Cybersecurity Evidence Considerations

What constitutes “enough evidence” in Cybersecurity Evidence Considerations? And how can you know what constitutes sufficient evidence in the eyes of law enforcement?

Regardless of the setting of the crime, law enforcement will always want “more evidence,” and they will also want better evidence. Most officers have gone through all levels of Court, from Inferior to Superior, and I know that a defence team will try to muddy the waters just enough to get a not-guilty verdict or a lighter punishment.

At the very least, in a hacking case, you are looking at aspects of the crime from the Crimes Act such as;

Section 478.1(1) of the Criminal Code—unauthorized access to or modification of restricted data; (1) A person commits an offence if:

(a) the person causes: I any unauthorised access to data stored in a computer; or (ii) any unauthorised alteration of data stored in a computer; or (iii) any unauthorised impairment of electronic communication to or from a computer; and

(b) the unauthorised access, modification, or impairment is the result of a carriage service; and

(d) the person intends to commit or aid the commission of a serious offence against a Commonwealth, State, or Territory law (whether by that person or another person) as a result of the access, modification, or impairment.

Essentially, you must be able to demonstrate all of those characteristics. Some are easier to verify than others, for example, how can you prove someone’s knowledge?

Was there a point of contact for cybersecurity law enforcement needs to provide guidance on what proof is required?

As a security professional or any officer, I’ve used my knowledge of the judicial system to determine how much evidence I have or need, any mitigating circumstances, evidence processing processes with hashing and data storage (including cloud storage), anti-tampering, and so on.

I’ve seen folks handle incident response on their own, and their major goal is to lessen the threat to the client. In rare cases (especially when the threat actor is readily available), the client will seek criminal or civil prosecution. Mitigating the threat is still critical, but so is gathering enough information to support a conviction or termination without bringing anything back on the client (wrongful dismissal etc).

If you are in that circumstance, it is better to get guidance from the Police Cyber Unit or someone with that background.

Consider an insider threat exfiltrating credit card data from a POS to an external server in Russia, China, Iran or Cambodia, knowing that getting assistance from those Law Enforcement or the server host is nearly impossible. Would you let the data run for a while to capture enough evidence, or would you shut it down immediately and lose the potential for enough evidence of who was involved?

Can you clarify the disputes you’re referring to?

Simply the scenarios mentioned above. You as a cyber security officer may be required to make decisions in these situations.

I recently conducted a combined “incident response/cybercrime investigation” in which a potential insider threat altered an email to the person who grants password access. The email requested a new password for a new accounting employee to have access to the banking account. This level of access was perfectly fine for the new employee. The freshly constructed password was then used to get access to the banking system via an international VPN, and a mobile phone port was performed on an employee to obtain the 2FA. Many indicators pointed to the new employee being the offender, but also to another internal threat attempting to conceal their involvement and make the new employee appear to be the offender. Furthermore, it appeared as if an external threat actor had compromised the system.

As a cybersecurity contractor, I had to advise HR and IT Managers on how to conduct a criminal investigation and interview the employee, as they were in a position to potentially “catch initial evidence” of the employee committing the crime or exonerate the individual. Because the CEO wanted the criminal prosecuted, IT needed to collect evidence from systems and networks and begin their incident response without notifying other potential insider threats. It can easily become pretty complicated.