Shifting threat landscapes bring cyber forensics into focus
In the wee hours of a cold Saturday morning on a long weekend in 2020, we received a message from an organisation requesting an urgent call. On the call, we learnt that the client suspected it had become the victim of a cyber-attack and needed urgent assistance.
The first responders from the forensic technology team were rushed to the data centre to assess the situation. They confirmed the suspicion and found that the System Administrator account had been compromised: the attacker had changed its credentials and made himself a Super User.
Over the next 12 hours, the sleuths painstakingly and surgically tried to understand the extent of the damage: how many computer systems and servers had been attacked, how long the organisation had been under attack, the type of attack, the volume and type of data stolen (“exfiltrated”), who could be involved, and so on. Besides bringing operations back up and thoroughly investigating the incident for its root cause, the organisation's other fundamental tasks included regaining control of the administrator's account and identifying any backdoors the attacker had created.
After a day of back and forth between the attacker and the sleuths, control over the servers and computer systems was regained and some available backups were restored, but a large volume of data with no available backup was found locked and, worse, stolen. The attacker had put some of the data on the darknet, both to pressure the organisation into paying a ransom and possibly to sell it to organised or unorganised criminal groups. At some level, the organisation had started to consider ‘negotiating’ a deal with the hacker for the decryption key, so as to at least regain access to critical data that had no backup.
This was one incident, but countless such incidents have taken place over the last 18 months at organisations from the very small to the very large. Cyber incidents are being reported in alarmingly high numbers, and the phenomenon resembles a “Cyber Pandemic inside the Health Pandemic”. Many organisations now count cyber-attacks among the top risks they face.
So, what has caused the rise in the cyber-attacks?
For one, the prevailing “new ways of working” made it imperative for businesses to quickly assess and adapt their security postures. With large numbers of people working over the public internet, access to critical data has been opened up to personal computers and hand-held devices simply to keep the lights on.
Businesses have quickly changed security policies and installed and configured the necessary security devices and software, such as VPNs (Virtual Private Networks), to allow their workforces to keep working. The pre-COVID-19 security posture across people, processes and technology was not necessarily designed to handle such an enormous load and exposure, and this has resulted in an exponential increase in the Cyber Risk Index.
Businesses are allowing their workforces to access the network and data through bring-your-own-device (BYOD) arrangements covering personal computers and mobile devices. Some of them lack a robust strategy and checks for this, because such use cases and volumes did not exist in the past.
Employees also lack awareness and preparedness, and often downplay cyber risks, which can open the door to a flood of cyber-attacks. The major cyber security threats revolve around hacking, malware, spyware and data leakage. A lack of visibility and processes has made it difficult to check whether computer devices have the latest security patches and enterprise-grade anti-virus software. Other factors include poor IT hygiene, high risk through third parties whose systems are not equally robust and secure, criminals having more time on their hands, the development of sophisticated malware to compromise computer systems, and the difficulty of bringing perpetrators to justice because attacks cross borders and ransoms settled in bitcoin or other cryptocurrency leave no trail.
Next, let’s look at who the cyber attackers are and why they attack.
Cyber attackers may be organised or unorganised, acting alone or with others, sponsored by government or non-government agencies, insiders or outsiders, and so on. Many well-known cyber attackers are suspected of having the backing of sanctioned nations or other deep state actors, intelligence agencies, corporate spies seeking business secrets, and the like. Just like other criminals, cyber attackers may carry out attacks for various reasons: greed or financial return, corporate espionage, damaging a brand's reputation, disgruntlement, getting even, or just for fun.
What happens after a cyber-attack?
The pre-attack steps usually include identifying and insuring against cyber risks, good governance, raising awareness, and a robust defence to protect the organisation’s systems. The post-attack incident recovery and security measures broadly include:
1. Detecting the event as early as possible
2. Responding swiftly to the cyber event: first response, identifying and isolating affected IT systems, restoring backups, informing regulators and other stakeholders, and working with insurers (if applicable)
3. Identifying and remediating the root cause
4. Tactical and strategic recovery phases
5. Learning lessons from the cyber-attack and strengthening the systems against future attacks.
Cyber forensic experts assist in investigations, which include the identification, collection, preservation, analysis and presentation of evidence of the incident. Given the increase in cyber-attacks, the inevitable requirement for swift and well-conducted investigations has significantly increased the need for cyber forensic work.
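The preservation step above is where most forensic work is won or lost: once artefacts are collected from a compromised host, the investigator has to be able to prove later that nothing has changed. The script below is an added illustration, not code from the article or from KPMG, of the minimal mechanism behind that: a hash manifest is built at collection time and re-checked before analysis or presentation, flagging every file that has been modified or has gone missing. The evidence files, their contents and the collector label are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images never sit in memory at once


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, collector):
    """Record path, SHA-256 and size for every file under an evidence directory.

    This is the baseline for the preservation step: any later change to a file shows
    up as a digest mismatch. Paths are stored relative to root and sorted so that the
    manifest itself is reproducible and can be hashed as a single object.
    """
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append({"path": rel, "sha256": hash_file(full), "size": os.path.getsize(full)})
    entries.sort(key=lambda e: e["path"])
    manifest = {
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    # A digest over the whole manifest body ties the entries together; in practice this
    # value is what gets written into the chain-of-custody record.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Re-hash every file named in the manifest and classify it as ok, modified or missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for entry in manifest["entries"]:
        full = os.path.join(root, *entry["path"].split("/"))
        if not os.path.exists(full):
            result["missing"].append(entry["path"])
        elif hash_file(full) != entry["sha256"]:
            result["modified"].append(entry["path"])
        else:
            result["ok"].append(entry["path"])
    return result


def demo():
    """Constructed scenario: three collected artefacts; after collection one is altered and one deleted."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample evidence, not real data
            "auth.log": b"Jan 04 02:13:07 host sshd[812]: Accepted password for admin\n",
            "shadow.bak": b"admin:$6$placeholder-hash:18600:0:99999:7:::\n",
            "crontab.txt": b"0 3 * * * /usr/local/bin/backup.sh\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, collector="first responder (constructed label)")
        # Simulate exactly what preservation is meant to catch: evidence altered, evidence lost.
        with open(os.path.join(root, "auth.log"), "ab") as f:
            f.write(b"tampered\n")
        os.remove(os.path.join(root, "crontab.txt"))
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block reports `auth.log` as modified and `crontab.txt` as missing, with `shadow.bak` intact. In a real engagement the manifest would be generated on write-blocked or read-only copies and its `manifest_sha256` signed or recorded out of band, so that the verification step at analysis time rests on something the investigator did not control alone.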
This brings us to the question: how can we be prepared and become resilient to these cyber-attacks?
Criminals will exploit frailty in any system. Organisations would do well to have a robust and comprehensive cyber strategy that includes raising awareness and educating employees on security challenges, conducting cyber maturity assessments, digital forensic readiness, and identification of risks and threats, to name a few. However, despite the best of controls, no organisation is totally immune from such attacks, which can be mitigated but not completely prevented. When an attack is suspected, a swift response is imperative. The organisation should be prepared, through training drills and simulations, to effectively contain and mitigate the impact.
Jagvinder Brar
Jagvinder Brar is partner and head, Forensic Services, KPMG in India. Views expressed in this article are his own.