Enhancing incident response with legal orders against attacker infrastructure

The issue of delayed response

A common challenge in incident response (IR), particularly in complex cases involving both computer and financial crimes, is the need to deal with multiple parties with different agendas and priorities. While addressing these different equities is critical for achieving a good outcome, this can result in a delayed response. The legal response to cybercrime is often dealt with separately, sometime after the event once the technical response has been addressed, which can leave the victim with limited legal options as the attacker hides evidence and takes steps to conceal the proceeds of crime.

At Mishcon, we take a holistic approach throughout the incident from end to end, dealing with both the technical investigation and remediation elements, as well as the critical legal, regulatory, and communications issues from the outset. MDR Cyber acts as a single point of contact in incidents. There is no need to manage two or three external parties trying to come together and work alongside each other, often for the first time, in a crisis situation. 

Our ‘enhanced’ IR service is distinctive in the market, ensuring a rapid, effective response that addresses the combined legal and technical demands of cybercrime. We offer the capability to go beyond responding to an incident: to pursue an adversary, target attacker-controlled infrastructure, and provide options for proactive recovery of lost funds or data while mitigating any losses.

The benefit of Enhanced IR

IR engagements almost always result in the identification and enumeration of network infrastructure used by the attacker to control malware and host malicious resources. In most engagements, options for collecting information from attacker-controlled hosts will be limited to open sources and passive technical reconnaissance. However, the close working relationship between MDR Cyber and our legal colleagues provides us with options for bringing legal actions against the companies hosting the malicious infrastructure.

Our integrated cyber and legal teams are able to initiate legal actions within hours. Equipped with court orders, we can collect information on the operators of malicious infrastructure, seize web domains, and access data stored on the target hosts. We also use these legal tools to identify wrongdoers and trace stolen funds or data. Combined with gagging orders, these measures keep the attacker unaware of this activity.

While uncommon, there is some history of legal orders being used to inflict disruptive effects on cyber threat groups. Microsoft has previously used co-ordinated infrastructure seizures of this kind to disrupt, and collect information on, the activities of criminals and even nation state intelligence operations. MDR Cyber’s playbooks for IR engagements ensure collaboration with our clients and legal colleagues to review investigative findings and to identify opportunities to use court action to support response activity, which is central to our operational model.

Gaining access to attacker-controlled hosts can also facilitate intelligence development around the attacker’s wider operations, including their other victims, and can even allow those involved to be identified for the purposes of attribution. Skilled attackers understand the importance of maintaining their operational security and will often go to great lengths to conceal their origins when operating inside a compromised target network. However, fortunately for network defenders, maintaining perfect security is difficult, and attackers may get sloppy when interacting with malware control servers they believe they have exclusive access to, leaving traces pointing to their locations or identities. Previous cases where incident responders have gained access to unsecured malware control servers demonstrate the potential value of access to attacker infrastructure for identifying the individuals and organisations behind attacks.

Working alongside a dedicated team of injunction specialists who deal with international crime every day, MDR Cyber can help incident responders develop a much deeper understanding of how an attacker is operating, the tools they are using, and the extent of their access to a client’s network. For incident responders trying to identify and contain compromised hosts across a client’s network, this visibility provides a substantial advantage, particularly if the seizure of attacker-controlled hosts is co-ordinated and run synchronously with wider incident containment activity.

In the best-case scenario, attackers go from believing they are operating undetected to suddenly losing access to their operational assets, losing control of compromised computers, and losing access to the victim’s network. They may also find themselves on the receiving end of the Court’s most powerful injunctions.

As well as collecting information on and disrupting attacker infrastructure, legal action can involve seeking disclosure and freezing orders against bank accounts, obtaining usage data from internet service providers and telecoms providers, and accessing logs for service account usage.

Consultation between the MDR Cyber team and legal colleagues takes place at every stage of the IR cycle, allowing development of response plans which go beyond responding to an incident to enter the realm of pursuing those responsible.

For more information on this or any of our related cyber services please get in touch here.