
Everybody, welcome to my talk. I'm the thing standing between you and lunch, so you're either going to have an early lunch or a late one depending on how many questions you ask at the end. We detectives call that a hint as to how many questions you should actually be asking at the end, eating into your own time.

As the introduction said, I've moved from a round building in Cheltenham, where there are five thousand people working on a daily basis, with a team of about 70, to a very small team, some of whom are sat in the front row today. They were the ones whooping and hollering; thank you for the applause, you might not want to applaud at the end of this. So I lead a small team. We mostly do digital forensics, but we also investigate cyber crime as it's committed across the island, and for those of you who are in companies, you'll probably recognise that the weakest link in any cyber security measure is the individual. So I thought I'd show you a representation of what it's like when you're trying to tell somebody to not click the link. I know it's easy for your mind to wander; it often feels like that's what we do when we try to tell somebody to not click on the link. Their attention just goes: monkey plays cymbals in the head. Even the monkey eventually says, listen to what you're being told.

So our day job is the extraction and analysis of electronic devices, assisting the investigation of cyber-enabled crime. Those are crimes that can be committed on the street, not necessarily just with a computer, so frauds, that type of thing; we assist the cyber investigators with it. We investigate cyber-dependent crimes; those are crimes that can only be committed by the use of a computer, so that'd be hacking, etc. This is a marvellous machine we use for all our investigations. This was purpose built, designed by ourselves, a very high spec system. It's a glorified gaming machine if you like, because of the data processing we have to do; it has to be high quality stuff. We get our exhibits coming in through a chain of custody, and we have to ensure that the chain of custody is correct. And these are, just very quickly for those who weren't at the workshop yesterday, some of the software we use to extract data. This one's for phones. We use Tableau devices, which are read only, because we need to ensure the quality and the integrity of the evidence.

I'm going to go through investigations we've actually done. These were actual investigations. Hopefully, with somebody from data protection in the audience, I've redacted all the details that are personalised. This came in from our colleagues in the Cayman Islands Bureau of Financial Investigation. This particular victim thought he was on a trading platform, ffxtrader.com. He was told his account would reflect the investments he had made; screenshots were provided, which I'll show you. The website was in fact controlled by a fraudster, and figures shown within user accounts did not correspond to real world investments. There was a lot of money going through this web page. My colleagues from the Cayman Islands Bureau of Financial Investigation specifically followed where the cryptocurrency was going, and I concentrated on the web page itself.

This was the victim's screenshot showing the amount of money he'd invested in this company. That's a lot of money; it's certainly a lot of money to me. And this is one of the things he got sent from them, showing the profit he had made that day, which of course wasn't profit. What we do with that is we take the information that's given on there and investigate to see if we can find out who's responsible for this particular website. Alex Larson, PhD. Well, that's pretty impressive, isn't it? He must be a good guy, he's got a PhD, although most people with a PhD call themselves Dr Alex Larson rather than PhD. So we looked to see if we could find anybody who is Alex Larson. Online searching is just not going to achieve a great deal: if you're putting in Dr Alex Larson you get a lot of doctors all over the world. So I didn't go on to use some of the tools that Lamb was talking about yesterday, simply because I have no idea who this person is and it would be really difficult to trace after them and follow through. 7 Newgate Street, however, we did check up on; it's a premises where you can register your company, and that's it.

The telephone number itself we looked into, and everybody has this telephone number; it's used in various different frauds. I think it was an O2 number, it was a mobile number. This company, FFX Trading, which is dealing in hundreds of thousands if not millions of stolen funds daily, uses a mobile phone? Highly unlikely. And when I looked at the page source itself, the webpage, the page is pulling down stuff from tradingview.com. Basically that was live market feeds that the company were pretending were theirs; in fact they were just bringing it down from another legitimate company. These were the terms and conditions. So the company is registered in the Marshall Islands, which is another offshore financial operation, operated by Bond Local Consulting from Bulgaria. Neither of these places is law enforcement friendly, so there was little point going after them. I did a check at Companies House with the company name, found this particular company, and as you can see it's been dissolved. The gentleman who was the director was Bulgarian, he was born in 1958, and that was the only data I could get. And that was the final notice, the Gazette entry for the company. It's quite common: a fraudster registers a company, and after the first year when they don't file reports, then Companies House strikes them off. But the Financial Conduct Authority in London had already put out warnings about them, so they were on the radar in the UK, but they weren't here.

