Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson offers an introduction to the legal considerations that must be taken into account during an incident response. Bottom line: the incident response MUST be legal, as anything illegal may render evidence unusable during legal proceedings and may cause even more harm to the organization than the incident itself. With incident response, remember the Fourth Amendment, whose ultimate goal is protecting privacy and freedom.

Video Transcription

00:04
Hello, Cybrarians. Welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for the legal aspects of incident response.
00:16
So one of the first things we want to look at is the legal aspects, or legal considerations, when it comes to incident response. So first and foremost, every type of action that is performed during your incident response must be legal.
00:30
So any type of illegal action that you're taking as you're going about your incident response process could render any type of evidence that you collect inadmissible in future legal proceedings.
00:44
So going back to that first bullet point: incident response must be legal.
00:50
Um,
00:51
your organization may span different jurisdictions; it may span globally. So as an incident responder, you have to be aware of all the applicable laws, rules, and procedures that apply to your organization. That could be numerous laws and rules.
01:11
So as incident responders, you have to be aware of those.
01:14
You may not have to know every single one of them, because that's what your legal counsel is there for. But you do have to be cognizant of some of these basic rules and know when to actually seek out that legal counsel.
01:26
For instance, if you have something that happens to your organization, where someone has stolen some type of data or perpetrated some crime against your organization,
01:36
you may want to take that person to court either criminally or civilly.
01:41
And if you do take certain actions that are illegal, any evidence that you gather might actually be thrown out of court, which could damage your case.
01:52
Worse, any type of illegal action that you take might actually pose a greater threat to your organization than the initial incident itself.
02:00
And if you go back to one of our first discussions where we talked about the damages posed by incidents to an organization,
02:08
one of the slides that I had shown showed an iceberg, and the tip of the iceberg had all the known damages, and the below-the-surface damages were where most of the costs of incident response were.
02:24
So if you're conducting your incident response in an illegal manner, some of those hidden costs might be media relations, if your incident response goes bad or illegal and it gets out that your organization wasn't following the law.
02:42
So also,
02:45
the individual whom you're trying to build a case against: if you violate that person's rights, he may in fact bring legal action against you and further damage your organization.
02:55
So another aspect, another legal consideration, we want to talk about is hack backs.
03:01
So a hack back is essentially where an organization is going to destroy an information system or hack into an information system that they believe
03:12
hacked them.
03:13
Now, it doesn't happen often, but it does happen. There haven't been any prosecutions that I'm aware of for this occurring, but nevertheless it is illegal, and it does set your organization up for
03:28
some type of legal ramification if and when the federal prosecutors do want to pursue this.
03:36
And also, on top of this, if you're doing a hack back, you may not necessarily be harming the actual attacker who's taken information from your organization. Oftentimes in hack backs, or these hacks,
03:52
individuals who perpetrate these crimes are using someone else's server, who is more than likely unaware that their server is being used for some type of malicious activity. So if your organization starts destroying a mom-and-pop's server, who are trying to run their small business
04:12
in some small town
04:13
and that gets out to the news media, well, obviously, that would be pretty bad for your organization, and it might actually be worse than the initial hack itself.
04:23
So one of the first things that you want to talk about when securing evidence and doing searches as it relates to our incident response is the Fourth Amendment.
04:33
And the Fourth Amendment is essentially the bedrock of privacy when it comes to the U.S. Constitution,
04:42
and the Fourth Amendment provides that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation,
04:59
and particularly describing the place to be searched, and the persons or things to be seized."
05:04
So, a very short statement that actually contains a lot of information. I've kind of highlighted some very important points when it comes to the Fourth Amendment,
05:14
and that is, first of all,
05:15
the Fourth Amendment protects individuals from searches that aren't reasonable,
05:19
and there's lots of case law out there that describes what is and what is not reasonable.
05:25
The Fourth Amendment protects individuals against unreasonable searches. So if you want to know what is and what is not reasonable, it's best to consult your legal counsel, and they should have a good idea and understanding of the reasonableness of a particular search.
05:42
The next aspect that I've highlighted
05:44
is probable cause. And essentially, what probable cause is, is the belief
05:50
by a reasonable and intelligent person that a crime has been committed, which would allow someone to be arrested and/or a person to be searched, or a civil case to be brought against them. So again, that goes to a reasonable-person standard.
06:05
And then the last thing is particularly describing the place to be searched and the persons or things to be seized.
06:12
So if you do get a search warrant,
06:15
you can't just go in and blanketly take everything in the house or search everything that you feel like searching if it is not actually described within that warrant. So the warrant is going to limit the scope of that government search,
06:30
and then you're going to have to stay within the confines of that search.
06:35
Now, all of this applies to
06:39
the government and/or agents of the government. So in your organization, it may not specifically apply to a corporation or a non-governmental organization.
06:50
That being said, if you do have a crime committed against your organization, and you do hope to essentially bring that person to prosecution, and you're consulting with law enforcement, at some point you may actually become an agent of the government,
07:06
even if the law enforcement agency is not actually
07:12
investigating the case but is providing some type of direction. It's important to understand how the Fourth Amendment affects individuals' rights.
07:20
So the ultimate goal of the Fourth Amendment is to protect people's right to privacy and freedom against these arbitrary governmental intrusions. And then private intrusions not acting under the color of government are exempt from the Fourth Amendment. So again, it's a very slippery slope once you start involving law
07:40
enforcement. Once you start going about doing some of these activities,
07:44
it's very important that you understand
07:47
when the Fourth Amendment comes into play. So I would highly suggest that if you do come into some of these gray areas, you consult with your legal counsel.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor