It’s bad news: your organisation's website has been hit by a distributed denial of service (DDoS) attack.
Rather than sweeping the incident under a virtual rug and not reporting it to state police, there are various steps that can be taken by cyber crime units, according to one law enforcement expert. Speaking at SecureSydney 2012, New South Wales Police fraud and cyber crime squad Detective Inspector, Bruce van der Graaf, told delegates that every state in Australia has an equivalent cyber crime squad team while the Australian Federal Police (AFP) operate a high tech crime centre.
However, according to van der Graaf, some recent reports of DDoS attacks on online shopping websites that have been accompanied by extortion threats have gone unreported this year. “There were three unreported extortion attempts in 2012, not one single police officer in Australia was informed of these attempts,” he says. “That’s not good because there are some things we can do in these cases.”
Contacting the right agency
If the company subjected to a cyber attack is a major financial institution, in charge of critical infrastructure such as SCADA or is a victim of a copyright offence, they should contact the AFP, says van der Graaf.
“For every other form of cyber crime, come and see your relevant state jurisdiction,” he says,
How to report the threat
For AFP-related cyber crimes, these should be reported through the AFP website or by calling the High Tech Crimes Operation centre.
Within NSW, the Cyber Crime unit requires victims to visit their local police station.
“I know it’s not that easy to go into a police station and explain to the constable behind the desk that your company has just experienced a DDoS attack,” van der Graaf says.
“We don’t mind if you call us as we can walk you through the process of reporting the incident at the local police station--they will then refer the matter to us.”
In addition, he adds that organisaitons should contact CERT Australia due to their expertise in dealing with DDoS and other forms of attacks.
Making a police report
When filing a report to a state police cyber crime unit, the report should include full disclosure of everything that took place during the incident.
“For example, a victim of a cyber incident had a complaint with a former employee who walked off and got access to certain systems,” van der Graaf says. “There was a fairly nasty exchange of phone messages between them. To his credit, the victim showed us the entire exchange.”
According to van der Graaf, state police need to know this information at the start of the investigation rather than have the individual be “caught out” in the witness box by withholding information.
“Early on in the process we also ask for a documented incident report. It may be preliminary, as long as the report tells us what is going on. There are some people who think they can make a phone call to us and everything is going to happen after that,” he says.
In addition, investigators require “full and frank” access to any IT consultants that have been engaged to look at the cyber incident.
“For example, a certain agency had a website hack in NSW and wanted us to solve it,” he says. “We asked the organisation who they had engaged to solve the problem and it was one of the big four telcos who fixed the problem.”
According to van der Graaf, the cyber crime squad asked to see the report but was told that this was privileged information. The consequence was that police were unable to investigate the incident.
“Immediate access to security logs and third party providers is essential,” he says.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia