1. Investigating Cybercrime in the UK
Sex, Lies & Cybercrime - A pragmatic perspective.
DI Eamonn Keane.
Cybercrime Specialist Crime Division
2. Agenda
Scottish, UK & Global Perspective!
The current threat landscape!
Incident Planning & Response!
Prevention.
Scotland’s future.
Signposting.
3. Key questions that all CEOs and CISOs should be asking this week?
• "Are we vulnerable to SQL injection, ransomware or DDoS based attacks?"
• "What assurance activity have we done to confirm that we are not vulnerable?"
• "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
• "What assurance activity have we done to confirm this position?"
• "What is our company posture on security?"
37. Reporting of Cyber Incidents
• Incident evaluation and early reporting.
• Police Scotland 101 – Incident No. & Action Fraud.
• Business continuity and impact our prime consideration.
• ICT response and mitigation. Scene preservation?
• Where possible preserve original copies of emails, attachments,
device images and logs.
• Is there a mandatory obligation to report?
• Report to Cert UK / GovCert UK.
• Report to Scottish Government if appropriate.
• Identify point of contact for law enforcement to facilitate enquiries
and evidence gathering.
• Submit attack details to CISP platform if appropriate share.cisp.org.uk
(can assist with mitigation and fix)
39. Cyber Essentials &
Cyber Essentials Plus
Cyber Essentials concentrates on five key controls.
These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
40. Cyber Essentials is not a silver bullet.
However, it will prevent 80% of cyber
attacks.
• Having effective anti-malware means using more than
“signature based” detection. The news reports all state this
ransomware variant was too new for AV signatures. This means
that they were not using heuristics….
• Most, if not all, ransomware relies on systems missing critical
patches.
• In a nutshell, Cyber Essentials would have saved the Council
here. The worst that ransomware should do is a few hours
downtime for one user while you restore from backups.
Everything else means you’ve made major mistakes.
43. Scotland’s Response
• Cyber Policing Structure – NCCU - Regional Hubs
• Police Scotland Cybercrime Strategy
• European & Global Co-operation EC3
• Safer Virtual Communities
• Education
– The Cyber Academy - DFET
– SQA National Progression Awards
– SBRC – Supporting SMEs.
45. Example – Tovar: Protect
• International operation targeting GameOverZeus and Cryptolocker
malware variants.
• These malware variants are estimated to have cost the UK £500
million in losses.
• Coordinated activity across 10 countries led to the botnet behind
the malware being taken offline for two weeks, allowing the public
to take steps to protect themselves (e.g. update anti-virus).
• Combined with extensive global media coverage
• 32% drop in GameOverZeus infections, estimated £100 million in
losses prevented
46. Example – Dermic: Pursue & Prevent
• UK investigation targeting the users of Blackshades, a Remote Access Tool
able to access users’ webcams.
• FBI intel - over 1100 UK-based purchases on Blackshades.
• NCCU coordinated a week of arrests, involving ROCUs, MPS & Police
Scotland, targeting 50+ individuals for Pursue action.
• 20 arrests across 10 Regions.
• Remaining individuals subject to Prevent activity – cease & desist letters,
visits by ROCU & NCA officers, media coverage
• Linked to a global day of action with over 100 arrests in the US, Australia,
Asia & Europe.
• An important test of coordination of UK law enforcement.
56. Thank you for listening
Any Questions?
Eamonn.keane2@scotland.pnn.police.uk
Editor's Notes
An introduction to the 4th space.
Revolutionised and transformed the way we communicate, the way we organise our social lives and conduct business.
According to the Office for National Statistics, in the year 2012, 42 million people in the UK, that is 85% of our adult population, used the internet.
Of this total, 33 million adults accessed the Internet every day, which is more than double its use in 2006.
Is this the reality of where we are and there has been a subtle migration of crime into areas we just don’t have the visibility of due to our “life on Mars” policing tactics?
Police Scotland now have 14 divisions and national response to crime. I can well remember the difficulties we had trying to work collaboratively cross border between Scottish Forces. This was a challenge under different masters. However, how do we deal with crime when the borders are truly international and crime is being committed in cyber space? Keen to explore some of the challenges today.
