As cyber criminals become ever-more sophisticated, approaches to cyber security are evolving. This means re-evaluating the way your organisation deals with different types of attacks and developing playbooks for various scenarios.

Our National Technology Forensics Manager, Phil Magness is in the hot seat for the first episode of our Corrs Cyber Playbook Series and says a one-size fits all approach could prove to be costly indeed.


Phillip Magness: Corrs Chambers Westgarth – National Forensic Technology Manager, Melbourne

The traditional approach where a threat occurs or where someone may believe that someone inside their network is to simply contain them. Shut them down, remove them as soon as we can because, of course, we don't want data loss, we don't want data to leave the organisation and be in the hands of a third party and if you can, of course, prevent that you will do everything in your power to do so.

But the problem is the average timing from detection up to when the person was first in the network or attacker or attackers could be I think the average could be 400 days in this country, 90 days globally. So that person has been there for 90 days they have had 90 days to be within your network, they have had 90 days to scope, you don't know exactly where they are so the instinctive approach is, well the modern approach now is what we call is threat hunting, that is to look and employee agents and employ experts like myself and experts like Mandiant and other companies to go in and to scope your entire network, to work out where the attackers are and where they have a foothold.

Because to contain them in one part they will just pop up somewhere else and in doing so you run a number of other risks. You run the risks that firstly they may take all your data on one big hit and leave, exfiltrate faster, secondly they might become destructive so all the evidence we are hoping to gain the log file data, the forensic artefacts will be wiped furtively and they become very, very upset and simply try to hide all their tracks and start being destructive. So the traditional approach of containing them and alerting your attacker to your knowledge of them really needs to change.

Now that doesn't apply to all cases because for example if you have a crippling ransomware which is running rampantly your company the first thing you need to do is you need to stop it. That is an example of an overt action where they are virtually announcing their presence by encrypting their system. Where there is a virus through the network, where there is a phishing email that has been sent - they are overt actions by an attacker and so where an overt action happens well you maintain and contain that as soon as you can. When they are quiet and you believe they are in there you must take a different approach. I think that is where it has to change and the mindset has to change.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Chambers Asia Pacific Awards 2016 Winner – Australia
Client Service Award
Employer of Choice for Gender Equality (WGEA)