BlueVoyant's Tom Moore Talks Legal Procedure Following Hack
In the aftermath of a cyber attack, organizations face a daunting task of mitigating the damage and restoring operations. This often involves a complex and resource-intensive process of identifying the breach, containing the threat, recovering data, and implementing enhanced security measures to prevent future incidents.
However, amidst the technical and operational challenges, a crucial yet often overlooked aspect is seeking legal counsel to navigate the intricate legal implications of a cyber incident.
Cyber attacks can have far-reaching legal consequences that require expert guidance. Failure to address these legal aspects can expose organizations to further risks, including regulatory fines, lawsuits, and reputational damage. Some key reasons why seeking legal advice is essential after a cyber attack include data breach notification requirements, regulatory investigations, and potential litigation and liability.
Cyber Magazine speaks to Tom Moore, Director of Forensics and Incident Response at BlueVoyant about how to support lawyers and their clients in times of crisis.
Tom provides insight into incident response, eDiscovery, and digital forensics tips for the unfortunate organisations who find themselves facing a cyber incident.
What are the different types of cyber threats?
When we talk about cyber security, we often think about hackers outside organisations trying to access private, sensitive data. However, threats from insiders are fast becoming a grave concern among businesses and invariably they are harder to identify and prosecute. Today, insider threats affect more than 34% of businesses globally and instances are rising, but an overwhelming number of organisations are not sufficiently prepared to know how to handle them.
Fundamentally, there are typically two kinds of insider threats: a malicious insider and a negligent one. Malicious insiders use their company access against their employer, perhaps as an act of revenge or for financial gain. A recent sentencing at Reading Crown Court involving an IT security analyst is a stark reminder of what some employees might attempt. This individual piggybacked off a ransomware attack to try to extort his employer. While the organisation’s efforts were focused on external attackers, the threat posed by this trusted insider could easily have been overlooked.
A negligent insider might leave their computer unlocked when they leave the room, allowing a malicious actor to hijack their user account to steal data, or gain unauthorised access to company systems. Other negligent insider errors might include documents and data being sent to the wrong recipient or failing to redact or use BCC appropriately on correspondence.
Unfortunately, in data-rich industries like the legal sector, financial services and insurance, staff take company data with them as they leave their roles. Although employees might not see this as data theft, it is just that. Inadvertent or deliberate abuse of insider access can have significant reputational and financial consequences for businesses of any size.
What action should you take when an attack does take place ? Is there a recommended procedure to follow?
When an organisation is faced with a suspected cyber security incident, they will often turn to their legal counsel for advice. Their law firm will typically, in turn, engage an expert digital forensics and incident response (DFIR) practitioner to provide forensic investigation services in support of the case.
Once engaged, the DFIR practitioner’s priority is to understand the known facts and to identify sources of digital evidence, which might be used to investigate the incident. Digital data on live systems is often volatile and so must be captured in a manner which preserves its integrity. Some of the most valuable digital clues can also be short-lived, so time is of the essence and a swift, expert-led response is the key to capturing evidence before it is lost forever. This is a highly specialised undertaking, and requires the skills of an expert with aptitude, experience, intellect, specialist knowledge, and understanding of the setting to use the right tools.
With the help of specialist practitioners, the embattled company can build up a picture of what happened, how a specific individual behaved, and what data has been affected.
From the earliest indications of a potential incident, the best outcomes are achieved by engaging a specialist partner who can work collaboratively, who can adapt their investigative approach as the situation unfolds and – most importantly – who has the necessary credentials, experience and blend of technical and legal knowledge to work in a way which ensures that their findings are robust, reproducible and, therefore, of real practical value, whether in informing risk mitigation measures or in seeking redress against a malicious actor.
During the course of an investigation, careful consideration must be given to practical issues such as legal privilege, which can put the law firm in a pivotal position in handling communications between the DFIR specialist and the affected client, and vice versa.
As the investigation proceeds and findings emerge from the sea of evidence, some form of reporting will undoubtedly be required. This could be anything from an advisory note setting out the key facts (which could, for example, be used to inform internal disciplinary procedures), through to a formal expert witness report, written statements or oral testimony in court.
Reports which could potentially be used in formal proceedings must meet the standards applicable to the forum in which they are to be used. In legal proceedings in England and Wales, for example, experts’ reports must comply with the Civil Procedure Rules (Part 35) or Criminal Procedure Rules (Part 19.4). In other contexts, such as international arbitration proceedings, the IBA Rules on the Taking of Evidence or other relevant standards might apply.
To ensure that these stringent standards are met, and to head off any dispute over the validity of the digital evidence or the forensic analysis techniques used during the investigation, legal counsel will often, on behalf of their client, look to engage a DFIR specialist with an experienced expert witness on their team, who can oversee the investigation.
You mention collecting evidence, once this has happened, how does the investigation proceed?
The specialist practitioner must be trusted to act on behalf of the client, quickly.
It should engage with key stakeholders to understand the timeline of the incident, identify affected systems and provide containment advice to prevent further damage, before identifying, capturing, and preserving valuable digital evidence. It should have a dedicated team of digital forensics and incident response specialists, who can optimise evidence capture and analysis to understand the anatomy of the incident and its root cause, thereby paving the way for clear practical guidance for remediation and risk mitigation.
Where e-discovery is required – say, to review the content of a leaked or stolen dataset – the practitioner should manage all stages of the e-discovery lifecycle, from evidence identification, collection, and preservation through to pre-processing, culling, review, redaction, and ultimately, production of document sets and bundles for intelligence or evidential use.
The ultimate test of this approach occurs when investigative findings are subjected to scrutiny as part of formal legal proceedings. Where a case ultimately reaches the courtroom, experienced expert witnesses will be able to provide oral testimony and assist legal advisors and counsel prior to and throughout the course of proceedings.
External and insider threats continue to be a significant problem for most organisations so, in the unfortunate case of an incident, what should the affected firm do to handle the situation effectively and minimise the damage?
Here are four tips that will ensure the law firm and its client secure the evidence they need to ensure a positive outcome:
- Act swiftly to secure evidence: digital data is volatile and it is critical to the outcome of the investigation to identify and preserve evidence in a manner which ensures its forensic integrity.
- Engage with a suitably resourced and qualified digital forensics and incident response provider to ensure that the correct procedures are followed and that vital steps are not overlooked, which could impact the case further down the line.
- Engage with practitioners who have a wealth of experience in dealing with this sort of engagement, and who understand both the technical and legal issues involved, including how to analyse evidence and report findings in a manner which meets the requirements of any formal legal process.
- Appoint practitioners who have robust in-house experience of presenting technical findings in court and other proceedings as testifying experts.
******
Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Cyber Magazine is a BizClik brand