IR Philosophy and Ethics

Breach at CyberT Corp

CyberT Corp, a global tech giant, woke up to the worst possible breach scenario one summer day, where threat actors were able to perform goal execution without being detected. All the headlines are beaming with "Massive Data Breach at CyberT Corp! Millions of Users Affected!" As panic grips the company, customer data, financial records, internal communications, and company secrets are all potentially compromised. Customers start calling in to find out about the state of their data. The CEO calls the Digital Forensics and Incident Response team to get to the bottom of the situation - contain the breach, identify the adversaries and minimise the damage.

Digital Forensics and Incident Response Process

Phase 1: Containment

The containment phase marks the point when the resolution timer must be started. The DFIR team will have to get into a more drastic form of response known as "nuclear" containment, which occurs as a result of the threat actor having executed their goals before detection, necessitating measures so severe that they often involve taking the entire network offline or isolating all domain controllers and critical systems. The consequences of such containment procedures are profound, causing the business operations to halt in some capacity until the investigation and remediation are complete. It begins a crucial countdown, demanding swift and efficient actions.

In light of this urgency, the DFIR team engages in meticulous procedures. The first step is to isolate and quarantine compromised systems, a proactive measure to prevent the further spread of malware and damage. Once these systems are contained, the team needs to find out how the attackers got in - was it via a phishing email, a zero-day exploit to one of the applications, or was it targeted through an insider threat? Determining the attack vector requires an in-depth analysis encompassing logs, network traffic, and system configurations. It is akin to assembling puzzle pieces left behind after the security breach.

Yet, even as the bleeding is externally stemmed through isolation, the internal damage persists. Malicious processes may still linger on the isolated systems, underscoring the necessity for immediate action before delving into a comprehensive investigation. This is a race against time, acknowledging that while the external haemorrhage is contained, the internal ramifications persist, emphasising the need for surgical precision in the subsequent phases.

Phase 2: Investigation

The DFIR team working on the CyberT Corp breach will have to meticulously gather digital fingerprints left by the adversary, checking every click, keystroke and file accessed. Using specialised forensic tools, they capture hard-disk images, recover memory dumps and collect network traffic. But why is this necessary?

We can look at this as trying to find and connect two ends of a yarn - what the attackers did and what was their entry point. The team dissects recovered malware and data dumps, reconstructs the attack timeline based on the evidence, and tries to find a connection from ground zero of the attack to the goal execution. The process can take weeks or months in order to determine who the bad guys are via all possible TTPs and can often lead to rabbit holes. It is paramount for the investigation to stay on track as we remember that we are against time and repercussions.

Phase 3: Recovery and Remediation

CyberT Corp has to recover from the breach and set up measures to prevent another occurrence. This will involve patching all vulnerabilities found during the investigation process and documenting the findings and recommendations to prevent similar attacks - including improving their incident response process. Customers and stakeholders must be informed about the breach and support provided in amending any sensitive data that may have been compromised, such as passwords and personally identifiable information.

Scenario: The Ephemeral Breach

A cryptic message is plastered all over the screens of Rosy THM Research Lab: “Your secrets are ephemeral, soon to disappear.” Their breakthrough quantum computing prototype, Project Chimera, is missing. No firewall alerts were triggered, and there were no malware traces across the computers. The DFIR team assembles, facing a challenge like never before.

The challenges that face the DFIR team are as follows:

• There is no digital footprint or breadcrumbs left behind. The attack vector seems nonexistent, definitely against conventional cyberattack tactics.
• Lots of pressure is mounting - from investors demanding answers to the breach, the technology community seeking transparency, and rivals spreading whispers of sabotage.
• Project Chimera’s technology, in the wrong hands, could change the landscape of computing. The team must balance the right to privacy and due process with the potential global impact of stolen research.

Ethics in DFIR

Digital forensics and incident response adventures require technical expertise to navigate them, but principles of ethics also shape them. Decisions made shape the trajectory of your investigation and the ethical fabric of the digital world being navigated.

Ethical Principles

Based on our scenario, we shall discuss various ethical principles and their application in DFIR investigations.

Objectivity and Impartiality

The DFIR team has no clear starting point for their investigation efforts, forcing them to adopt a methodology of pure discovery. Analysis of network logs in search of anomalies begins, scrutinising access logs for unusual patterns and scraping through the code of Project Chimera itself. This must be done while maintaining an open mind to discoveries and avoiding preconceived biases.

