Digital Forensics, Incident Response & Attribution

Cybercrime investigations are similar in nature to fraud and financial crime investigations. Today, a great deal of financial crime is in fact cybercrime, and cybercrimes, just like financial crimes, are frequently difficult to spot.

In the case of financial crimes, it might take something like a quarterly financial audit to reveal that something suspect is going on. Some cyber-crimes are subtle like this, too. 

For instance, in the case of a hidden attacker maintaining persistence on a corporate network for purposes of long-term data exfiltration, the intrusion might only be revealed during a network sweep, as part of a periodic threat assessment process, or via a newly installed intrusion detection system.

Not all cybercrimes are difficult to spot. Some cybercrimes reveal themselves as part of the operation: an attacker will contact the victim organisation and attempt to extort a ransom, or an attacker will leak data to the public and the victim company will find out about it.

It’s interesting to note that several high-profile breaches during the past few years were discovered when a cyber security vendor installed their technology stack on the victim’s network as part of a pre-sales demo or trial period.

Regardless of how it’s discovered, once a company suspects that they’re the victim of a financial or cybercrime, they’ll need to collect additional evidence before involving law enforcement. 

Once an investigation is initiated, a variety of third party auditors are usually brought in to help. In the case of suspected fraud or financial crime, insurance companies can provide some of those services. 

In the case of a cybercrime, a cyber security firm specialised in digital forensics and incident response will be called in.

The victim organisation pays for such services out of their own pocket. Why? Because incident response isn’t just about forensics. It’s about cleaning up affected systems, restoring the network to a non-compromised state, restoring lost data, and often it’s also about providing assistance to the victim organisation in adjusting security practices and risk management plans to avoid future incidents. 

As part of the incident response process, law enforcement is involved once enough evidence has been collected to determine when and how the crime was committed.

Once involved, law enforcement agencies utilise the forensic data collected by privately run incident response operations as a starting point for their own investigations. Remember that the police have access to additional sources of evidence that private investigators don’t. 

For instance, law enforcement agencies can subpoena logs from additional private sources (such as Internet Service Providers), and can correlate data from other investigations they’ve run. In our experience, law enforcement will often continue to cooperate with third party first-responders during an ongoing criminal investigation.

Attribution is more of an art than a science. When it comes to cyber-crimes, private incident responders perform educated guesswork. This usually involves correlating the tactics, techniques, and procedures (TTPs) found at the crime scene with previous casework or open source threat intelligence. 

This guesswork includes analysing samples, such as custom tools or malware, found at the scene, language and content patterns found in phishing emails, the locations of C&C servers and phishing sites, techniques used for persistence or lateral movement, IP addresses associated with the attacks, and any other metadata uncovered during the investigation. The motives of suspected criminal groups may also factor into attribution guesswork. 

It’s not uncommon for private cyber security companies to work with law enforcement when determining attribution. However, due to the confidential nature of ongoing law enforcement work, evidence collected by or provided by law enforcement agencies isn’t normally made public as part of a third-party’s attribution conclusions.

There are a lot fewer cyber security companies in the world than there are insurance and financial services companies. Because of that, the demand for cyber security services companies is high. So high, in fact, that security-conscious organizations will often pay a yearly fee to keep a cyber security firm on retainer. By doing this, they ensure that help will be at hand as soon as an incident happens, and that prices for incident response work are charged at agreed upon rates. 

This is not unlike keeping law firms or financial services firms on retainer (for emergencies) or having certain special corporate agreements with insurance partners in place. Organizations that don’t have a cyber security firm on retainer typically have difficulty securing incident response and forensics services when they’re needed, and may end up paying rather high prices when they finally find someone who can help.

Incident response work isn’t just about reacting to breaches and cyber-crimes. Companies are now able to purchase cyber insurance policies. Here’s how forensics work comes into play in the case of an insurance settlement related to a cyber security incident. 

Insurance firms employ claims adjusters whose job it is to investigate insurance claims and determine the extent of a company’s liability when the claim is filed. In a traditional sense, claims adjusters gather data in a variety of ways, including interviewing claimants and witnesses, consulting police and hospital records and inspecting property damage. In the case of a cyber-crime, cyber claims adjusters are brought in to run forensics in a similar way to how incident response is carried out.

Compensation is awarded to the claimant based on the findings of the cyber claims adjuster. If the cyber claims adjuster were to, for instance, determine that a network was breached via a known vulnerability that should have been patched long ago, the claimant may receive a low amount of compensation. This is completely analogous to how an individual claimant would receive a low amount of compensation if they were burgled and it was later determined that they’d left their front door open.

With cyber security incidents becoming more and more widespread, businesses are learning that they need to adapt. This includes setting aside budget to keep cyber security services on retainer, paying for periodic trainings, threat assessments, and risk assessments, and even bringing experts onto their payroll to properly manage their cyber security practices. 

The cost of not taking cyber security seriously today is akin to the cost of not having your business properly insured. And yet there are plenty of businesses out there who don’t think they’ll become the victim of the next breach, and who clearly don’t take these costs into account. And they’re most likely going to end up paying through the nose in the long term.

fSecure:                  Cultural Strategies For Data Security (£):
 