Oh, so I've got to go back one. The basics of this was we didn't get very far in finding out who the cyber criminals behind it were. So the alternative, and what we do a lot of, is disruption. I had the web page taken offline so nobody else could fall victim to this particular fraud. I think the Financial Bureau managed to get quite a lot of the funds held, and I think it's still going through the process of the victim getting that back, but it's a long, complex process because of where they were held.

So the next one. This was an email sent to government employees. Yes, unfortunately, even government employees click the link; that's why I showed the Homer thing to begin with. So info fax at gov.ky, purporting to come from an internal address; in fact, as you can see, it's SSD multi-state. audio0485, which is what the person was asked to play, was in fact an HTML link; it wasn't an MP3. So I looked at the HTML document. Ignore the bit in blue, that was highlighted in error; the bit I want you to look at is the bit with the yellow box around it, which is the web page the link was going to go to. Generally speaking, with this what I do is I copy and paste the URL, put it into a browser and see what it actually is. So I did that and got this, which was just weird. This is a legitimate Microsoft site, this is a legitimate Microsoft login. So I had no choice but to click on the link itself to see what it was actually going to do. It wasn't on the government system, before anybody starts to think it was; it was on Kali, I think I used. But what I did when I was entering the password is I did a network capture at the same time, so I captured the network traffic from the web page as I was putting the password in, and this is where it turned up. So the reason it was sending me to the Microsoft login page is it had already got the data itself and had immediately sent it out. If you see the top line, this top line here, where it posted my password, but then immediately brought up the Microsoft page. And I hope you liked the password I used; I'm not sure if the actors liked it too much.

Again, there was very little we could do with this. If you've been involved in any of these types of investigation, I wish I had a pound for a dollar for every time this was a GoDaddy registered, Namecheap held web page; this one was as well. They are very law enforcement unfriendly, so we can't send legal orders to them, but my experience tends to be that they're not that good.

So this one, this one really annoyed me; you'll find out why in a moment. This was a company who were claiming to assist people who'd been victims of a Ponzi scheme. So these people had already lost money to a Ponzi scheme; I think this one was Dolphin Trust, which has been dealt with by the German authorities. So people had already lost tens of thousands of dollars in this, and this company is saying, oh, by the way, we can get you your money back and we won't charge you for it. Now, once you registered with them, you got this second email, which was supposed to come from the fraud desk investigation department of the Royal Cayman Islands Police Force. We are not a police force, we are a police service. Attached is a police order for refund, and this is what was attached. It uses our badge, signed by my commissioner; I don't think that's his signature. And it states that the money was being held in an account in the Cayman National Bank. Obviously it's not an actual account. When I spoke to the people involved, about the victims who'd gone a little bit further with them, the company says, okay, so we're going to charge you about ten thousand for us to access these Cayman National Bank funds; once we've got the ten thousand we'll return it to you, together with the money that you lost in the Dolphin... which one was this? There's two of them. Uh, yes, sorry. And I knew we'd seen this one before, and there was another one. Now this claimed to be for the ROFX scam; again, that was another Ponzi scheme where people had lost money. These criminals are talking to people who've already lost money, and they were making quite a lot of money from it. So again we disrupted them and took the web page offline, so there was nobody else who was going to fall victim to this. ... signature, but I've seen it often enough to know it wasn't. The people involved in this, we got all the names, they've got all the details, just no trace whatsoever. The company wasn't registered anywhere, despite the fact it says that it is. It also actually had a YouTube page where there were all these nice people on there saying, oh, this is a great company, except none of them actually mentioned them by name. There were people who worked for them saying, oh, we're really good, we're really brilliant at what we do, and then there were people who said, oh, I've used this company (they were all Australian for some reason), I used this company and I got all this money back and they were really great, but they never actually mentioned this company by name. So they were fraudulently putting reviews on YouTube for people to think, well, this is a legitimate company. That was also taken offline.

This is the one I've dealt with most recently. Sorry, go back to these. So this was related to that, FFF Global, and again they used a mobile phone for the contact details. I do phone these numbers up, and nobody ever answers. Mitre Passage, North Greenwich, is actually a real premises, and I made contact with them, but they didn't have a company registered at their address; I was really shocked and surprised.

