LAS VEGAS - There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted.
In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organizations that focus on this area first are wasting resources and time.
US Attorney Ed McAndrew (DE), who has years of experience working cases dealing with Internet-based crimes under his belt, recently spoke to CSO Online and offered some unique insight into the federal side of incident response and what organizations can to do better prepare for law enforcement involvement.
McAndrew says that instead of focusing on who is responsible, organizations should resist this and direct their energies towards damage and data loss mitigation, while providing details to law enforcement so they can be the ones to determine who committed the crime, and what actions need to be taken against them - whether that is capture and prosecution or disruption and deterrence.
"Organizations that suffer cyberattacks are victims. Like many other types of crimes, cybercrimes cannot be effectively investigated and prosecuted without the help of victims. The timely and meaningful sharing of information is critically important to our ability to help mitigate these crimes and, to the extent possible, prevent their continuation and recurrence," McAndrew said.
How the breach is detected will vary. Sometimes organizations are informed of a breach by a third-party, but some are able to self-detect. No matter how discovery occurred, law enforcement needs to be contacted about the incident, but should the organization contact local or federal authorities?
The question sounds simple, but some smaller organizations, large ones too, might consider state police or even local authorities as the first line of contact. That's wrong.
"Organizations should contact federal law enforcement agencies - particularly the FBI and/or the United States Secret Service. Network intrusions and resulting ID and IP theft are, by their very nature, interstate or international in scope. Cyber actors often victimize multiple organizations during the same time period. Both the cyber actors and the victims are often spread across multiple jurisdictions and countries," McAndrew explained.
By going federal, the organization starts a process that enables an efficient and comprehensive investigation. No case is perfect, but the ability to investigate and document the steps taken on both sides (victim and perpetrator) is critical to attribution, mitigation and prosecution.
"The FBI and the Secret Service are best equipped and positioned to conduct these national and international cyber investigations effectively and efficiently," McAndrew added.
This led to a follow-up question, are there any limits or rules for federal notification?
"Due to the multiple objectives of cyber actors and the constant evolution in the manner of attack and impact on organizations, there are no rigid requirements as to the cases that are ultimately investigated. There is no single standard when it comes to federal notification requirements for victimized organizations. There are over 50 federal laws relating to cybersecurity and data privacy. Different industries and sectors are often governed by different standards," he said.
When it comes to the information that should be collected and given to law enforcement, McAndrew noted that priority assets will vary per investigation, but in general law enforcement is interested in data that can be used to identify perpetrators, as well as data that relates to the timing and manner of breach, data exfiltration, and any disruptive or destructive activity.
"Any existing system logs, SIEM data, IDS, DLP, endpoint data, network and data flow maps might provide insights into these issues and be most helpful to investigations," he said.
But some organizations will be hesitant to share complete details. Even so, data related to internal investigative reports or forensic examinations conducted by non-law enforcement personnel should be shared anyway, even partial information.
"While law enforcement agencies can best help victims when provided with as much information as possible about a cyber-incident, we are very sensitive to the complex legal and business issues surrounding sharing data with government investigators," McAndrew added.
Law enforcement, he says, recognizes that organizations must balance the competing and contemporaneous roles of: crime victim; target of inquiry from governmental and non-governmental entities outside of federal law enforcement; and civil litigant.
"Federal law enforcement agencies are likely to seek only that information that is necessary to conduct the investigation."
Shifting forward, we asked McAndrew to explain the investigation process and some of its complexity.
"Even simple cybercrimes are complex in terms of the investigative process. Attribution of conduct for all essential elements of a crime is critical to a successful prosecution. Finding evidence beyond the victim's network and devices is likewise essential to proving a criminal case. Even if solid proof of criminal activity by particular individuals can be developed, their location beyond US borders often prolongs - if not derails - arrest and prosecution," he explained.
If investigators are successful in all of those steps, they might be able to convince individual targets to cooperate with the investigation into other targets and other cybercrimes. While this process takes place, criminal proceedings may be delayed or remain out of the public eye. Thus, major cases may take years to develop from inception to actual conviction and sentencing.
"In addition to conducting these extremely complex investigations and prosecutions of international cybercrime, law enforcement agencies are increasingly playing the somewhat non-traditional role of threat mitigation by seeking to help organizations better protect themselves against persistent cyber threats. In fact, the US Department of Justice's Computer Crimes and Intellectual Property Section recently created a Cybersecurity Unit dedicated to this objective," McAndrew said.
Each case is a tough case from start to finish, and McAndrew explained that advances in speed, capacity, locational obfuscation and encryption have only made the job harder over the years.
"The most difficult cases I have faced in a constantly changing technological environment involve groups of threat actors each with high quality operational security making their activities, identities and relationships to one another difficult to trace," he said.
"These same types of cases often involve multiple victims located in different places. Investigating what are ongoing crimes in the current climate of data breach response obligations is a daily high wire act. Every cyber case is a crisis for every victim. Remaining sensitive to the competing demands placed on victims in the face of ongoing harm of unknown dimensions is a constant challenge."
So when a breach happens, don't focus on attribution, focus on recovery and mitigating the damage and data loss. After that, focus on getting the necessary information to law enforcement as quickly as possible, while starting the process of informing customers and those impacted within a proper time frame.
In addition to logs and the other previously technical information, McAndrew has created a checklist of information organizations should be prepared to share with law enforcement.
CSO Online has reproduced this list below:
- Identity and contact information for individuals responsible for various components of incident response (legal, IT, senior management, outside consultants, etc.).
- Information about discovery of the incident and steps taken since the discovery of the incident.
- Information relating to past incidents that may be related to the current incident.
- Information about past contact with law enforcement agencies about other incidents. [This can allow the LEA to quickly cross reference historical information].
- Identification of information systems and components involved and their locations.
- Signatures for detected malware, spyware, etc.
- System logs (DNS, servers, etc.) relating to the incident.
- IP addresses and other external identifiers believed to be involved in the incident.
- Network maps, locations and data flows relating to the incident, including vendors and cloud service providers.
- Data Loss Prevention (DLP) information.
- Intrusion Detection System (IDS) information.
- SIEM information and log correlation information.
- Endpoint management and access control information relating to the incident.
- Information for firewalls and anti-virus, anti-spam, anti-spyware, malware and phishing defenses networks related to the incident.
This story, "Organizations should focus data sharing post-incident, not attribution" was originally published by CSO.