Preservation of Evidence

The entire organisation, its computers, software and personnel become a hive of evidence. Innovative techniques are employed to capture volatile memory dumps; system logs are analysed in real-time, and every fleeting piece of data is meticulously documented and preserved using advanced forensic tools. Several methods are followed to ensure this:

Chain of Custody

The DFIR team has to map out the project’s data journey, using secure hash functions to verify the integrity at every step and outlining all the responsibilities assigned to resources before the breach and during the investigation.

Metadata Preservation

Files contain hidden stories and details within their metadata. The DFIR team seek to reveal any hidden connections and inconsistencies that may expose the attacker from timestamps, file properties and revision history.

Digital Artefacts Collection

Deleted files, overwritten logs and inconsequential remnants of digital activity are recovered and analysed. The DFIR team has to piece together fragments to uncover the adversary’s digital footprint.

Minimisation of Disruption

Understanding the potential of collateral damage, the team has to isolate compromised systems, contain potential data leaks and implement security measures while prioritising their objective of recovering the project.

Proportionality

In the face of uncertainty, balancing immediate needs with long-term consequences requires the team to prioritise information gathering and analysis before making drastic decisions.

Transparency and Accountability

Regular updates are provided to stakeholders, including government agencies and experts. The challenges the team encounters are openly communicated, ethical considerations applied, and progress documented. This fosters trust and accountability throughout the investigation.

DFIR teams have access to many digital systems and sources of information during any security investigation. Their actions would not only change the status of an organisation but could change the world.

The following duties guide ethical conduct within DFIR teams and offer elements of responsibility during security incidents. The list was obtained from ethicsFirst, and you can follow the link to review their descriptions.

Duty of Trustworthiness

In a cyber breach, the duty of trustworthiness is paramount. It involves building and maintaining trust with stakeholders and ensuring the integrity of the incident response process. Teams achieve this by transparently communicating their actions, methodologies, and findings. For instance, during the Rosy THM Research Lab breach investigation, the DFIR team would document their procedures, detailing the tools used, the forensic artefacts examined, and the rationale behind each decision. This transparency builds confidence among stakeholders, fostering trust in the integrity of the incident response efforts.

Duty of Confidentiality

Maintaining the confidentiality of sensitive information is crucial during a cyber breach investigation. DFIR teams handle vast amounts of data, including personally identifiable information (PII) and proprietary data. To fulfil the duty of confidentiality - implementation of strict access controls, encryption of sensitive data, and limiting the dissemination of information on a need-to-know basis is required. This can even be guided by the Traffic Light Protocol (TLP). Secure communication channels and encrypted storage are employed to safeguard the confidentiality of investigative findings, ensuring that only authorised personnel have access.

Duty to Acknowledge

Acknowledgement is a fundamental aspect of incident response. When a security incident occurs, the duty to acknowledge requires the DFIR team to promptly recognise the severity of the situation, offer a timely response and set expectations for the next update. This involves establishing a clear incident identification and acknowledgement process. Automated alerts, anomaly detection systems, and security information and event management (SIEM) tools are crucial in rapidly recognising and acknowledging security incidents.

Duty to Inform

The duty to inform is closely tied to transparency and communication. DFIR teams must keep stakeholders informed about the progress of the investigation, emerging threats, and mitigation efforts while ensuring confidentiality and that privacy laws and regulations are observed. Regular status updates, incident reports, and briefings contribute to fulfilling this duty. Communication channels may include secure emails, encrypted messaging platforms, or dedicated incident response portals. Timely and accurate information sharing enhances collaboration among team members and external stakeholders, fostering a collective understanding of the evolving threat landscape.

Duty of Coordinated Vulnerability Disclosure

When a team identifies vulnerabilities during a cyber breach investigation, the duty of coordinated vulnerability disclosure comes into play. Instead of immediately publicising these vulnerabilities, the team should responsibly disclose them to the affected parties or vendors by crafting a detailed report outlining the nature of the vulnerabilities, potential exploits, and recommended mitigation strategies. Coordinated disclosure allows affected entities to develop and release patches or countermeasures before publicising the information, minimising the risk of widespread exploitation.

