
Organizations should focus on data sharing post-incident, not attribution

Steve Ragan | Aug. 5, 2015
Assistant US Attorney Ed McAndrew shares tips on what organizations should do after a breach has been discovered. The key is information, not attribution.


LAS VEGAS - There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted.

In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead; organizations that focus on this area first are wasting resources and time.

US Attorney Ed McAndrew (DE), who has years of experience working cases dealing with Internet-based crimes, recently spoke to CSO Online and offered some unique insight into the federal side of incident response and what organizations can do to better prepare for law enforcement involvement.

McAndrew says that instead of focusing on who is responsible, organizations should direct their energies towards damage and data loss mitigation, while providing details to law enforcement so they can be the ones to determine who committed the crime, and what actions need to be taken against them - whether that is capture and prosecution or disruption and deterrence.

"Organizations that suffer cyberattacks are victims. Like many other types of crimes, cybercrimes cannot be effectively investigated and prosecuted without the help of victims. The timely and meaningful sharing of information is critically important to our ability to help mitigate these crimes and, to the extent possible, prevent their continuation and recurrence," McAndrew said.

How the breach is detected will vary. Sometimes organizations are informed of a breach by a third party, but some are able to self-detect. No matter how discovery occurred, law enforcement needs to be contacted about the incident, but should the organization contact local or federal authorities?

The question sounds simple, but some smaller organizations, large ones too, might consider state police or even local authorities as the first line of contact. That's wrong.

"Organizations should contact federal law enforcement agencies - particularly the FBI and/or the United States Secret Service. Network intrusions and resulting ID and IP theft are, by their very nature, interstate or international in scope. Cyber actors often victimize multiple organizations during the same time period. Both the cyber actors and the victims are often spread across multiple jurisdictions and countries," McAndrew explained.

By going federal, the organization starts a process that enables an efficient and comprehensive investigation. No case is perfect, but the ability to investigate and document the steps taken on both sides (victim and perpetrator) is critical to attribution, mitigation and prosecution.

