Cyber Forensic Business Services have become an integral part of any Cyber Risk Management Policy. Whether a company has the on-hand resources, or a plan in place, to investigate any cyber incidents that occur greatly affects its ability to protect a multitude of resources within the company.
When considering incident management and implementing it within an organisation, it is important to recognise that there are two main classifications of an incident:
- Where the computer is misused to commit a breach of contract or policy, or potentially various laws or regulations
- Where a computer or device is the target of an attack, potentially relating to a crime
An external breach or illegitimate use is currently covered under UK law by the Computer Misuse Act 1990. Internal issues may also fall under the Act, but in most situations they would be handled under internal Human Resource policies. As such, it is important to recognise that the circumstances in which an incident has occurred greatly affect the way in which an investigation would be carried out.
A legal investigation has very strict rules, as set out by the Association of Chief Police Officers (ACPO), and as such will focus on the hard facts regarding a specific device after the incident has occurred. Within a business environment things have progressed, and forensic offerings are no longer limited to after-the-fact investigations of specific devices. Instead, incidents are responded to immediately. By examining live devices, an investigator can see the infected device and re-trace the attacker's steps, looking at information from many sources to work out exactly what happened and why.
With this information, it is necessary not only to find the culprit, but also to provide analysis on ways to improve security, hardening the infrastructure so that the incident does not happen again. "True forensics" still holds significant value in HR issues, but the process there is somewhat different. For example, if a user has been found to be using his work computer for illegitimate purposes, previously an investigator would focus on the device alone. Current Incident Responders would first look at the device, and then identify other sources of information within the customer environment. Utilising multiple information sources allows the investigator to find information that the user may have attempted to conceal. For instance, an email chain can be deleted locally; however, Exchange server backups would be far harder for a normal user to delete.
In all situations – whether Civil, Legal or Internal – a solid process for collecting evidence is key. Cyber Forensic Business Services can aid a company's Cyber Risk Management Policies by reducing the overheads associated with an internal team, whilst greatly improving the skill set of those investigating. An internal team may need expertise in many different technologies and investigative processes; a multitude of experts can often be called upon at a much lower financial cost through a third-party supplier. Incidents are also unpredictable, so having a contract in place is a useful way to cover basic security needs with a much lower outgoing.
Having a plan in place for dealing with any form of incident is clearly important. However, it should be understood that in a network where all devices are connected, investigating a single host and providing potentially limited facts may not prove helpful. In the grand scheme of things, the aim is to enhance the development of security and ensure that data remains protected, whilst also ensuring that host devices are not misused.