Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Organizations should focus data sharing post-incident, not attribution

Steve Ragan | Aug. 5, 2015
Assistant US Attorney Ed McAndrew shares tips on what organizations should do after a breach has been discovered. The key is information, not attribution.

"The FBI and the Secret Service are best equipped and positioned to conduct these national and international cyber investigations effectively and efficiently," McAndrew added.

This led to a follow-up question, are there any limits or rules for federal notification?

"Due to the multiple objectives of cyber actors and the constant evolution in the manner of attack and impact on organizations, there are no rigid requirements as to the cases that are ultimately investigated. There is no single standard when it comes to federal notification requirements for victimized organizations. There are over 50 federal laws relating to cybersecurity and data privacy. Different industries and sectors are often governed by different standards," he said.

When it comes to the information that should be collected and given to law enforcement, McAndrew noted that priority assets will vary per investigation, but in general law enforcement is interested in data that can be used to identify perpetrators, as well as data that relates to the timing and manner of breach, data exfiltration, and any disruptive or destructive activity.

"Any existing system logs, SIEM data, IDS, DLP, endpoint data, network and data flow maps might provide insights into these issues and be most helpful to investigations," he said.

But some organizations will be hesitant to share complete details. Even so, data related to internal investigative reports or forensic examinations conducted by non-law enforcement personnel should be shared anyway, even partial information.

"While law enforcement agencies can best help victims when provided with as much information as possible about a cyber-incident, we are very sensitive to the complex legal and business issues surrounding sharing data with government investigators," McAndrew added.

Law enforcement, he says, recognizes that organizations must balance the competing and contemporaneous roles of: crime victim; target of inquiry from governmental and non-governmental entities outside of federal law enforcement; and civil litigant.

"Federal law enforcement agencies are likely to seek only that information that is necessary to conduct the investigation."

Shifting forward, we asked McAndrew to explain the investigation process and some of its complexity.

"Even simple cybercrimes are complex in terms of the investigative process. Attribution of conduct for all essential elements of a crime is critical to a successful prosecution. Finding evidence beyond the victim's network and devices is likewise essential to proving a criminal case. Even if solid proof of criminal activity by particular individuals can be developed, their location beyond US borders often prolongs - if not derails - arrest and prosecution," he explained.

If investigators are successful in all of those steps, they might be able to convince individual targets to cooperate with the investigation into other targets and other cybercrimes. While this process takes place, criminal proceedings may be delayed or remain out of the public eye. Thus, major cases may take years to develop from inception to actual conviction and sentencing.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.