29 August 2024
Even the most cunning criminals usually leave traces – and this is as true in cyberspace as it is in analogue life. Identifying, isolating and evaluating these is the task of forensic IT experts. Having started out as a special task force under the auspices of the investigative authorities, TÜVIT experts are now also following the digital trails of cybercriminals on behalf of companies.
Whenever Claus Krause turns up at a company with his emergency kit consisting of laptop, hard drives and writing pad, this is usually a sign that something major has happened. The forensic IT expert is one of five from TÜVIT who provide rapid assistance in cyber emergencies and set about nailing down hard evidence that can stand up in court. “Most customers only come to us in an emergency, once their data have already been encrypted or their business has been paralysed,” says Mr. Krause, Lead Consultant for Cyber Defence at TÜVIT.
Don't panic!
As a rule, the experts in Digital Forensics & Incident Response are assigned to deal with the fallout from ransomware attacks, in which criminals encrypt data on companies’ IT systems and demand a ransom for their decryption. These attacks have been on the rise for years, often affecting entire industries. “Our ultimate goal is damage minimisation,” explains Mr. Krause. However, notwithstanding all the necessary haste, the first thing the companies concerned need to do is keep calm. “Panic leads to overreactions, which can cause further damage,” says Carsten Keil, Senior Sales Manager at TÜVIT.
Digital search for clues
Based on its experience, the Cyber Defence team has developed a list of questions that the experts systematically work through during their deployments. First on the list are the immediate measures required to secure the operational capability of the company. This is followed by a digital search for clues. Mr. Krause likes to compare this to the crime scene investigation work done by the police after a burglary: A piece of jewellery may be missing, but, at first glance, nothing else seems to be amiss. Then the forensics team will check whether someone has tampered with a window lock, opened and closed the window to gain entry, and perhaps left fingerprints behind in the process. “We do the same at the technical level,” says Mr. Krause. One thing he knows is that “burglars almost always leave traces – even in the digital space.”
The AOK Federal Association of insurers recently called on the assistance of the cyber cops from TÜVIT. AOK is one of the thousands of companies worldwide that use the “MOVEit Transfer” software for data exchange. These include banks, corporations and health insurance companies. At the end of May, this software was affected by a security vulnerability that the German Federal Office for Information Security (BSI) classified as a business-critical IT threat at the second highest warning level (orange).
The cyber cops from TÜVIT set about analysing the digital traces left behind by the responsible hacker group, known as “Clop”, when they accessed the data exchange software. Happily, the security experts were able to give the all-clear, having found no evidence that personal customer information had been leaked. This was an important finding for a health insurance provider like AOK: Data protection violations resulting from cyberattacks always involve high claims for damages, and in disputes over questions of guilt, high insured sums come into play. It is therefore important for the traces to be picked up and recorded in a way that will stand up in court.
Mafia-like structures in cyberspace
Whenever managing directors express their hope that the TÜVIT staff will catch the guilty parties, Mr. Krause reminds them that his team are not the police. “Arresting the perpetrators is solely a matter for the investigative authorities,” Mr. Krause emphasises. “We're talking about mafia-like structures here.” Cyber experts like Mr. Krause are seeing the increasing professionalisation of blackmail gangs, which now operate according to the principles of division of labour and even run blogs on the dark net. “The methods of penetrating corporate systems are becoming more and more sophisticated, and the perpetrators are investing a lot of criminal energy in doing what they do,” says Mr. Krause.
It is not uncommon for forensic IT experts to discover that malware has lain dormant in systems for many years. It’s for this reason that the experts also check corporate IT systems for previously undetected hacker activities as part of a “compromise assessment”; they analyse the risks of a far-reaching security incident and recommend measures to eliminate the threat and address the relevant vulnerabilities. In other words, they ride to the rescue before the digital bombshell can explode.
The emergency kit provides equipment for first aid after a cyber attack for the TÜVIT experts. (Image: © TÜV NORD GROUP)
The human factor
“Aside from the technology, it’s also crucial to communicate and interact with the employees,” says Carsten Keil. “Cyber incidents are a massive liability for managers and employees alike.” It’s important that no blame should fall on individual employees or IT departments, Keil says. But those affected in the hacked companies will often inevitably be on edge.
“A cyberattack undermines our basic need for security,” explains Tiana Schuck, psychologist at MEDITÜV: “If you add feelings of helplessness and a high workload to the mix, massive mental and emotional suffering can result. There’s evidence that a cyberattack can be traumatic for those affected.” This is why Ms. Schuck and her colleagues accompany the cyber cops from TÜVIT to the affected companies and provide their employees with psychological support. The idea is for everyone involved to get through the cyber crisis as unscathed as possible.
Claus Krause is an IT forensic expert who provides first aid in cyber emergencies and collects forensic evidence. (Image: © TÜV NORD GROUP)