00:03
Hello Cybrarians. Welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for the legal aspects of incident response.

One of the first things we want to look at in the legal aspects are legal considerations when it comes to incident response. First and foremost, every type of action that you perform during your incident response must be legal. Any type of illegal action that you're taking as you're going about your incident response process could render any type of evidence that you collect inadmissible for future legal proceedings.

Going back to that first bullet point, incident response must be legal. Your organization may span different jurisdictions; it may span globally. As an incident responder, you have to be aware of all the applicable laws, rules, and procedures that are applied to your organization. That could be numerous laws and rules. As incident responders, you have to be aware of those, and you may not have to know every single one of them because that's what your legal counsel's there for, but you do have to be cognizant of some of these basic rules and then know when to actually seek out that legal counsel.

For instance, if you have something that happens to your organization where someone has stolen some type of data or perpetrated some crime against your organization, you may want to take that person to court, either criminally or civilly. If you do take certain actions that are illegal, any evidence that you gather might actually be thrown out of court, which could damage your case. Illegal action that you take might actually pose your organization than the initial incident itself.

If you go back to one of our first discussions, where we talked about the damages posed by incidents to an organization, one of the slides that I talked about showed an iceberg, and the tip of the iceberg had all of the known damages, and below the surface were the damages where most of the cost of incident response was. If you're conducting your incident response in an illegal manner, some of those hidden costs might be media relations, if your incident response goes bad or illegal and it gets out that your organization wasn't following the law. Also, the individual whom you're trying to build a case against, if you violate that person's rights, he may in fact bring legal action against you and further damage your organization.

Another aspect in legal considerations we want to talk about is hackbacks. A hackback is essentially where an organization is going to destroy an information system, or hack into an information system, that they believe hacked them. Now, it doesn't happen often; there haven't been any prosecutions that I'm aware of for this occurring, but nevertheless, it is illegal, and it does set your organization up for some type of legal ramification if and when the federal prosecutors do want to pursue this. Also, on top of this, if you're doing hackbacks, you may not necessarily be harming the actual attacker who's taken information from your organization. Oftentimes in hackbacks, or in these hacks, individuals who perpetrate these crimes are using someone else's server, who is more than likely unaware that their server is being used for some type of malicious activity. If your organization starts destroying a mom-and-pop server of people who are trying to run their small business in some small town, and that gets out to the news media, well, obviously that would be pretty bad for your organization, and it might actually be worse than the initial hack itself.

One of the first things we want to talk about when securing evidence and doing searches, as it relates to our incident response, is the 4th Amendment. The 4th Amendment is essentially the bedrock of privacy when it comes to the US Constitution. The 4th Amendment provides that the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.

A very short statement that actually contains a lot of information. I've highlighted some very important points when it comes to the 4th Amendment. First of all, the 4th Amendment protects individuals from searches that are unreasonable. There's lots of case law out there that describes what is and what is not reasonable. The 4th Amendment protects individuals against unreasonable searches. If you want to know what is and what is not reasonable, it's best to consult your legal counsel, and they should have a good idea and understanding of the reasonableness of a particular search.

The next aspect that I've highlighted is probable cause. Essentially, what probable cause is: a reasonable and intelligent person that a crime has been committed, which would allow someone to be arrested, or the person searched, or a civil case to be brought against them. Again, that goes to a reasonable person standard. Then the last thing is particularly describing the place to be searched and the person or things to be seized. If you do get a search warrant, you can't just bill in and blatantly take everything and everything that you feel like searching if it does not actually describe that within that warrant. The warrant is going to limit the scope of that government search, and then you're going to have to stay within the confines of that search.

Now, a lot of this applies to the government and/or agents of the government. In your organization, it may not specifically apply to a corporation or a non-governmental organization. That being said, if you do have a crime committed against your organization, and you do hope to essentially bring that person to prosecution and you're consulting with law enforcement, at some point you may actually become an agent of the government, even if the law enforcement agency is not actually investigating the case but they're providing some type of direction.

It's important to understand how the 4th Amendment affects individuals' rights. The ultimate goal of the 4th Amendment is to protect people's right to privacy and freedom against these arbitrary governmental intrusions. Then private intrusions not acting under the color of government are exempt from the 4th Amendment. Again, it's a very slippery slope once you start involving law enforcement, and once you start going about doing some of these activities, it's very important that you understand when the 4th Amendment comes into play. I would highly suggest that if you do come into some of these gray areas, you consult with your legal counsel.