
File One: A server farm somewhere in Europe

File under: 

  • Physical incident response forensics 

  • International shipping 

  • Going the extra distance 

Your cyber expert
Kevin Groves

Sales Director | Cyber Risk

kgroves@thomasmurray.com

The team was working on an incident response case for a global logistics firm that had suffered a series of cyber-attacks. The team was tasked with conducting the technical incident response.  

Working with legal counsel, and the client’s chief information security officer (CISO), the team was tasked by the client with reducing the impact of the incident and appropriately managing it. The forensics team identified that a significant volume of data had been stolen by the threat actor, and traced the threat actor’s activities to a commercial server farm being used in complete breach of the commercial terms of use. The team identified the geographic location of the server farm; it was near – actually, I can’t tell you where, but it was a large European city. Our team was physically dispatched on an early morning flight to the rough location of the data farm, for the purposes of establishing if there was anything that we would be able to do to support the wider forensic and response efforts.

Further analysis identified a single server where the data was being held. Accompanied by the CISO from the impacted organisation, the team presented the forensic evidence to the server farm’s executives. After consultation, an agreement was reached and the team was permitted physical access to the server farm, so we could remove the server with the stolen data on it. Additional technical efforts by the forensic teams allowed the impacted organisation to recover all its data. 

The incident response was effective only because of the speed of the response by the team, its extensive technical abilities, and its willingness to understand the challenges and work in a creative – but pragmatic – way to assist the client.  

File Two: Identifying a new malware variant (Cactus) 

File under: 

  • Cyber threat intelligence 

  • Detail-focused 

  • Technical expertise 

Cyber security is a rapidly evolving industry. There is a continuous cat-and-mouse game that, for the most part, goes unnoticed. It bubbles to the surface when there is a significant incident, or a seismic change in the activities or impact of threat actors.  

For individual organisations it will become a focus in the event of an incident. What is not seen or widely understood is that an effective cyber security capability and response is only possible if you leverage effective threat intelligence. Threat intelligence is the discipline of capturing data from as many sources as possible, and extracting value and insights from it.  

It requires a level of focus, attention, and experience that many cyber security organisations do not have, and even fewer have the patience to invest in such a practice. Where it is done, threat intelligence is usually done poorly, or done in an incomplete manner and then dressed up as something more than it is. Another, greater, challenge organisations have is that there is frequently a disconnect between the data and the organisation’s ability to leverage it proactively.  

At the heart of cyber security is the need to monitor and understand the speed, directions, trends, and activities of threat actors.  

After tracking new activity across several cases, the team identified unique activity where a legitimate-looking file (one that is always present on a Windows filesystem) was appearing in an unusual place just before an unknown ransomware was executed on the system. This activity was distinctive compared with other known variants, and it caught the attention of the CTI team. The team managed to decode this legitimate-looking file and identified that it was used to pass the launch commands to the ransomware.
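The observation above (a file with a name that always exists on Windows, created somewhere it does not belong, shortly before a process launch) can be turned into a simple detection. The following is an added example, not code from the original case or from the Thomas Murray team; the watchlist of file names and home directories, the log line format, and the ten-minute window are all assumptions chosen for illustration, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption (not from the case write-up): file names that are always present
# on a Windows system, with the directory prefixes where they normally live.
# A file with one of these names outside those prefixes is "a legitimate-looking
# file in an unusual place".
WATCHLIST = {
    "ntuser.dat": ("c:\\users\\",),
    "desktop.ini": ("c:\\users\\", "c:\\windows\\", "c:\\program files"),
}
WINDOW = timedelta(minutes=10)  # how soon a process start must follow the file

# Constructed log format: ISO timestamp, event kind, full path.
LINE_RE = re.compile(r"^(\S+)\s+(FILE_CREATE|PROCESS_START)\s+(.+)$")

# Constructed sample telemetry; the second line is the misplaced file.
SAMPLE = """2024-03-01T02:10:55Z FILE_CREATE C:\\Users\\alice\\ntuser.dat
2024-03-01T02:11:03Z FILE_CREATE C:\\ProgramData\\ntuser.dat
2024-03-01T02:11:09Z PROCESS_START C:\\ProgramData\\update.exe
2024-03-01T03:40:00Z FILE_CREATE C:\\Temp\\desktop.ini""".splitlines()

def parse(lines):
    """Parse log lines into (timestamp, kind, path) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, path = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, path))
    return sorted(events)

def misplaced(path):
    """True if the file name is on the watchlist but the path is outside its home."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    prefixes = WATCHLIST.get(name)
    return prefixes is not None and not any(low.startswith(p) for p in prefixes)

def find_suspicious(lines):
    """Return (file_path, process_path) pairs: a misplaced watchlisted file
    followed within WINDOW by a process start."""
    events = parse(lines)
    hits = []
    for i, (ts, kind, path) in enumerate(events):
        if kind != "FILE_CREATE" or not misplaced(path):
            continue
        for ts2, kind2, path2 in events[i + 1:]:
            if ts2 - ts > WINDOW:
                break
            if kind2 == "PROCESS_START":
                hits.append((path, path2))
                break
    return hits
```

Running `find_suspicious(SAMPLE)` flags only the ProgramData copy of ntuser.dat, because the desktop.ini in C:\Temp is misplaced but has no process start within the window.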

File Three: The eBay bandit 

File under: 

  • Digital forensics 

  • Credit card fraud/theft 

  • Insider threat 

The client was concerned that someone on its senior leadership team was engaging in, let’s say, “potentially fraudulent activities” that were doing the company harm. It waited until this guy booked some annual leave and then called us and said, “We suspect that this person is doing something he shouldn’t. He’ll be away from work on these dates, can you come in during that time and figure out whether we should be worried or not?”  

So initially I was thinking this would be a routine job – you know, no matter what size an organisation is, there will be only so many people who have a corporate credit card. And the client had an inkling that this guy, who was the chief technology officer, the CTO, had been buying laptops using his company card and submitting the receipts as expenses. He was claiming that the laptops were to distribute to people in the company, but the client had no idea where all the machines had been going. After some OSINT work, we found an eBay account where he had a nice side-hustle selling these brand-new laptops at a knock-down discount. It took almost a year before the client spotted that no one in the company had had a new laptop, but they were buying them like they were going out of fashion. 

Anyway, in those circumstances I’d say I can be forgiven for assuming, “well, OK, he’s not exactly a criminal mastermind but at least this will be a straightforward job for us, and we’ll be home by dinnertime”. But then while we were there, working in the company’s office checking all this hardware and software for evidence of the theft, and to prove that the identified eBay account was his, we also found quite a collection of questionable content on company-owned kit that this CTO had access to. Obviously that opens up the client to all kinds of legal and digital vulnerabilities. In the end, it was a burner phone that had been connected to his machine that had the same name as the eBay account that connected all the dots and provided the evidence we needed. 

Anyway, much to nobody’s surprise, he was greeted in the arrivals hall by the police when he came back from the holiday he’d been on while we were doing all the forensic stuff. I am still, even now, surprised by what people think they can get away with.

File Four: “We promise you we’re not just making it up” 

File under: 

  • Digital forensics 

  • National security 

  • Recovery and escalation 

Cyber security forensics is something that is often overlooked. It is sometimes seen as the “unnecessary component” of the incident response process, because it slows the ability of an organisation to fully recover, and in an urgent response the focus can be on getting infrastructure and systems back up and running as quickly as possible – whether they’re ready or not. The reality, though, is that digital forensics is a critical component of the incident response process.

In some countries, I have encountered heads of national cyber security agencies who will privately admit the challenges they have with exactly this – in governmental bodies and industry bodies, in some geographies, there is a known and widely acknowledged lack of expertise at the information and communication officer (ICO) level, and so in the wake of an incident the recovery stage is rushed through, and it leaves the target more vulnerable to further attack. 

So the forensics element and the clean-up stuff is used further down the line with the ICO. It’s not just that we've stopped the bleed, it's that we’ve gone and done the analysis and that all goes into the report to the ICO. So you know, the good lawyers that we work with will take whatever stage you get to, but you need the forensic element to be able to say to the ICO, we're confident that, yeah, this is what we found. Or this is why we haven't found it – or, you know, there's nothing to find for these reasons and we promise you we’re not just making it up!

If they just want to flatten everything, rebuild it, and they want to do it yesterday because they don't really care about recovering, then you've got more of a tension between the recovery and the escalation. That’s when, to be fair, you need lawyers involved. We need to do some investigation because otherwise you can't meet your obligations. 
