Partners against crime: First response
By Kenrick Bagnall
As a cybercrime investigator with the Toronto Police Service, I see the importance of having a complete incident response and recovery plan.
In the wake of a breach, most organizations are concerned with figuring out how the attacker got in, what damage they did, how to get the attacker out, and how they can prevent it from happening again. From a law enforcement perspective, the goal is attribution. We forensically examine the evidence in an effort to ultimately “put the suspect behind the keyboard” and lay criminal charges. Remediation and attribution work hand in hand because they both rely on the same artifacts, known in my world as evidence. A detailed and robust cybersecurity incident response plan can go a long way to ensuring your organization is ready.
1. Know exactly what your systems are logging and how much data you have. While the numbers are coming down, statistics still show that cyber attackers have a foothold in your system for approximately 100 days before they are discovered. The trend is moving away from external notification and more towards internal discovery, yet you don’t want to be in a position where you need to rely on your system logs (firewall, access control, intrusion detection, IP video surveillance, etc.) for 90 days of data, then realize you only have nine. It is important for both the external cybersecurity experts who are helping with remediation and your law enforcement partners who are working towards attribution to have a clear picture of the body of evidence they have to work with.
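One way to turn that first guideline into a repeatable check, as an added example that is not part of the column: take an inventory of the oldest and newest record each log source still holds (the source names and timestamps below are constructed, hypothetical values), then report how many days of history each source actually offers, flag sources that fall short of the retention window the plan assumes or that have gone silent, and list which sources could still cover an intrusion that began 100 days ago.

```python
"""Retention-coverage check for the log sources an incident plan relies on."""
from datetime import datetime, timezone

# Constructed sample inventory (hypothetical values): source name -> (oldest
# record, newest record) in ISO 8601 UTC, as pulled from a SIEM or each device.
NOW = datetime(2019, 6, 30, tzinfo=timezone.utc)
INVENTORY = {
    "firewall": ("2019-06-21T00:00:00Z", "2019-06-30T00:00:00Z"),
    "access-control": ("2019-01-15T00:00:00Z", "2019-06-30T00:00:00Z"),
    "ids": ("2019-03-01T00:00:00Z", "2019-06-30T00:00:00Z"),
    "video-surveillance": ("2019-06-01T00:00:00Z", "2019-06-25T00:00:00Z"),
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_report(inventory, now=NOW, required_days=90, max_silence_hours=24):
    """Per source: days of history available looking back from `now`, plus any
    findings (retention shorter than the plan assumes, or no recent records)."""
    report = {}
    for source, (oldest, newest) in inventory.items():
        first, last = _parse(oldest), _parse(newest)
        days = (now - first).days
        findings = []
        if days < required_days:
            findings.append(f"only {days} of {required_days} days retained")
        silent_hours = (now - last).total_seconds() / 3600
        if silent_hours > max_silence_hours:
            findings.append(f"no records for {silent_hours:.0f} hours")
        report[source] = {"days": days, "findings": findings}
    return report


def sources_covering(inventory, days_back, now=NOW):
    """Sources whose history reaches back at least `days_back` days, i.e. the
    evidence base still available if the intrusion began that long ago."""
    return sorted(s for s, (oldest, _) in inventory.items()
                  if (now - _parse(oldest)).days >= days_back)


if __name__ == "__main__":
    for source, row in coverage_report(INVENTORY).items():
        status = "OK" if not row["findings"] else "; ".join(row["findings"])
        print(f"{source:20} {row['days']:4d} days  {status}")
    print("Sources reaching back 100 days:", sources_covering(INVENTORY, 100))
```

Run against a real inventory, the output is the "body of evidence" picture the column asks for: which sources would support a 90-day investigation today, and which would leave investigators with nine days.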
2. A million events may not mean you have an incident. While this may come across as an oversimplification, with a cyber incident plan it is important to know exactly when the threshold is met to actually execute said plan. Most (I dare say all) corporate networks are being “probed” on an ongoing basis. Each probe, scan and attempted entry is logged as an event. At what point does this mass of events become an actual cyber incident? This is not a question I can answer for you in this column, but it is one you must answer for yourself as an organization. You don’t want to trigger your plan and contact the regulators unless you are sure you know what you are dealing with.
3. Part of your plan should be to invest in cyber awareness training for your people and improve their cyber hygiene. Make sure the part of your plan that addresses resiliency testing also tests your people.
4. The greatest harm from a successful cyber-attack is not corrupted data but damaged corporate reputation. Let’s take a quick look at just some of the communications outreach that needs to be done during a cyber incident: media statement; report to the board; notice to staff; notice to customers; contact regulators; contact credit reporting agencies; contact external cyber security; contact the cyber insurance company; contact (report to) law enforcement. The message, in terms of both content and timing, is key. You don’t want to be in a position where the Office of the Privacy Commissioner is contacting you because they got wind of your breach in the media.
5. Businesses are connected to customers, suppliers, service organizations, regulators and more. Don’t overlook the security considerations of these connections when developing your plan. In many cases, cyber-attacks are facilitated not directly through your own infrastructure, but through a trusted connection of a known third party.
Also, pay attention to the technology connecting you to third parties and examine these devices on an ongoing basis from a vulnerability perspective. Equally important, pay attention to the language in the contracts governing how those connections are used. The wrong wording can shift liability in your direction. Be sure to have trusted legal counsel draft and review these contracts on your behalf.
I have provided five guidelines, but I have a bonus thought for you. As a living entity, your cybersecurity plan should receive care and feeding in the form of regular reviews and updates. Your plan should also be vetted by a trusted third party and tested periodically.
Kenrick Bagnall is a Detective Constable with the Toronto Police Service Computer Cybercrime Unit (C3). Twitter: @KenrickBagnall.
This story was featured in the Summer 2019 edition of Canadian Security magazine.