How to Respond as a Victim
This article is not a discussion on the standard practices of the "Incident Response Process" that governs how cyber investigations are conducted. This article focuses on the victim and the direction that can be taken to help get their lives back in order and possibly seek justice. The following is a general overview to provide direction in which to begin a response to a cyber incident and should not be taken as legal advice or acted on as such.
There are various forms and degrees of internet or cyber crime. Just as internet crimes vary, their nature usually determines the target. How an individual or organization responds will depend on the type of internet crime. There are two methods of managing internet crime responses, proactive and reactive. By understanding how to respond to an incident, the process can be handled in a manner that will return oneself to normalcy.
A proactive method establishes a plan to be executed upon the event of an internet crime being perpetrated. While incident response plans are more geared towards organizations, having a personal response plan is a good idea. The incident response plan simply provides a documented checklist and procedures on what steps to take to mitigate the damages of an incident and reporting the crime to the appropriate authorities.
Reactive, as the name implies, is a reaction to an unexpected event. Reactive responses are generally more chaotic as the victim doesn't know what actions to take or how to execute those actions.
Confirmation of a Crime
Before any action is taken, verification that a crime has been committed needs to occur. This ensures that false alarms are not sounded in error, which might have legal repercussions of their own.
Some states and municipalities in the United States do have laws against cyber bullying, stalking, and unwanted sexual advances. Seek legal advice on how to properly proceed in these cases. The general recommendation is to first issue a warning to the offender; if the behavior persists, contact local authorities.
If a cyber bullying, stalking, or harassment crime has been committed, any digital transmissions such as texts, emails, instant messages, etc. should be preserved for evidentiary purposes. In cases such as identity and financial fraud or theft, physical documents and digital documents will have to be preserved. Physical documents may include bank statements and credit reporting documents among others.
When an intrusion has taken place, the level of damage has to be assessed. Devices that have been affected should be disconnected from the network. When an organization is affected, the incident can potentially impact business continuity, so evidence should be preserved only as long as doing so does not cause long-term disruption of business operations. Redundancy in the network architecture will help mitigate any disruption as long as no critical nodes have been compromised.
Reporting the Crime
Generally, isolated instances of viruses or malware being found on a personal or business computer will not be pursued by authorities. They may take a report to establish a record of the activity. Reporting these activities also provides security analysts with data that can be correlated with other malicious activity in case prosecution is pursued. Security analysts may take the opportunity to review the actual malware for a more in-depth analysis.
In other instances, contact local law enforcement and file an incident report with the Internet Crime Complaint Center (IC3) at ic3.gov. The IC3 is a reporting office of the FBI that reviews complaints and forwards the report to the appropriate investigative agency. If the receiving agency opts to pursue further investigation, an agent may contact the complainant.
When developing an incident response plan, coordinating with local law enforcement with regard to their standard procedures and protocols will streamline the reporting and investigation process.
If an organization collects and stores personally identifiable information (PII) or falls under the purview of HIPAA, PCI, Sarbanes-Oxley, or similar compliance regulation, informing customers or the public as a whole may be required. Follow the rules and guidance set forth by the appropriate regulating agency and seek legal advice on how to alert consumers regarding the potential disclosure of information.
Investigation and Beyond
If local, state, or Federal agencies opt to conduct an internet crime investigation, there is a standardized process which must take place for the investigation. The process includes validating and capturing digital evidence, analyzing the evidence and systems involved, conducting forensic analysis, then reporting back to the investigating agency. Moving forward, the process will vary depending on the findings of the investigation.
Should a criminal investigation not be sought, an alternative is available to further respond to the incident. There are private sector entities that can be commissioned to conduct their own evidence collection, remediation, forensic analysis, and reporting. These entities operate on the same guidelines that govern law enforcement computer forensics. A private sector forensics entity will pursue direct remediation of the victim's systems and infrastructure to ensure that any vulnerabilities are removed or mitigated. Additionally, the entity will work hand-in-hand with the victim to establish or improve policies and procedures from the lessons learned.
Being the victim of an internet crime is a trying experience. As with any crime, the idea of loss and being a victim can be intimidating, as an individual or an organization.
By changing the security posture of an organization, the risks and exposure of internet crime can be mitigated. The first step is the development of an incident response plan. Retaining a cybersecurity analyst, network security specialist, or private sector entity to conduct a vulnerability assessment of on- and off-premises systems and of internal policies and procedures will help identify any risks or exposure that may exist.