Under attack. "Our IT systems have been compromised," reads an email from the IT Director. Where do you start?

If the company's IT systems are compromised, act first to stop the bleeding. When someone out in the bush collecting firewood or grazing cattle is bitten by a snake, the first priority is first aid with the sole objective of preventing the poison from reaching the heart. Likewise, in an accident, you first stop the bleeding.

In a cyber attack, the bleeding is the loss of confidentiality, the loss of data integrity and the loss of system availability. You want to stop the attackers from doing more harm. When IT systems are breached, the lifeblood of the business (intellectual property and money) could be flowing out and being lost. First, disconnect the suspected victim systems from the Internet. Shut the systems down in a way that does not compromise the integrity of the evidence, so that the crime scene is preserved. Report the matter to top leadership, and file a brief police report.

First things first: the back story.

14th June 2018. In a late-evening email to the CEO, the IT Director stated that the Deep Fresh Beverages server was down, the website defaced, and the business's customer supply chain database locked.

According to the preliminary findings of the IT team, this is what happened. Intruders cracked the email account of Stella, the CEO's assistant, using a phishing email. They used the assistant's credentials to log into the company's customer supplier database and locked legitimate users out. One of the assistant's emails contained a message from IT with the credentials to the web server. The intruders used these to deface the website.

In his concluding paragraph, the IT Director asked, "What next?"

The starting point

We have the Computer Misuse Act 2011, which provides for crimes committed through computers. If the company is going to prosecute the case, you need to have done the right thing: proper crime-scene first-responder procedures, especially with respect to evidence preservation and chain of custody. The police should have a record of the matter. Focus on avoiding evidence contamination, as contamination spoils evidence and renders it inadmissible. You do not want critical evidence to be lost in the process. Preserved evidence is what allows digital forensics to determine what took place.

One of the biggest challenges for leaders is having an incident without being able to know what happened. This results from poor handling of the crime scene. Critical evidence can be lost if it is not managed in line with the rules of evidence. It is recommended that network logs, database logs, and the logs of other critical services such as Active Directory or email are backed up in real time to an offsite environment or to the cloud, with limited access for insiders. Many leaders rely on network devices such as firewalls to also hold logs. The challenge with these is that they have limited storage and cannot retain logs for long.

Before the incident happens, the criminals could have been footprinting the target, gathering as much information as they can, for a year or more, since they have time and are patient. That could have been the case at Deep Fresh Beverages. Relying only on the network devices' own logs, those logs could have been overwritten by the device itself as it frees up space for the newest entries, deleting the old ones. With automatic external backups, however, you have a good chance of reconstructing the incident to determine what exactly happened. An investigation helps to determine whether outsiders were involved in the attack. If the network devices show no unusual traffic originating from outside, that excludes the possibility of outsiders having been involved in the crime. You can then zero in on the internal suspects. This gives you the confidence to know that the enemy is inside. You have solved one of the biggest parts of the puzzle. When you have a big problem, break it down into small parts. Once this is achieved, restrict access to the evidence, including for internal people. We call this trust after controls.
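As an added example that is not from the article or from Summit Consulting, the Python below runs the outsider-versus-insider check and the log-retention check over a constructed login-log export from the supplier database; the log format, the account names and the internal address ranges are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not from the article): "<ISO timestamp> <user> <source IP> <outcome>"
# as a supplier-database login log might be exported. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for Internet addresses.
SAMPLE_LOGS = """\
2018-06-13T22:14:05 stella 10.0.3.21 success
2018-06-14T01:02:33 stella 198.51.100.7 success
2018-06-14T01:05:10 stella 198.51.100.7 success
2018-06-14T09:40:00 jmukasa 10.0.3.40 success
2018-06-14T18:22:47 stella 203.0.113.9 failure
"""

# RFC 1918 address space treated as "inside" the company network (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_logs(text):
    """Turn the exported text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": ipaddress.ip_address(src), "outcome": outcome})
    return events

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def external_logins(events):
    """Events whose source lies outside the internal ranges: evidence of outsider access."""
    return [e for e in events if not is_internal(e["src"])]

def users_seen_from_outside(events):
    """Accounts used from both inside and outside: the pattern of a stolen credential."""
    inside = {e["user"] for e in events if is_internal(e["src"])}
    outside = {e["user"] for e in events if not is_internal(e["src"])}
    return sorted(inside & outside)

def coverage_gap_days(events, lookback_days):
    """Days of the wanted look-back window that the retained logs do not cover. A non-zero
    value means a rolling on-device buffer has already overwritten that period."""
    oldest = min(e["ts"] for e in events)
    newest = max(e["ts"] for e in events)
    window_start = newest - timedelta(days=lookback_days)
    return max(0, (oldest - window_start).days)
```

With the sample above, a 30-day look-back leaves 29 days uncovered, which is exactly the footprinting period an offsite log backup would have preserved.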

Do not put full trust in your IT team or risk management until you have put checks and balances in place and the evidence shows otherwise. In a forensic investigation, everybody is a suspect until the evidence proves otherwise. Restricting access to critical information, especially the investigation file, and preserving the evidence are very important. You want to know which computer was at the centre of the crime: which one was used, or which one facilitated the crime?

Physical security has to work together with digital security, or else you will struggle to connect the dots that solve the case. In one of the cases we investigated, a service provider left a keylogger in a core banking system with certain automated instructions. For the keylogger to be activated, someone had to switch it on manually. The person who accessed the server room asked the cleaner to open the door for him, and the cleaner innocently did. It took countless hours to figure out how the hack was executed. After months of investigation, with digital evidence that was not conclusive, we needed to know who could have accessed the server room to flip the manual switch. We went back to the biometric access records and listed everybody who had entered the offices that day, from the main gate and the restricted floors, to check against the cameras and the biometric access log. Later, we casually learnt from the cleaner that she had opened the server room for one of the staff. This helped us connect the dots and close the case. Make sure your physical security is aligned with your cybersecurity, or whatever you are doing is a wasted investment.

What next

It is critical to restrict access and hold everyone accountable for their user rights. Evaluate the extent of the damage at Deep Fresh Beverages. Evaluate your cybersecurity insurance options and inform your insurance partner. Continuously practise cyber security hygiene, including penetration testing, to minimize your organization's attack surface.

For a cyber security maturity assessment for effective cyber hygiene, contact us.

Copyright Summit Consulting Ltd, white hut team 2022. All rights reserved.