So this one is a little bit more technical, one of the more technical ones we did. Again it was a phishing email that came into government addresses, from studio....com. The good news was, if you understand what this terminology means, 302 means that it didn't get there. So I was quite relaxed already, because the web page didn't open; in fact when you go on to it, it says straight away that it was closed. This is a screenshot of the investigation we did, where we took the host of one of the people who'd opened the email, put it onto a forensic system and downloaded it, so I could find the actual email that was sent to the person, and from the email I can find the malicious link or the malicious file. The reason we do that is to see what it does. So I initially, in Linux, just cat'ed it to see where it was. It's JavaScript. Another knock knock joke about JavaScript, but we'll probably leave the jokes for another time. Not the easiest thing to reverse engineer; I didn't bother a great deal. The interesting thing for me was this part here. The first thing it was bringing down was a version of jQuery, 1.9.1. I think jQuery is about 3.8.7 now, so the actors were using such old script that they had to pull down an older version of jQuery to make the damn thing work, and in fact it didn't work anyway. The reason it didn't work is the JavaScript was not enabled properly; the error code relates to VBScript, and I think it was 2019 Microsoft banned VBScript from its systems, so it was never going to work. It was a close escape, but it shows you the perils of being involved in these types of things. I'm just going to catch up with my notes.

Oh, so that's the types of investigations we do, because that's the type of crime we pick up on, that's the type of crime that's reported to us. I'm going to talk more about that in a moment. Somebody asked Laura earlier about how many data breaches have been reported to the Ombudsman. I can tell you how many have been reported to us, and that's zero. I know some have happened, because I've read about them in the Ombudsman's report, but nobody ever reports them to us. I don't know why.

So the World Economic Forum has recently published its 2023 risks. At number eight in the next two years, and in the next ten years, widespread cybercrime and cyber insecurity; they're not risks, they're anticipated risks. This is not some group who have got no idea what they're talking about; this is the World Economic Forum, some of the most senior people in the world, determining what risks there are. Unsurprisingly, in ten years most of the bigger risks relate to climate change. What they said about cyber crime was: alongside the horizon, cyber crime. So it's going to happen. Attempts to disrupt critical technology-enabled resources and services will become more common. Quite a few threat companies are saying for this year and probably next year we're going to see a decrease in ransomware attacks, but an increase in really serious attacks designed to take down your infrastructure completely. Technology risks are not solely limited to rogue actors; sophisticated analysis of larger data sets will enable the misuse of personal information. So they're talking about the threat from cyber criminals; they're also talking about insider threats. That's the thing that's going to be a threat in two years and in ten years.

We are almost at war with cyber criminals, and if anybody's ever had any military training, you'll probably recognise the centre of gravity. It's been around since the 18th century. One of the best and most influential generals of all time said it's the hub of all power and movement on which everything depends. So this talk is about looking at how the cyber security community of Cayman can work with law enforcement. It refers to those sources of strength and balance; it is that characteristic, capability or locality from which the force derives its freedom of action, physical strength or will to fight. It's a common practice in the military to say that the easiest way to take down an enemy is to take down the centre of gravity, and so the military try to do that, but they also try to protect their own centre of gravity.

So if we look at this in relation to cyber criminals, what characteristics do they have? Well, they're very money orientated, and they really don't give a damn about who the target is and for what. If you think of some of the jobs I dealt with or investigated: when Hackney Council were hit by ransomware, they were taken completely offline in the middle of the pandemic. The effect on them and the community was huge; the cyber criminals didn't give a damn about that, all they wanted was the money. That's what characterises them, that's what they do. Capability? Well, that's huge. They can get into most if not any infrastructure if they're determined to do so. The locality is worldwide, which for law enforcement makes it really difficult, because it's quite difficult for us to track them down if they're in law-enforcement-unfriendly countries. Will to fight? They've absolutely got a will to fight, and the reason for that is they're making a lot of money and they'll continue to make a lot of money.

So protection starts with the idea of attacking the enemy's centre of gravity while protecting your own. There's three phases to it. Critical capabilities: what are cyber criminals' capabilities? We just discussed that. Critical requirements: what resources do they need? They've almost got unlimited resources now, and the reason for that is because of the amount of money they can get, the amount of money they can pay to people, and the amount of infrastructure they can get. So the FBI run a thing called IC3, which is the Internet Center for Cyber Crime, I think, but they report figures. This is for the last five years, and obviously 2022 has been the last one. These are the losses that have been reported to IC3, and as I talked about earlier, we all know there's a huge amount of under-reporting, so I think this figure is nowhere near what the actual figure is, not even close. The interesting thing for me was the number of complaints has actually dropped, but the volumes have increased significantly. The most costly one, you'd be unsurprised to hear, was BEC, business email compromise; that was 2.7 billion in 2022.

