A compromised network requires a fast response. Understandably, your immediate actions will focus on removing the threat and restoring normal operations. You may even have met your Service Level Agreement (SLA). But did you know that you are probably missing an important step in the incident management process, one with consequences beyond your team, your organisation and even your state? Kinetic IT's Information Security Manager Peter Yorke looks at the incident management process and the role of law enforcement in cyber crime.
You are an IT Manager in a large organisation. One of your employees, an administrator with a high degree of system privileges, has just been fired for misconduct. He is asked to pack up his belongings and leave the premises, as per your exit process. But nobody revokes his accounts before he gets home, remotely connects to your corporate network and maliciously deletes important business documents.
This situation is quite common: a disgruntled or aggrieved employee attacks the company out of spite, yet the police are rarely informed. In this scenario a technology-related crime, or cyber crime, has been committed, because the ex-employee accessed the organisation's network and deleted files without authorisation. The perpetrator has caused harm to the business, yet you don't feel it is necessary to call the police. Why not?
What if it wasn’t such an obvious attack? Would you feel like reporting a ransomware outbreak, denial of service, or spear-phishing attempt to the police? You might think it’s not important enough for the police to investigate and would not be worth your effort. I’ve heard several comments in my career, such as: “The police won’t be interested in this — it’s way too small for them” or “the offenders are probably overseas, so the police won’t have jurisdiction to do anything”.
But that’s not the case. We look at the reporting of cyber crime and when it’s the right time to contact the police.
Engaging law enforcement
Calling the police as early as possible in the incident management process means you get the best advice on preserving the digital evidence discovered during your investigation, and early notification gives you the best chance of preserving that evidence in a form that is admissible in court. Successful apprehension and prosecution of offenders, along with the subsequent media coverage, can act as a significant deterrent to others considering cyber crime.
It is also well established that cyber crime is woefully underreported, not just in Australia but around the world. The Australian Cyber Security Centre (ACSC) reported that between July 2015 and June 2016, CERT Australia responded to nearly 15,000 cyber security incidents, of which 418 involved national security or national critical infrastructure.
Yet in its annual ACSC Threat Report 2016, the centre clearly states: “While the extent of cyber crime is a significant concern, ACSC notes that high levels of misreporting and underreporting make it difficult to assess accurately the prevalence and impact of cyber crime.”
Consequently, because we do not notify law enforcement of cyber crime at all levels, its true scale is underrepresented to parliament, which in turn means less government funding for police and investigative bodies to build their capability to combat it.
Reporting cyber crime – ACORN
ACORN is the Australian Cybercrime Online Reporting Network, created as a national initiative to help combat technology crime. This online portal allows victims of cyber crime to submit a full report of the incident, have it assessed and then forwarded to the appropriate law enforcement jurisdiction to follow up directly with the victim.
Police triage the submissions and then contact victims with practical advice. They may also ask for additional information, or ask you to run through a series of activities, so that a proper investigation can begin.
You can submit a cyber crime report through ACORN, but before you do so, here are three important things to consider:
1. Maintain a running sheet
Maintain what police call a running sheet: a contemporaneous record of dates and times, every action taken, every decision made and everyone you have spoken to. The police will very likely ask for this running sheet during their investigation, so being prepared helps immensely.
2. Preserve logs
Digital artefacts produced by a system compromise, along with the offender's actions, IP addresses and any other evidence relating to the nature of the attack, will also help. Collect this material before logs are rotated or overwritten, keep it safe, make a copy and store that copy offline. Where possible, record a cryptographic hash (such as SHA-256) of the original data, or digitally sign it, so that you can later prove the copy has not changed. Police will ask for log files and proof of their integrity during the investigation.
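The following is an added example, not code from the original article, of the preservation step described above: copy the evidence files, record a SHA-256 hash and size of each in a manifest together with who collected them and when, and later recompute the hashes to prove the copies are intact. The log lines, host names, IP addresses, account name, case reference and collector name are all constructed for illustration.

```python
"""Preserve log evidence with SHA-256 integrity hashes and verify it later.

Added example (not from the original article). It writes a few constructed
sample log files to a temporary directory, copies them into an evidence
directory with a manifest, and shows that any later change to a preserved
copy is detected.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample logs standing in for what a compromised host produced.
# Host names, account names and IP addresses are illustrative only.
SAMPLE_LOGS = {
    "auth.log": (
        "Mar 3 19:02:11 fileserver sshd[4123]: Accepted publickey for jsmith from 203.0.113.45 port 51022\n"
        "Mar 3 19:02:30 fileserver sudo: jsmith : COMMAND=/bin/rm -rf /srv/shares/finance\n"
    ),
    "vpn.log": "2017-03-03T19:01:58Z vpn-gw: session start user=jsmith src=203.0.113.45\n",
}


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large logs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(source_dir, archive_dir, case_ref, collector):
    """Copy every file in source_dir into archive_dir and write manifest.json
    recording each file's SHA-256 and size plus who collected it and when.
    The copy is re-hashed so a bad copy is caught immediately. Returns the manifest."""
    os.makedirs(archive_dir, exist_ok=True)
    files = {}
    for name in sorted(os.listdir(source_dir)):
        src = os.path.join(source_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(archive_dir, name)
        shutil.copy2(src, dst)  # copy2 preserves the original timestamps
        original = sha256_file(src)
        if sha256_file(dst) != original:
            raise IOError("copy of %s does not match the original" % name)
        files[name] = {"sha256": original, "size_bytes": os.path.getsize(src)}
    manifest = {
        "case_ref": case_ref,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    with open(os.path.join(archive_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(archive_dir):
    """Recompute the hash of each archived copy against manifest.json.
    Returns a list of (filename, problem) tuples; an empty list means intact."""
    with open(os.path.join(archive_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for name, rec in manifest["files"].items():
        path = os.path.join(archive_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((name, "hash mismatch"))
    return problems


def demo():
    """Preserve the sample logs, confirm they verify, then edit one archived
    copy and show the change is detected. Returns (problems_before, problems_after)."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        archive = os.path.join(work, "evidence")
        os.makedirs(live)
        for name, text in SAMPLE_LOGS.items():
            with open(os.path.join(live, name), "w") as f:
                f.write(text)
        # Case reference and collector are constructed placeholders.
        preserve(live, archive, case_ref="INC-2017-0042", collector="P. Example")
        before = verify(archive)
        # Simulate tampering with (or accidental editing of) the preserved copy.
        with open(os.path.join(archive, "auth.log"), "a") as f:
            f.write("Mar 3 19:05:00 fileserver sshd[4123]: session closed\n")
        after = verify(archive)
        return before, after
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (or at least the hashes it contains) somewhere the archive cannot be altered, for example printed into the running sheet or stored on separate write-once media, and hash the originals before copying them; a hash taken only of the copy proves nothing about what was on the compromised system.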
3. Choose a decision maker
Businesses sometimes have their own reasons for not wanting law enforcement involved: the board may be concerned about negative publicity, or the CEO may want to keep the investigation private. Whatever the case, make sure that whoever makes the decision, whether the CEO, CIO, a Director or the Board, is contacted early and fully briefed so they can choose the best course of action. Record each of these decisions in your running sheet so there is a record of who decided what.
The bottom line
Reporting cyber attacks to the ACSC gives law enforcement (and the government) a better understanding of the scale of cyber crime in Australia. The reporting process also helps your own investigation, since it poses a series of questions that prompt you to gather the right information. Finally, it gives law enforcement the best opportunity for a successful investigation and prosecution, and a clearer picture of cyber crime in Australia should lead to appropriate funding, legislative reform and public awareness.
About the Author
Peter Yorke is a highly experienced Information Security Manager working for Kinetic IT. He was previously a Police Sergeant in the Technology Crime Services unit of Western Australia Police, where he managed its online operations capability. Aside from being a security manager, Peter is also a keen technologist and ethical hacker.