A business client contacts your law firm and says their information system was hacked or breached, and they need to pursue legal action. The first step is proving that a crime occurred and how it occurred. Think CSI: Cybersecurity.
CRIME SCENES
An attacker can get in through many different entry points, and what happens next depends on the attacker's motive. Hackers have a variety of motives, and most of them are looking for low-hanging fruit. The entry point is where the crime scene begins.
Maybe one of your client's employees sat in an airport for 30 minutes checking e-mail on public Wi-Fi. Three months later, the client realizes that some type of breach occurred, and it may have started at the airport. Breaches frequently begin this way.
An employee of your client may have been tricked by a phishing e-mail into handing over their credentials. This is where digital forensics comes in. I've seen cases where the hackers then sit quietly in the mailbox and watch for keywords like "wire transfer," "checking" or "ACH." When a real transaction comes up, they step in with altered payment instructions, intercept the transaction and divert the money.
There could be malware installed in your client's information system that their security tools do not yet recognize, such as a keylogger. That was the pattern at Target: the attack came in through a trusted vendor's credentials, and malware placed on the payment systems captured customer card data. Capturing every keystroke means capturing passwords and everything else typed into the system.
In cases involving exfiltration of trade secrets and data, I've seen stolen user credentials used to read e-mail communications. Some of those communications were sensitive and involved health care matters, so your client may have HIPAA breach notification obligations.
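One concrete artifact a forensic examiner looks for after the mailbox-compromise scenario above is the inbox rule an attacker leaves behind: a rule that matches financial keywords and forwards, deletes or hides the matching messages so the real user never sees the conversation. The script below is an added example written for this page, not code from the author or from any forensic product. The rule export it reads is constructed here to resemble a mail platform's admin export; the field names (`mailbox`, `conditions`, `actions`, `subject_or_body_contains`) and the client domain `example-client.com` are assumptions, not a real vendor schema.

```python
"""Triage exported mailbox inbox rules for business-e-mail-compromise indicators.

Added example for this page, not the author's tooling. The JSON below is a
constructed sample; its field names are an assumed schema, not a vendor API.
"""
import json

# Keywords the page says attackers watch for once they control a mailbox.
FINANCIAL_KEYWORDS = ("wire transfer", "wire", "ach", "checking", "invoice",
                      "payment", "remittance")
# Folders attackers commonly use to hide mail the victim should never see.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive")
INTERNAL_DOMAIN = "example-client.com"  # assumption: the client's own mail domain

# Constructed sample export (assumed field names). Two rules are attacker-style.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "cfo@example-client.com", "name": "Vendor invoices",
   "conditions": {"subject_or_body_contains": ["invoice"]},
   "actions": {"move_to": "Invoices", "forward_to": [], "delete": false}},
  {"mailbox": "cfo@example-client.com", "name": ".",
   "conditions": {"subject_or_body_contains": ["wire transfer", "ACH", "checking"]},
   "actions": {"move_to": "RSS Feeds",
               "forward_to": ["pay-review@gmail-example.net"], "delete": false}},
  {"mailbox": "ap@example-client.com", "name": "Cleanup",
   "conditions": {"subject_or_body_contains": ["payment"]},
   "actions": {"move_to": null, "forward_to": [], "delete": true}},
  {"mailbox": "hr@example-client.com", "name": "Newsletters",
   "conditions": {"subject_or_body_contains": ["newsletter"]},
   "actions": {"move_to": "Newsletters", "forward_to": [], "delete": false}}
]
"""


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address lies outside the client's own mail domain."""
    return not address.lower().endswith("@" + internal_domain.lower())


def triage_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a rule looks like attacker tradecraft; [] if benign.

    A keyword match alone is not suspicious (real users file invoices too);
    it becomes a finding only when paired with an action that hides the mail.
    """
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})
    keywords = [k for k in conds.get("subject_or_body_contains", [])
                if k.lower() in FINANCIAL_KEYWORDS]
    reasons = []

    ext = [a for a in acts.get("forward_to", []) if is_external(a, internal_domain)]
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    if keywords and acts.get("delete"):
        reasons.append("deletes messages matching financial keywords: "
                       + ", ".join(keywords))
    if keywords and (acts.get("move_to") or "").lower() in HIDING_FOLDERS:
        reasons.append(f"hides financial-keyword messages in '{acts['move_to']}'")
    # Attacker-created rules are often named with a single dot or nothing.
    if reasons and not rule.get("name", "").strip(" .,-"):
        reasons.append("near-empty rule name")
    return reasons


def triage_export(rules_json, internal_domain=INTERNAL_DOMAIN):
    """Map mailbox -> [(rule name, reasons)] for every suspicious rule."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = triage_rule(rule, internal_domain)
        if reasons:
            findings.setdefault(rule["mailbox"], []).append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, hits in triage_export(SAMPLE_RULES_JSON).items():
        print(mailbox)
        for name, reasons in hits:
            print(f"  rule {name!r}:")
            for reason in reasons:
                print("    -", reason)
```

Run against the constructed export, the script flags the CFO's "." rule (external forward, mail hidden in RSS Feeds, near-empty name) and the AP "Cleanup" rule (deletes payment messages), and ignores the two ordinary filing rules. In a real engagement the rule export, the rule creation timestamps and the sign-in logs for the same window are what tie the rule to the phishing credential theft.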
INVESTIGATING THE CRIME
When we are called in by your law firm, we are thorough in our assessment. We scan your client's network and digital systems, and go over their computer endpoints, their firewall, their security controls and their e-mail systems with a fine-tooth comb to figure out what happened. Is it a ransom situation, or is it theft of intellectual property? It could be identity theft: selling personally identifiable information (PII) and/or protected health information (PHI) on the dark web, or obtaining medical care under a stolen identity. What kinds of crimes are we looking at? It could be multiple crimes.
Sometimes during forensic e-discovery, when we find the original crime, we also find dormant malware staged to run later that your client didn't know about.
Not everyone with cybersecurity experience can follow the attacker's path. It's very complicated, it's a lot of work and it's a lot of detail, and it requires expensive technology and tools. It's not just about having access to the right equipment and the right tools, but about having the knowledge and certifications to use them effectively to produce evidence for your client.
PROVING THE CRIME
Next, we meet with you and walk you through the scenario the evidence supports. We document the attacker's path and create a breach report that lays out the evidence and summarizes it in an easy-to-read format.
Once we prove that a crime has occurred and we determine the extent of the damages or what assets were stolen, you and your client can make an informed decision on the next steps. Digital forensics discovery does not place a dollar value on the extent of the damages or any intellectual property that was stolen or compromised.
Part of our report will also make recommendations on how to plug the gaps in your client’s information system to prevent similar attacks, and we’d identify other vulnerabilities in their system.
TO CATCH A THIEF
An actual cybercrime can be very hard to prosecute. We have to open a case with the FBI and submit the evidence. Oftentimes we can prove how it happened, but catching the criminal is up to the FBI.
Craig A. Petronella