Catching a cyber-criminal

Peter Cooper of the GWA Group has an extensive history as a senior information security professional. One morning a few years ago, some strange things were being noticed at a warehouse at the company he worked for. Nothing looked too severe; it was the sort of thing that looked like an innocuous anomaly.

That moment of insight led him and his team on a journey that lasted just a few days shy of two years. That journey included meticulous reviews of data, complex forensic investigation and ultimately a court case that resulted in the successful prosecution of a cyber-criminal. At the time, only one other similar case had progressed to the courts and been successfully prosecuted.

The operation of a large warehouse is an exercise in balance and automation. When it works correctly, everything from the customer order, through picking to packing and dispatch works perfectly.

“What we were seeing was when people went to take an order and get some stuff from the shelf it was supposed to be in, the order they had was actually higher than it should have been, and the inventory was lower than it should have been,” explains Cooper.

Although the issue was not causing operational interruptions, it was raised as a Severity 2 issue. That meant it was treated as a serious issue from the outset, one that warranted further investigation.

Through the investigation, Cooper and his team went through a number of what Cooper called “ah ha moments”.

Stock levels were changing in a uniform way, and system performance was slower than expected, with one of the programs they relied on altering data in tables it ought not to have been accessing. And one of the programs in the system, despite having the correct version number, was the wrong size, indicating something was amiss.

At this stage, Cooper’s incident team made a copy of the anomalous executable, put it aside, and restored a copy of the original file.

“That was all working OK”.
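The tell-tale sign above, a program whose version number still matches but whose size does not, is exactly what a baseline integrity check catches. The following is an added illustration, not code from the article or the company involved; the sample binaries, the `Version:` string format and the expected values are all constructed for the example.

```python
import hashlib
import re

# Assumed format of the version string embedded in the executable (constructed for this example).
VERSION_RE = re.compile(rb"Version: (\d+\.\d+\.\d+)")


def fingerprint(data: bytes) -> dict:
    """Record what a known-good build looks like: version string, byte size and SHA-256."""
    match = VERSION_RE.search(data)
    return {
        "version": match.group(1).decode() if match else None,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(baseline: dict, observed: dict) -> list:
    """Return findings for a deployed file; an empty list means it matches the baseline."""
    findings = []
    if observed["version"] != baseline["version"]:
        findings.append(f"version {observed['version']} != expected {baseline['version']}")
    if observed["size"] != baseline["size"]:
        findings.append(f"size {observed['size']} != expected {baseline['size']}")
    if observed["sha256"] != baseline["sha256"]:
        findings.append("sha256 mismatch")
    # The pattern from the incident: version reported correctly, but the file itself differs.
    if observed["version"] == baseline["version"] and observed["size"] != baseline["size"]:
        findings.append("version string intact but size differs: possible replaced build")
    return findings


# Constructed sample "binaries" (not real executables). The tampered one keeps the version
# string but carries extra code, so it is larger and hashes differently.
GOOD_BUILD = b"MZ\x90\x00Version: 4.2.1\x00pick pack dispatch\x00"
TAMPERED_BUILD = GOOD_BUILD + b"extra code\x00"

BASELINE = fingerprint(GOOD_BUILD)  # taken from the release media, not from the live server


def check_deployed(data: bytes) -> list:
    """Compare a deployed file's bytes against the recorded baseline."""
    return compare(BASELINE, fingerprint(data))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_BUILD), ("tampered", TAMPERED_BUILD)):
        print(name, check_deployed(blob) or ["OK"])
```

The baseline must come from trusted release media, since a fingerprint taken from an already-altered server would simply bless the replaced build.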

However, there was an operational impact. As warehouse data is constantly changing because of the dynamic nature of operations, the only way to correct the data was to undertake a full stocktake of the facility – a massive undertaking, especially as the warehouse had to continue operating.

“At the end the stocktake took two weeks to complete. There were thousands of man-hours lost”.

Cooper’s team loaded the bogus program on a test server to find out what it was actually doing. Having determined that the program was the cause of the data issues in the warehousing systems, Cooper took this information to his manager, who wanted to know what should be done. As a result, Cooper engaged external forensic support from Vectra, a company he had worked with before.

A three-week investigation revealed that a piece of software which had been worked on by a past staff member, who had left the previous month, was the source of the problem. This was escalated to the senior management of the company and it was decided to take the matter to the police.

Working with the police and using the report generated by Vectra, Cooper and his team were able to put together a case that included 12 witnesses and a solid body of evidence that a crime had been committed.

Once all of this was assembled, Cooper notes it took some time before everything came together and a trial could commence. Incredibly, from the time the incident commenced, it took 542 days until the trial commenced.

The alleged offender pleaded not guilty to the charges. His barrister’s defence started by systematically trying to tear down the systems and processes Cooper’s company had in place for incident management, remote access and other controls. This fitted the defence’s initial posture that “in large companies stuff sometimes just happens”.

By not only having well-documented procedures but also demonstrating some of the tools the company used in court, the prosecution was able to thwart that strategy.

The trial was scheduled for three days. With just four hours left in the scheduled time, there were still witnesses who had not testified, and the report that detailed exactly how the alleged offence took place had not been analysed in court. At this stage the prosecution’s confidence that a guilty verdict would come within the scheduled time was starting to wane. If the case wasn’t resolved, another trial would need to be set.

Following a series of recesses and discussions over the next couple of hours, the defendant changed his plea to guilty, resulting in a successful prosecution.

It took another three months for sentencing. The judge took a dim view of the defendant’s initial not guilty plea and sentenced him to the maximum custodial sentence of two years with a non-parole period of 12 months. This was appealed, and the defendant, whose career had been destroyed and whose employment prospects had been seriously harmed, had that reduced to 250 hours of community service.

This was 695 days after the incident was detected.

Cooper made special mention of the commitment of his management team. He also noted that had he known this would consume almost two years of his life he suspects he might not have pursued the matter.

He discussed what was discovered and the long road it led him down during AusCERT 2015.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
