In 2019, one in three companies experienced at least one serious security incident, right across all sectors. For a speedy resolution using digital evidence, IT forensics experts are indispensable. Here is how we look for clues, and how companies can prepare for cyberattacks.
Last year, digitalization at Berlin’s Superior Court of Justice came to an abrupt end: after an attack by the Emotet Trojan, the lawyers lost connection to the network and had to revert to analog operations for several months. Security specialists from T-Systems wrote a forensic report at the time: the cybercriminals wanted to tap into sensitive data. To achieve better IT security, we then recommended that the court reconfigure its IT infrastructure and servers.
When companies or authorities call us in for IT forensics and incident handling, it is always about determining the extent of the damage and limiting it, finding the perpetrators and their motives, and analyzing their approach. The IT experts then close the gateways and introduce countermeasures. Absolutely crucial: the IT forensics team must deliver facts that can be proved and used in a court of law, so that the courts do not later reject the digital evidence in subsequent proceedings, and so that companies do not run into problems when claiming for the resulting damages from their insurance company.
When an incident occurs, I recommend that companies keep calm. That is not at all easy when data is at risk or blackmail is involved. But one false step at the outset can eradicate all traces and escalate the damage. My request: close off the scene of the crime for us forensics experts and don’t change anything yourself.
We, too, are not allowed to change, let alone destroy, evidence: data carriers, saved images, or log data. This is why, when securing evidence, we always document and photograph all potentially relevant physical clues as well, because what the environment looked like or which port each cable was plugged into on the laptop may matter at a later stage. Forensics experts work closely with the affected companies. This means that we require the trust of our clients and access to log files, hard drives, laptops, mobile phones, network data and plans, or emails with headers. It goes without saying that a forensics expert also gathers statements from those affected in order to complete the picture. The expert then creates a full forensic copy of the hard drive or secures the laptop itself.
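The paragraph above explains why a forensic copy must be provably unchanged if the evidence is to hold up in court or with an insurer. The following is an added illustration, not code from the author or from T-Systems: it images a constructed stand-in file, hashes source and copy, writes a chain-of-custody record, and shows that a later one-byte alteration of the copy is detected. The examiner name and case id are placeholders.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

# Constructed stand-in for the drive being secured (not real evidence data).
SAMPLE_SOURCE_BYTES = b"MBR\x00" + bytes(range(256)) * 8 + b"invoice.pdf\x00"

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, dest, examiner, case_id):
    """Copy the evidence byte for byte, hash source and copy, and write a custody record."""
    source_hash = sha256_of(source)
    shutil.copyfile(source, dest)
    image_hash = sha256_of(dest)
    record = {
        "case_id": case_id,                       # placeholder value
        "examiner": examiner,                     # placeholder value
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(dest),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,    # copy matches the original
    }
    with open(dest + ".custody.json", "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record

def verify_image(dest):
    """Re-hash the image against its custody record; any later change shows up here."""
    with open(dest + ".custody.json", encoding="utf-8") as f:
        record = json.load(f)
    return sha256_of(dest) == record["sha256_image"]

def demo():
    """Acquire the constructed image, verify it, then show a one-byte change is detected."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "evidence.raw"), os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(SAMPLE_SOURCE_BYTES)
    record = acquire_image(src, img, examiner="placeholder examiner", case_id="CASE-0000")
    before = verify_image(img)
    with open(img, "r+b") as f:   # simulate someone altering the copy after acquisition
        f.seek(10)
        f.write(b"X")
    return record["verified"], before, verify_image(img)
```

Real acquisitions use a write blocker and a dedicated imaging tool; the hash-and-record step shown here is what makes the copy defensible afterwards.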
Consequently, our crime scene is always both analog and digital: in addition to analyzing individual systems, generally workstation computers or servers, the investigation can also stretch to the entire IT landscape made up of hardware, software, services, organization, and planning. Our research looks for traces in the network and on computers. When data crops up in places it doesn’t belong, our ears prick up. Then we drill down deeper and follow the route of the malware: Where did the initial infection happen? How did the virus spread in the company network? Where did it come from? Did it come from inside or outside? Who was attacked, and how big is the damage?
Attacks by encryption Trojans, Emotet, Cryptolockers, or the blackmail Trojan Locky are less complex and actually comparatively easy to defend against. Nevertheless, the attackers always find interesting loopholes: for example, a 17-year-old recently hacked the Twitter accounts of well-known people, including Elon Musk, Bill Gates, Joe Biden, and Barack Obama. The objective was to acquire Bitcoins. Cybercriminals like to use current events as a decoy, such as, right now, the coronavirus pandemic.
When it comes to industrial espionage or governmental sabotage, the perpetrators are more specific in their choice of target and proceed in a much more skillful manner. According to the BSI, companies only detect this kind of Advanced Persistent Threat (APT) after an average of 205 days. That is plenty of time to penetrate deep into the company’s structures and to worm the desired information out of the systems. Employees usually become springboards into the company without realizing it. The attackers communicate with their victims via a spear phishing email. These methods are known as social engineering: the attackers first investigate the recipient, even their private life, so that they can send them a tailored email. The football fan receives a manipulated invitation to a game involving their favorite team, and the controller receives a malicious invoice. In this way the employee, or their computer, unwittingly becomes an internal accomplice of the external attacker.
The Telekom security experts often identify that cybercriminals have infiltrated company systems before external parties inform the companies about it. Digital forensics experts are called in, for example, when customers’ IT administrators notice that the IT systems are behaving differently from normal: the bookkeeper stumbles across transfers for which there are no invoices, the managing director wonders why their company has recently been outbid on every tender, or a competitor from the Far East arrives on the market with an innovation that is remarkably similar to the company’s own design.
Of course, you can never achieve one hundred percent protection against a cyberattack. But with clearly agreed codes of conduct, you can at least limit the consequences.