"In addition to conducting these extremely complex investigations and prosecutions of international cybercrime, law enforcement agencies are increasingly playing the somewhat non-traditional role of threat mitigation by seeking to help organizations better protect themselves against persistent cyber threats. In fact, the US Department of Justice's Computer Crimes and Intellectual Property Section recently created a Cybersecurity Unit dedicated to this objective," McAndrew said.
Each case is a tough case from start to finish, and McAndrew explained that advances in speed, capacity, locational obfuscation and encryption have only made the job harder over the years.
"The most difficult cases I have faced in a constantly changing technological environment involve groups of threat actors each with high quality operational security making their activities, identities and relationships to one another difficult to trace," he said.
"These same types of cases often involve multiple victims located in different places. Investigating what are ongoing crimes in the current climate of data breach response obligations is a daily high-wire act. Every cyber case is a crisis for every victim. Remaining sensitive to the competing demands placed on victims in the face of ongoing harm of unknown dimensions is a constant challenge."
So when a breach happens, don't focus on attribution; focus on recovery and on containing the damage and data loss. After that, get the necessary information to law enforcement as quickly as possible, while starting the process of notifying customers and other affected parties within the required time frame.
In addition to logs and the other technical information mentioned above, McAndrew has created a checklist of information organizations should be prepared to share with law enforcement.
CSO Online has reproduced this list below:
- Identity and contact information for individuals responsible for various components of incident response (legal, IT, senior management, outside consultants, etc.).
- Information about discovery of the incident and steps taken since the discovery of the incident.
- Information relating to past incidents that may be related to the current incident.
- Information about past contact with law enforcement agencies about other incidents. [This can allow the LEA to quickly cross-reference historical information.]
- Identification of information systems and components involved and their locations.
- Signatures for detected malware, spyware, etc.
- System logs (DNS, servers, etc.) relating to the incident.
- IP addresses and other external identifiers believed to be involved in the incident.
- Network maps, locations and data flows relating to the incident, including vendors and cloud service providers.
- Data Loss Prevention (DLP) information.
- Intrusion Detection System (IDS) information.
- SIEM information and log correlation information.
- Endpoint management and access control information relating to the incident.
- Information from firewalls and from the anti-virus, anti-spam, anti-spyware, anti-malware and anti-phishing defenses on the networks related to the incident.