Organizations should focus data sharing post-incident, not attribution

Assistant U.S. Attorney Ed McAndrew shares tips on what organizations should do after discovering a breach. The key is information, not attribution.


LAS VEGAS - There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted.

In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organizations that focus on this area first are wasting resources and time.

Assistant U.S. Attorney Ed McAndrew (DE), who has years of experience working Internet-enabled crime cases, recently spoke with CSO Online and offered some unique insight into the federal side of incident response, and into how organizations can better prepare for law enforcement involvement.

McAndrew says organizations should resist this. Rather than focusing on who is responsible, they should direct their energy toward the damage and the data loss, while giving law enforcement the details it needs to determine who committed the crime and what action to take against them, whether that is capture, prosecution, or disruption and deterrence.

"Organizations that suffer cyberattacks are victims. Like many other types of crimes, cybercrimes cannot be effectively investigated and prosecuted without the help of victims. The timely and meaningful sharing of information is critically important to our ability to help mitigate these crimes and, to the extent possible, prevent their continuation and recurrence," McAndrew said.

How the breach is detected will vary. Sometimes organizations are informed of a breach by a third-party, but some are able to self-detect. No matter how discovery occurred, law enforcement needs to be contacted about the incident, but should the organization contact local or federal authorities?

The question sounds simple, but some smaller organizations may treat the state police or even local authorities as their first line of contact. That is a mistake.

"Organizations should contact federal law enforcement agencies, particularly the FBI and/or the U.S. Secret Service. By their nature, network intrusions and the resulting ID and IP theft are interstate or international in scope. Cyber actors frequently victimize multiple organizations during the same time period. Cyber actors and victims are usually spread across multiple jurisdictions and countries," McAndrew explained.

By going federal, the organization starts a process that enables an efficient and comprehensive investigation. No case is perfect, but the ability to investigate and document the steps taken on both sides (victim and perpetrator) is critical to attribution, mitigation and prosecution.

"The FBI and the Secret Service are best positioned to conduct these national and international cyber investigations effectively and efficiently," McAndrew added.

This led to a follow-up question, are there any limits or rules for federal notification?

"Because cyber actors have multiple targets, and the methods and impact of attacks on organizations keep evolving, there is no rigid requirement as to which cases are ultimately investigated. There is no single standard for federal notification requirements that applies to all victim organizations. There are more than 50 federal laws related to cybersecurity and data privacy, and different industries and sectors are often governed by different standards," he said.

When it comes to the information that should be collected and given to law enforcement, McAndrew noted that priority assets will vary per investigation, but in general law enforcement is interested in data that can be used to identify perpetrators, as well as data that relates to the timing and manner of breach, data exfiltration, and any disruptive or destructive activity.

"Any existing system logs, SIEM data, IDS and DLP output, endpoint data, and network and data-flow diagrams may provide insight into these questions and are the most helpful to the investigation," he said.

Some organizations will hesitate to share full details. Even so, data relating to internal investigation reports or forensic examinations carried out by non-law-enforcement personnel should still be shared, even if only in part.

"While law enforcement agencies can best help victims when provided with as much information as possible about a cyber-incident, we are very sensitive to the complex legal and business issues surrounding sharing data with government investigators," McAndrew added.

Law enforcement, he says, recognizes that organizations must balance the competing and contemporaneous roles of: crime victim; target of inquiry from governmental and non-governmental entities outside of federal law enforcement; and civil litigant.

"Federal law enforcement agencies are likely to seek only that information that is necessary to conduct the investigation."

Moving on, we asked McAndrew to explain the investigative process and its complexities.

"Even simple cybercrimes are complex to investigate. Attributing the conduct behind every essential element of the crime is critical to a successful prosecution. Locating evidence outside the victim's network, and on devices beyond it, is also essential to proving a criminal case. Even where solid proof of a specific individual's criminal activity can be developed, that person being located elsewhere often prolongs arrest and prosecution," he explained.

If investigators succeed at all of these steps, they may be able to persuade an individual target to cooperate in investigations of other targets and other cybercrimes. While this plays out, criminal proceedings may be delayed or kept out of public view. As a result, major cases can take years from inception to actual conviction and sentencing.

"Beyond these extremely complex investigations and prosecutions of international cybercrime, law enforcement agencies are increasingly taking on a non-traditional threat-mitigation role, seeking to help organizations better protect themselves against ongoing cyber threats. The Department of Justice's Computer Crime and Intellectual Property Section recently created a cybersecurity unit dedicated to this goal," McAndrew said.

Each case is a tough case from start to finish, and McAndrew explained that advances in speed, capacity, locational obfuscation and encryption have only made the job harder over the years.

"The most difficult cases I have faced in a constantly changing technological environment involve groups of threat actors, each with high-quality operational security, which makes their activities, identities and relationships with one another hard to trace," he said.

"These same types of cases often involve multiple victims in different places. Investigating an ongoing crime amid the victim's current data-breach response obligations is a daily high-wire act. Every cyber case is a crisis for every victim. Facing continuing harm of unknown dimension, the competing demands placed on victims are a constant challenge."

So when a breach occurs, do not focus on attribution; focus on recovery and on mitigating the damage and data loss. After that, concentrate on getting the necessary information to law enforcement as quickly as possible, while beginning the process of notifying customers and others affected within the appropriate time frame.

In addition to the logs and other technical information mentioned earlier, McAndrew also prepared a checklist of the information organizations should be ready to share with law enforcement.

CSO Online reproduces that list below:

  • Identities and contact information for the individuals responsible for the various components of incident response (legal, IT, senior management, outside consultants, etc.).
  • Information about the discovery of the incident and the steps taken since discovery.
  • Information about past incidents related to the current incident.
  • Information about past contact with law enforcement agencies about other incidents. [This can allow the LEA to quickly cross reference historical information].
  • Identification of the information systems and components involved, and their locations.
  • Signatures of the malware, spyware, etc. that was detected.
  • System logs related to the incident (DNS, server, etc.).
  • IP addresses and other external identifiers believed to be involved in the incident.
  • Network diagrams, locations and data flows related to the incident, including vendors and cloud service providers.
  • Data Loss Prevention (DLP) information.
  • Intrusion Detection System (IDS) information.
  • SIEM information and log correlation information.
  • Endpoint management and access control information related to the incident.
  • Information from firewalls and from anti-virus, anti-spam, anti-spyware, anti-malware and anti-phishing defenses related to the incident.
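The items above are collected by different teams and handed over as files, so one practical step before sharing is to package them with a manifest that records what was collected, under which checklist category, and a SHA-256 digest of each file, so the recipient can confirm the package arrived intact. The following Python script is an added example, not code from the article or from any agency; the category keys, the directory layout (one sub-directory per category), the case id and the two sample artifacts are constructed assumptions.

```python
"""Build and verify a tamper-evident manifest for incident artifacts
before they are shared with law enforcement.

Added example, not part of the CSO Online article. The category names
mirror McAndrew's checklist; the directory layout, function names,
case id and sample files are assumptions made for illustration."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Checklist categories (from the article) mapped to a short description.
# Assumed layout: each category is a sub-directory under the package root.
CATEGORIES = {
    "contacts": "Responders' identities and contact information",
    "timeline": "Discovery of the incident and steps taken since",
    "prior_incidents": "Related past incidents and prior contact with LEAs",
    "systems": "Affected information systems, components and locations",
    "malware_signatures": "Signatures of detected malware, spyware, etc.",
    "system_logs": "System logs (DNS, server, etc.)",
    "indicators": "IP addresses and other external identifiers",
    "network_diagrams": "Network diagrams, data flows, vendors, cloud providers",
    "dlp": "Data Loss Prevention output",
    "ids": "Intrusion Detection System output",
    "siem": "SIEM and log-correlation output",
    "endpoint": "Endpoint management and access-control records",
    "perimeter": "Firewall and anti-virus/spam/spyware/phishing records",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (logs can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, case_id: str) -> dict:
    """Walk <root>/<category>/... and record size and SHA-256 per file."""
    entries = []
    for category in CATEGORIES:  # fixed order keeps the manifest stable
        cat_dir = root / category
        if not cat_dir.is_dir():
            continue
        for path in sorted(p for p in cat_dir.rglob("*") if p.is_file()):
            entries.append({
                "category": category,
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            })
    manifest = {
        "case_id": case_id,
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "categories": CATEGORIES,
        "files": entries,
    }
    # Digest of the file list itself: quote it in the cover note so the
    # recipient can check the manifest as well as the files.
    manifest["files_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_package(root: Path, manifest: dict) -> list:
    """Return the paths whose content no longer matches the manifest.
    An empty list means every listed file is present and unchanged."""
    mismatches = []
    for entry in manifest["files"]:
        path = root / entry["path"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo() -> tuple:
    """Constructed sample package: two artifacts, then one is altered."""
    root = Path(tempfile.mkdtemp(prefix="ir_package_"))
    (root / "system_logs").mkdir()
    (root / "indicators").mkdir()
    # Constructed sample log line and indicator list (documentation IPs).
    (root / "system_logs" / "dns.log").write_text(
        "2015-08-04T10:02:11Z query example-host.internal A 203.0.113.7\n")
    (root / "indicators" / "ips.txt").write_text("203.0.113.7\n198.51.100.23\n")
    manifest = build_manifest(root, case_id="CASE-ID-PLACEHOLDER")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    intact = verify_package(root, manifest)          # expected: []
    (root / "indicators" / "ips.txt").write_text("203.0.113.7\n")
    after_edit = verify_package(root, manifest)      # expected: the edited file
    return manifest, intact, after_edit


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before edit:", before, "after edit:", after)
```

The manifest is written alongside the artifacts, but the `files_sha256` value is meant to travel separately (in the cover e-mail or letter), so that a package altered in transit cannot be disguised by rewriting its manifest. Categories with no files are simply skipped, which makes the manifest a quick visual check of which checklist items the organization has not yet gathered.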

This story, "Organizations should focus data sharing post-incident, not attribution" was originally published by CSO.


Copyright © 2015
