Managing a cyber crime scene

Challenges to data security have reached epidemic proportions, as evidenced by recent consumer and government breaches that have put hundreds of millions of Americans' credit and debit cards, email addresses and other personal information at risk. The number of people affected by cyberattacks has intensified the spotlight on how organizations, including government, respond to data breaches.

Federal IT and security professionals can take a few tips from law enforcement and learn to secure technological "crime scenes," assess the damage and report on how an attack was carried out.

1. Arriving on the scene

As law enforcement officers at a physical crime scene first scan the area to make initial observations about how the incident occurred, security professionals must first assess the business impact of a technological crime scene. Specifically, they must determine the incident's severity, whether confidential information was compromised, what steps have been taken to contain the immediate threat and how the attack happened.

Shutting down a system too quickly could compromise a forensic investigation. Therefore, security professionals should quickly identify what systems or servers have been affected, what data could be lost if a computer or system is powered off and what static data is stored on hard drives.

2. Collecting evidence

Similar to taking photographs and fingerprints at a physical crime scene, security professionals should use forensic imaging to record the affected system and related components. That approach captures the relevant network traffic and creates a snapshot of the environment as it was at the time the incident occurred. If system changes are made later in the investigation, an exact image of the breached systems is preserved for analysis.

Next, the investigators should evaluate all available information sources, including virtual machines, log files and external devices that might have been used. They should "fingerprint" collected evidence using a one-way hash -- a cryptographic hash function whose output cannot be reversed, is for all practical purposes unique to the data it was computed over, and can be recomputed later to prove the integrity of the collected information.
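The fingerprinting step above, as an added example that is not part of the original article: the script streams each collected item through SHA-256, writes a manifest recording who collected what and when, and lets a second examiner recompute every digest later to show that nothing was altered or lost. The evidence files, the collector name "examiner-01" and the manifest layout are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB pieces so disk images of any size fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file without loading it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, algorithm="sha256"):
    """Record collector, collection time and each item's size and digest at collection."""
    return {
        "algorithm": algorithm,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "digest": hash_file(p, algorithm)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Recompute every digest; report 'ok', 'MISMATCH' or 'missing' per item."""
    results = {}
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            results[path] = "missing"
        elif hash_file(path, manifest["algorithm"]) == item["digest"]:
            results[path] = "ok"
        else:
            results[path] = "MISMATCH"
    return results


def demo():
    """Constructed end-to-end run: collect, verify, then show what tampering and loss look like."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-ins for collected evidence; real items would be disk/memory images and logs.
        samples = {
            "srv01-disk.img": b"\x00" * 4096 + b"constructed disk image placeholder",
            "srv01-memory.raw": b"constructed memory capture placeholder",
            "auth.log": b"Apr 12 14:03:05 srv01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5\n",
        }
        paths = []
        for name, content in samples.items():
            p = os.path.join(workdir, name)
            with open(p, "wb") as fh:
                fh.write(content)
            paths.append(p)

        manifest = build_manifest(paths, collector="examiner-01")
        manifest_path = os.path.join(workdir, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)

        # Later re-verification from the written manifest, as a second examiner would do.
        with open(manifest_path) as fh:
            reloaded = json.load(fh)
        initial = verify_manifest(reloaded)

        # Simulate a one-byte change to the log and loss of the memory capture.
        with open(paths[2], "ab") as fh:
            fh.write(b"\n")
        os.remove(paths[1])
        after = verify_manifest(reloaded)
        return initial, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", sorted(set(before.values())))
    print("after tampering:", {os.path.basename(k): v for k, v in after.items()})
```

The manifest itself should be signed or stored somewhere the examiners cannot silently rewrite; a digest list that lives beside the evidence it describes proves little by itself.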

3. Assembling the pieces

After a crime scene review is complete, detectives analyze fingerprints, initiate DNA testing and talk to witnesses. Federal agencies should conduct similar post-breach analyses by taking these steps:

  • Examine artifacts from collected images to develop a detailed timeline of the breach.
  • Determine how applications, servers and devices were configured or patched when the attack occurred.
  • Analyze file systems and memory images to determine if any unusual files, processes or suspicious network connections exist.
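The first step above, building a timeline from artifacts that come from different sources, is mostly a matter of normalising timestamps before sorting. The following is an added example, not code from the original article: it takes three constructed records of one incident (a web server access log entry, a classic syslog line with no year and no zone, and an endpoint record in JSON with a local-time offset), converts each to UTC and orders them. The record contents, the hostname "srv01" and the field names are constructed; the assumption that the syslog host's clock ran in UTC is marked in the code and is exactly the kind of fact the examiner has to establish from the collected configuration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed records from three sources describing the same incident. Real ones would be read
# from the collected images and log files. Note the mixed formats and the EDR record's -05:00 offset.
WEB_ACCESS_LINES = [
    '10.0.0.5 - - [12/Apr/2018:14:03:07 +0000] "GET /admin HTTP/1.1" 200 512',
]
SYSLOG_LINES = [
    "Apr 12 14:03:05 srv01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 52211",
]
EDR_JSON_LINES = [
    '{"ts": "2018-04-12T09:03:09-05:00", "host": "srv01", "event": "process_start", "image": "powershell.exe"}',
]

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_web(line):
    """Common log format: the bracketed timestamp carries its own UTC offset."""
    m = WEB_RE.match(line)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "source": "web", "summary": f'{m.group("ip")} {m.group("req")} -> {m.group("status")}'}


def parse_syslog(line, year, tz=timezone.utc):
    """Classic syslog omits year and zone; the examiner supplies both (assumption here: host clock in UTC)."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
    return {"ts": ts, "source": "syslog", "summary": f'{m.group("host")} {m.group("msg")}'}


def parse_edr(line):
    """JSON record with an ISO 8601 timestamp that is offset-aware; converted to UTC later."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"])
    return {"ts": ts, "source": "edr", "summary": f'{rec["host"]} {rec["event"]} {rec["image"]}'}


def build_timeline(web_lines, syslog_lines, edr_lines, syslog_year):
    """Parse every source, express all timestamps in UTC and return the events in time order."""
    events = [parse_web(line) for line in web_lines]
    events += [parse_syslog(line, syslog_year) for line in syslog_lines]
    events += [parse_edr(line) for line in edr_lines]
    for event in events:
        event["ts"] = event["ts"].astimezone(timezone.utc).isoformat()
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for event in build_timeline(WEB_ACCESS_LINES, SYSLOG_LINES, EDR_JSON_LINES, syslog_year=2018):
        print(event["ts"], event["source"].ljust(6), event["summary"])
```

Without the conversion the endpoint record would sort five hours before the other two and suggest a sequence of events that never happened; recording the clock offset and the assumed year for each source in the report is what lets another expert reproduce the ordering.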

4. Documenting the investigation

If a cyber crime eventually proceeds to trial, a thorough report of the steps taken during the breach investigation will be important for the prosecution. To better defend any challenge to statements of fact made in the account, security professionals should include information on how the analyzed artifacts were recovered from collected data.

The narrative should be detailed enough to allow another expert to start from a duplicate copy, follow the steps outlined and reach the same results. The report should answer questions identified as critical during the investigation and clarify questions where no evidence supports the claim.

5. Updating the public

Despite the pressure to report some findings almost as soon as a security incident is uncovered, it is advisable not to rush evidence collection and analysis. Security leaders should understand applicable federal laws and notification requirements, and make sure they have gathered sufficient facts before making a public statement.

A technological crime scene is as complicated as a physical crime scene, and an effective probe requires a careful approach to preserve evidence for potential future litigation. Federal agencies must balance the need to respond to constituent concerns with the necessity to carry out a thorough investigation and should be cautious about providing information to the public until they have accurately confirmed the breadth and scope of the incident.

About the Author

Jayne Friedland Holland is chief security officer at NIC Inc.
