This week on our blog, we have a guest post from Thomas Padgett who is Senior Incident Response Analyst at NTT Security.
Several times I have been asked, “why are hackers, cyber criminals, and others responsible for cybersecurity incidents rarely prosecuted for their crimes?”
Allow me to shed some light on the subject, based on my 15 years of prior law enforcement experience, and provide a few tips. It is important to remember that the tips provided below are really the only thing that you can control as it relates to possible criminal or civil litigation. These same tips are also crucial to help determine the root cause of the incident, identify violations of company and HR policies, assist with complete mitigation/recovery of a security related incident and provide the ability for third parties to investigate.
There have been many reasons for non-prosecution provided to me by attorneys and legal counsel, such as the attacker or the victim does not live locally, there is a relatively small likelihood of a successful criminal prosecution and more often, there is not enough probable cause based on a lack of evidence. The “lack of evidence” is where I would like to focus my attention to in this post to attempt to bridge the gap.
Typically, a victim organization responds with a focus on getting back online and does not consider the need to properly collect items of evidentiary value. This gap can be bridged by implementing additional training to provide a focus and awareness of the importance of evidence collection on the frontend. It’s better to have the evidence and not need it than to need it and not have it.
To bridge the gap, there needs to be an increased focus on three key areas:
- Preservation of evidence
- Collection of evidence
- Chain of custody
I specifically separate the preservation of evidence and the collection of evidence because these are not always the same actions.
Preservation of evidence:
The preservation aspect references stopping any alteration of the evidence during the containment, mitigation and recovery phase in response to a cybersecurity incident. For instance, this can be accomplished by simply taking a snapshot of a VM before beginning any work, by maintaining the original endpoint device, and/or by maintaining the storage device that may have been compromised.
Collection of evidence:
This may seem simple in theory but can be more complex than many believe. This is due to:
- Lack of training
- Lack of tools
- Business impact vs collection process time
- Lack of executive management support
The collection of evidence should be performed in a forensically sound manner that can be tested and repeated. It is important to document the steps taken, the dates and times these steps were taken, the methods used, and why the action was performed. There are many ways to accomplish these tasks, although there are preferred methods and industry best standards.
Chain of custody:
Documenting and maintaining the chain of custody of the evidence is another area of importance but too often overlooked. If proper chain of custody is not followed it will call into question the preservation and collection of the evidence even though all the proper protocols were followed. Questions that are always challenged and are points of interest in any criminal or civil proceedings are:
- Who had access to the items of evidentiary value?
- Who Imaged the device, or collected the evidence?
- What are the original and working copy hash values? Do they match?
- What are the dates and times the evidence was accessed by anyone?
- Where is the evidence stored? Is the storage location secure and who has access?
- What are the identifying marks for each piece of evidence?
The key for a strong chain of custody is simple. A paper or electronic format should be used to document the date and time the evidence was collected, document the date and time the evidence was provided to any other person and to document the secure and limited storage area for the evidence. Litigation normally takes places months after the incident date, but if the chain of custody is maintained the timeframe will not matter.
Items of evidentiary value vary in each case. In incidents involving a data breach it is common for the incident to be discovered days, weeks or even months after it initially occurred. Therefore, when an incident is discovered we must all be cognizant of the importance of collecting evidence. You must preserve the evidence, document all steps taken, how steps were performed, and ensure that actions were completed in a method that will allow the evidence to be admissible in court. Proper collection of evidence will also provide the ability for analysis to help determine the root cause of the incident.
Awareness and practice of these tips throughout a response to an incident will help prevent losing evidence and create challenges. Consider these same tips during the preservation of logs files, memory files, back-ups and any other items of evidentiary value. Be aware that the response should not solely focus on returning the endpoint, server etc. to a normal state to minimize any disruption to services, but also to preserve evidence for possible litigation or follow-up investigations. There should be polices and procedures in place, for the preservation, collection, and chain of custody of evidence in conjunction with an incident response plan. These tips will place you in a better position in a criminal or civil proceeding and assist your case from being dismissed due to “lack of evidence”.