Improving Your Cyber Case Management
IT professionals have a wealth of knowledge about the cyber world. What happens when a data breach or business email compromise cripples their organization? They are now in the middle of a complex cyber investigation. IT crisis managers must manage the investigation, cover secondary security issues, and document the incident. There are standard techniques used in criminal investigations which can improve cyber investigations. This article, by Dr. Roger Mason, explains those fundamentals and how to employ them for more effective cyber case management.
Seven Fundamentals for Cyber Investigation Case Management
by Roger Mason PhD
Effective practitioners in the information technology world need vast amounts of knowledge. They bring impressive technical expertise and understanding to cyber investigations. What is sometimes lacking is experience with case management, that is, how to manage a major investigation. Most companies have a Chief Information Security Officer (CISO). During a cyber incident the CISO may be overseeing the incident or directly managing the investigation. How can they improve the overall management of the incident?
There are standard practices employed in criminal investigations that can improve the management of a major cyber investigation. Successful criminal investigations require someone to manage the investigation. The person managing the investigation is aware of everything that is happening. Their job is to keep the entire effort organized and focused, not to do the investigating. There are seven fundamentals that will improve the management
Everyone Can’t be a Firefighter
One of the biggest challenges in any investigation is deciding who will do what. Cyber investigations present a unique problem. Typically, everyone in a cyber incident comes from the same perspective: applying technical solutions to software or hardware problems. Cyber-savvy people tend to use similar techniques for problem solving.
A common approach is called recognition-primed decision making. People look at a problem and develop a solution based on their experience, and they prefer the kinds of solutions their experience has taught them. If their background is in technical solutions, they will feel most comfortable directly invested in technical problem-solving.
The result is everyone becomes a firefighter. Everyone wants to be directly involved in the technical aspects of the investigation. This is where tech people are most comfortable. First responders deal with this problem every day. Everyone can’t be holding the hose, and everyone can’t be searching for the bank robber. There must be managers to oversee the incident (fire chiefs, incident commanders), logistics people to support and supply the operation, and communications people to collect information and tell the story.
Maintaining Your Balance
During a critical incident it is easy to forget everything else and focus on the crisis. Take a lesson from your local public safety agencies. During any disaster, emergency, or crime, most of the first responders will be at the scene, but a percentage of responders is always held in reserve. This reserve handles routine but high-profile calls for service.
A transportation accident with mass casualties does not mean that people stop having heart attacks, or that residential fires and armed robberies stop. As soon as a major event occurs, the local 911 center begins logging all pending calls for service, prioritized by criticality, and the incident commander monitors this list. Even though the responders are busy with an emergency, life goes on and other priorities must be addressed. For cyber security departments, someone should be assigned to monitor the normal security help desk functions. This safeguard can prevent a small problem from becoming a second crisis.
Keeping Your Focus: The Incident Action Plan
A cyber attack has crippled your organization. Everyone is working on trying to resolve the problem. As time passes, the impact on your organization deepens and the need for a quick resolution grows. As manager, you see a confusing and compounding list of choices, clues, suggestions, best practices, hints, and requests. As the pressure grows you become less organized and more likely to pursue any new lead that could provide the answer.
You become less risk averse in your actions and begin to rely on heuristics, sometimes described as looking at a situation and taking your best guess. This can turn into a series of “Hail Mary” passes in the hope that something will work. The result is that your incident organization dissolves, the investigation slows, and the operational focus is lost. So how do you maintain your focus and keep the investigation moving forward?
FEMA has developed a system called Incident Action Planning. This is a standardized approach to maintaining the focus and progress of incident response. The process should begin each day. The persons leading the investigation review what has happened overnight. This is a situational assessment of what is known and the current state of the investigation or response. Based on these facts, the incident leadership establishes a series of objectives for the next working period (this could be 8, 10, 12, or 24 hours). FEMA calls this an operational period.
The first step is identifying your objectives. Select objectives that can be accomplished at the current resource and personnel level. Then develop action items specifically designed to achieve those objectives. These become the incident action items. Each item should be limited to a specific objective and be measurable. Avoid general action items that cannot be measured (Ex: Action item #3 is “everybody in IT getting this company back online.”). This is a worthy goal, but vague objectives produce action items that cannot be measured.
A better example might be: Action item #3 is restoring email to the executive team. Susan Jones is in charge, with two people from the OPS team. The objective is to restore senior-level email connectivity by close of business. It is clear what the objective is, who is responsible, what their resources are, and when we expect to achieve it. Using the Incident Action Plan approach means you have organized the response, established operational direction, and have a way to measure your progress.
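The following is an added illustration, not code from the article or from FEMA, of how the "specific and measurable" test for action items can be enforced mechanically. The `ActionItem` and `OperationalPeriod` structures, the phrase list, and the sample items are assumptions; the two sample items mirror the vague and the sound action item #3 described above.

```python
"""Check that incident action plan items are owned, resourced, dated and measurable.

Added illustration: the data structures, the VAGUE_PHRASES list and the sample
items below are assumptions and are not part of the original article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Wording that usually signals an item nobody can be measured against.
VAGUE_PHRASES = ("everybody", "everyone", "back online", "as soon as possible", "asap")


@dataclass
class OperationalPeriod:
    start: datetime
    hours: int  # e.g. 8, 10, 12 or 24

    @property
    def end(self) -> datetime:
        return self.start + timedelta(hours=self.hours)


@dataclass
class ActionItem:
    number: int
    objective: str                              # what the item is meant to achieve
    owner: str = ""                             # one accountable person
    resources: list[str] = field(default_factory=list)
    due: datetime | None = None                 # when it is expected to be done
    done_when: str = ""                         # observable test that it is complete


def check_item(item: ActionItem, period: OperationalPeriod) -> list[str]:
    """Return the reasons an item cannot be assigned and measured; empty if it is sound."""
    problems: list[str] = []
    if not item.owner.strip():
        problems.append("no single accountable owner")
    if not item.resources:
        problems.append("no resources assigned")
    if item.due is None:
        problems.append("no deadline")
    elif not period.start <= item.due <= period.end:
        problems.append("deadline falls outside the operational period")
    if not item.done_when.strip():
        problems.append("no measurable completion test")
    wording = f"{item.objective} {item.done_when}".lower()
    problems += [f"vague wording: '{p}'" for p in VAGUE_PHRASES if p in wording]
    return problems


def check_plan(items: list[ActionItem], period: OperationalPeriod) -> dict[int, list[str]]:
    """Map each item number to its list of problems for the whole plan."""
    return {i.number: check_item(i, period) for i in items}


# Constructed sample: a 10-hour operational period starting at 08:00.
PERIOD = OperationalPeriod(datetime(2024, 3, 4, 8, 0), hours=10)

# The vague item from the text: no owner, no resources, no deadline, no test.
VAGUE_ITEM = ActionItem(3, "Everybody in IT getting this company back online")

# The sound item from the text, with an explicit completion test added.
SOUND_ITEM = ActionItem(
    3, "Restore email to the executive team",
    owner="Susan Jones", resources=["OPS team member", "OPS team member"],
    due=datetime(2024, 3, 4, 17, 0),
    done_when="Every executive mailbox passes a send/receive test",
)

# A well-formed item whose deadline slips past the period; it belongs in tomorrow's IAP.
LATE_ITEM = ActionItem(
    4, "Rotate the compromised service account credentials",
    owner="Lee Park", resources=["IAM admin"],
    due=datetime(2024, 3, 5, 9, 0),
    done_when="Old credentials rejected by every integrated system",
)

if __name__ == "__main__":
    for number, problems in check_plan([VAGUE_ITEM, SOUND_ITEM, LATE_ITEM], PERIOD).items():
        print(f"item #{number}: {problems or 'OK'}")
```

Run as a script it prints the vague item's six problems, `OK` for the sound item, and the out-of-period deadline for the late one. The point is not the word list, which any team will tune, but that an item missing an owner, a resource, a deadline or a completion test is rejected before it reaches the plan.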
Documentation
When you are in the middle of a cyber incident you may become overwhelmed by the sheer volume of information and details. You know the information is essential and should be captured, but you don’t have time to take care of it. It is critical that someone be assigned as a scribe to write down what is happening as it occurs.
Selecting a Scribe
The selection of a scribe is often an afterthought. It should be one of the first positions identified in the response. The scribe should be familiar with the types of documentation that will be maintained, what information must be collected, where the data is located and when it will be available.
What Should be Documented?
There are several types of documentation: incident logs, incident/investigative reports, and incident summaries. An incident log is a running chronology of what is happening. The scribe should be responsible for the incident log. It is important to capture what happened at what point in the investigation. Persons directly involved in the event should prepare incident and investigation reports. The reports should include a statement by the persons who initially discovered the problem or anomaly. The person conducting the forensic investigation should also submit reports (this includes any contractors that are involved).
The incident log and the incident/investigative reports provide the data for the daily executive summaries. The summaries are important to keep your executive decision makers apprised of what is happening. These summaries should not be overly technical but should provide the following information:
What Do We Know? These are the facts that have been confirmed.
What Do We Suspect? This is the possible conclusions drawn from a combination of facts and unconfirmed information.
What Do We Want to Find Out? This identifies what information needs to be collected or confirmed.
What Are We Doing? These are the steps being taken to accomplish our objectives.
Informal Documentation
Documentation falls into two broad kinds: informal notes and formal reports/logs. Notes should be used to document meetings, conference calls, and discussions. They are useful in memorializing what happened. During a recent cyber incident that lasted eleven days, I took a variety of notes. I used those notes to prepare a twenty-page after-action report; informal notes are the raw material for formal reports.
Avoid “Refreshing” Your Documents
A common practice when preserving electronic information or documents is refreshing the document: everyone wants it to contain the most current and accurate information. This should be avoided. Each document should be a stand-alone picture of what you knew and the actions you took at a specific point in time. If new information becomes available, the document should state that during the preparation of this report the facts changed.
If you are continually updating and refreshing, you preserve only what just happened and the facts as you currently understand them. This can become a liability issue. If you are called to account for individual actions, it may be difficult to explain what you knew when, and why you made certain decisions. An accurate chronology of events, rather than a single refreshed set of facts, is the record that accounts for the decisions made and the actions taken.
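The following is an added illustration, not code from the article, of the difference between a refreshed document and a chronology. Each log entry records what was known or suspected at a given time and is never edited; a correction is a new entry that names the entry it supersedes. Two things follow: you can reconstruct exactly what the team believed at any earlier moment, and an in-place edit to an old entry is detectable because each entry carries a hash of the previous one. The `IncidentLog` class, its field names, and the sample entries for a hypothetical business email compromise are assumptions.

```python
"""Append-only, hash-chained incident log that preserves what was known when.

Added illustration: the entry format, helper names and the sample entries are
assumptions and are not from the original article.
"""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


class IncidentLog:
    """Chronological record. Entries are never edited in place; a correction is
    a new entry whose `supersedes` field names the entry it replaces."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, when: str, author: str, fact: str,
               status: str = "known", supersedes: int | None = None) -> int:
        """Record a fact as of `when` (ISO-8601, minute precision). Returns its seq."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "author": author,
                 "fact": fact, "status": status, "supersedes": supersedes, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["seq"]

    def verify(self) -> int | None:
        """Seq of the first entry whose chain or hash is broken, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def known_at(self, cutoff: str) -> list[tuple[str, str]]:
        """What the team believed at `cutoff`: every entry recorded by then, minus
        entries that a correction recorded by then had superseded or retracted."""
        visible = [e for e in self.entries if e["when"] <= cutoff]
        superseded = {e["supersedes"] for e in visible if e["supersedes"] is not None}
        return [(e["status"], e["fact"]) for e in visible
                if e["seq"] not in superseded and e["status"] != "retracted"]


def build_sample_log() -> IncidentLog:
    """Constructed sample entries for a hypothetical business email compromise."""
    log = IncidentLog()
    log.append("2024-03-04T09:10", "scribe",
               "Initial access was a phishing email to finance", status="suspected")
    log.append("2024-03-04T10:30", "forensics",
               "Three mailboxes carry forwarding rules to an external address")
    # Day 2: the suspicion is corrected by a new entry rather than by editing entry 0.
    log.append("2024-03-05T08:00", "forensics",
               "Initial access used a stolen VPN credential, not phishing", supersedes=0)
    return log


def tampered_copy(log: IncidentLog) -> IncidentLog:
    """Simulate 'refreshing' an old entry in place; verify() flags the entry."""
    bad = copy.deepcopy(log)
    bad.entries[0]["fact"] = "Initial access used a stolen VPN credential"
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("day 1, noon:", log.known_at("2024-03-04T12:00"))
    print("day 2, 09:00:", log.known_at("2024-03-05T09:00"))
    print("chain intact:", log.verify() is None)
    print("first tampered entry:", tampered_copy(log).verify())
```

The day-1 view still shows phishing as a suspicion, which is exactly what a reviewer needs to see to judge the decisions taken on day 1; the day-2 view shows the corrected fact and the superseded entry drops out. Hash chaining is a tamper-evidence measure, not tamper-proofing: anyone who can rewrite the whole chain can recompute it, so in practice the scribe's log should also be exported or signed at the end of each operational period.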
Being Aware of Transition Points
During an investigation you will reach transition points. A transition point is where something changes that impacts your current or planned course of action. A common problem in criminal cases is the exhausted lead, sometimes referred to as a dead end. This means an avenue of inquiry has been exhausted and, pending new information, it is fruitless to continue pursuing it.
Another type of transition point is a change in available resources. The addition of your security contractor may allow you to pursue multiple lines of investigation. A reduction in your team may mean you no longer have the people to pursue promising leads. Case managers must be tracking the progress of the investigation in case it needs to be concluded, redirected, or changed.
A recurrent issue is responsibility for protecting your cyber assets. One cyber event does not mean there are no new threats. Daily security procedures should not stop because you had a major incident. The necessity of resuming normal operations can itself be a transition. Pursuing a case with the goal of developing attribution is nice, but it may prove impractical given your resources. It may be time to move on to remediation and hardening your defenses. As circumstances and resources change, case managers should be looking for natural transition points to redirect their team’s efforts.
Managing Your Meetings
When you are managing a major investigation, you will have all types of meetings. Meetings are important for information sharing, problem solving, and decision making. There are four tips for managing your meetings.
Identify the Purpose
What is the purpose of this meeting? By establishing the purpose, it is possible to determine who needs to be involved, what information will be discussed, and what you intend to accomplish. Getting people together to “kick some ideas around” is nice but impractical when the ceiling tiles are crashing down on your head.
Have an Agenda
As a manager, the discipline of preparing a meeting agenda will help you to stay focused. The agenda should include what topics will be discussed and who will be responsible for presenting each one. This is useful when off-topic discussion threatens to hijack the meeting. The agenda should include who will chair the meeting and who the scribe will be. The proposed agenda should have the time, location, and any communication links required (ex: conference bridge information). Everyone should be told that they can bring additional topics not listed in the agenda, and a decision will be made at the start of the meeting on whether they will be included.
Take Notes
The scribe should take notes and provide a summary to the meeting chair as soon as possible after the meeting.
Limit Early Morning Meetings
Every day should begin with a review of what happened overnight, followed by a new incident action plan. The IAP ensures everyone is accomplishing something. Avoid general meetings at the start of the business day; everyone not involved will be standing around waiting for directions. If your meeting lasts two hours, it may be mid-day before anything gets done.
Using Outside Assistance
Cyber incidents can happen to an organization of any size. You may have enough personnel to conduct the investigation and remediation/recovery in house. Most companies have a contract with a security company to provide emergency response. A common approach is to bring on the minimum resources you think will solve your problem. This is a risky option: you are betting that you can anticipate how serious the incident is and what direction it may take.
A better approach is to engage outside assistance as soon as it appears the incident could become critical. Each company should pre-determine its levels of criticality. This sets the standard for which response procedures will be used and gives affected employees some idea of what to expect. Criticality factors may include the impact on the business and on supporting activities: for example, an attack on company email, ransomware that has locked up your databases, or a compromise of customer information.
Another factor to consider is the impact on your IT security/service operations. Is everyone involved in the response and investigation? Is there anyone available to handle normal security issues or service tickets? The only solution may be to augment your internal resources with a trusted security contractor.
How should contractors be used? Ideally, your contractors should be used to provide specialized expertise. They should be employed to deal with the cyber event and not used as backfill for regular tasks such as the daily incident tickets from the help desk.
Summary
These fundamentals will not solve a single technical problem. They are designed to help optimize investigative operations. A successful cyber investigation is a balance between technical know-how and effective case management.