The Internet of things – a recent picture of common household items that are now internet controlled and as a consequence exploitable by cybercriminals, we have investigated fridges sending spam attacks.
Personally I draw the line at an internet toilet…I think some things are better left analogue!
Policing as I joined and how we tackled OCGs as we knew it: The Krays, Godfathers and our versions of the Richardsons’, Daniels’ etc. Our response has become more sophisticated but still predicated upon the same model of organised crime.
Excellent quote from Q in James Bond, truly reflects the impact that one person can have.
Slide gives you a global picture of the extent of cyber attacks
Organised crime as we knew it, local influence and impact. Position of strength reinforced by local control.
Organised Crime Groups recruiting these skillsets
Individuals often working internationally with different groups – skills for hire
International law enforcement working together to identify core nominals
Their share of the profit dependent on their skill and contribution
UK strategy to break the chain by removing core parts - example
Refer to slide
Caliphate Cyber Army – worldwide
Announced merger of capability April 2016
Ongoing online war with Anonymous Group
Extensive use of social media to recruit from overseas
20,000 recruited from overseas last year - according to a US expert
Massive change in methods used by Al-Qaeda
Imagine the online threat…ripple effect again
Anonymous declared their fight with ISIS after the Charlie Hebdo attacks in Paris
Offshoot known as “Ghost Security Group” reportedly in league with the US Govt to provide ISIS related information for cash – criticised by the main group as this is a step towards the invasion of online privacy they hold dear.
Most common reference to this is Bitcoin
1 Bitcoin = £300
Extensively used by criminals online to pay for goods and services
Peer-2-peer network system used to move payments
Online public transaction record but only identifies source and destination wallets
Lose the digital wallet, lose the Bitcoins!
Refer to slide
Refer to slide
Who are you employing – do we really know everyone
Security vetting?
Do you operate strict network security policies? Use of USB devices on networks.
Is there a way for your people to report any suspicious activity?
Remote system access policy?
Highly relevant in today’s world of increased terrorist threat
Refer to slide
Over 100 companies/organisations registered in Scotland, including majority of local authorities and Police Scotland
Re-invigoration of the Scottish node – will be championed by RBS and re-launched in July 2015
ECHR and Privacy – Edward Snowden
National legislation of cyberspace in individual countries – some more lenient than others
Legal barriers in some countries to access user data – some countries won’t co-operate with LE outside their own countries and this can lead to a breeding ground for criminality – can sometimes depend on the political relations between the UK and other countries. Some large online organisations can also be less than helpful with the provision of LE data.
ILORs and time delays frequent – what activity happens between now and then? Are we too late?
Effective use of Europol / Eurojust to streamline European requests
Can anyone tell me where the place on the left is – Isle of Yell in Shetland – most remote place in British Isles.
Male on right is Jake Davis, known as “Topiary” as part of hacking group known as LulzSec. He attacked and took down websites operated by SOCA and the FBI while he stole hundreds of thousands of personal details online to finance activity.
He was arrested at his croft in Yell – I believe this is the clearest example of the borderless nature of Cybercrime - it can come from anywhere and impact on anywhere.
Partnerships – International and local (Interpol, Europol, UK Govt, Scottish Govt, academia, finance sector etc)
Develop Capacity & Capability – need to develop our understanding of the threats and develop our infrastructure and people to prevent and detect
Detect & Prosecute Offenders – develop intelligence capability nationally and internationally across all threat areas – work hand-in-hand with other law enforcement agencies to enhance reach and bring offenders to justice
Education & Awareness – huge piece of work underpinned by SG Cyber Resilience Strategy and our own Police Scotland Cybercrime Strategy. Education of people of all ages but particularly children and the elderly – businesses and importantly, our own staff.
UK Government announced £1.9 billion investment
Active Defence Programme – working with Internet Service Providers within the UK to prevent access to restricted sites and content
New National Cyber Centre at GCHQ
Scotland in discussions about creating our own multi-agency Cyber Centre to offer advice and support
The pace of change online is so fast that it is difficult to predict the future.
Direct recruitment?
Cyber specialist volunteers (already being done by MoD)
Competing sectors – everyone looking to have the best people
Retention of skills / cost of training
Vetting essential