potential incident, BeyondTrust offers a free privileged access discovery application, as you can see here on the slide. This tool will help discover all your assets in your environment and the local and domain accounts that are present so you can determine how a threat actor could potentially move throughout your environment.

Do you have the same service accounts? Do you have the same admin account and password? It highlights things like that, so that you can basically say, “Look, every system should have a unique password.” Or “Why does John Doe have a local account here? Why does John Doe have administrative access for all these systems?”

This allows you to prevent many of the attacks, the lateral movement, or the things used by ransomware, or the exfiltration of data that would cause you to basically have a cyber insurance claim. If you’ve not seen this tool, I encourage you to check it out. You’ll find the results to be quite interesting, because it is designed to help you understand where that identity account relationship exists, and the liability that it would pose to your organization. Back to you.

Tom: Yeah, you can’t fix what you’re not aware of, so this a great place to start. We do have a little bit of time for questions, maybe I’ll just kind of tee some of these up to you Morey, if that works for you?

Morey: Certainly.

Tom: Can you touch on your point of view about the importance of a network topology, an architecture documentation that is stored securely and accessible?

Morey: Really critical. First off, your network should be segmented – having flat networks is just a bad idea. Users should not be able to cross zones without an explicit need, and if it’s a very sensitive zone containing PII it should be gated access. Now, part of any good plan is that documentation, knowing where systems are, et cetera. And that shouldn’t be just placed on a file share of, like any other document.

The reason being is it is PII, for the business itself, it lays out the network blueprint that a threat actor wants, so that they can figure out the host names, IP addresses, gateways, firewalls, everything that you may have put in place internally to get to the information they want. Now, with the digital transformation approach, and a cloud approach where cloud is first for applications, your network topology might be pretty slim. You’ll have a user LAN, a guest network, maybe a couple of domain controllers, but everything egresses to the cloud.

You might document things like, here’s my gateway, here’s my proxy, here’s whatever it may be, or an SD-WAN approach to controlling traffic to the cloud as well. Even though that may seem simple and agnostic, it still provides critical information to a threat actor as to how they can navigate the environment. I would treat network architectures, IP addresses, host names, all of that, just as sensitive as any PII, and secure them in a place that when needed they’re there, but they’re not generally available to anyone just on a file share type access.

Tom: Great advice. I want to wrap up with this final question here. In a breach/incident, remediation and evidence collection are often in competition. Do you have any advice or guidance on managing that?

Morey: They are in competition, getting the business back in a stable state is key. There are ways of considering how to do this, if you do have a formal DR plan, relying on your disaster recovery machines or virtual machines until the primary systems are cleaned up, that’s just the best approach that I would normally recommend.

If your business does not have a DR plan where you could spin up VMs or fault tolerate over to other systems, you’re going to have to have that measure or that priority as a part of your business continuity plan. Which is going to take precedent: restoring those systems, reloading them, bringing them from backup, or getting the proper information for cyber insurance? Now, you might find the answer to be a little bit telling there, you may forego operations and a little bit of brand reputation in order to leverage your cyber insurance. But if it’s something like, “We’re out right now, and I can’t file claims during a natural disaster,” you may weigh the business portion before that. A lot of that becomes an executive decision, but your IR plan should state your priorities. And I can’t tell you which one is more important based on your vertical, and the delivery of your services or products to clients, that becomes an individual decision.

Tom: Yeah, absolutely. The key takeaway being though, get everybody in the room who’s appropriate to be making that decision on the front-end, put it on your internet response plan, test your internet response plan, and you will be prepared. Hopefully it doesn’t happen though.

Morey: And if you’re large enough, consider a DR type scenario for your most critical systems. Look, if it’s a virtual machine, that’s not that hard to do. As long as that DR system was not compromised as a support of whatever incident or breach that you’re dealing with.

Tom: Yeah, absolutely, awesome. Well, I think that’s a great place to kind of wrap up. So once again, I really want to thank you Morey for joining us today, I think that was some really good insight, and a peek behind the curtain into how this whole forensic analysis really goes down. And hopefully everyone has some takeaways to think about that they can use to be prepared, in the event that it does happen to them.

Morey: Yeah, plan, plan, plan, and pray you never have to use it. That’s the best way to think about it.

Tom: Absolutely. So thanks to everyone for joining today, and please look out for our invitation to part four, which will be our fourth and final part to the webinar series about cyber risk management. And we look forward to seeing you again, thanks.


Thank you all.

This post was first first published on BeyondTrust website by . You can view it by clicking here