Incident response and digital forensics – or the securing of evidence in the digital environment

Author
Reinhold Zurfluh
Published
26. November 2018

CSI and other television crime series always center around the investigation of criminal offences such as murder, theft or blackmail. It is not too dissimilar here in our Cyber Defence Center. It is less about murder but theft and blackmail are sadly also common here. What the TV commissioners usually cover in an hour and a half, however, is often, in reality, a long, gruelling process that requires a lot of patience and care. How do our analysts and forensic experts investigate a cyber attack? Find out in this blog post.

Incident response starts with the securing of evidence

Initially, the "scene of the crime" is the starting point for the detailed analysis of a cyber attack and is also the starting point for the incident response. The first question here: Is the offender still in the client's network? If necessary, first aid also needs to be administered to avoid any greater damage. Only then can evidence be secured. Before that nothing can be changed or touched without "gloves". The crime scene is largely cordoned off. All possible access points, systems or "escape routes" are examined – perhaps the offender is still hiding nearby.

The aim of the initial analysis is primarily to clarify whether or not there has actually been a targeted cyber attack or if it was more of a harmless attack. For example, a broken pane of glass is not necessarily a sign of a burglary. It could also simply be an accident caused by children playing. The same principle applies to the cyber world. A missing log file was not always deleted by an attacker trying to hide his tracks. A system administrator may simply have deleted the file either deliberately or inadvertently.

Cyber analysts – the commissioners of cyber defence

If it really is a cyber attack, it is then a matter of analysing the security incident as quickly as possible and avoiding any hasty interventions. This is where our cyber analysts come in. They look for clues, evidence and digital "fingerprints". As in a murder case, they try to reconstruct the crime: Who could the offender be? How did it happen? Did they access sensitive data – the "crown jewels" of your company? What tools were used, in other words, figuratively, the weapons? (This tells us about the skills of the attacker.) And most importantly, was anything stolen, modified or even destroyed? Hopefully not! After all, the detection solutions employed should have detected the attack early on.

The cyber analysts use all of this information to create an offender profile:

  • Did the victim know the offender?
  • Was the attacker familiar with the "crime scene" and was it therefore an insider?
  • Did the attacker choose the target deliberately?
  • Is the offence connected with other events such as business activities, current projects or political or legal disputes?
  • Is this a repeat offender?
  • And so on...

All of these facts help establish whether the wanted individual is a known attacker or not. Or, at the very least, an assessment can be made of what type of attacker is involved and what additional attack phases may be expected.

The next step is to determine where the attack took place and how the hacker managed to access the company network. Our analysts in the Cyber Defence Center use this information to work out what the purpose of the cyber attack may have been. For this, it is important to know what the company's most prized assets are – after all, these will be the target for most attackers. Fortunately, even professional attackers sometimes make mistakes and leave clues behind. Even these tiny signs now help the Cyber Defence experts "arrest" the offender.

Warning sensors to detect hacker activities

There are no handcuffs and prison cells here – even though a cyber attack would indeed warrant them. It is more a matter of catching the attacker in the act. Since most attacks take place over a longer period of time (and the attacker is quiet throughout the process), the task now is to make the offender believe they have not yet been detected. Since we now know the intended target of the attack – the crown jewels, remember – thanks to the analysis, we can now predict how the attacker will proceed next. Bingo! Our cyber experts can now incorporate additional sensors where the crown jewels are. This will then trigger an alarm in our Cyber Defence Center when the attacker "passes them". If need be, honeytokens are also arranged as traps to impersonate the presumed target.

The ultimate goal is to banish the attacker from the company and keep them out for as long as possible because one thing is clear: When an attacker fails to reach their target, they usually come back with even better methods.

Therefore, as you have read above, how long it takes to resolve a cyber attack depends on numerous factors. What is certain is that our cyber analysts always need to work extremely accurately, firstly so that no clues are overlooked or destroyed, and secondly, so that the attacker is unaware that we are on their track. That could change their behaviour and thus make the investigation more difficult. Incident response and digital forensics are therefore not activities you can just do quickly in passing. They require experts, like our analysts at the Cyber Defence Center, who devote themselves entirely to this important task.

If you also wish to benefit from this expertise and our CSIRT in the event of a security incident, take a closer look at our Incident Response Service.

 

Incident Response Retainer

Incident response is more than searching for clues and catching the offender

Incident response is not simply a matter of catching the attacker though. Ultimately, the affected systems have to be cleaned and normal operation has to be restored. Even that is not the end, however. An important and, in our opinion, crucial, aspect is the optimisation of cyber security. The lessons learned from the security incident absolutely must be incorporated through the implementation of new measures, thereby ensuring that cyber resilience can be sustainably strengthened.

But what if, and we certainly hope this is not the case, a data protection-relevant leak occurs? Well, then you have precisely 72 hours...

Detection & response – but within 72 hours please

Yes, you guessed it, because of the GDPR reporting obligation. Where personal data is involved, you must notify the affected individuals and the relevant authorities within this period. And believe us, while this period may appear sufficient at first glance, in practice, it is extremely tight and only works if relevant processes have already been put in place.

Effective Cyber Resilience with Detection & Response

Detection & Response should be part of every cyber security strategy to ensure sustainable, effective cyber resilience. Do you think it's easier said than done? That's why our experts have created a checklist with comprehensive information on cyber resilience. The checklist gives you exactly the information you need to assess and optimize your cyber resilience. What are you waiting for? Download now for free!

 

Download  Cyber Resilience-Checklist

Share article