Cybercrime Investigators Handbook (eBook)
320 pages
Wiley (publisher)
978-1-119-59630-1 (ISBN)
The investigator's practical guide for cybercrime evidence identification and collection
Cyber attacks perpetrated against businesses, governments, organizations, and individuals have been occurring for decades. Many attacks are discovered only after the data has been exploited or sold on the criminal markets. Cyber attacks damage both the finances and reputations of businesses and cause damage to the ultimate victims of the crime. From the perspective of the criminal, the current state of inconsistent security policies and lax investigative procedures is a profitable and low-risk opportunity for cyber attacks. They can cause immense harm to individuals or businesses online and make large sums of money, safe in the knowledge that the victim will rarely report the matter to the police. For those tasked with probing such crimes in the field, information on investigative methodology is scarce. The Cybercrime Investigators Handbook is an innovative guide that approaches cybercrime investigation from the field practitioner's perspective.
While there are high-quality manuals for conducting digital examinations on a device or network that has been hacked, the Cybercrime Investigators Handbook is the first guide on how to commence an investigation from the location where the offence occurred, the scene of the cybercrime, and collect the evidence necessary to locate and prosecute the offender. This valuable contribution to the field teaches readers to locate, lawfully seize, preserve, examine, interpret, and manage the technical evidence that is vital for effective cybercrime investigation.
- Fills the need for a field manual for front-line cybercrime investigators
- Provides practical guidance with clear, easy-to-understand language
- Approaches cybercrime from the perspective of the field practitioner
- Helps companies comply with new GDPR guidelines
- Offers expert advice from a law enforcement professional who specializes in cybercrime investigation and IT security
Cybercrime Investigators Handbook is a much-needed resource for law enforcement and cybercrime investigators, CFOs, IT auditors, fraud investigators, and other practitioners in related areas.
DR. GRAEME EDWARDS, CFE, has been a cybercrime investigator with the Queensland Police Service Financial and Cyber Crime Group and has worked on numerous successful criminal investigations involving local and international jurisdictions. He facilitated the creation of the Victims of Financial Crimes Support Group to support those suffering losses associated with financial crime or cybercrime. Graeme is an experienced conference speaker and cybercrime investigation educator, provides training in corporate environments, and conducts post-investigation analysis. He has a Doctorate of Information Technology focusing on computer security, computer networking, and cloud computing investigation strategies.
CHAPTER 1
Introduction
Cyber-attacks against businesses and individuals have been occurring for decades. Many have been so successful they were never discovered by the victims and only identified while the data was being exploited or being sold on criminal markets. Cyber-attacks damage the finances and reputation of a business and cause significant damage to those whose data has been stolen and exploited.
From the criminal's perspective, the current cyber environment effectively gives them a free pass when it comes to attacking their target. They can do whatever they like to an individual or business online, cause immense damage of a professional or personal nature, and make large sums of money safe in the knowledge the complainant will rarely report the matter to police. In fact, this is a strange anomaly about cybercrime: a company has millions of dollars of intellectual property (IP) stolen from them, has all the personally identifying information (PII) of the staff and clients stolen, and the action of reporting it to police or investigating who is behind the attack is rarely considered or undertaken unless forced by local legislation. Consequently, from the criminal's perspective, there is little to no downside to being a cybercriminal. They operate on a high-financial-return, low-risk model.
Due to the high volume and complexity of cyber-attacks, should a victim decide to refer a complaint to police, they cannot always rely upon the police being available to undertake an investigation and locate the offender. Police resources are stretched, and skilled cyber investigators in law enforcement are few and overworked. This means organizations subject to a cyber-attack that wish to find out who is behind the attack will need to hire an experienced cyber investigator (scarce and very expensive) or investigate the matter themselves. Alternatively, they will not conduct an investigation and instead focus on increasing security.
The decision by victims not to investigate a cybercrime is made for many reasons, including the time and money to be expended on an investigation, the diversion of the business's focus to the investigation, the internal disruption it causes, and the reputational harm caused when the community learns that the company's security has been breached and all the data entrusted to it stolen. Also, directors would not look forward to the day they stand before a public annual general meeting and explain to the shareholders that all the company data was stolen on their watch and that they have made no effort to recover it or identify who took it.
To the members of an incident response (IR) team or the cyber investigator, responding to an attack is often an inexact science as the attackers' motives and skill levels vary. Whereas an attack against a single desktop computer may be easily contained and investigated, an attack against a complete distributed corporate network will require significant resources and an experienced response team to protect the company, their data, and clients. As the attack methodologies vary, the investigation strategy will not necessarily follow the exact same path each time.
Investigating a cyber-attack may be a critical part of the continuation of the business. When the attack is discovered, a mixture of panic, stress, anxiety, and fear is seen among staff, and those tasked to mitigate and eradicate the attack may feel the future of the company rests upon their shoulders. Many employees will be concerned as to their personal future, as they will be familiar with the many stories of businesses hit by a cyber-attack that no longer exist six months later. Staff members of the organization being interviewed as a part of the incident response may also feel that they are being held responsible and that the interview is a method of laying blame at their feet.
