The importance of a strategic response to data security incidents

There are a variety of ways an organization can experience a cyber incident, ranging from a distributed denial of service (DDoS) network attack to internal information theft.

The first response is usually to enlist incident response professionals to resolve the issue as quickly and efficiently as possible. However, there are several factors that organizations should consider in determining the best response to an incident. The fact is that a poorly executed response or ill-thought-out strategy can have long-term consequences for your business.

Here are key points that an organization must take into account before they execute a response to a cyber incident.

Determine your priorities

In today’s digital world, every organization should anticipate a cyber incident at some point. How your organization responds can have as much impact as the incident itself. If and when your organization experiences a cyber incident, as a first step determine what your top priority is:

· Is it to limit damage?

· Is it to attempt recovery of lost or stolen assets?

· Is it to fulfill compliance requirements such as customer and government notification or regulatory deliverables?

· Is it prosecution of the cybercrime?

· Some combination of the above? Other unique requirements?

Understanding what matters most to your organization will ultimately determine the kind of support you enlist and in what order.

When the culprit is an insider

When the source of a leak or compromised security is potentially the result of insider action, it presents a unique set of challenges for organizations to address.

First, keep in mind that the insider is most likely well placed to access sensitive information, ranging from technology IP to customer lists and even personal employee or executive data. While the threat of such a scenario is quite serious, the investigation of a suspect employee must be conducted in a highly discreet and professional manner.

In the event an employee is unjustly accused, an aggressively executed investigation will almost certainly damage the employee’s relationship with the organization, could negatively impact morale and undermine the trust of other employees, and will ultimately expose the organization to lawsuits.

On the other hand, if the suspect employee is in fact guilty, a poorly executed investigation could alert him or her to the investigation effort, and could even compromise the organization’s ability to build a successful prosecution.

Organizations with a suspected or real insider threat need to first ensure that evidence is gathered immediately, discreetly and in a forensically sound manner. Prompt evidence gathering reduces the likelihood of evidence destruction should the investigative effort be detected or if the employee/executive departs the company before the investigation is completed.

Proper evidence gathering requires forensic experience: the mere act of opening a file changes its metadata, which in turn introduces both risk and difficulty in attribution, as well as weaknesses in any subsequent civil or criminal prosecution.
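As an added illustration (not part of the original article) of what "forensically sound" and chain of custody mean in practice: record the content hash and the filesystem metadata at acquisition, only ever append custody events, and re-verify before anything is produced. A content hash alone would not reveal that a file was merely opened and re-saved; the metadata snapshot does. File contents, paths and examiner names are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, chunk=1 << 16):
    # Stream the file so large disk images do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(path, examiner, note):
    # Record the content hash and the filesystem metadata exactly as found at acquisition.
    st = os.stat(path)
    entry = {"path": path, "sha256": hash_file(path), "size": st.st_size,
             "mtime_ns": st.st_mtime_ns, "custody": []}
    log_event(entry, examiner, note)
    return entry

def log_event(entry, who, action):
    # Custody events are only ever appended, never edited or removed.
    entry["custody"].append({"when": datetime.now(timezone.utc).isoformat(),
                             "who": who, "action": action})

def verify(entry):
    # Return the set of recorded fields that no longer match the live file.
    st = os.stat(entry["path"])
    live = {"sha256": hash_file(entry["path"]), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return {k for k, v in live.items() if v != entry[k]}

def demo():
    # Constructed scenario: acquire a file, then a "harmless" re-save, then an actual edit.
    path = os.path.join(tempfile.mkdtemp(), "export.csv")
    with open(path, "w") as f:
        f.write("customer,contact\nacme,ceo@acme.example\n")   # constructed sample content
    entry = acquire(path, "examiner-1", "copied from suspect workstation (constructed)")
    pristine = verify(entry)                                  # set(): nothing has changed
    # Re-saving in an editor leaves the bytes intact but rewrites the modification time.
    os.utime(path, ns=(os.stat(path).st_atime_ns, entry["mtime_ns"] + 10**9))
    touched = verify(entry)                                   # {"mtime_ns"}
    with open(path, "a") as f:
        f.write("tampered,row\n")
    altered = verify(entry)                                   # sha256 and size now differ too
    log_event(entry, "legal", "sealed for counsel (constructed)")
    return pristine, touched, altered, entry
```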

The investigation itself needs to be tightly contained within the company. Specifically, a select group should be appointed to work with the forensic investigator(s), representing at minimum the following stakeholders: legal, HR, the subject's manager, IT and, if the subject works on or accesses complex data, the relevant subject matter experts.

The internal team also needs a way to reach trusted co-workers or associates of the subject in order to establish relevant social and behavioral factors. This matters most when the insider holds a sensitive position: not just an executive, but especially IT personnel. IT staff have access beyond what even many executives possess, and are positioned both to detect and, potentially, to cause great harm.

The investigation should both examine actual misuse or abuse of privileges and build a means, motive and opportunity (MMO) profile of the subject. Misuse or abuse is certainly key evidence, but motivation and capability are equally important in ensuring effective prosecution.

The Streisand effect

The so-called Streisand effect refers to the phenomenon where an attempt to conceal or censor information has the opposite and unintended consequence of publicizing the information more widely, usually via social media.

For organizations that have experienced a hack and are concerned about potential damage to their reputation, it is crucial to formulate a strategic response that combines cyber security analysis with crisis communication and public relations analysis, so as to assess the potential fallout and arrive at the optimal course of action for mitigating it. We have seen many real-world examples where a breach proved far less damaging when it was proactively managed and communicated than when the organization attempted to conceal or gloss over the incident.

Expert evaluation can be a powerful tool in ensuring a smart, decisive and swift response plan is put in place.

Password security

To ensure network security, companies typically employ password protection of networks and information. However, reliance on passwords has its own pitfalls.

Because it is human nature to try to minimize the number of passwords and user login details we all must remember, it is common for employees to reuse the same password for multiple sites regardless of whether they are accessing sites for professional or personal purposes. If you know a user’s log-in credentials for one site – say, LinkedIn – chances are the same credentials can be used to access any number of sites, including otherwise secure corporate networks.

Cyber criminals have exploited that weakness by harvesting user log-in credentials from LinkedIn, major ISPs and other commonly used third-party services, and then selling access to databases of such information. Organizations willing and able to monitor third-party databases for reused logins and passwords can significantly improve both their customer and internal security.
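One way to act on such a database once an organization legitimately holds a copy, as an added example that is not from the original article: hash each leaked plaintext with the matching corporate account's own salt and compare it against the stored hash, so the check never requires the organization to keep plaintext passwords. The directory, hashing parameters and dump rows are constructed.

```python
import hashlib
import hmac
import os

def store_password(password, salt=None):
    # Corporate side: PBKDF2-HMAC-SHA256 with a per-user random salt (illustrative parameters).
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def parse_dump(text):
    # Parse "email:password" rows from a leak, skipping blank or malformed rows.
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        if sep and email:
            pairs.append((email.lower(), password))
    return pairs

def find_reused(directory, dump_text, our_domain):
    # Flag our accounts whose stored hash equals the leaked plaintext hashed with that user's salt.
    flagged = set()
    for email, leaked_pw in parse_dump(dump_text):
        record = directory.get(email) if email.endswith("@" + our_domain) else None
        if record is None:
            continue  # the leak may hold millions of rows; only our own users matter
        salt, stored = record
        if hmac.compare_digest(store_password(leaked_pw, salt)[1], stored):
            flagged.add(email)
    return sorted(flagged)

# Constructed corporate directory: alice and carol reused their work passwords elsewhere.
DIRECTORY = {
    "alice@corp.example": store_password("Winter2016!"),
    "bob@corp.example": store_password("correct horse battery staple"),
    "carol@corp.example": store_password("unique-and-long-passphrase-42"),
}

# Constructed third-party dump in the common email:password format (last row is malformed on purpose).
LEAK = """\
alice@corp.example:Winter2016!
bob@corp.example:bob1234
CAROL@corp.example:unique-and-long-passphrase-42
someone@elsewhere.example:Winter2016!
row without a separator
"""

def demo():
    return find_reused(DIRECTORY, LEAK, "corp.example")
```

Accounts returned by `find_reused` are the ones to force through a password reset; bob is not flagged because his leaked third-party password differs from his corporate one.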

However, care should be taken in doing so. Publicly accessible databases of compromised user credentials are a great public resource, but the data they contain is generally very old and has already been monetized by cyber criminals.

Databases that are still being monetized are far more valuable for preventing expert cybercriminal access, but access to them must be bought from their cybercriminal owners.

Cyber criminals who trade in this kind of illegally obtained data tend to sell access to it for Bitcoin. Some organizations that have purchased access to such dark web credential databases in order to detect and investigate potential weaknesses or possible intrusions into their own networks have instead brought risk upon themselves.

Bitcoin keeps a public record of every transaction; as such, a company performing this kind of intelligence gathering would be on record as having handled specific bitcoins, potentially alongside ransomware operators or suspected terrorists and drug dealers.

Also, if anyone is willing to pay hundreds or thousands of dollars in Bitcoin to retrieve every record containing a specific company name from a large database of leaked logins and passwords, that action itself tells the database seller (a cybercriminal) that there is something of interest in that company, for which he or she already possesses a list of potential access credentials.

Hiring the right people

There are a multitude of service companies an organization can call on when a cyber crisis occurs, but quality of service varies dramatically. Security-conscious organizations have a natural tendency to gravitate towards high-profile consultancy firms that offer potential solutions at a premium price, but before deciding whom to hire, consider the following:

If the end goal is:

· Limiting damage: be sure to keep in mind that legal and public relations expertise is a vital part of most customer-facing or external-facing mitigation efforts.

· Recovery of assets: improper access to other networks is a crime even for victims of cyber attacks. Cooperation with law enforcement and the judicial system is key when accessing cyber criminals’ computers and networks, especially if they reside in other states or even other countries.

· Compliance: if internal resources are not experienced with cyber attacks or breaches, external expertise should be retained.

· Civil or criminal prosecution: ensure you work with a firm that has experience in digital forensics, e-discovery and civil or criminal prosecution. The firm should demonstrably understand the chain of custody, investigation and documentation requirements for your region. Chain of custody refers to the process of documenting the movement and location of potential evidence to demonstrate that it has not been contaminated or tampered with. Investigation and documentation is the process by which investigators arrive at a thorough and complete understanding of an incident and then convert that understanding into a legal report specifically for use in legal proceedings. Note that these areas go beyond pure technical expertise: familiarity and experience with legal proceedings is crucial. Lawyers understand the law, but often do not understand digital investigations or forensics. Likewise, technical experts may overlook potential legal pitfalls, failing, for example, to properly document their processes as an investigation moves forward. An experienced digital forensics firm will understand the importance of working closely with an organization’s legal representatives and explaining vital digital nuances, thus ensuring the best possible chance of victory in the courts.


Cyber incidents and their response should always be viewed holistically and not just as a digital or technology issue. A good incident response team should incorporate technical expertise, legal knowledge and public relations know-how to ensure a coordinated and effective response. Having an incident response plan prepared ahead of time, including potential providers, can be of great benefit.

Pre-negotiated incident response, for example, can reduce costs considerably, as it avoids having to negotiate with a plumber while standing foot-deep in water in your house. While companies cannot control the types of cyber incidents they will face, they can control how they respond, and can optimize that response to minimize any fallout and ensure a positive outcome.
