Blog by Chris Gausden, Arcanum Principal Consultant.
Having been formally trained first as a police officer and then as a government security investigator, I have always been intrigued by how commercial organisations investigate security incidents. Many seem to shy away from taking any type of formal action in response to a security incident, or simply employ the wrong people to carry out an investigation. One of the first mistakes often made is the assumption that the ability to carry out an investigation of any kind is not a skill that has to be formally learned. The other is to assume that the practices and procedures shown in the many entertainment programmes on TV represent investigative and legal best practice, and can therefore be used as a guide to conducting a workplace investigation. So why might you want to carry out a cyber security investigation into a security incident?
There are a number of reasons including:
- Identifying exactly what happened and how it happened including technical root cause analysis.
- Identifying what you might do differently to reduce the probability of it happening again.
- Identifying who, if anyone, was culpable and either providing the evidence required to discipline them or passing the details to an appropriate legal process (Police, corporate legal team, etc.) with a view to prosecution.
Effective investigation skills include a number of seemingly rare attributes. These include the ability to start with an open mind, to follow logical paths of investigation, to use trusted technical specialists where appropriate, to document each step meticulously, and to obtain legal advice at an early stage so as to establish the intended outcome should an individual or organisation be identified as culpable. The last element is crucial in order to ensure that you follow the right investigation methodology from the start.
Unsurprisingly, there are rules that must be followed when pursuing a legal case against an organisation or individual, and the way in which an investigation is conducted will be scrutinised as part of the legal process. If an investigation starts too informally, without following the principles that govern the gathering of evidence in a legal context, it is not always possible to go back later and repeat those early steps the correct way. What starts as an internal disciplinary investigation into the actions of employees can easily end up before an employment tribunal, which has its own rules governing the admissibility of the evidence produced.
The best guidance would be:
- Make an early decision on the reasons for the investigation and expected outcomes.
- Ensure that you use appropriately trained and experienced resources to carry out the investigation.
- Ensure that an empowered employee of the company concerned owns the investigation and monitors progress, making decisions (or escalating them) at each critical stage.
The most useful tool in any investigator's toolbox is a professional digital forensics resource who can be called upon to examine any piece of technology that forms part of the investigation, in order to establish facts such as what data is or was present on it, how it was used and, often, by whom. It is critical that the handling of physical evidence, and the way in which logical evidence of its use is extracted, complies with the law and the rules of evidence if it is to be presented in any legal proceedings. This means that the digital forensics team employed must be trained and qualified to carry out this specialist work, including being recognised as competent to present the evidence derived in court if required.
In the UK, this competence is demonstrated by laboratory accreditation to BS EN ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories. Workplace investigation qualifications are far more varied, and course content can often stray into the world of digital forensics without adequately covering essentials such as the rules of evidence and the limits of a workplace investigator's authority. The two courses below seem to cover a reasonable syllabus as a starting point, but there is really no substitute for experience.
Arcanum have a Digital Forensics laboratory fully accredited to BS EN ISO/IEC 17025 and trained resources ready to give advice and support to your investigation if you ever find yourself in need of professional support.
For more information, visit Arcanum Digital Forensics or call 01902 423601 today.