Law school teaches young minds that most answers are found in case law. While there are a few courses on practical skills, there is almost zero instruction on computers. With the need for cybersecurity lawyers rising, the absence of technology instruction is troubling.
In seminars, I advise attorneys to sit at the table with their clients’ information technology staff and simply listen, ask questions, and take notes. For several years, I enjoyed the experience of being the person with the most questions in every incident prevention, planning, or response meeting. Those questions, the answers received, dry-erase board illustrations, and notes taken proved invaluable. And now, I walk into every situation providing more value than during the previous event.
Unfortunately, almost every interaction with “cybersecurity attorneys” who decline the “sit, listen, and learn” approach results in those attorneys being ignored or, worse, promoting advice with potentially disastrous results. Below are 5 tech concepts attorneys MUST understand in order to provide meaningful counsel prior to or during an incident:
1. Memory Malware. Malware is software designed to do “bad” things within a network. It often arrives disguised as an ordinary file, or named to look like a legitimate executable that the operating system (Mac/Windows) would be expected to run. A class of malware sometimes referred to as “fileless malware” is much harder to detect because it runs only in memory (RAM) and abuses legitimate operating system processes and tools (on Windows, for example, PowerShell or WMI) rather than writing its own executable to disk, so anti-virus software that scans files for known signatures has nothing to match. If such malware entered the system at any time before endpoint detection/anti-virus software was installed, a scan of the disk will not reveal it; only tooling that inspects running memory and process behavior can. Worse, the sudden installation of such software on an already compromised network can signal to the bad guys that the victim knows something is wrong and prompt premature encryption.
2. Domain Controllers. These are the core assets of any Windows network, holding the keys/access to all data on the network. When a user logs in or opens a file stored on a server, the domain controller authenticates that user (checking proof that the user knows the password) and the server then checks the user’s privileges before the file opens. The domain controller stores a credential for every account in its directory database (on Windows, the NTDS.dit file), whether for a user with very limited network access or one with unfettered access. Strictly speaking it stores password hashes rather than the passwords themselves, but for an attacker that distinction barely matters: on a Windows network the hash alone can be used to log in as that user (“pass-the-hash”). Cyber-criminals therefore aim their malware at the domain controllers to harvest (steal) every account’s credential at once. This means that the bad guys can log into the network as the CEO or the receptionist and everyone in between. Malware in a domain controller means that the network owner no longer controls its network; the bad guys do. Resetting user passwords is necessary but not sufficient: any persistence the attackers left behind will simply capture the new passwords, and if they also took the key of the special krbtgt account they can forge authentication tickets (a “golden ticket”) that stay valid until that key is reset twice, regardless of how many user passwords change.
3. System logs. These are digital records of what happens within the operating system, including every login, error message, and application launch. Ideally, every network should retain system logs for a minimum of 90 days, and should forward copies to a central log server that the logged machine itself cannot delete from. The reason is that cyber-criminals know system logs may capture the entry and activity of their malware, and accordingly malware is often designed to clear system logs (without any notification to IT staff) to further hide evidence of its existence. The clearing itself usually leaves a trace, however: on Windows, clearing the Security log writes event ID 1102 and clearing the System or Application log writes event ID 104, and a log whose history suddenly begins on the day of the incident is a red flag in its own right.
4. Firewall Configurations. Firewalls are great. They are designed to work as a digital wall that inspects traffic between networks and blocks whatever its rule set says should not pass. However, and as best said by a client, firewalls are only as useful as their configurations. This means that simply buying a $15,000.00 firewall may not provide much help. A firewall engineer needs to configure the rules so that only the traffic a particular network actually needs is allowed and everything else is denied by default, rather than the reverse. And while it is impossible to intercept all bad activity, even with the best engineers configuring it, firewalls also keep logs of connections allowed and denied, allowing professionals to potentially identify the date, time, source, and destination of an undesired internet connection (one capable of transmitting malware in, or stolen data out). Those logs only exist if logging was switched on and the logs were retained, which is itself part of the configuration.
5. Memory Forensics is Absolutely Required. Memory forensics is the process of capturing an image of a device’s running memory (RAM) while the machine is still powered on, hashing that image so its integrity can later be proven, and then analyzing it offline for evidence of malicious activity. Powering the device off first destroys the very evidence being sought, which is why the instinct to “just shut it down” must be resisted until the capture is done. If you made it through this article so far, you know that malware can evade firewalls and anti-virus/endpoint detection software, as well as erase system logs. Therefore, memory forensics is crucial for any suspected cyber incident, since memory is where the sophisticated malware resides and where the evidence of it survives. There are open-source tools through which to perform memory captures and analysis (the Volatility framework is the best known); however, a skilled and qualified engineer is required to interpret the results. To truly identify and scope a cyber incident, memory forensics is the first and most important step on the journey to recovery.
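The point made in item 2 above (why resetting user passwords alone does not evict an attacker who has dumped the domain controller) can be made concrete with a deliberately simplified model. This is an added example, not code from the original article and not real Kerberos: the directory is a Python dictionary of password hashes, the NT hash is stood in for by SHA-256 of the UTF-16LE password, and a “ticket” is an HMAC under the krbtgt key. The account names, passwords and the rule that one previous krbtgt key is still honored (which is why Microsoft’s guidance is to reset krbtgt twice) are the assumptions the model is built on.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def nt_hash(password: str) -> str:
    """Stand-in for the NT hash stored in NTDS.dit (the real one is MD4 of
    the UTF-16LE password; SHA-256 is used here because MD4 is often
    unavailable in modern OpenSSL builds)."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


class Domain:
    """Simplified domain controller: one hash per account plus the krbtgt key."""

    def __init__(self, accounts: Dict[str, str]):
        self.hashes = {user: nt_hash(pw) for user, pw in accounts.items()}
        self.krbtgt_key = secrets.token_bytes(32)
        self.previous_krbtgt_key: Optional[bytes] = None

    def authenticate_with_hash(self, user: str, presented_hash: str) -> bool:
        # Pass-the-hash: the stored hash IS the credential; no password needed.
        return hmac.compare_digest(self.hashes.get(user, ""), presented_hash)

    def issue_ticket(self, user: str) -> bytes:
        return mint_ticket(self.krbtgt_key, user)

    def validate_ticket(self, ticket: bytes) -> Optional[str]:
        user, _, mac = ticket.partition(b"|")
        # Like Windows, accept tickets under the current OR the previous krbtgt key,
        # so tickets issued just before a reset keep working.
        for key in (self.krbtgt_key, self.previous_krbtgt_key):
            if key and hmac.compare_digest(hmac.new(key, user, "sha256").digest(), mac):
                return user.decode()
        return None

    def reset_user_password(self, user: str, new_password: str) -> None:
        self.hashes[user] = nt_hash(new_password)

    def reset_krbtgt(self) -> None:
        self.previous_krbtgt_key = self.krbtgt_key
        self.krbtgt_key = secrets.token_bytes(32)


def mint_ticket(krbtgt_key: bytes, user: str) -> bytes:
    """Whoever holds the krbtgt key can mint a ticket for any user (golden ticket)."""
    return user.encode() + b"|" + hmac.new(krbtgt_key, user.encode(), "sha256").digest()


def attacker_dumps_dc(domain: Domain):
    """Models a credential dump of the domain controller (e.g. copying NTDS.dit)."""
    return dict(domain.hashes), domain.krbtgt_key


def scenario() -> Dict[str, bool]:
    # Constructed sample accounts; not real credentials.
    d = Domain({"ceo": "Summer2023!", "receptionist": "Welcome1"})
    stolen_hashes, stolen_krbtgt = attacker_dumps_dc(d)
    result = {}

    result["pth_before_reset"] = d.authenticate_with_hash("ceo", stolen_hashes["ceo"])
    d.reset_user_password("ceo", "NewPassword!2024")
    result["pth_after_user_reset"] = d.authenticate_with_hash("ceo", stolen_hashes["ceo"])

    golden = mint_ticket(stolen_krbtgt, "ceo")
    result["golden_after_user_reset"] = d.validate_ticket(golden) == "ceo"
    d.reset_krbtgt()
    result["golden_after_one_krbtgt_reset"] = d.validate_ticket(golden) == "ceo"
    d.reset_krbtgt()
    result["golden_after_two_krbtgt_resets"] = d.validate_ticket(golden) == "ceo"
    return result


if __name__ == "__main__":
    for check, value in scenario().items():
        print(f"{check}: {value}")
```

Resetting the CEO’s password invalidates the stolen hash for that one account, but the forged ticket keeps validating until the krbtgt key has been rotated twice. On a real network the same logic is why incident responders rebuild or re-key the domain rather than simply asking everyone to change their password.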
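Item 3 above says that malware clears system logs to hide itself. The following is an added example, not part of the original article, of the three checks a responder runs over an exported log to find that tampering: the explicit “log cleared” events (Windows Security event 1102 and Eventlog event 104, which are real event IDs), stretches of silence where records were deleted, and whether the retained history actually reaches the 90-day target. The log lines are constructed for the example in a simple `timestamp|log|event_id|message` format, and the account names in them are invented.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample export (not a real log); one record per line.
SAMPLE_EVENTS = """\
2023-12-22T08:01:10|Security|4624|An account was successfully logged on: jsmith
2023-12-22T08:15:42|Security|4624|An account was successfully logged on: svc_backup
2023-12-22T23:40:05|Security|4672|Special privileges assigned to new logon: svc_backup
2023-12-23T01:12:30|Security|1102|The audit log was cleared. Subject: svc_backup
2023-12-23T01:12:31|System|104|The System log file was cleared.
2023-12-26T09:00:00|Security|4624|An account was successfully logged on: jsmith
"""

# Event IDs Windows writes when someone wipes a log.
CLEAR_EVENTS = {("Security", 1102), ("System", 104), ("Application", 104)}
MAX_SILENCE = timedelta(hours=24)     # assumption: a busy host never goes a day without events
RETENTION_TARGET = timedelta(days=90)


def parse(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        ts, log, event_id, message = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "log": log,
                       "id": int(event_id), "msg": message})
    return events


def find_log_clearing(events: List[Dict]) -> List[Dict]:
    """Records proving a log was cleared, with who did it when that is recorded."""
    return [e for e in events if (e["log"], e["id"]) in CLEAR_EVENTS]


def find_silent_gaps(events: List[Dict], max_gap: timedelta = MAX_SILENCE) -> List[Tuple[datetime, datetime]]:
    """Stretches with no records at all. An attacker who deletes individual
    records instead of clearing the whole log leaves a hole like this."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [(prev["time"], cur["time"])
            for prev, cur in zip(ordered, ordered[1:])
            if cur["time"] - prev["time"] > max_gap]


def retention_ok(events: List[Dict], now: datetime, target: timedelta = RETENTION_TARGET) -> bool:
    """True if the oldest surviving record is at least `target` old."""
    oldest = min(e["time"] for e in events)
    return now - oldest >= target


def report(text: str, now: datetime) -> Dict:
    events = parse(text)
    return {
        "cleared": [(e["time"].isoformat(), e["log"], e["msg"]) for e in find_log_clearing(events)],
        "gaps": find_silent_gaps(events),
        "retention_ok": retention_ok(events, now),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS, datetime(2023, 12, 26, 12, 0, 0)).items():
        print(key, value)
```

In the sample the backup service account is seen gaining privileges shortly before both logs are wiped, then nothing is recorded for three days, and the oldest surviving record is only four days old. Each of those is a finding worth putting in front of counsel; none would be visible if the only copy of the log lived on the compromised machine.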
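Item 4 above says a firewall is only as useful as its configuration and that its logs can pin down the date, time and source of an unwanted connection. This added example (not from the original article) models the first-match rule evaluation every packet-filtering firewall performs and runs the same constructed connection attempts through two policies: an appliance left at its allow-all default with logging off, and a hardened policy that allows only the outbound services an office needs and denies and logs everything else. The network ranges, ports and timestamps are invented for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the connection must come from
    dst: str               # CIDR the connection must be going to
    dport: Optional[int]   # destination port; None matches any port
    log: bool = True       # write a log line when this rule matches


@dataclass
class Conn:
    time: str              # ISO timestamp of the attempt
    src: str
    dst: str
    dport: int


def first_match(rules: List[Rule], conn: Conn) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first one that matches decides."""
    for r in rules:
        if (ip_address(conn.src) in ip_network(r.src)
                and ip_address(conn.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == conn.dport)):
            return r
    return None


def run_policy(rules: List[Rule], default_action: str, log_default: bool,
               conns: List[Conn]) -> Tuple[List[str], List[str]]:
    """Returns the decision for each connection and the log lines produced."""
    decisions, log_lines = [], []
    for c in conns:
        r = first_match(rules, c)
        action, logged = (r.action, r.log) if r else (default_action, log_default)
        decisions.append(action)
        if logged:
            log_lines.append(f"{c.time} {action.upper()} {c.src} -> {c.dst}:{c.dport}")
    return decisions, log_lines


LAN = "10.0.0.0/24"       # assumed office network
ANY = "0.0.0.0/0"

# Weak posture: no rules, allow-all default, logging off. A $15,000 box doing nothing.
WEAK_RULES: List[Rule] = []

# Hardened posture: outbound DNS and web only; everything else hits the deny default.
HARDENED_RULES = [
    Rule("allow", LAN, ANY, 53),
    Rule("allow", LAN, ANY, 443),
    Rule("allow", LAN, ANY, 80),
]

# Constructed connection attempts during a holiday night.
SAMPLE_CONNS = [
    Conn("2023-12-24T02:10:05", "10.0.0.25", "8.8.8.8", 53),          # DNS lookup
    Conn("2023-12-24T02:10:06", "10.0.0.25", "203.0.113.7", 443),     # normal HTTPS
    Conn("2023-12-24T02:10:09", "10.0.0.25", "198.51.100.9", 4444),   # workstation beaconing out
    Conn("2023-12-24T02:15:40", "192.0.2.10", "10.0.0.5", 3389),      # inbound RDP from the internet
]


def compare_policies():
    weak = run_policy(WEAK_RULES, "allow", False, SAMPLE_CONNS)
    hardened = run_policy(HARDENED_RULES, "deny", True, SAMPLE_CONNS)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = compare_policies()
    print("weak:", weak[0], "log lines:", len(weak[1]))
    print("hardened:", hardened[0])
    print("\n".join(hardened[1]))
```

Under the weak policy the beacon and the inbound RDP attempt both pass and leave no record at all, so there is nothing for responders or counsel to reconstruct later. Under the hardened policy both are refused and the log carries exactly the date, time and source the article describes.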
With the holidays attracting cyber-attacks while people enjoy their paid leave, breach counsel and cybersecurity attorneys would be wise to read up on crucial tech concepts.