BreachExchange mailing list archives

Organizations should focus data sharing post-incident, not attribution


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Aug 2015 17:36:52 -0600

http://www.csoonline.com/article/2956417/security-industry/organizations-should-focus-data-sharing-post-incident-not-attribution.html

There have been several notable security incidents in the news this year,
from healthcare and retail breaches, to financial; even security firms
themselves have been targeted.

In each instance, attribution seems to take the lead during incident
response, something organizations should resist. The key is collecting the
right information and passing it on to the right people. When it comes to
figuring out who did it and where they are, authorities are the ones who
should take the lead – organizations that focus on this area first are
wasting resources and time.

US Attorney Ed McAndrew (DE), who has years of experience working cases
dealing with Internet-based crimes under his belt, recently spoke to CSO
Online and offered some unique insight into the federal side of incident
response and what organizations can do to better prepare for law
enforcement involvement.

McAndrew says that instead of focusing on who is responsible, organizations
should resist this and direct their energies towards damage and data loss
mitigation, while providing details to law enforcement so they can be the
ones to determine who committed the crime, and what actions need to be
taken against them - whether that is capture and prosecution or disruption
and deterrence.

"Organizations that suffer cyberattacks are victims. Like many other types
of crimes, cybercrimes cannot be effectively investigated and prosecuted
without the help of victims. The timely and meaningful sharing of
information is critically important to our ability to help mitigate these
crimes and, to the extent possible, prevent their continuation and
recurrence," McAndrew said.

How the breach is detected will vary. Sometimes organizations are informed
of a breach by a third-party, but some are able to self-detect. No matter
how discovery occurred, law enforcement needs to be contacted about the
incident, but should the organization contact local or federal authorities?

The question sounds simple, but some smaller organizations, large ones too,
might consider state police or even local authorities as the first line of
contact. That's wrong.

"Organizations should contact federal law enforcement agencies -
particularly the FBI and/or the United States Secret Service. Network
intrusions and resulting ID and IP theft are, by their very nature,
interstate or international in scope. Cyber actors often victimize multiple
organizations during the same time period. Both the cyber actors and the
victims are often spread across multiple jurisdictions and countries,"
McAndrew explained.

By going federal, the organization starts a process that enables an
efficient and comprehensive investigation. No case is perfect, but the
ability to investigate and document the steps taken on both sides (victim
and perpetrator) is critical to attribution, mitigation and prosecution.

"The FBI and the Secret Service are best equipped and positioned to conduct
these national and international cyber investigations effectively and
efficiently," McAndrew added.

This led to a follow-up question, are there any limits or rules for federal
notification?

"Due to the multiple objectives of cyber actors and the constant evolution
in the manner of attack and impact on organizations, there are no rigid
requirements as to the cases that are ultimately investigated. There is no
single standard when it comes to federal notification requirements for
victimized organizations. There are over 50 federal laws relating to
cybersecurity and data privacy. Different industries and sectors are often
governed by different standards," he said.

When it comes to the information that should be collected and given to law
enforcement, McAndrew noted that priority assets will vary per
investigation, but in general law enforcement is interested in data that
can be used to identify perpetrators, as well as data that relates to the
timing and manner of breach, data exfiltration, and any disruptive or
destructive activity.

"Any existing system logs, SIEM data, IDS, DLP, endpoint data, network and
data flow maps might provide insights into these issues and be most helpful
to investigations," he said.

But some organizations will be hesitant to share complete details. Even so,
data related to internal investigative reports or forensic examinations
conducted by non-law enforcement personnel should be shared anyway, even
partial information.

"While law enforcement agencies can best help victims when provided with as
much information as possible about a cyber-incident, we are very sensitive
to the complex legal and business issues surrounding sharing data with
government investigators," McAndrew added.

Law enforcement, he says, recognizes that organizations must balance the
competing and contemporaneous roles of: crime victim; target of inquiry
from governmental and non-governmental entities outside of federal law
enforcement; and civil litigant.

"Federal law enforcement agencies are likely to seek only that information
that is necessary to conduct the investigation."

Shifting forward, we asked McAndrew to explain the investigation process
and some of its complexity.

"Even simple cybercrimes are complex in terms of the investigative process.
Attribution of conduct for all essential elements of a crime is critical to
a successful prosecution. Finding evidence beyond the victim's network and
devices is likewise essential to proving a criminal case. Even if solid
proof of criminal activity by particular individuals can be developed,
their location beyond US borders often prolongs - if not derails - arrest
and prosecution," he explained.

If investigators are successful in all of those steps, they might be able
to convince individual targets to cooperate with the investigation into
other targets and other cybercrimes. While this process takes place,
criminal proceedings may be delayed or remain out of the public eye. Thus,
major cases may take years to develop from inception to actual conviction
and sentencing.

"In addition to conducting these extremely complex investigations and
prosecutions of international cybercrime, law enforcement agencies are
increasingly playing the somewhat non-traditional role of threat mitigation
by seeking to help organizations better protect themselves against
persistent cyber threats. In fact, the US Department of Justice's Computer
Crimes and Intellectual Property Section recently created a Cybersecurity
Unit dedicated to this objective," McAndrew said.

Each case is a tough case from start to finish, and McAndrew explained that
advances in speed, capacity, locational obfuscation and encryption have
only made the job harder over the years.

"The most difficult cases I have faced in a constantly changing
technological environment involve groups of threat actors each with high
quality operational security making their activities, identities and
relationships to one another difficult to trace," he said.

"These same types of cases often involve multiple victims located in
different places. Investigating what are ongoing crimes in the current
climate of data breach response obligations is a daily high wire act. Every
cyber case is a crisis for every victim. Remaining sensitive to the
competing demands placed on victims in the face of ongoing harm of unknown
dimensions is a constant challenge."

So when a breach happens, don't focus on attribution, focus on recovery and
mitigating the damage and data loss. After that, focus on getting the
necessary information to law enforcement as quickly as possible, while
starting the process of informing customers and those impacted within a
proper time frame.

In addition to logs and the other technical information mentioned
previously, McAndrew has created a checklist of information organizations
should be prepared to share with law enforcement.

CSO Online has reproduced this list below:

- Identity and contact information for individuals responsible for various
components of incident response (legal, IT, senior management, outside
consultants, etc.).

- Information about discovery of the incident and steps taken since the
discovery of the incident.

- Information relating to past incidents that may be related to the current
incident.

- Information about past contact with law enforcement agencies about other
incidents. [This can allow the LEA to quickly cross-reference historical
information.]

- Identification of information systems and components involved and their
locations.

- Signatures for detected malware, spyware, etc.

- System logs (DNS, servers, etc.) relating to the incident.

- IP addresses and other external identifiers believed to be involved in
the incident.

- Network maps, locations and data flows relating to the incident,
including vendors and cloud service providers.

- Data Loss Prevention (DLP) information.

- Intrusion Detection System (IDS) information.

- SIEM information and log correlation information.

- Endpoint management and access control information relating to the
incident.

- Information for firewalls and anti-virus, anti-spam, anti-spyware,
malware and phishing defenses on networks related to the incident.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 