
SANS Security Insights

When Investigations Go South

How to avoid legal liability when stumbling into dicey and illegal situations during investigations

By Deb Radcliff, Creative Director, SANS Analyst Program

Stolen credentials, malware forums, human trafficking, drug dealing, child pornography: just about any illegal activity you can think of is facilitated over the dark web. Not surprisingly, the same criminal material also ends up on servers inside legitimate business and government organizations.

Wherever investigators search in cyberspace, they are likely to run into evidence that could make them or their employers legally liable. In this blog, investigators and researchers share their experiences and tips for reducing liability for themselves and their organizations.

Illegal Images

Let's start with child pornography, which is illegal to possess, store or transmit. Yet investigators stumble upon this type of material regularly.

"Too often, general legal counsel wants the investigator to turn illegal images over to them and then kill it, which is illegal," says John Toney, who heads a large cyber investigation practice. "Should one of my investigators come across child porn, it's pencils down, and we notify law enforcement."

Toney's advice: Do not copy, transmit or look at the images once you've found them. Contact law enforcement and your legal team immediately (but don't transmit the images to them). And make sure you have legal protections in place and that everyone involved in the investigation understands the law regarding reporting illegal images.

Avoiding such images altogether is even safer, adds cyber investigator and attorney Mark D. Rasch. But it's hard to know what's inside image files until they're accessed and opened.

One intelligence analyst (who asked to remain anonymous) runs a small company of intelligence gatherers. He built special filters to prevent employees from even seeing illegal, violent images.

"Employees in my organization sometimes have to look at violent and racist videos, so I just wrote a tool that detects the keywords they are looking for," says the analyst. "Now I'm adding an extension that will detect the violent sections they can choose to skip. This protects us from viewing illegal images and also saves us time."
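The analyst's tool itself is not on the page. As an added illustration of the approach he describes (keyword detection over a video's text, turned into sections the reviewer can skip), here is a small Python example. It is not the analyst's code; the transcript segments and keyword list are constructed for the example, and the one-second padding is an assumed design choice.

```python
import re

# Constructed sample: timestamped transcript segments (start_sec, end_sec, text).
# Hypothetical data, not from any real video.
TRANSCRIPT = [
    (0.0, 4.0, "Welcome back to the channel, today we talk about the march"),
    (4.0, 9.0, "then the crowd turned and you can see the assault begin"),
    (9.0, 13.0, "the beating continues as police arrive"),
    (13.0, 20.0, "after that we discuss the court case and the lawyers"),
    (20.0, 25.0, "here is more footage of the stabbing"),
]

# Constructed keyword list; a real deployment would maintain its own.
KEYWORDS = ["assault", "beating", "stabbing", "shooting"]


def flag_segments(segments, keywords):
    """Return the segments whose text mentions any keyword.

    Substring, case-insensitive matching is deliberate: for a filter that
    protects reviewers, recall matters more than precision, so 'beatings'
    should still trip 'beating'.
    """
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    return [(s, e, t) for s, e, t in segments if pattern.search(t)]


def skip_ranges(segments, keywords, pad=1.0):
    """Merge flagged segments into non-overlapping (start, end) skip ranges.

    Each flagged segment is widened by `pad` seconds on both sides so the
    reviewer lands just before and after the violent section, and adjacent
    or overlapping windows are merged into one range.
    """
    windows = sorted(
        (max(0.0, s - pad), e + pad) for s, e, _ in flag_segments(segments, keywords)
    )
    merged = []
    for start, end in windows:
        if merged and start <= merged[-1][1]:
            # Overlaps or touches the previous range: extend it.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


if __name__ == "__main__":
    for start, end in skip_ranges(TRANSCRIPT, KEYWORDS):
        print(f"skip {start:6.1f}s - {end:6.1f}s")
```

Run against the constructed transcript, the two adjacent flagged segments (4-9 s and 9-13 s) collapse into a single 3-14 s range, and the later one becomes 19-26 s; the reviewer sees the ranges, not the footage.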

Mistaken Identity

Investigators sometimes also get caught in the dragnet of a legitimate policing operation, says Rasch.

"When cops show up with guns blaring because they think you are the bad guy, be helpful and cooperative with law enforcement without really giving them anything," he advises. "Staff should direct all inquiries to corporate counsel, even warrants, and the investigator should not consent to a search of systems or files without corporate counsel present. Counsel can also invoke attorney-client privilege, which forces law enforcement to conduct a more sensitive search."

Malware Intrusion

A downloaded remote access trojan (RAT) or other malware is also a liability, particularly if it spreads from the analysis machine into the larger organization's network. So investigators should set up their analysis systems to prevent hostile takeover and spread. (Read my previous blog for more advice from experts on how to prevent malware installation, and check out advice from SANS instructor Micah Hoffman.)

In one case, a red team investigator (who asked to remain anonymous) says he was working for a client, tracking an active ransomware campaign originating from Eastern Europe. He used an intentionally insecure environment to observe the malware sample's worst behaviors.

"While I was analyzing the ransomware's action, I noticed that more than just the typical behavior of ransomware was going on. The attackers had remoted into my server and begun messing with it physically," he says. "When I informed the hacker that he was in a virtualized environment, he called me a bunch of vulgar names, threatened me, then disconnected from the system."

Because the deliberately weak host was an isolated virtual machine rather than a production system, the investigator collected what telemetry he could and erased the VM with no damaging effects.

Bad Clients

Investigators should also screen potential clients. Rasch relays a story from the past when his team flew to a foreign country on a client's behalf. The team uncovered digital evidence revealing that the client who hired them was actually the criminal who was using his own company to launder narcotics money.

"Once we found that out, our team left immediately for the airport and didn't even go back to collect their things at their hotel," he says. "Everything looked legit until we started digging during the investigation."

Another cyber investigator, Bryan Seely, was asked by a husband who wanted custody of his children to find dirt on his wife. Seely instead recorded the husband's request during their meeting and sent it to the man's wife, who used the recording to get a three-year restraining order against her now ex-husband.

These cases go beyond personal and business liability, also raising important moral and ethical issues to consider. Says Rasch, "Do you do security for anyone who pays, or do you investigate ahead of time and make value judgments on who you take as clients?"