And critical vulnerabilities: what are cyber criminals' vulnerabilities? Those aspects or components of critical requirements that are deficient or vulnerable to attack or indirect attack. I'm not sure they've got that many, to be honest with you. When I worked for the NCSC we did take down a lot of infrastructure; we took down TrickBot twice, I think, and it still came back, because they're not that vulnerable, and we are not allowed to attack them, technically.

So what's my team's centre of gravity? We have the ability to disrupt, to protect the community. I think most people in here are probably from companies that have really good cyber security; you've got really good infrastructure behind you. And a lot of the people out there, the people who are losing money, don't, and it's my job to protect them as best we can. So we do disrupt where we find it. From memory, I think we took down 25 fake wealth management websites last year; I think it was up at 25. We have the resources and capacity to disrupt, and as I said, have done so quite successfully so far. Critical vulnerabilities: intelligence is our critical vulnerability. We don't know what's happening out there, because no one tells us. No one says, by the way John, we had this phishing attack, this is what we did about it. I don't know: is it reputational damage, or is there just no cyber crime happening on this island at all? I would like to think it's the second; I think it's more the first. As I've shown, we can take these websites down. In fact, if you've got enough money, you can subscribe to a company called Netcraft and they'll do what I do for you, because it is time consuming, it does take a while. What I can get done quite quickly now is, when we get some phishing links, I can normally get that page flagged as malicious quite quickly and then work to get it taken down a little bit later.

So this is the visual representation of what the centre of gravity actually looks like, and this is important because this is where you're likely to be attacked, if you like; these are the things that are most likely to cause your organisation to fall. It's where the cyber criminals are going to attack us. I'll explain how it is in cyber security, because it is militaristic. Leadership, for me personally, leadership means the government systems. I work very closely with the office of the CISO in the government, Palm Green, to investigate incidents that happen to them with a view to protecting them, because if the government system goes down, we're in trouble. I guess if your system goes down you're in trouble as well. So leadership is really your network, if you like, rather than the individuals themselves. System essentials: the software that you would use to protect your system. Attack that and you're very near the centre of the attack. Infrastructure: we look at the infrastructure in Cayman. We desalinate water; is there a computer involved in that operation? CUC. We import a lot of stuff; I think I saw Leon here. We import goods; what happens if the supermarkets lose the ability to import goods? What does that do to our national infrastructure? Population, where it says field military, are probably you guys. You guys, your CISOs, are involved in cyber security, but you're actually at the outside of the ring. They consider that attacking you is probably not really going to do a great deal, because if they attack you, they'll just get another one. That's what it means on the battlefield: kill a soldier, another one comes along.

One of the vulnerabilities I talked about was nobody tells us anything, and I appreciate it's not that easy to report stuff like this to us. So, working with the office of the CISO, this is going to be coming out very soon. It's in beta at the moment and we've got a few more tweaks, but it's the ability to report a cyber incident to us, direct, to come straight into my office. Now that could be a text you get, it could be a phishing email you get, it doesn't really matter. Send it to us and we'll take the infrastructure down. I know a lot of people aren't that IT friendly, but I just need somebody who is IT friendly to use the form and report it to us, and then we can protect the vulnerable people out there who are not IT friendly. I can get that link flagged as malicious really quickly, so if anybody does click on it, there's nothing bad going to happen to them.

In addition to that, some of the other things we've got planned for this year: we're going to reform the CSIRT. We can't call it that, because Hazard Management have copyrighted the term out here, and personally I would like to thank Hazard Management for the alert this morning; I had to turn my phone off in the end. Aubrey said, you know, there's another one; I'm fed up acknowledging it and it's still going off. So we're going to get some critical people together to do that, to support that. We've reached out to the NCSC and they've agreed to help us do exercising, and we're hoping to expand that wider to the community. We're looking to get on the NCSC's Early Warning system; that's providing them with critical infrastructure IP addresses which they can keep an eye on and say, oh, by the way, we've seen this bad thing on this IP address. It's not going to work as well as it does in the UK because of how our system works, but it's better than nothing. We're also going to be working with the NCSC's Active Cyber Defence team. I met these guys at their conference in Belfast; I haven't worked there, but I know the capabilities, and it's something I don't mind doing. I do reach out to my old colleagues wherever they are, so I'm going to work with Dartry and some of the other places; I've got a really good network of people who can help us.

