Engage early with police on cyber crime, business told

Businesses should approach law enforcement as early as possible about cyber crime, even before they are targeted, according to an expert panel

Businesses should engage as early as possible with law enforcement on cyber crime, an expert panel has told Infosecurity Europe 2016 in London.

“The sooner we can become involved the better,” said Garry Lilburn, detective inspector, cyber crime unit, Metropolitan Police.

Current reporting mechanisms are “clunky” and there are plans to replace them, he said, but in the meantime, businesses can make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide or the Met Police for cyber crime in London (0207 230 8129).

“Businesses can call us to discuss what is happening and get advice without having to officially report a crime and without fear of it leaking to the media or regulators,” said Lilburn, adding that some of the biggest cyber crime cases his unit has worked on have never been reported in public.

“If businesses contact us about cyber crime in action, we can advise them on how to mitigate the attack, preserve evidence, and how to communicate with cyber extortion gangs and even the media if necessary in the case of high-profile attacks,” he said.

However, Lilburn said businesses should engage with police even before they are targeted by cyber criminals.

“We offer a service of conducting table-top exercises with businesses so they can experience what it is like to work with the police in the event of an attack by cyber criminals and learn what kind of information we will need and the kind of questions we will ask,” he said.

Businesses should also develop plans for engaging with law enforcement before they are targeted by cyber criminals, and practise those plans in the same way they do fire drills, said Kurt Pipal, assistant legal attaché, office of the legal attaché at the FBI.

“Businesses should ensure they understand what law enforcement can do for them, what investigators are likely to ask for, and what they can do to help any investigation,” he said, adding that they should get their legal counsel involved because they are going to be one of the first points of contact with the police in the event of a cyber criminal attack.

“Many firms fear reputational damage and media exposure, but engaging early with law enforcement before anything happens often alleviates many of these types of concerns and makes them more comfortable in working with law enforcement when they are attacked,” said Pipal.

Police encourage information sharing

Rik Ferguson, advisor to Europol and vice-president of security research at Trend Micro, said businesses can be an important source of information for law enforcement about cyber crime, especially in the financial, hospitality and travel industries.

Just as security firms proactively engage with law enforcement about cyber crime trends and techniques they are observing, he said, ordinary businesses can provide valuable information to law enforcement to enable them to understand better how cyber criminals are operating. 

“Most businesses in the UK tend not to contact the police about cyber crime until after they are targeted by cyber criminals, but at the same time, law enforcement could be doing a better job in raising awareness about who businesses should contact when they are hit by cyber crime,” he said.

Business engagement with police is critical, especially when it comes to protecting sensitive data such as customer records, said Tom Mullen, head of cyber response and security operations at Telefonica (O2) UK.

“We work regularly with other telcos and the police to ensure that our network is as secure as possible and to keep up to date with how cyber criminals are operating,” he said.

Mullen said although reaching the right person within the UK police has taken time in the past, there has been marked improvement in the past 18 months.

“We are seeing more engagement from the police and we are getting more feedback than in the past about cyber crime trends, and what police expect from us and how we can help them with their investigations,” he said.

No international boundaries

Cyber crime is almost always international in nature, but that should not put businesses off reporting cyber criminal activities, even if they appear to be coming from overseas or conducted through anonymising proxies, said Lilburn.

“Although the attacks were worldwide, the UK led an international investigation into the DD4BC cyber extortion gang and arrests have been made,” he said.

Lilburn said that while international boundaries can be frustrating, they can often be bypassed by working with international partners.

“Just because cyber criminals are located in other countries or appear to be anonymous, businesses should not assume we will not be interested or that we will not be able to take action against those responsible,” he said.

Many of the recent botnet takedowns involving the FBI have been the result of international law enforcement agencies working together, said Pipal.

“While cyber criminals may be based in countries where we cannot reach them, they also like to go on vacation, and often they go to countries where we do have the ability to make arrests, so businesses should talk to law enforcement about the cyber criminal activities they are seeing,” he said.

Cyber criminals raise their game

Ferguson said commercial business has been the first sector to benefit from big data analytics, but cyber criminals are now using similar techniques to improve their operations too.

“Law enforcement should learn from this and also begin to find ways to collect information about bad actors that can be queried by law enforcement agencies around the world,” he said.

Businesses can do their part to help law enforcement, said Pipal, by ensuring that they understand their own IT networks and data assets, and by ensuring they do not do anything to destroy evidence such as logs before investigators are able to have a look.

“Most businesses are focused on restoring normal business operations, rather than preserving and collecting evidence and understanding the true nature and scope of the cyber breach before beginning mitigation and remediation processes,” he said.

Telefonica’s Mullen said a key part of any incident response plan should be collecting the right information for law enforcement and providing guidance for them on how the company’s IT systems work and how the network is structured.

Trend Micro’s Ferguson said businesses can help law enforcement and improve their cyber security at the same time by ensuring they have a contextual view of what is happening on their network and an ability to track the progress of criminal activity.

“And while it is important to have an understanding of the company network, businesses should also be mapping their third-party relationships so they can show law enforcement which third parties have access to their network and systems, because attacks are often conducted through third parties that may not have the same level of security as the target organisation,” he said.

Many of these third parties are small and medium enterprises that work as suppliers or partners to larger organisations, but these businesses typically do not have the same level of security awareness or resources as their bigger partners, said Ferguson.

“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums and the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team, Cert-UK, smaller businesses do not,” he said.

Ferguson said it was important that this gap be addressed to raise awareness among smaller companies about how to engage with law enforcement, how to collect evidence and how to mitigate attacks so they don’t become a security risk for their business partners.
