Oh, joy — your organization has been hacked. After all those penetration tests and all that employee training, some yahoos on the Internet still snuck onto the corporate network and absconded with your sensitive data. Now what?
That’s always the question at one of my favorite conferences of the year: an annual gathering of internal auditors, cybersecurity executives, and law enforcement, hosted by the U.S. Attorney’s Office of Connecticut and the Westchester-Fairfield chapter of the Institute of Internal Auditors. This year’s meeting happened on Tuesday.
The conference succeeds because law enforcement is such a strong voice on the agenda. I attend many conferences and have heard enormously thoughtful people — but usually they’re IT security vendors or advisory firm partners, talking about new threats and the best ways to prevent them. You rarely hear law enforcement voices, sitting side-by-side with corporate executives, essentially saying, “OK, here’s how to work with us after you’re screwed.”
One of the most practical talks came from Mona Sedky, a senior trial attorney in the Justice Department’s computer crimes section. Sedky is one of the people who will be on the other end of the phone if your company suffers a significant breach.
And what will Sedky ask for when she has you on the phone? Five specific pieces of information. They may not be news to your CISO or IT security team, but as effective cybersecurity becomes ever more of a team sport, compliance, audit, and risk executives will need a better sense of the IT security details, too.
So without further delay…
Five Cybersecurity Pieces
The suspect login credentials. Hackers gain entry past your network’s front door by posing as a user who has login permissions. Law enforcement will want to know what credentials the hackers used, and what the hackers did after gaining entry that triggered your suspicions.
For example, did they pose as a vendor but log onto the network from an unusual location or at a surprising time of day? Did they pose as an employee but log into a part of the network he or she normally wouldn’t touch? Did they log in as an administrator but use an administrative account that hadn’t been active for months?
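The three questions above are exactly the checks a defender can run over authentication logs before picking up the phone. The following is an added example, not code from the original post: it compares constructed login events against a per-account baseline (normal countries, hours, hosts, and last activity) and reports which logins broke it. The baseline values, account names, and events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed baselines: each account's normal pattern, as you would derive
# it from prior months of logs (countries, working hours, hosts touched).
BASELINE = {
    "vendor-acme":  {"countries": {"US"}, "hours": range(8, 19), "hosts": {"vpn-gw", "ticketing"}},
    "jsmith":       {"countries": {"US"}, "hours": range(7, 20), "hosts": {"mail", "fileshare"}},
    "admin-backup": {"countries": {"US"}, "hours": range(0, 24), "hosts": {"backup01"},
                     "last_active": datetime(2023, 1, 15)},   # dormant admin account
}
DORMANT_DAYS = 90  # an admin account unused this long is worth a question

# Constructed login events: (account, timestamp, source country, host reached).
EVENTS = [
    ("vendor-acme",  datetime(2023, 6, 12, 3, 14),  "RO", "vpn-gw"),    # odd hour and country
    ("jsmith",       datetime(2023, 6, 12, 10, 2),  "US", "hr-db"),     # host outside baseline
    ("admin-backup", datetime(2023, 6, 12, 11, 30), "US", "backup01"),  # long-dormant admin
    ("jsmith",       datetime(2023, 6, 12, 9, 5),   "US", "mail"),      # normal login
]

def triage(events, baseline=BASELINE):
    """Return (account, timestamp, reasons) for every login that breaks its baseline."""
    findings = []
    for user, ts, country, host in events:
        prof = baseline.get(user)
        reasons = []
        if prof is None:
            reasons.append("unknown account")
        else:
            if country not in prof["countries"]:
                reasons.append(f"unusual location {country}")
            if ts.hour not in prof["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}:00")
            if host not in prof["hosts"]:
                reasons.append(f"unusual host {host}")
            last = prof.get("last_active")
            if last and ts - last > timedelta(days=DORMANT_DAYS):
                reasons.append(f"dormant for {(ts - last).days} days")
        if reasons:
            findings.append((user, ts, reasons))
    return findings

if __name__ == "__main__":
    for user, ts, reasons in triage(EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {', '.join(reasons)}")
```

The output of `triage` is the list of credentials and timestamps law enforcement will ask about first; keep the matching raw log lines alongside it.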
The suspect IP addresses. Those hackers came from somewhere. As best as you can determine, law enforcement will want to know the “last hop” IP address where the hackers came from, and any exfiltration IP address you believe the data was taken to.
Spoiler alert: your last hop IP address is probably wrong. Hackers routinely hop from one address to another before finally arriving at their target — and do the same again when they leave, to obscure their final destination. Still, the FBI computer crimes people can’t trace the route if they don’t have somewhere to start.
Images of affected servers. Law enforcement will want “images” (a technical term for “copy”) of servers the hackers visited, so they can reconstruct what the hackers did and how they did it. An image might include data, applications, operating systems, or all three.
Any responsible IT department will maintain images of servers; it’s crucial for business continuity planning. For those of you in the retail sector, you may also need to provide images of point-of-sale machines (which are, essentially, simple computer servers themselves).
You don’t need to provide copies of all affected servers, if many of them are identical. For example, if all your POS servers process the same data with the same applications, and they all fell victim to the same hack, a representative sample should suffice.
Samples of the malware. That’s self-explanatory. It’s worth noting that many hacks these days are not “zero day exploits” that nobody has seen before. Most are based on malicious code that has existed for some period of time. (Your company just fell victim to it because your patch management was insufficient, or employees didn’t follow their cybersecurity training.)
So law enforcement often can tell quite a bit about potential culprits, based on the malware samples you provide.
An idea of how the bad guys traversed your network. Once the hackers gain entry to your system (see bogus login credentials, above), they move around your network looking for data. If they find data they want to take, they will set up a command-and-control node somewhere to move the data off your network to destinations unknown.
Well, as best as you can figure — how did they move around? Which computer terminal or web page was the entry point? Where did they go after that? How long did they stay at each point in their journey? Where did they establish a command-and-control node? Where did the data leave your network?
Enforcement Is Your Friend
That’s a lot of data to surrender to the feds. Some companies might feel uneasy that information shared with the FBI, Justice Department, or other law enforcement agencies might end up in the hands of civil agencies such as the Federal Trade Commission, looking to discipline a company for poor cybersecurity practices.
Sedky stressed that those conversations do not happen. “We are not a pipeline to the FTC,” she said — and Sedky would know; prior to joining the Justice Department, she worked at the FTC for 10 years. Those conversations didn’t happen when she was on the receiving end, either.
That means Sedky and other law enforcement will not ask you about which executives knew what details about a breach, whether any red flags were triggered and ignored, or any other “you should have known” questions.
“I’m trying to get the bad guy,” Sedky said. “You’re the victim here.”
For the record, I have heard many other law enforcement voices say the same thing over the years. I believe them, and reside firmly on the pro-talking side. After all, cybersecurity breaches have a way of becoming public sooner or later, and then the decision to keep quiet looks really bad.
A special thank you to Neil Frieser, chief audit executive at Frontier Communications; and Vanessa Richards, assistant U.S. attorney in Connecticut. Frieser and Richards are the chief organizers of the conference, and have been doing a great job for three years (along with many others). Every IIA chapter and U.S. attorney’s office in the country should follow their lead.