Duty for Responsible Collection

The duty for responsible collection emphasises the need to collect digital evidence in a forensically sound and legally defensible manner. The amount of information needed during an investigation may change, and team members should be able to adjust what they are collecting based on the needs. This involves setting clear policies and procedures for data collection and retention. Teams use specialised forensic tools to collect and preserve evidence during a cyber breach investigation. Chain of custody protocols are established to document evidence handling, ensuring its admissibility in legal proceedings, and only being used for its intended purpose and minimising risk of exposure.

Duty of Evidence-Based Reasoning

The duty of evidence-based reasoning underscores the importance of making decisions rooted in factual evidence. Teams analyse digital artefacts, logs, and other evidence during a cyber breach investigation to form conclusions. This duty requires rigorous adherence to the scientific method in digital forensics. Each step must be meticulously documented and validated, from evidence collection to analysis and interpretation. Evidence-based reasoning ensures that investigative findings are reliable, defensible, and withstand scrutiny in legal proceedings.

Duty to Team Ability

A core duty is building and maintaining a skilled and capable incident response team as incident management evolves. The DFIR team should have resources for ongoing training, skill development, and knowledge sharing. Engaging in regular tabletop exercises, simulated incidents, and continuous learning to stay abreast of evolving threats and technologies contributes to this goal. Cross-training team members on various aspects of incident response ensures a well-rounded and adaptable team capable of effectively tackling diverse challenges in a cyber breach scenario.

Duty of Authorisation

Duty to Respect Human Rights

Respecting human rights is a fundamental ethical duty when dealing with incidents. In cases of cyber breaches, teams must prioritise protecting individuals' privacy and rights. This duty extends to handling digital evidence and ensuring that data collection, analysis, and storage adhere to legal and ethical standards. Anonymisation techniques and redaction help safeguard sensitive information, demonstrating a commitment to upholding human rights throughout the investigative process.

This obligation extends not only to stakeholders and customers but also to employees who use the company's systems. DFIR teams must understand the complex relationship between users and accounts and know when to separate the two. The rationale behind this separation is rooted in the potential for exploitation by adversaries who can compromise a user's account and operate under the guise of that user. This dynamic creates a scenario where an account, seemingly belonging to a legitimate user, might be leveraged for malicious activities without the user's knowledge or consent. This issue raises a vital question during the investigation - who is the account's rightful owner, and is there a need for disciplinary action against them?

By disentangling the user from the account and meticulously investigating the ownership dynamics, DFIR teams can unravel the complexities of potential impersonation scenarios. This proactive approach not only ensures a more accurate attribution of actions but also safeguards individuals from unwarranted consequences arising from malicious activities conducted under the guise of their accounts.

Duty to Recognise Jurisdictional Boundaries

Jurisdictional boundaries can significantly impact cyber breach investigations, especially in a globalised digital landscape. DFIR teams must recognise and respect the legal and jurisdictional constraints that govern their actions. This involves understanding international laws, treaties, and agreements that may impact the investigation. Collaboration with law enforcement agencies and legal experts helps teams navigate jurisdictional challenges while adhering to the duty to recognise and respect these boundaries.

In essence, successfully executing these duties safeguards the integrity of the incident response process and contributes to building a culture of trust, transparency, and professionalism within the DFIR community. By adopting and embodying these duties, incident response teams strengthen their capabilities and uphold the highest standards of ethical conduct in the dynamic and challenging realm of cyber breach investigations.

Case Study

The document below provides a set of case studies highlighting security teams' situations and how the duties discussed above are implemented.

Ethics for Incident Response and Security Teams - Case Studies

While training with the digital forensics team at SwiftSpend Finance, you are presented with a tabletop exercise requiring you to make informed ethical decisions. Deploy the static site by clicking the green View Site button attached to this task to begin. Submit the correct flag at the end to complete your training.

Case Study: RSA Hack

Based on actual events, this case study serves as a rich tapestry illustrating the multifaceted nature of cyber security incidents and the ethical responsibilities entwined with the relentless pursuit of resolution in the ever-evolving landscape of digital threats. Many of the things discussed in the room are evidenced.

The Full Story of the Stunning RSA Hack Can Finally Be Told

Congratulations on completing the IR Philosophy and Ethics room.

In summary, we got a quick recap of the DFIR process and ventured into several aspects that foster effective, ethical practices within response teams. Achieving proper resolution during response activities is backed by understanding risk, policies, legal requirements and effective team training.

Next Steps

In the next room in this module, we will look at various challenges faced by DFIR teams revolving around organisational culture, resource limitations, data visibility and storage retention, anti-forensics, and human error.