Catching a cyber-criminal

Peter Cooper of the GWA Group has an extensive history as a senior information security professional. One morning a few years ago some strange things were being noticed at a warehouse at the company worked for. Nothing that looked too severe but the sort of thing that looked like an innocuous anomaly.

That moment of insight lead him and his team on a journey that lasted just a few days shy of two years. That journey included meticulous reviews of data, complex forensic investigation and ultimately a court case that resulted in the successful prosecution of a cyber-criminal. At the time, only one other similar case had progressed to the courts and been successfully prosecuted.

The operation of a large warehouse is an exercise in balance and automation. When it works correctly, everything from the customer order, through picking to packing and dispatch works perfectly.

“What were seeing was when people went to take an order and get some stuff from the shelf it was supposed to be in, the order they had was actually higher than it should have been, and the inventory was lower than it should have been,” explains Cooper.

Although the issue wasn’t operational interruptions, it was raised as a Severity 2 issue. That meant it was treated as a serious issue from the outset that warranted further investigation.

Through the investigation, Copper and his team went through a number, of what Cooper called, “ah ha moments”.

Stock levels were changing in a uniform way, system performance was slower than expected with one of the programs they relied on altering data in tables it ought not have been accessing. And one of the programs in the system, despite having the correct version number was the wrong size, indicating something was amiss.

At this stage, Copper’s incident team made a copy of the anomalous executable, put it aside, and restored a copy of the original file.

“That was all working OK”.

However, there was an operational impact. As warehouse data is constantly changing because of the dynamic nature of operations, the only way to correct the data was to undertake a full stocktake of the facility – a massive undertaking, especially as the warehouse had to continue operating.

“At the end the stocktake took two weeks to complete. There were thousands of man-hours lost”.

Cooper’s team loaded the bogus program on a test server to find out what it actually was doing. Having determined that the program was the cause of the data issues in the warehousing systems, Cooper took this information to his manager who wanted to know what should be done. As a result, Cooper engaged external forensic support, using Vectra - a company he had worked with before.

A three week investigation revealed a piece of software that had been worked on by a past staff member who had left the previous month was the source of the problem. This was escalated to the senior management of the company and it was decided to take the matter to the police.

Working with the police and using the report generated by Vectra, Cooper and his team were able to put together a case that included 12 witnesses and a solid body of evidence that a crime had been committed.

Once all of this was assembled, Cooper notes it took some time before everything came together and a trial could commence. Incredibly, from the time the incident commenced, it took 542 days until the trial commenced.

The alleged offender pleaded not guilty to the charges. His barrister’s defence started by systematically trying to tear down the systems and processes Cooper’s company had in place for incident management, remote access and other controls. This was to counter the defence’s initial posture that “in large companies stuff sometimes just happens”.

By not only having well documented procedures but by also demonstrating some of the tools the company used in court, the prosecution was able to thwart that strategy.

The trial was scheduled for three days. With just four hours left in the scheduled time, there were still witnesses that had not testified and the report that detailed exactly how the alleged offence took place had not been analysed in court. At this stage the prosecution’s confidence of a guilty verdict would come during the scheduled time was starting to wane. If the case wasn’t resolved, another trial would need to be set.

Following a series of recesses and discussions over the next couple of hours, the defendant changed his verdict to guilty, resulting in a successful prosecution.

It took another three months for sentencing. The judge took a dim view of the defendant’s initial guilty plea and sentenced him to maximum custodial sentence of two years with a non-parole period of 12 months. This was appealed with the defendant, having had his career destroyed and employment prospects seriously harmed had that reduced to 250 hours of community service.

This was 695 days after the incident was detected.

Cooper made special mention of the commitment of his management team. He also noted that had he known this would consume almost two years of his life he suspects he might not have pursued the matter.

He discussed what was discovered and the long road it lead him down during AusCERT 2015.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful cybersecurity companies