In this article, Stefan Rothenbühler, InfoGuard's Senior Cyber Security Analyst, reports on how to cooperate with the authorities during a cyber incident, and why it is worth filing a criminal complaint early on.
The first hurdle – the criminal complaint
In many of our incident response operations, the question of whether or not it makes sense to file criminal charges comes up at a relatively early stage. Companies often have to consider the following questions: What will happen if I file a criminal complaint? Does this entail me calling the police to come onto my company premises? Could this be damaging to my image? Will the investigators turn up at my premises and take away my servers? What are the legal implications of filing criminal charges? Let's be honest – who of us really enjoys dealing with the police? Most of the time it is a fairly negative scenario, like getting stopped and checked by the police while driving, or getting a parking fine because you didn't put any money into the meter when doing a bit of shopping. What I can say clearly and unequivocally, based on my own experience of working with the investigating authorities, is that it is always worthwhile filing a criminal complaint at an early stage. This is often done in a very straightforward manner at a police station, and is done and dusted in an hour. InfoGuard regularly cooperates with criminal investigators, so we “know each other well” and exchange information in a very professional manner. This removes the fear that servers will suddenly be confiscated. The authorities know the quality of our CSIRT's work, and they let us carry out our forensic investigations with due consideration for our business processes.
The advantages of cooperating with the investigating authorities
Criminal charges are increasingly being filed in cyber incidents, so handling them has become almost “routine” for the police. This means they can give you valuable tips right from the get-go on questions such as: Is it worth negotiating a ransom payment? Is it realistic to request that information about an IP address be handed over by Russia? Once the criminal complaint has been filed, and provided the client agrees, our cyber analysts and the investigators often exchange information directly with each other. In the process, they clarify the identification of the attacker and the potential course of action required for criminal prosecution. IP addresses and their owners are exchanged, and take-down requests are issued for phishing sites and stolen data. We often receive valuable information from the authorities, which helps us immensely to process the client's case faster.
Data has just been uploaded, and a few hours later it is gone
In a recent case, a large Swiss company's data was encrypted by the ransomware REvil. The perpetrators also threatened to publish the stolen data on a well-known file-sharing platform. Our forensic investigations had already revealed the location of the data before it was published, and we asked the police to clarify the situation and report it to the file-sharing platform. Soon after the data was published, it disappeared again. The police had already intervened with the file-sharing provider and made them block the attacker's user account.
Federal level cooperation
In the course of our interventions, at the client's request not only do we communicate with the cantonal authorities but we also report to the NCSC (https://www.ncsc.admin.ch). All information on all cases occurring on Swiss soil is collected there. This way, we receive valuable information for solving a case from the federal authorities, and in return we are also able to share valuable information to protect other companies. This was the case, for instance, in summer 2019 when we worked on a case where information was exchanged with MELANI. Reporting to the NCSC enabled us to identify another company that was under attack by the same attacker. The information that was obtained in this way enabled us to identify the attacker more swiftly in the systems, and to ultimately lock them out.
What can be done to stop this from happening in the first place?
InfoGuard's Incident Response Retainer offers you the services of our incident responders at a reduced hourly rate. In addition, all questions regarding cooperation with the authorities, GDPR notifications and possible press coverage are clarified in advance. This ensures that you are well prepared for any emergency and can call on an experienced InfoGuard team in the event of an urgent incident.