
Data sharing paramount after a security incident

Image: Stockfresh

5 August 2015

There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted.

In each instance, attribution seems to take the lead during incident response, something organisations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organisations that focus on this area first are wasting resources and time.

US Attorney Ed McAndrew (DE), who has years of experience working cases involving internet-based crime, has offered unique insight into the federal side of incident response and what organisations can do to better prepare for law enforcement involvement.

Mitigation
McAndrew says that organisations should resist the urge to work out who is responsible and instead direct their energies towards mitigating damage and data loss, while providing details to law enforcement so they can determine who committed the crime and what action should be taken against them — whether that is capture and prosecution or disruption and deterrence.

“Organisations that suffer cyberattacks are victims. Like many other types of crimes, cybercrimes cannot be effectively investigated and prosecuted without the help of victims. The timely and meaningful sharing of information is critically important to our ability to help mitigate these crimes and, to the extent possible, prevent their continuation and recurrence,” McAndrew said.

How a breach is detected will vary. Sometimes organisations are informed of a breach by a third party; others are able to self-detect. However discovery occurs, law enforcement needs to be contacted about the incident, but should the organisation contact local or federal authorities?

The question sounds simple, but some smaller organisations (and large ones too) might consider state police or even local authorities as the first point of contact. That is wrong.

In the US, McAndrew advises, “organisations should contact federal law enforcement agencies — particularly the FBI and/or the United States Secret Service. Network intrusions and resulting ID and IP theft are, by their very nature, interstate or international in scope. Cyber actors often victimise multiple organisations during the same time period. Both the cyber actors and the victims are often spread across multiple jurisdictions and countries,” McAndrew explained.

By going federal, the organisation starts a process that enables an efficient and comprehensive investigation. No case is perfect, but the ability to investigate and document the steps taken on both sides (victim and perpetrator) is critical to attribution, mitigation and prosecution.

“The FBI and the Secret Service are best equipped and positioned to conduct these national and international cyber investigations effectively and efficiently,” McAndrew added.

When it comes to the information that should be collected and given to law enforcement, McAndrew noted that priority assets will vary per investigation, but in general law enforcement is interested in data that can be used to identify perpetrators, as well as data that relates to the timing and manner of breach, data exfiltration, and any disruptive or destructive activity.

“Any existing system logs, SIEM data, IDS, DLP, endpoint data, network and data flow maps might provide insights into these issues and be most helpful to investigations,” he said.

Full sharing
But some organisations will be hesitant to share complete details. Even so, data from internal investigative reports or forensic examinations conducted by non-law enforcement personnel should still be shared, even if only partial information is available.

“While law enforcement agencies can best help victims when provided with as much information as possible about a cyber-incident, we are very sensitive to the complex legal and business issues surrounding sharing data with government investigators,” McAndrew added.

Law enforcement, he says, recognises that organisations must balance the competing and contemporaneous roles of: crime victim; target of inquiry from governmental and non-governmental entities outside of federal law enforcement; and civil litigant.

“Federal law enforcement agencies are likely to seek only that information that is necessary to conduct the investigation.”

Moving on, we asked McAndrew to explain the investigation process and some of its complexity.

Complex investigations
“Even simple cybercrimes are complex in terms of the investigative process. Attribution of conduct for all essential elements of a crime is critical to a successful prosecution. Finding evidence beyond the victim’s network and devices is likewise essential to proving a criminal case. Even if solid proof of criminal activity by particular individuals can be developed, their location beyond US borders often prolongs – if not derails – arrest and prosecution,” he explained.

If investigators are successful in all of those steps, they might be able to convince individual targets to cooperate with the investigation into other targets and other cybercrimes. While this process takes place, criminal proceedings may be delayed or remain out of the public eye. Thus, major cases may take years to develop from inception to actual conviction and sentencing.

“In addition to conducting these extremely complex investigations and prosecutions of international cybercrime, law enforcement agencies are increasingly playing the somewhat non-traditional role of threat mitigation by seeking to help organisations better protect themselves against persistent cyber threats. In fact, the US Department of Justice’s Computer Crimes and Intellectual Property Section recently created a Cybersecurity Unit dedicated to this objective,” McAndrew said.

Advances
Each case is a tough case from start to finish, and McAndrew explained that advances in speed, capacity, locational obfuscation and encryption have only made the job harder over the years.

“The most difficult cases I have faced in a constantly changing technological environment involve groups of threat actors each with high quality operational security making their activities, identities and relationships to one another difficult to trace,” he said.

“These same types of cases often involve multiple victims located in different places. Investigating what are ongoing crimes in the current climate of data breach response obligations is a daily high wire act. Every cyber case is a crisis for every victim. Remaining sensitive to the competing demands placed on victims in the face of ongoing harm of unknown dimensions is a constant challenge.”

So when a breach happens, do not focus on attribution; focus on recovery and on mitigating the damage and data loss. After that, focus on getting the necessary information to law enforcement as quickly as possible, while starting the process of informing customers and those affected within a proper time frame.

Checklists
In addition to the logs and other technical information mentioned above, McAndrew has created a checklist of information organisations should be prepared to share with law enforcement.

  • Identity and contact information for individuals responsible for various components of incident response (legal, IT, senior management, outside consultants, etc.)
  • Information about discovery of the incident and steps taken since the discovery of the incident
  • Information relating to past incidents that may be related to the current incident
  • Information about past contact with law enforcement agencies about other incidents. [This can allow the LEA to quickly cross reference historical information]
  • Identification of information systems and components involved and their locations
  • Signatures for detected malware, spyware, etc.
  • System logs (DNS, servers, etc.) relating to the incident
  • IP addresses and other external identifiers believed to be involved in the incident
  • Network maps, locations and data flows relating to the incident, including vendors and cloud service providers
  • Data Loss Prevention (DLP) information
  • Intrusion Detection System (IDS) information
  • SIEM information and log correlation information
  • Endpoint management and access control information relating to the incident
  • Information for firewalls and anti-virus, anti-spam, anti-spyware, malware and phishing defences networks related to the incident
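The checklist above, together with the log, SIEM, IDS and DLP data McAndrew mentions earlier, amounts to an evidence package. As an added example, not from the article or from any agency's tooling, the script below turns the checklist into a manifest: it hashes every log file handed over (so both the organisation and investigators can later prove the copies were not altered), records which checklist categories are still missing, and re-verifies the package on demand. The field names, the case id placeholder and the two log extracts are constructed for the demonstration and carry no real data.

```python
# Added example (not from the article): assemble the checklist into an
# evidence package with a hashed manifest, so what is handed to law
# enforcement can be shown to be complete and unaltered.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Checklist categories from the article, as manifest fields (names are hypothetical).
REQUIRED_FIELDS = (
    "contacts",            # people responsible for legal, IT, management, outside consultants
    "discovery",           # how the incident was found and steps taken since
    "related_incidents",   # earlier incidents and previous law-enforcement contact
    "systems_involved",    # affected systems, components and their locations
    "indicators",          # malware signatures, IP addresses, other external identifiers
    "network_maps",        # network maps, data flows, vendors and cloud providers
)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    # Stream the file so large packet captures or SIEM exports do not need to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_id: str, fields: dict, evidence_dir: Path) -> dict:
    """Hash every evidence file and record which checklist fields are still missing."""
    evidence = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        evidence.append({
            "file": str(path.relative_to(evidence_dir)),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "fields": fields,
        "missing_fields": [f for f in REQUIRED_FIELDS if not fields.get(f)],
        "evidence": evidence,
    }


def verify_manifest(manifest: dict, evidence_dir: Path) -> list:
    """Re-hash the files; return the names whose contents no longer match the manifest."""
    return [
        entry["file"]
        for entry in manifest["evidence"]
        if not (evidence_dir / entry["file"]).is_file()
        or sha256_file(evidence_dir / entry["file"]) != entry["sha256"]
    ]


# Constructed sample: two small log extracts (not real data) and a partial checklist.
SAMPLE_FILES = {
    "dns/resolver.log": (
        "2015-08-03T02:14:07Z client=10.20.1.55 query=update.example-cdn.test type=A\n"
        "2015-08-03T02:14:09Z client=10.20.1.55 query=update.example-cdn.test type=A\n"
    ),
    "firewall/egress.log": (
        "2015-08-03T02:15:01Z ALLOW 10.20.1.55:49212 -> 203.0.113.7:443 bytes=5800421\n"
    ),
}
SAMPLE_FIELDS = {
    "contacts": {"legal": "counsel@example.test", "it": "soc@example.test"},
    "discovery": "Third-party notification 2015-08-04; affected host isolated same day",
    "related_incidents": "None known",
    "systems_involved": ["10.20.1.55 (workstation, constructed location)"],
    "indicators": {"ips": ["203.0.113.7"], "domains": ["update.example-cdn.test"]},
    # "network_maps" deliberately omitted to show the completeness check
}


def demo() -> dict:
    """Write the constructed files to a temp dir, build the manifest, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SAMPLE_FILES.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_text(text)
        manifest = build_manifest("CASE-PLACEHOLDER-001", SAMPLE_FIELDS, root)
        clean = verify_manifest(manifest, root)
        # Simulate a log line being edited after hand-off: its hash no longer matches.
        (root / "firewall/egress.log").write_text("2015-08-03T02:15:01Z DENY ...\n")
        tampered = verify_manifest(manifest, root)
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("missing:", result["manifest"]["missing_fields"], "tampered:", result["tampered"])
```

The manifest is what travels with the package: the hashes let either side re-run `verify_manifest` months later, and the `missing_fields` list gives the response team a concrete to-do list before the first call to the FBI or Secret Service rather than after it.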

Steve Ragan, IDG News Service
