Since time immemorial, criminals have robbed individuals, stagecoaches, trains, and banks. Why? Because, as Willie Sutton famously said, “That’s where the money is.” In today’s age, criminals have become smarter and are conducting fraud, theft, and espionage through cyberspace.
Cybercrime is a massive threat for organizations as it has long-term effects. The theft of intellectual property or business secrets impacts a business’s profits negatively. Similarly, identity theft results in degrading credit standing and loss of personal resources for individuals.
Cybercrime’s economics tilt towards criminals. Hence, responding to cybercrime is a daunting task. It takes only a laptop for an individual to wreak havoc on individuals and organizations with no cost and little risk. In upcoming times, cutting-edge technologies and protective measures will deter suspicious conduct, helping security personnel curb cyberspace’s menace. In the meantime, digital users should practice basic cybersecurity hygiene to stay protected from cybercrimes. In this article, we help you with crucial steps to take in response to cybercrime.
1. Be prepared
Sometimes a cyber attack is detected after the damage is done. Hence, it is vital to ensure a cyberattack doesn’t go undetected for a long time. The key to staying vigilant is to perform enterprise-wide monitoring and diagnostics frequently.
Also, you should have access to resources to carry-out damage repair when the need arises. For example, the FTC (Federal Trade Commission) steps in and can conduct a formal investigation if a cybercrime involves data privacy and security breaches and results in consumer information exposure.
So, you need an FTC attorney to respond to the FTC investigation with a proactive and strategic approach. So ensure you are well-prepared and connected with a reliable FTC counsel. Eminent lawyer Nick Oberheiden, who has expertise in such cases, often states that being well-prepared is the ideal defense to tackle cybercrimes.
We cannot undo the damage the cyberattack has already done. However, we can certainly limit the damage to ensure a minimum loss. The key is to isolate the incident and zero in on the impact.
Knowledge of the enterprise network environment plays a vital role in this scenario. Factors like severity, complexity, and urgency of the incident will help you decide whether the appropriate response should have a full-scope investigation following the cybercrime response plan.
3. Investigate and remediate
The investigation should find how and when the compromise occurred, its root cause, and its impact on the organization. Urgency and secrecy are critical to the investigation process. To achieve both these aspects, each organization should have a well-established, tangible cybercrime response team having relevant lines of business and executive functions, with defined roles and responsibilities, as well as internal and external communication protocols.
The team should consist of HR managers, IT managers, a board member, and legal resources. You should also test the effectiveness of the plan using table-top exercises.
1. Identify, gather, and document pieces of evidence
You should quickly and efficiently gather all host-based evidence critical to the type of incident. Scout for any running processes, open ports, and remote users. Network-based log files like routers, firewalls, servers, and intrusion detection system (IDS) sensors can reveal critical information. So skim through them. Also, conduct internal and external interviews to dig deep into the breach.
2. Conduct forensic analysis and data analytics
Have a detailed forensic examination to zero down on the attack vector, the extent, and depth of the compromise. Look out for unauthorized user accounts or groups and rogue processes and services. You should also examine unauthorized access points existing in the ecosystem.
3. Connect the dots by understanding fact patterns
The critical aspect is to find out who is involved. Once you have figured out the participants, connect the dots and get a clear picture of the entire incident by answering the questions: what, when, where, and how. Be ready for necessary disclosures as facts unfold.
4. Draw inferences and make recommendations
The investigation should enable you to understand the entire incident and answer critical questions. You should be able to answer why the breach happened? and what loopholes exist in the system? Make a report of recommendations that includes points like disclosures, program improvement, discipline, and remediation.
The key is to locate and repair the vulnerabilities existing in the environment. The goal should be to make it difficult for the attacker to get back in the future. You should create systems so that such attacks in the future are detected well in advance, and you are well prepared for eradication events.
The immediate reaction to the incident is always tactical. However, with time, it should transform into a strategic response. You should conduct attack and penetration exercises to analyze the effectiveness of the tactical fixes.
Most times, attackers try to re-establish their presence and entrench themselves into the network. Hence your eradication plans should be well-coordinated and executed with speed and precision. The work on an eradication event should begin during the investigation phase to ensure eradication starts as soon as the investigation ends.
Gather and document data depending on flexible needs of regulatory reporting, insurance claim and dispute, litigation, and customer notification. Cross-border collaboration can be very effective. Various stakeholders require different types of information. For example, board members need more detailed information than the suppliers. So figure out what to disclose to various stakeholders.