A Breach in Boston: What's Happening When It's Quiet
May 31, 2019 — On May 1st, Charles River Labs announced a breach and reported that data had been copied out from approximately 1% of their clients. They worked with federal law enforcement and determined that “very sophisticated, well-resourced intruders were responsible for this incident” and that the intruders “have been independently targeting multiple organizations”. [1]
While that announcement certainly generates not only curiosity but also concern for others within the industry, nothing has been released since, which leaves us with several questions: What happened? Could it happen to us? What should we do? This quiet period after a breach is normal, as we’ve seen with others. It usually isn’t until a year or more later that the full study of the incident is released.
We don’t know the details of what this victim is going through during this time, but based on other companies’ breaches over the years, we can surmise the general process that they’re going through:
First, with a breach, certain reporting and notification are required. This means that the company has to inventory which data was compromised and create a list of all of the individuals whose protected information was affected. Depending on whether the data is structured (e.g. in databases) or unstructured (e.g. in documents and other office files), this can take a lot of time. Following that, there’s the process of notifying those individuals.
Second, with a sophisticated and well-resourced attacker, there are questions as to how the attacker was able to get into the network, and whether they are still there. This can result in ongoing forensics efforts with third parties to determine:
- how and when the attacker entered the network.
- how the attacker traversed the network and how far the attacker reached.
- what changes the attacker made or tools the attacker installed in order to get back in later.
It’s not uncommon for a victim to kick an attacker out of their network and clean up after them, only to have the attacker come right back in again. Several well-known companies offer Compromise Assessments, which involve installing agents on workstations and servers and analyzing the retrieved data for anomalous files and behaviors. While the forensics effort is taking place, there can also be quarantining and rebuilding of affected IT infrastructure (while still running the day-to-day business) and continued monitoring to detect any additional or previously unseen malicious behavior on the network.
Third, in addition to containing and eradicating the threat, the victim company will likely deploy increased security controls and increase visibility into their environment, to prevent this type of attack, and those like it, from happening again. This may take the form of policy and process improvements, additional user training, or product or service acquisition. The goal at this point is to learn from the experience and get back to normal business, even stronger than before.
There isn’t much to read about the Charles River Labs breach today. Perhaps in the future there will be a case study or other presentation detailing the events and the attacker’s methods. Today, it’s important to realize that biotech firms are being targeted by sophisticated and well-resourced attackers aiming to steal data, this industry’s greatest asset. This is a good time to make sure that your organization has a well thought-out security strategy with a complete, well-rounded security program and is dedicating sufficient resources and priority to it. It’s important to partner with the right vendors to provide expertise where it’s most needed, and also to audit and test the robustness of your security program. If we’ve learned anything from the history of breaches, it’s that they often result from a series of relatively small events, oversights, or process breakdowns which, while seemingly insignificant on their own, can erupt into catastrophe when left unnoticed and given time to percolate.
[1] April 2019. Charles River Cybersecurity Incident Q&A for Clients.