So it’s happened. You really had hoped that it wouldn’t, but hope has let you down and you have run out of luck. A cyber breach has occurred, data has gone, and you are not sure how, when or by whom. Your mind now starts to wonder whether this was an attack, or perhaps a disgruntled employee (after all, you have just completed the latest round of HR reviews and some people were disappointed with the pay rise that was offered). What’s going to happen now? Do you tell your customers? Do you tell your suppliers? Should you be drafting a statement to put on your website? Perhaps you need to gather all the staff and talk to them, but then what will they say? Damn, you had been warned this might happen. It’s a mess and it’s going to get messier. Who are you going to call?
If that happened to you, what would you do? Have you ever wondered? Many companies have a critical incident policy in place that can be acted on should the worst happen, but precious few have one in place for cyber. This happened to me a handful of years ago when I was in charge of a large corporate network. A member of staff’s laptop had been stolen; well, actually, they had left it in a restaurant and when they returned it had gone. They arrived at work the next day, came to the IT department and just asked for another. I referred the incident immediately to the senior management team: this had occurred, the laptop contained, by admission of the user, company-sensitive information, and we needed to take action, but what? Sadly we were collectively caught out: there was no policy, there were no procedures, and those I turned to for leadership had nothing. The most insightful thing they offered was to claim on insurance (not cyber insurance) to replace the missing hardware. What did I do next? Who did I call? I actually called the Police.
The Police were very helpful: they took the details and issued me a crime number so we could claim on insurance, but they said that as it was an opportunist crime, the laptop would more than likely have been pushed through a high street ‘cash converting shop’ by now and would be almost impossible to find. It was odd that everybody I turned to was concerned about the hardware, not the information. Didn’t that have the potential to damage our reputation? Or be used for a more sinister activity? I decided to perform some rudimentary digital forensics. Essentially I was going to be ‘CSI Cyber’ in my own little corporate world.
Fortunately, at that time all of our laptops had license management software installed. This software regularly self-audited the machine and updated its profile on a central server. This enabled the organisation to understand what software was being used within it, which could be compared to what software it actually legally held licenses for (there was a disparity, but that’s another story!). It was possible to send an audit request from the central server out to a specific machine so that the next time it was connected to the internet it would force an audit. Why? Because it would also show the IP address from where it was connected. I set this request and waited. Within 24 hours it showed up, and as the auditing was a background task the user was unaware of what was going on. An IP address was recorded, and with a bit of research we could tie this down to a physical property. This information was passed to the Police, against the crime number. They did what they do well: knocked on a door and ‘had a word’. They never managed to recover the laptop there and then, but a couple of days later it actually turned up in the post with a note that it had been ‘found’ and, as it had a sticker on it saying it was the company property of ‘us’, it was sent back in a gesture of good citizenship.
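The audit mechanism described above boils down to a stream of check-in records on a central server, each carrying an asset identifier and the source IP the machine connected from. The script below is an added illustration, not the author’s tool or any real product’s log format: it parses a few constructed check-in lines, reports where a given asset was last seen, and flags check-ins that arrive from outside an assumed corporate address space (the line format, the asset tags and the corporate ranges are all assumptions for the example).

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample check-in log lines (not from any real product); the format is an assumption.
SAMPLE_LOG = """\
2018-06-10T08:15:02Z asset=LT-0421 user=jdoe src=10.20.30.40 status=audit-complete
2018-06-11T19:42:17Z asset=LT-0421 user=jdoe src=203.0.113.45 status=audit-complete
2018-06-11T09:01:55Z asset=LT-0198 user=asmith src=10.20.31.7 status=audit-complete
2018-06-12T07:30:00Z asset=LT-0421 user=jdoe src=203.0.113.45 status=audit-complete
this line is malformed and should be skipped
"""

# Assumed corporate address space; real ranges would come from the network team.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) asset=(?P<asset>\S+) user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)


def parse_checkins(text):
    """Parse audit check-in lines into dicts; malformed lines and bad addresses are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        try:
            rec["src"] = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        records.append(rec)
    return records


def last_seen(records, asset):
    """Return (timestamp, source IP) of the most recent check-in for an asset, or None."""
    hits = [r for r in records if r["asset"] == asset]
    if not hits:
        return None
    latest = max(hits, key=lambda r: r["ts"])
    return latest["ts"].isoformat(), str(latest["src"])


def offsite_checkins(records, corporate_nets=CORPORATE_NETS):
    """Check-ins whose source address lies outside every corporate network."""
    return [
        (r["asset"], r["ts"].isoformat(), str(r["src"]))
        for r in records
        if not any(r["src"] in net for net in corporate_nets)
    ]


if __name__ == "__main__":
    recs = parse_checkins(SAMPLE_LOG)
    print("Last seen LT-0421:", last_seen(recs, "LT-0421"))
    for asset, ts, src in offsite_checkins(recs):
        print(f"off-site check-in: {asset} at {ts} from {src}")
```

The recorded source address is only the starting point the author describes; tying it to a physical location is the step that was handed to the Police with the crime number, and the check-in record is what gives that request something concrete to act on.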
Happy ever after? No. That wasn’t good enough. A colleague and I examined this laptop further: we took a complete copy of the hard drive and examined it. We retrieved deleted files and hidden files and found photos that had been placed on it. We found internet browsing history that included searches, on the day the Police made their visit, for ‘tracking computers over the internet’, and we found a name that we could cross-reference with a Facebook profile whose pictures matched the photos we discovered. Our rudimentary digital forensics knowledge and a tenacity to ‘crack this case’ gave us some compelling digital evidence. We passed this evidence to the Police, they acted on it, made an arrest and obtained a conviction. The data we were worried about had not been breached and a sigh of relief was breathed all round, so no further action needed to be taken, with the exception of staff training on not leaving laptops in restaurants.
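Two habits make the kind of examination described above hold up later: work from a copy of the drive whose hash is recorded before and after the examination, so nobody can claim the evidence was altered, and pull specific facts (such as searches on a particular day) from the browsing history with a repeatable query rather than by eyeballing. The script below is an added example, not the author’s method or any browser’s real schema: it hashes a constructed placeholder image in chunks, builds a constructed browser-history table in an in-memory SQLite database, and queries it for visits on a given day whose title or URL contains a keyword.

```python
import hashlib
import os
import sqlite3
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a disk image in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_history():
    """Constructed browser-history database (not a real browser's schema) for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (visited_at TEXT, url TEXT, title TEXT)")
    rows = [
        ("2018-06-10T21:03:11", "https://example.com/weather", "Weather"),
        ("2018-06-12T10:14:02",
         "https://search.example/?q=tracking+computers+over+the+internet",
         "tracking computers over the internet"),
        ("2018-06-12T10:20:45",
         "https://search.example/?q=how+to+disable+laptop+tracking",
         "how to disable laptop tracking"),
        ("2018-06-13T08:00:00", "https://social.example/profile/sample-user", "Sample User"),
    ]
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def searches_on_day(conn, day, keyword):
    """Visits on a given day (YYYY-MM-DD) whose title or URL contains the keyword."""
    cur = conn.execute(
        "SELECT visited_at, url FROM visits "
        "WHERE substr(visited_at, 1, 10) = ? AND (title LIKE ? OR url LIKE ?) "
        "ORDER BY visited_at",
        (day, f"%{keyword}%", f"%{keyword}%"),
    )
    return cur.fetchall()


def run_demo():
    """Write a constructed 'image', hash it before and after examination, and query the history."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "laptop.img")  # constructed placeholder, not a real disk image
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed disk image placeholder" + b"\xff" * 4096)
        before = sha256_file(image)
        conn = build_sample_history()
        hits = searches_on_day(conn, "2018-06-12", "tracking")
        conn.close()
        after = sha256_file(image)
    return {"image_unchanged": before == after, "hash": before, "hits": hits}


if __name__ == "__main__":
    result = run_demo()
    print("image hash:", result["hash"], "unchanged:", result["image_unchanged"])
    for visited_at, url in result["hits"]:
        print(visited_at, url)
```

Against a real image you would point `sha256_file` at the copy you took and keep the two digests with the case notes; the history query is the same shape whatever the browser, only the table and column names change.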
So, the moral of this story? You may not have heard the term digital forensics very often, but this is the discipline you will need should a cyber incident occur. The days of finding clues in a crime have moved into the digital realm, and there are teams of people out there to help you. These are not trench-coat-wearing detectives who work on a hunch, but highly skilled digital experts who can find the evidence you may need in order to take criminal or civil action against the criminals who have attacked you. I didn’t know about these crack teams of people when I suffered from an opportunist crime, but I know of them now, and if I ever suffer again I will be calling in the ‘Real CSI Cyber’ without hesitation. Will you?