Article by Peter Yorke, Information Security Manager.
A compromised network requires a fast response. Understandably, your immediate actions will focus on removing the threat and restoring normal operations. You may have met your SLA, but did you know that you’re missing an important step in the incident management process, one that has consequences beyond your team, your organisation and even your state? Let’s revisit the incident management process and what the role of law enforcement might be.
You are an IT Manager in a large organisation. One of your employees, an administrator with a high degree of systems privileges, has just been fired for misconduct. He is asked to pack up his belongings and leave the premises, as per your account management process. But you don’t have time to revoke his access before he goes home and remotely accesses your corporate network, maliciously deleting important business documents.
This situation is quite common: a disgruntled or aggrieved employee attacks the company out of spite and malice, yet rarely are the police informed. A technology-related (cyber) crime has been committed, with the ex-employee accessing the organisation’s network and deleting files without authorisation. The perpetrator has caused harm to the business, but you don’t feel it’s necessary to call the police? Why not?
What if it wasn’t so obvious an attack? Would you feel like reporting a ransomware outbreak, denial of service or spear-phishing attempt to the police? You’d more than likely think it not important enough for the police to investigate and not worth your effort. But this is where you’re wrong. There is a distinct lack of understanding in the community around the reporting of cyber incidents, especially about when you should inform law enforcement.
I’ve heard several common excuses in my career, such as, “The police won’t be interested in this — it’s way too small for them,” or “the offenders are probably overseas, so the police won’t have jurisdiction to do anything”. So, when is the right time to call the cops?
Engaging Law Enforcement
Calling the police as early as possible in the incident management process means you get the best advice on preserving any digital evidence artefacts discovered during the investigation. Early notification also offers the best opportunity to preserve that evidence so that it is admissible in court. Successful apprehension and prosecution of offenders, along with subsequent media coverage, can act as a significant deterrent to others wishing to participate in cyber crime activities.
Furthermore, it’s common knowledge that cyber crime is woefully underreported, not just in Australia but right around the world. The Australian Cyber Security Centre reported that between July 2015 and June 2016, CERT Australia had to respond to nearly 15,000 cyber security incidents, of which 418 were related to national security or national critical infrastructure. Yet in their annual report (cited below) they clearly state, “while the extent of cybercrime is a significant concern, ACSC notes that high levels of misreporting and underreporting make it difficult to assess accurately the prevalence and impact of cybercrime.” Thus, because we don’t notify law enforcement of all levels of cyber crime, it is underrepresented in parliament, which in turn means less government funding for police and investigative bodies to enhance their ability to combat cyber crime.
Reporting Cyber Crime – ACORN
ACORN is the Australian Cybercrime Online Reporting Network, created as a national initiative to help combat technology crime. This online portal allows victims of cyber crime to submit a full report of the incident, have it assessed and then forwarded to the appropriate law enforcement jurisdiction to follow up directly with the victim.
Police triage submissions and then contact the victims with practical advice. They might also ask for additional information or ask you to run through a series of activities so that a proper investigation can begin.
You can submit ACORN reports at https://www.acorn.gov.au/, but before you do so, several important considerations will help:
- Maintain what police call a running sheet. Make notes of dates and times, and record all actions taken, decisions made, and to whom you have spoken. The police will likely ask for this running sheet during their investigation, so being prepared will help immensely.
- Preserve Logs. Digital artefacts produced by a system compromise, along with offenders’ actions, IP addresses and any other evidence relating to the nature of the attack will also help. Keep all of this information safe, make a copy, and store it offline (and where possible take a digital signature of the original data). Police will ask for log files and proof of integrity during their investigation.
- Decision maker. Sometimes businesses have their reasons why they don’t want law enforcement involved. It may be because the board is concerned about negative publicity or the CEO seeks to keep the investigation private. Whatever the case, ensure that whoever is making the decision (CEO, CIO, Director, Board Members) is fully briefed and contacted early, so they can choose the best course of action. Update your running sheet with all of these decisions thus keeping a record of who decided to do what.
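As an added illustration of the log-preservation and running-sheet points above (this is example code, not part of the original article or any ACORN tooling), the following script hashes each preserved log file into a manifest that records the custodian and collection time, re-verifies the copies later, and keeps a timestamped running sheet of who did what. The log lines, file name and custodian are constructed sample values.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file so large log archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, custodian):
    """Record hash, size, custodian and collection time for each preserved file."""
    now = datetime.now(timezone.utc).isoformat()
    files = {p: {"sha256": sha256_file(p), "bytes": os.path.getsize(p)} for p in paths}
    return {"collected_utc": now, "custodian": custodian, "files": files}

def verify_manifest(manifest):
    """Re-hash every file; a mismatch means that copy can no longer be vouched for."""
    return {p: sha256_file(p) == meta["sha256"] for p, meta in manifest["files"].items()}

def log_action(running_sheet, actor, action):
    """Append a timestamped running-sheet entry: who did what, and when."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "actor": actor, "action": action}
    running_sheet.append(entry)
    return entry

def demo():
    """Constructed sample: hash a log, verify it, then alter it to show detection."""
    sheet = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "vpn.log")  # constructed sample file, not real data
        with open(log, "w") as f:
            f.write("2016-06-30T22:14:05Z vpn login user=jsmith src=203.0.113.7\n")
            f.write("2016-06-30T22:16:40Z fileshare DELETE fs01/finance/Q4.xlsx user=jsmith\n")
        manifest = build_manifest([log], custodian="IT Manager")
        log_action(sheet, "IT Manager", "hashed %s -> %s" % (log, manifest["files"][log]["sha256"]))
        intact = all(verify_manifest(manifest).values())
        with open(log, "a") as f:           # simulate an accidental later change
            f.write("unexpected extra line\n")
        still_intact = all(verify_manifest(manifest).values())
        log_action(sheet, "IT Manager", "re-verified copy after change")
    return intact, still_intact, len(sheet), manifest

if __name__ == "__main__":
    print(demo())
```

Store the manifest and running sheet with the offline copy of the logs; the manifest hashes are what police will compare against when they ask for proof of integrity.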
Reporting cyber attacks on ACORN will ensure that law enforcement (and the government) get a better understanding of the scale of cyber crime in Australia. The reporting process will also help your own investigation, since it poses several questions that assist you in obtaining the best information. ACORN not only gives law enforcement the best opportunity for a successful investigation and prosecution, but also gives the government a clearer picture of the current state of cyber crime in Australia, which will hopefully lead to appropriate funding, legislative reform and public awareness.
References and Further Reading
Australian Cyber Security Centre Threat Report: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
Section 440A Criminal Code (WA): Unauthorised access to a restricted access computer system.
Division 477 and 478 of the Criminal Code Act 1995 (Commonwealth) deal with offences relating to hacking, denial of service and other unauthorised access.
Submit ACORN reports at https://www.acorn.gov.au/
About the Author
Peter Yorke is a highly experienced Information Security Manager working for Kinetic IT. He previously was a Police Sergeant at the Technology Crime Services unit in Western Australia Police where he managed their online operations capability. Aside from being a security manager, Peter is also a keen technologist and ethical hacker.