There are many reasons to report a successful cyber attack to your local police force.
Arguably, Det. Const. Doug MacRae of the cybercrime section of Ontario’s York Regional Police has the best:
“Your tax dollars pay our salary,” he told infosec pros at a conference last month, “so use us.”
MacRae was one of six members of a panel of Canadian and U.S. cybercrime law enforcement specialists who told the recent Toronto Cybersecurity Conference that, regardless of the kind of attack or where the attacker is, police want to hear from victims.
Not all Canadian police departments have the ability to handle cybercrime. But, the panel said, in both Canada and the U.S., local cops know of a regional or national force that can.
“The reality today is that there is interagency collaboration,” said Det. Const. Kenrick Bagnall of the Toronto Police Service’s Co-ordinated Cyber Centre, “and when you report to your local agency, you’re not just reporting to the local, municipal, provincial or even Canadian law enforcement. You’re reporting into a global network of cyber investigators.”
For example, Insp. Lena Dabit, head of the RCMP’s cybercrime investigative team, pointed out that the RCMP is a member of Europol’s J-CAT (Joint Cyber Action Taskforce). It also shares information with the U.S., the U.K., Australia and New Zealand as part of the Five Eyes intelligence co-operative.
“The challenge we face,” Bagnall said, “is that most groups and individuals feel, ‘If I approach my local law enforcement what good does it do, because I know who did this is halfway around the world.’”
That’s why, Dabit said, cybercrime is “grossly underreported.”
Organizations think there is a stigma with being hit, she said, but “there are companies or entities being targeted every day. There’s no shame in it.” In fact, she argued, threat actors are betting organizations won’t report cyberattacks.
“We still have trouble getting co-operation” from victim organizations, she said. “That’s damaging all of us in the end.”
For example, after the RCMP seized cryptocurrency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she said.
“We could have given them their money back,” Dabit said later in an interview, “but they didn’t want the publicity.”
“You control the [public] message” about a cyber attack, she said to organizations. “Be the first one out the gate — ‘We got hit, these are the steps we took, this is how we helped law enforcement.’ So spin it.”
Use some judgment before calling law enforcement, added Det. Sgt. Vern Crowley, outreach manager of the Ontario Provincial Police cybercrime investigation team. Don’t call if you can handle an attempted intrusion. Do call if it’s a breach of security controls involving sensitive data or affecting the organization’s ability to operate.
Any call must go to a police department’s non-emergency line, said MacRae. At York Region, if you can’t get a cyber technical officer on the phone, a front-line officer will take a report and relay it.
“Never, ever hesitate to contact us, even if it’s for questions,” he said. “We will happily share our knowledge.”
Cybercrime is also under-reported in the U.S., said Special Agent Patrick Wilhelm, manager of cyber threat intelligence at the Department of Homeland Security.
Law enforcement won’t report your firm to a regulator, added Special Agent Tanner Hubbard of the U.S. Secret Service. “If we show up, we’re there to help you, not point a finger.”
Depending on the agency, help can range from advice on remediation to assistance restoring data from backups.
Police will want at least some basic information about your systems. The more you can give — copies of log files, disk images of impacted hosts, IP addresses used by attackers for communications — the better.
However, if you want to prosecute, police will want original data, possibly including hard drives.
Panel members stressed that while police may not be able to arrest the crooks, they aren’t powerless.
Armed with information from victim organizations, police and intelligence agencies have been increasingly able to dismantle the infrastructure of a number of criminal threat actors — although some victories are temporary if hackers regroup.
For example, last year Europol’s European Cybercrime Centre helped other agencies around the world take down the botnet distributing the Emotet malware. But by the end of the year it had bounced back.
On the other hand, Bagnall noted that after a ransomware attack was reported to his force by a “well-known Canadian victim,” Toronto police were able to decommission an exfiltration server used by the attackers that was halfway around the world. The victim was spared paying a $4 million ransom.
Wilhelm urged IT and cybersecurity leaders to start making contacts now with the local or regional police they might one day be calling. You don’t want to meet someone for the first time during a crisis, he said.
Even better, Crowley said, is that infosec pros should consider themselves part of the team. “I hereby deputize you all to look after your organization and your employees,” he told conference attendees.