Incident & Breach Response , Security Operations
Cybercrime Victims: Please Come ForwardPolice Stress Need for Cooperation at Infosec Europe Conference
Has your organization been the victim of a cybercrime? If so, promptly contact police to learn all of the options that are available to help you, law enforcement officials and security experts advised during a panel at the Infosec Europe conference in London.
See Also: Datto RMM: A Security-First Solution
The session was devoted to improving how businesses and law enforcement agencies engage with each other when dealing with "connected crimes."
Speed is of the essence, panelists stressed. "When I [investigated] murders, we called it the 24-hour golden period: You could solve so much of the crime in that 24 hours," said Garry Lilburn, a detective inspector with London-based Metropolitan Police Service's cybercrime unit, which handles "the most serious and complex breaches," including distributed denial-of-service attacks, phishing attacks, and ransomware campaigns. "Cyber is the same. The quicker we get involved, the quicker we can do something."
Lilburn, who serves on the Met Police task force called Falcon - for fraud and linked crime online - said that calling police doesn't mean that victims, or anyone assisting them, need do anything more (see London Police Retool for Cybercrime). "I keep saying to companies: Speak to us. If you speak to me as a police officer, you're not obliged to report that crime," he said. Rather, the initial conversation tends to be devoted to setting expectations, including what sort of information and cooperation police would require, as well as what the victim can expect in return.
After that conversation, "you might say, 'Thanks for that, I'm going to step away,'" Lilburn said. "I get it. Your bottom line is different from what I want to achieve. But the point I try and get across: You've heard of cases that my unit has dealt with - TalkTalk, Carphone Warehouse - but some of the bigger ones, you've not heard a thing about, because we've successfully kept it out of the media."
Lilburn said police advise on all manner of online-related crimes, including hack attacks, online fraud and DDoS extortions. "We've had other cases [involving] blackmail for $8 million in bitcoins. We can bring in our negotiating teams, people who ... know about when to communicate, and what point to communicate ... and they give top advice and you will get that service."
Of course, some cases do go to court, but Lilburn said victim organizations shouldn't shy away from related publicity. "By then, it's usually a positive spin," he said. "It's a good thing for your company; it shows how your company's protection managed to achieve this result and got someone arrested."
Information Sharing Improvements
When it comes to reporting cybercrime to police, panelist Tom Mullen, head of security operations for Telefónica (O2) UK, said he's recently seen significant improvements. "There's more engagement from law enforcement, more intelligence on how to protect their customers' data, what's happening around the world ... and I think we should push this a lot further and work closer together."
Lilburn said that of the cybercrime cases that have been reported to Falcon - meaning victims have come forward - 75 percent have resulted in a "judicial outcome."
Falcon currently has 249 officers, and it's slated to grow to 500, which represents a significant allocation of policing resources to battle serious fraud and cybercrime.
Lilburn urged any U.K. organization that suffers a cybercrime to call the National Crime Agency, or if in London, him directly. He warned that if organizations instead file a report with Action Fraud, which is the U.K.'s national center for fraud reporting, it can take a week before it crosses his desk, due to "clunky computer systems," although he said funding for related improvements has been lined up. Likewise, if cybercrime victims call local police, they may not get accurate advice on how to proceed, he warned.
UK: Suffered a breach? Call cyber officer at NCA: 0370 496 7622 or in London:— Mathew J Schwartz (@euroinfosec) June 9, 2016
0207 230 8129 #infosec16 pic.twitter.com/rjXNy5j3ux
Outside the United Kingdom, security experts on the panel recommended reporting cybercrimes to Interpol, Europol or nations' computer emergency response teams.
Investigators Crave Logs
Kurt Pipal, an assistant legal attaché in London for the FBI, noted that too often, businesses don't know - and can't always provide - even basic technical information about a security incident. "I have yet to respond to a company that can tell me their outward-facing IPs right when I walk through the door, which is surprising," he said.
Pipal said if he can get "logs, outward IPs, where the attack is coming from," then the bureau could use its relationships to help trace the attack back as well as aid victims, particularly if similar attacks had been seen.
One ongoing challenge for many cybercrime investigations has been suspects who reside in countries that don't have extradition agreements with Western Europe or the United States. But Lilburn said that one of the members of his cybercrime unit regularly communicates with law enforcement agencies around the world to help, and the FBI has similar relationships that can see overseas suspects get arrested (see How Do We Catch Cybercrime Kingpins?).
When that doesn't work, law enforcement agencies can wait for suspects to make a wrong move. "As our director says, cybercriminals generally don't live in nice places, and they like to go on vacation," Pipal said.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.