So the key questions. The key questions I want everybody who works in cyber security in here to consider. This isn't mine; I must have added it yesterday. So the US finds its centre of gravity in the fight against ransomware. I didn't think of this; the US of course have already done it, and they have formed the Ransomware Task Group. This is about ransomware, but I think the messages behind it are equally valid for what we're doing now. Victim support: ensure the victims of ransomware incidents receive the necessary support to restore services and minimise damage. I can tell you uncategorically, oh sorry, I can tell you categorically that if your systems are hit by ransomware, you are going to have to call in a CIRT, a computer incident response team, because we haven't got the capability to properly investigate that. These guys are very intrusive, these attacks are huge, and I've never dealt with a serious ransomware attack, and I've dealt with a lot of them, where major companies, even Symantec and Sophos, didn't have to bring in the CIRT company, because that's what they do. Because if you don't get rid of the actor, they're still going to be doing you. So we do want to provide victim support, and that's one of the reasons we're forming the CSIRT as well, to look at individuals around the cyber security community who can respond quite quickly in those early days. That's not going to negate the need to bring in a CIRT company, unfortunately.

Collecting data and metrics will improve the cyber security community's collective understanding of ransomware, and as I said, it's not just ransomware, it's cyber attacks in general. But we work in silos, folks, we work in silos. We get the stuff that comes in; you get phishing emails, I know you get targeted, people try to go at your vulnerabilities, I know they do that, that's just life online. If you don't want that, there's a little plug at the back of it with a blue or a yellow cable; just pull it out and you'll be fine, you won't be getting any more cyber attacks. Until then, you're gonna get them. But where's the data collected? So a lot of the regulatory bodies have got licences for a threat intelligence company that we upload to and speak to each other through; we're hoping to extend that further out. Partner engagement: that's what I'm trying to do, I'm trying to engage partners and say hello. Continuous improvement, learning from lessons; intelligence and integration. I'm going to run through this quickly because I'm running out of time. Campaign coordination: so the US have decided that this is their centre of gravity to protect companies and businesses in the US. It's a presidential-led campaign, because it was Mr Biden who started it.

As a community, what is our centre of gravity? This is what I want you to consider for your own organisations. What are your critical capabilities, and more importantly for us as a community, what are our capabilities to work together? What are our critical requirements, what resources and means exist to enable a community critical capability to become fully operational, what are the stumbling blocks to doing it, and what are our vulnerabilities? Having talked about water, food, electricity, I personally have a view of what our greatest vulnerabilities are. So we have to look at capabilities, and you might say, John, is there even a problem, does a problem actually exist? To do that you have to do a capability audit, which tests the measures of the current system against the problem or threat. I've explained what the threat is, what capability audits do, and if you carry out a capability audit you end up thinking: the problem is bigger than we thought, it's getting bigger than we would like, our current answer to the problem is getting smaller, and the timeline is shorter than we planned for. I can tell you that if you do get hit by ransomware, if you do have a data breach, the problem is much bigger than you thought. Imagine going into work tomorrow, to your offices, to your businesses, wherever, and you do not have a computer system at all. I spoke at this last year, and I think I told this story: one of the very first conference calls we held with Hackney Council, they said, oh, it's great, we've got a plan for this. Where's your plan? Oh God, it's on the computer. It took them a month to restore the services. A month.

So this is where we sit with our little balance of centre of gravity; it won't take much to ruin the centre of gravity. And if we think it's not local, this is St Kitts and Nevis, who were hit by ransomware in January this year. They said we can't afford to pay the ransom, and they probably couldn't and didn't, and they couldn't run their essential government services because it was a government network that was taken down. That's why I do what I can with the CISO to try to protect the government's network, our leadership, but you guys can feed into that by providing it with intelligence, so we really understand what is happening, because this is real. Two weeks ago the data appeared on the dark web, and there's a lot of it, and it's named; it tells you exactly what the files are. I don't know if they've got data laws, Laura, but I think they might be having to report it to their own government.

So in closing, to go back over the centre of gravity: it refers to those sources of strength or balance, it is our characteristic, capability or locality from which the force derives its freedom of action, physical strength or will to fight. What is our will to fight against cyber attack to help protect the Cayman Islands? Thank you. Any questions or suggestions? I'm open to suggestions, and I hope the suggestions... Probably it's lunchtime, and I've got the big red sign that says time's up, but thank you very much for your attention. Hopefully it's been educational if nothing else.