There are a variety of ways a company can experience a cyber incident, ranging from a denial-of-service attack against its network to internal information theft.
The first response is usually to enlist incident response professionals to resolve the situation as quickly and efficiently as possible. However, there are several factors companies should consider in determining the best response to an incident. The fact is, a poorly executed response or an ill-thought-out strategy can have long-term consequences for your business.
This article will examine the key points companies must take into account before they execute a response to a cyber incident.
Determine your Priorities
In today’s digital world, every company should anticipate a cyber incident at some point. How your organization responds can have as much impact as the incident itself. If and when your organization experiences a cyber incident, as a first step determine what your top priority is:
- To limit damage?
- To attempt recovery of lost or stolen assets?
- To achieve compliance requirements such as customer and government notification or regulatory deliverables?
- Prosecution of the cybercrime?
- Some combination of the above? Other unique requirements?
Understanding what matters most to your organization will ultimately determine the kind of support you enlist and in what order.
When the Culprit is an Insider
When the source of a leak or security compromise is potentially the result of insider action, it presents a unique set of challenges for companies to address.
First, keep in mind that the insider is most likely well placed to access sensitive information, from technology IP to customer lists and even personal employee or executive data. While the threat of such a scenario is quite serious, the investigation of a suspected employee must be conducted in a highly discreet and professional manner.
In the event an employee is unjustly accused, an aggressively executed investigation will almost certainly damage the employee’s relationship with the company, could negatively impact company morale and undermine the trust of other employees, and will ultimately expose the company to lawsuits.
On the other hand, if the suspected employee is in fact guilty, a poorly executed investigation could alert him or her to the investigation effort and could even compromise the company’s ability to build a successful prosecution.
Companies with a suspected or real insider threat need to first ensure that evidence is gathered immediately, discreetly, and in a forensically sound manner. Prompt evidence gathering reduces the likelihood of evidence loss should the investigative effort be detected or should the employee/executive depart the company before the investigation is completed. Proper evidence gathering requires forensic experience: the mere act of looking at files changes metadata (opening a file on a live system can, for example, update its access timestamp), which in turn introduces both risk and difficulty in attribution as well as weaknesses in subsequent civil or criminal prosecution.
The investigation itself needs to be tightly contained within the company. Specifically, a hand-picked group needs to be appointed to work with the forensic investigator(s) and represent the following minimum stakeholders: legal, HR, the manager of the subject of the investigation, IT, and subject matter experts if the person investigated is working on or accessing complex evidence. The internal team also needs recourse to trusted co-workers or associates of the subject in order to determine relevant social and behavioral factors.
One reason for this is that the insider may be in a sensitive position: not just an executive, but especially IT personnel. IT personnel have access surpassing what even many executives possess and are also placed both to learn of the investigation and to potentially cause great harm.
The investigation should also examine factual misuse or abuse of privileges as well as build a means, motive, and opportunity (MMO) profile of the subject. Misuse or abuse are certainly key pieces of evidence, but motivation and capability are equally important in ensuring effective prosecution.
The Streisand Effect
The so-called Streisand effect refers to the phenomenon where an attempt to hide or censor information has the opposite and unintended consequence of publicizing the information more widely, usually via social media.
For companies that have experienced a hack and are concerned about potential damage to their reputation, it is important to formulate a strategic response which considers both cyber security and crisis communication/public relations analysis to assess potential fallout and devise the optimal course of action to mitigate the issue. We have seen many real-world examples where the reality of a breach is much less damaging when proactively managed and communicated than when the company attempts to conceal or cover up the incident.
Expert evaluation can be a powerful tool in ensuring a quick and decisive response plan is put in place.
To ensure network security, companies typically employ password protection of networks and data.
However, reliance on passwords has its own pitfalls. Because it is human nature to try to minimize the number of passwords and user login details to remember, it is common for employees to reuse the same password for multiple sites regardless of whether they are accessing those sites for professional or personal purposes. If you know a user’s login credentials for one site, say LinkedIn, chances are the same credentials can be used to access any number of other sites, including otherwise secure corporate networks.
Cyber criminals have exploited that weakness by harvesting user login credentials from LinkedIn, large ISPs, and other commonly used third-party services and then selling access to databases of such information. Companies willing and able to monitor third-party databases for reused logins and password credentials can significantly improve both their customer and internal security.
However, care should be taken in doing so. Publicly accessible databases of compromised user credentials provide a great public resource, but the data contained there is generally old and has already been monetized by cyber criminals.
Databases that are still in the process of being monetized are far more valuable in preventing skilled cyber criminal access, but access to these kinds of databases must be bought from their cyber criminal holders. Cyber criminals who trade in this kind of illegally accessed data tend to sell access to it for Bitcoin. Some organizations that have purchased access to such dark web databases of user credentials in order to detect and investigate potential weaknesses or possible intrusions into their own network have instead introduced risk.
Bitcoin keeps a public record of all transactions; as such, a company performing this kind of intelligence gathering would be on the public ledger as having sent funds to the same addresses as ransomware purveyors or other suspected criminals such as drug dealers.
Also, if anyone is willing to pay hundreds or thousands of dollars via Bitcoin to access all records containing a specific company name in a large database of leaked logins and passwords, that activity itself shows the database seller (a cyber criminal) that there is something of interest in that company, for which he or she already possesses a list of potential access credentials.
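One way to get the benefit of leak monitoring described above without handing a full password hash (or a list of your user names) to a third party is a k-anonymity range query: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every leaked suffix under that prefix, and finishes the comparison locally. The following is an added example, not code from the article or its author; the leaked-credential corpus and e-mail addresses in it are constructed, and the 5-character SHA-1 prefix scheme follows the convention used by the public Have I Been Pwned Pwned Passwords range API, which is an assumption about the service you would query rather than something the article states.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-credential corpus (e.g. an old LinkedIn dump).
# Real corpora hold hundreds of millions of rows; these four are made up for the example.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "linkedin2012"),
    ("bob@example.com", "Summer2016!"),
    ("carol@example.com", "password1"),
    ("dave@example.com", "linkedin2012"),
]


def sha1_hex(password):
    """SHA-1 is used only as a lookup key to match leak corpora, never for password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(credentials):
    """Index side: map the first 5 hex chars of each hash to {remaining 35 chars: count}."""
    index = defaultdict(lambda: defaultdict(int))
    for _email, password in credentials:
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] += 1
    return index


def range_query(index, prefix):
    """Index side: answer a range query. It only ever sees a 5-char prefix (a 2^20-way bucket)."""
    return dict(index.get(prefix.upper(), {}))


def leaked_count(password, query, sent_log):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    sent_log.append(prefix)  # record exactly what the remote side learned
    return query(prefix).get(suffix, 0)


INDEX = build_range_index(LEAKED_CREDENTIALS)
SENT_TO_INDEX = []  # every value ever sent across the trust boundary


def check_password(password):
    """Number of times this password appears in the corpus; 0 means never seen."""
    return leaked_count(password, lambda p: range_query(INDEX, p), SENT_TO_INDEX)


def reused_from_corpus(email, password, credentials):
    """True if the password being set equals the one leaked for this user on a third-party site."""
    digest = sha1_hex(password)
    return any(e == email and sha1_hex(p) == digest for e, p in credentials)


if __name__ == "__main__":
    for candidate in ("linkedin2012", "correct horse battery staple"):
        print(candidate, "seen", check_password(candidate), "time(s) in corpus")
    print("alice reusing her leaked password:",
          reused_from_corpus("alice@example.com", "linkedin2012", LEAKED_CREDENTIALS))
    print("prefixes sent to index:", SENT_TO_INDEX)
```

In a real deployment the index side is the leak-corpus service and the client side is your password-change hook or your periodic audit of employee accounts; the `SENT_TO_INDEX` list makes the privacy property visible, since nothing longer than five hex characters ever leaves the client. This addresses the monitoring benefit only; it does not change the warning above about buying data from the criminals who hold it.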
Appointing the right people
There is a multitude of services companies can call on when a cyber incident occurs, but quality of service can vary dramatically. There is a natural tendency for security-conscious organizations to gravitate towards high-profile consultancy firms that offer potential solutions at a premium price, but before deciding whom to engage, consider the following:
If the end goal is one of the following, be sure to keep in mind that legal and public relations expertise is a vital part of most customer-facing or external-facing mitigation efforts.
Recovery of Assets
Unauthorized access to other networks is a crime even for victims of cyberattacks. Working with law enforcement and the judicial system is key to gaining access to cyber criminals’ computers and networks, especially if they reside in other state or even international jurisdictions.
If internal resources are not experienced with cyber attacks or breaches, external expertise should be retained.
Civil or Criminal Prosecution
Ensure you work with a firm that has experience in digital forensics, e-Discovery, and civil or criminal prosecution. The firm should demonstrably understand the chain of custody, investigation and documentation requirements for your region. Chain of custody refers to the process of documenting the movement and location of potential evidence to demonstrate that it has not been contaminated or tampered with.
Investigation and documentation is the process by which investigators arrive at a thorough and complete understanding of an incident and then convert that information into a legal report specifically for use in the legal proceeding. Note that these areas are above and beyond pure technical expertise; familiarity and experience with legal proceedings is crucial. Lawyers understand the law but often do not understand digital investigations or forensics. Likewise, technical experts may overlook potential legal pitfalls, failing, for example, to appropriately document their processes as they move forward with an investigation.
An experienced digital forensics firm will understand the importance of working closely with an organization’s legal representatives and explaining vital digital nuances, thus ensuring the best possible chance of a victory in the courts.
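The two mechanical pieces behind the advice above, gathering insider evidence in a forensically sound manner and keeping a chain of custody that will survive scrutiny, come down to hashing each item the moment it is acquired and appending a custody entry at every hand-off, so that any later change is provable. The following is an added example, not code from the article or any forensics product it mentions; the evidence file content, the examiner and counsel names, and the manifest layout are constructed for illustration. It hashes an acquired copy, not the live original, precisely because reading the original would alter the access metadata the text warns about.

```python
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(paths, collector):
    """First custody entry: who collected which items, when, and what they hashed to.
    Run this against the acquired copy/image, not the live original, so hashing
    does not itself touch the original's access timestamps."""
    items = []
    for path in paths:
        st = os.stat(path)
        items.append({
            "path": os.path.abspath(path),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": sha256_file(path),
        })
    return {"items": items,
            "custody": [{"action": "acquired", "by": collector, "at": time.time()}]}


def record_transfer(manifest, from_person, to_person):
    """Every hand-off gets an entry; the chain of custody is the sequence of these entries."""
    manifest["custody"].append({"action": "transferred", "from": from_person,
                                "to": to_person, "at": time.time()})
    return manifest


def verify(manifest):
    """Re-hash each item and return the paths whose contents no longer match acquisition."""
    return [item["path"] for item in manifest["items"]
            if sha256_file(item["path"]) != item["sha256"]]


def to_json(manifest):
    """Serialised form to be stored (and ideally signed) alongside the evidence."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def demo():
    """Acquire a constructed evidence file, hand it to counsel, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "export.csv")
        with open(evidence, "w") as f:
            f.write("customer,contact\nacme,ops@example.com\n")  # constructed sample content
        manifest = acquire([evidence], collector="forensic examiner")
        record_transfer(manifest, "forensic examiner", "legal counsel")
        before = verify(manifest)
        with open(evidence, "a") as f:
            f.write("tampered\n")  # simulate an alteration after acquisition
        after = verify(manifest)
        return {"mismatches_before": before, "mismatches_after": after,
                "custody_entries": len(manifest["custody"]),
                "manifest_json": to_json(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest records size and modification time as well as the hash because a timeline question ("was this file changed before or after the employee gave notice?") is usually asked alongside the integrity question; the hash is what proves the copy examined in court is the copy that was acquired.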
Cyber incidents and the response to them should always be viewed holistically and not just as a digital or technology issue. A good incident response team should incorporate technical expertise, legal knowledge, and public relations know-how to ensure a coordinated and effective response. Having an incident response plan prepared ahead of time, including potential providers, can be of great benefit. A pre-negotiated incident response retainer, for example, can reduce costs considerably, as it avoids having to negotiate with a vendor while standing ankle-deep in water in your house.
While companies cannot control the types of cyber incidents they will face, they can control how they respond and can optimize that response to minimize any fallout and secure a positive outcome.
About the Author: Calvin Liu is Director of Operations and Cofounder at Ventura Venture Risk Management. Calvin began his career as an electrical engineer, working as a designer on the AMD K6 and K7 processors. He then spent 10 years in the semiconductor industry and was a lead consultant in the formation of the Stingray Division in Motorola Semiconductor. Earlier roles include Solution Architect at Nihon Synopsys KK Consulting, Branch Manager for Epic Design Technology in Japan and Senior Manager at Pulse Design Services, where he was responsible for all technical interactions with Taiwan Semiconductor (TSMC), encompassing joint marketing, IP and new technology development. Calvin also has 8 years’ experience in the startup world, including developing hardware and software products and GIS/GPS systems.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.