Role of Forensic Cybercrime Experts
While not all forensic cybercrime experts are created equal, those who consult with organizations and attorneys on a regular basis are typically adept at translating “geek speak” into normal language. Highly specialized “cyber fighters” can help legal resources teams, risk managers, senior executives, and other stakeholders navigate the often-murky waters of the digital high seas. A member of this “nerd herd” can be your new best friend.
Cyberattack Basics: SamSam Ransomware Attacks
Let’s take a step back and look at what a cyber-related case may look like when it washes up on your shore. Obviously, there have been a number of cyber incidents involving high-profile organizations (e.g., Anthem, Target, Equifax) that have led to litigation, but the potential for litigation is a risk for any organization. The following is a summary of a fairly complex but potentially lesser-known recent case that resulted from a cyber event.
An electronic health-care record provider (the cyber victim) was sued by medical institutions and health-care providers as a result of a SamSam ransomware attack that it suffered, which effectively shut it down for over a week. As a result, thousands of the cyber victim’s customers were unable to access patient and client information for the duration of the event. During this time period, the victim’s customers had to find alternative methods for their administration of patient health-care records, resulting in a considerable disruption to health-care delivery.
The key facts of the cyberattack are as follows:
- SamSam is frequently involved in cyberattacks within the health-care industry and has characteristics that lead cyber investigators to believe that attacks using SamSam are often manual.
- While the cyber victim hasn’t publicly acknowledged the original point of compromise, a remote desktop protocol (RDP) attack is often the point of entry for a SamSam attack. RDP is a tool included by default in Microsoft Windows that allows a user to connect remotely to a computer system. An attacker will find a computer in the environment that is RDP accessible, attack that machine, and take it over. The attacker will then use the compromised machine to remotely connect to other systems in the environment. RDP is quite susceptible to brute-force attacks in its default configuration.
- Once the attackers have access, they are likely to use hacking tools (e.g., Mimikatz and PowerShell Empire) to survey the environment and identify potential high-value systems and information technology (IT) infrastructure targets from which to launch a ransomware attack with the maximum potential business impact. Mimikatz is a free tool that allows an attacker to view and steal user names and passwords. Logging into your bank account? Sure thing, it will capture that information. Checking your email? You guessed it—your credentials are compromised. PowerShell Empire is a tool known to be used during cyber incidents to maintain persistence within a compromised environment and allow the unauthorized user(s) to easily use other tools to perpetuate an attack.
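One way a forensic examiner corroborates the RDP entry point described above is to look for bursts of failed remote-interactive logons in the Windows Security log, followed by a success from the same source. The following Python is an added illustration, not code from the article; the event records, the threshold, and the time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records (not real data):
# (timestamp, event_id, logon_type, target_user, source_ip)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2019-03-01T02:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2019-03-01T02:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2019-03-01T02:00:14", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-03-01T02:00:20", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-03-01T02:00:27", 4625, 10, "backup", "203.0.113.7"),
    ("2019-03-01T02:00:33", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-03-01T02:01:02", 4624, 10, "administrator", "203.0.113.7"),
    ("2019-03-01T08:15:00", 4625, 10, "jsmith", "198.51.100.20"),  # one typo
    ("2019-03-01T08:15:30", 4624, 10, "jsmith", "198.51.100.20"),
    ("2019-03-01T09:00:00", 4625, 2, "svc-sql", "127.0.0.1"),      # local, not RDP
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for each source that produced at least
    `threshold` failed RDP logons inside any `window`-long span, noting
    the usernames tried and whether the same source later logged on."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, user, src in events:
        if logon_type == 10:  # only RemoteInteractive (RDP) logons
            by_source[src].append((datetime.fromisoformat(ts), event_id, user))
    findings = {}
    for src, recs in by_source.items():
        recs.sort()
        failures = [r for r in recs if r[1] == 4625]
        for i, (start, _, _) in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - start <= window]
            if len(burst) < threshold:
                continue
            findings[src] = {
                "failures": len(burst),
                "users": sorted({u for _, _, u in burst}),
                "success_after": any(r[1] == 4624 and r[0] >= start for r in recs),
            }
            break
    return findings

if __name__ == "__main__":
    for src, f in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        flag = "FOLLOWED BY SUCCESS" if f["success_after"] else "no success seen"
        print(f"{src}: {f['failures']} failed RDP logons, users={f['users']}, {flag}")
```

A source that fails repeatedly across several account names and then succeeds is the pattern worth handing to counsel as the likely initial access event; a single failure followed by success (the second source) is ordinary user behaviour.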
This example illustrates the challenging technical vernacular that attorneys encounter in cyber-related cases. As such, it is important for attorneys to identify a trusted adviser who can provide insight into the cyber event and be a translator and guide on this journey.
Breach-Related Litigation Stats
The 2019 Data Breach Litigation Report, published by Bryan Cave Leighton Paisner, includes several intriguing takeaways about the landscape of litigation related to data breaches:
- The percentage of publicly reported breaches that led to class action litigation has risen annually:
  - 2016: 3.3 percent
  - 2017: 4.0 percent
  - 2018: 5.7 percent
- The complaints mainly involve two to four high-profile breaches.
- The number of unique defendants per case is rising (26 unique defendants in 2017 and 36 unique defendants in 2018).
These facts indicate that although the number of cyber-related litigations isn’t extremely high, the number of lawsuits has been increasing along with the number of unique parties named in the lawsuits. These statistics reflect the increased likelihood of litigation and regulatory defense costs noted in NetDiligence’s 2018 Cyber Claims Study, which are summarized in figure 1.
Figure 1. Average legal and regulatory defense costs (2013 to 2017)
Likely Future Cases
While it is always difficult to predict new cyber-threat vectors, past trends are a good indicator of future cases. The following list contains a few examples of cyber issues that likely will increasingly lead to litigation and regulatory fines:
- Business email compromises. Companies are falling victim when an attacker compromises one or more email accounts as a result of a phishing attack. The attackers can effectively take over the user’s account and download all mailbox data or use their access to imitate the legitimate user and redirect financial transactions.
Figure 2 shows the true financial impact of email account compromises, along with the resulting financial fraud, which is leading to more civil litigation between parties as victims try to reclaim losses. As a result, regulators are increasing pressure to investigate these types of events. In addition, more litigation is being contemplated by the third parties who lost money or did not receive payments and are trying to recover some of the loss from another entity.
Figure 2. Business email compromise losses
- Industry-specific compromises. As noted in figure 3, there is a significant risk to entities in the professional services (e.g., law firms and accounting firms), financial services, and health-care industries, which together account for nearly 50 percent of data breaches. These industries are especially targeted due to the type of data that can be found and stolen. For example, personally identifiable information (PII) and protected health information can be sold on the deep and dark web—and can lead to significant fraud against the aggrieved party.
As a result, there is an increased potential for investigations or litigation surrounding these cyber incidents. The statistics in the Bryan Cave report show a consistent theme: cyber incidents relating to PII accounted for 78 percent and 82 percent of litigations in 2017 and 2018, respectively.
Figure 3. Cyber incidents per industry (2013 to 2017)
Breach Triage: Key Points
With cyber threats evolving and becoming more prevalent, what should you do to prepare yourself to handle a cyber-related matter? Attorneys will best serve their clients if they not only understand a number of the more technical details, some of which are best rooted out by a forensic cybercrime expert, but also become versed in leading practices in triaging a cyber-related matter.
Specially trained cyber warriors—the nerd herd—can help attorneys decipher key data points, such as the following:
- Understanding the attack scenario
  - What are the characteristics of the attack method (e.g., automated versus manual, credential harvesting versus data exfiltration)?
  - How did the attacker gain access to the environment?
  - What actions did the attacker take once inside?
- Evaluating the entity’s response to the cyber event
  - How timely was the response?
  - Did the entity actively identify potentially compromised systems? Did the entity interrogate them to determine which actions the attacker performed?
  - Was the entity using adequate tools to identify potential attacks and malicious software?
- Evaluating the recovery and remediation approach
  - Did the entity have secure backup copies of key systems to get affected systems back online in a timely fashion?
  - Did the entity make sure that all compromised accounts were reset and ensure that all compromised systems were remediated or rebuilt to prevent future attacks?
  - Were changes made to harden the environment and make it more difficult for another attack?
Many people with a technical IT background can answer most of these questions. However, experienced forensic professionals do more than establish a timeline of the attacker’s actions: they maximize effective cyber-event mitigation by quickly discerning and communicating the relevance, importance, and overall impact of those actions on the victim’s systems.
Sean Renshaw leads the digital forensics and incident response (DFIR) practice and oversees global operations for cybercrime and data breach investigations, digital forensics, and incident response services at RSM US LLP in Chicago, Illinois.