So why conduct an investigation and gather evidence? Why should a company start investigating the cybercrime and try to track down the offender? With the proliferation in the instances of cybercrime, there is an expectation among the community that those who are entrusted with their PII take their responsibilities seriously and ensure their data is secure.
Shareholders of companies who find that the value of their shares and/or dividends is affected by a breach may demand efforts by the company to identify and prosecute the attacker. In the initial aftermath of the attack, there may be the possibility of locating the suspect and the digital property taken and recovering it before it is exploited. It may be argued that the duties and responsibilities of a director include trying to recover the stolen corporate data before it is exploited.
Outside of law enforcement and several large businesses, such as the major accounting companies, there are few options for those who want to have an investigation into a cyber-attack conducted. The IR team may find evidence pointing to a suspect, but it is generally not their job to prepare a case for referral to police or lawyers. A cyber investigator is a very specialized position and is roughly the equivalent of a police detective conducting a criminal investigation, as the rules of evidence the court demands are the same whether you are an experienced detective or a civilian investigator.
The cyber investigator is viewed as the person who is tasked with finding evidence of the person behind the attack, and in some cases preparing a referral to police or commencing a civil prosecution. While many attacks originate from overseas and are hidden behind multiple legal jurisdictions, anonymizers, bots, or other technology, people have their own motivations to commit crimes—and these people may include current or former employees residing within your local jurisdiction.
The role of the cyber investigator is an extension of that of the digital investigator. For the purposes of this book, the digital investigator is the person who conducts a forensic examination of a device or network and produces a report on the evidence seized and identified.
This book is intended for the person assigned the task of investigating the cyber event with a view to gaining a full understanding of the event and where possible recovering the IP/PII before it is exploited. They may also be tasked with finding evidence to support an action in a tribunal (e.g., employment court) or a potential prosecution in a civil or criminal court should the attacker be identified. It will also be of benefit to the manager/executive/lawyer who is tasked to review an investigation to understand the actions of the investigation team and why certain decisions were made and to gain an understanding of the evidence available from a cybercrime scene and the follow-up investigation. This is not a book that describes how to technically respond to and mitigate a cyber-attack, as there are many books covering this topic in great detail. There are also many courses offered by organizations that teach the many aspects of responding to a cyber-attack from the technical perspective.
Although this book makes some references to material from third parties, it is not intended to be an academic book. This is because much of the material is not from academic literature or web sources, but from the experience of the author as a cybercrime investigator. The major exception to this is Chapter 12, which relies on evidence from the author's doctoral thesis on cybercrime investigation in a cloud-computing environment and where academic references from a literature review are noted. Where explanations are provided, as in the glossary, they are largely kept at a low-level technical definition to allow those new to this field of work to understand the material and its relevance without having to learn a whole new language called technology.
Due to the dynamic nature of evidence, advances in technology, and the evolution of legislation/court decisions, this book is not intended to be an exclusive guide in every legal jurisdiction or to cover every potential cyber event. Where material in this book conflicts in any way with the laws of your jurisdiction, the legal environment(s) you operate in will always take precedence. The book intends, however, to provoke critical thinking among management, IR team managers, and investigators facing a complex legal and technical environment should a suspect be identified and subsequent evidence need to be presented to a tribunal or court.
This book contains many of the steps a cybercrime investigator will undertake, from the initial identification of a cyber event through to considering a prosecution in court. There are many lists of things the investigator may consider. These are not exhaustive lists and are provided to expand the thinking as to what to do, where evidence may reside, and how to legally obtain and manage it. Use this book as a prompt and not as a definitive step-by-step template, as each cyber investigation is different and each jurisdiction has its own legal requirements.
The lists in this book provide a handy point of direction in each stage of the investigation. As you will discover, at each stage there are many things to be done and no one can remember them all every time. So, the lists are provided as a memory prompt of things to consider and apply as the circumstances, legislation in your jurisdiction, and your experience dictate. Not all items in the lists will be relevant in all instances. The explanations are in plain language and technical terms are kept to a minimum to assist your understanding of new concepts.
In Chapter 2 we provide an introduction to the cybercriminal and a series of offenses an investigator may be called...
| Publication date (per publisher) | 13.9.2019 |
|---|---|
| Language | English |
| Subject area | Computer science ► Networks ► Security / Firewall |
| | Law / Tax ► EU / International law |
| | Law / Tax ► Criminal law ► Criminology |
| | Law / Tax ► Commercial law |
| | Social sciences |
| | Economics ► Business administration / Management ► Finance |
| ISBN-10 | 1-119-59630-0 / 1119596300 |
| ISBN-13 | 978-1-119-59630-1 / 9781119596301 |
Size: 18.5 MB
Copy protection: Adobe-DRM
Adobe-DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe-ID at download time. You can then read the eBook only on devices that are also registered to your Adobe-ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text is reflowed dynamically to the display and font size, so EPUB is also well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need a
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.