How an Irish Computer Science Lab is Giving Police Forces the Tools and Training to Tackle Cybercrime
For an academic campus, University College Dublin seems unusually quiet on a sunny summer’s morning. Students are squirreled away preparing for exams or finishing dissertations. Tucked away out of sight in labs at UCD’s Computer Science building, the Centre for Cybersecurity & Cybercrime Investigation (CCI) carries out its mission.
The centre originally started by training Ireland’s national police force, An Garda Siochána, in digital forensics and investigating crimes where there is digital evidence. Word quickly spread, and in 2006, the CCI came into being. “We were the only group on the block doing this, so we started to get more requests from outside of Ireland to set up the centre more formally,” says Cheryl Baker, the CCI’s manager.
Tailored Cybersecurity Training
The CCI then developed a master’s degree course in forensic computing and cybercrime investigation, specifically tailoring the course content for the field of law enforcement. Its aim was to equip police forces with the training, tools and knowledge to investigate computer-related crime, and ultimately prosecute cybercriminals.
Through its education programmes – with distance learning subsequently added to the mix – UCD CCI has since helped to train more than 2,500 police officers from 60 countries ranging from Canada, Germany, Spain, the UK and the USA to Australia, Belgium, Latvia, Malta, Norway and Portugal. The centre has worked with forces including Interpol, Europol, the UN Office on Drugs and Crime and the Organisation for Security and Co-Operation in Europe.
UCD CCI has since helped to train more than 2,500 police officers from 60 countries.
Over time, the CCI expanded its activities from training police officers to include threat modelling and intelligence gathering. This evolution in its remit reflects the changes in cybercrime over this period. When the centre started, crimes like card skimming at physical ATMs featured prominently.
“As the landscape has evolved and broadened, there is an idea that you need to stay abreast or get ahead of the criminal, so it’s changed to more intelligence gathering, particularly now that most of the crime has moved online,” says Baker.
The Profits of Cybercrime
As more and more people flock to digital services with their credit card numbers and bank details in tow, criminals have followed the money. Cybercrime is a business, and business is good.
According to one independent study, illicit profits from cybercrime will amount to $1.5 trillion during 2018. That was the figure from Dr Michael McGuire, a senior lecturer in criminology at the University of Surrey in England, who presented this research on the cybercrime economy at this year’s RSA security conference in San Francisco. In 2017, FBI’s Internet Crime Complaint Centre received more than 300,000 complaints, and victims reported losses totalling more than $1.4 billion.
Illicit profits from cybercrime will amount to $1.5 trillion during 2018.
The scale and impact of cyberattacks and cybercrime is growing all the time. Europol identified the biggest cybersecurity events during 2017 including large-scale ransomware attacks, growing numbers of data breaches, rising payment fraud and continued use of the Darknet to enable a wide range of criminal activity.
Against this landscape, police forces face multiple challenges to tackle cybercrime effectively. Cybercrime is international in nature, but unlike law enforcement agencies and governments, criminals don’t need to observe protocol.
As it happens, one of the outcomes of the CCI has been the formation of informal networks of officers in different countries, who built relationships with their counterparts while studying at the centre. These unofficial channels have helped to speed up the pace of investigations that call for formal cross-border cooperation.
CCI has also addressed another obstacle for police forces: the high cost of commercial technology for investigating cybercrime. “Law enforcement agencies don’t always have the budgets to buy the expensive tools like EnCase that cost thousands for training, and for the licences,” says Baker.
In 2013, the CCI began a project to develop a free digital forensics tool for police forces. The initial two-year FREETOOL project received just under €1 million in funding from the European Commission which resulted in the development of six tools which are distributed to police at no cost through Europol’s electronic platform.
In 2016, the European Commission provided a further €1 million to support the implementation of FREETOOL v2.0. This next iteration saw the project extended to include the development of open source intelligence gathering (OSINT) tools.
One tool is specifically designed for first responders to capture vital evidence at the earliest possible stage of an investigation.
FREETOOL now encompasses a suite of 12 tools. One tool is specifically designed for first responders to capture vital evidence at the earliest possible stage of an investigation. “If there’s been a disturbance or they’ve been sent to do a search and seizure and they encounter a live machine, they have no technical experts – because they’re rare – so we would give the non-technical first responders a USB key with the tool on it, which they would put into the computer and it would do a lot of the automated work,” says Dr Ray Genoe, a cybersecurity/cybercrime analyst at UCD CCI, who manages the FREETOOL project.
This first responder tool can tell if a suspect computer is running encryption software like VeraCrypt or BitLocker. It also has a traffic light alert that prompts the first responder to act. A red signal is the cue to contact a technical expert who can guide them to seize what might be a vital piece of evidence, like a wireless hard drive that may be hidden in a suspect’s house.
Speeding Up Investigations
Another of the FREETOOL apps can quickly check multiple suspect laptops or smartphones, and it will tell investigators which device to prioritise and escalate to a commercial forensics tool if that device needs further inspection. “That’s been successful at clearing backlogs in a lot of countries, which has been a problem for computer crime units,” says Dr Genoe.
The value of CCI’s involvement in the project is that everything’s guided by the practical experience of expert investigators who meet regularly in Dublin to guide the development of the toolset. “In this room, we have 20 people from 12 different countries, sharing their experiences of what a tool should look like and what it should do, and then we go forward and implement that,” says Dr. Genoe.
“In this room, we have 20 people from 12 different countries, sharing their experiences of what a tool should look like.”
“There’s no point in developing these things unless you’ve got the experience. With this, we have two-year cycles and we’ll tailor the entire tool from the ground up to address law enforcement.”
Leaning on their technical background, the CCI staff have tried to help improve the coding skills and processes of the development team. “We’re now using our own instance of GitLab which has continuous integration that automatically tests software as we commit code, so our coding standards have improved…” says Dr. Genoe. “We want to encourage development and we want to make as many of our tools open source as possible.” The intelligence gathering tool, for example, is a framework with more than a dozen scripts, and developers can add code subject to review.
Beyond Police Forces
As well as broadening its activity beyond law enforcement training, the CCI has also begun working with sectors that are particularly at risk from cybercrime, like financial services and critical national infrastructure.
The centre provides threat modelling activity that allows those sectors to get a sense of the specific risks they face. To do this, CCI has been forging closer links with industry and academia, to gain a fuller understanding of how organised crime operates in the underground economy.
As Baker explains: “Everybody should have a cybersecurity strategy and obviously you need information, hard facts, and evidence to support your strategy. It’s about knowing what the criminal is doing and build a picture of the threat landscape.
“The way to do that is to gather open source intelligence and information on what’s happening. That intelligence could be IP addresses, malware samples, hashes of virus signatures, domain names. If you collect that information together, you can use it to build a picture.”
“It’s about knowing what the criminal is doing and build a picture of the threat landscape.”
The CCI developed an information sharing platform for financial services institutes that combines intelligence data from banks, and data from its own research such as scraping Darknet forums where cybercriminals gather.
“We’re always developing new technologies that will facilitate that and that will make it easier for us to collect and feed data into the platform that the banks can then interrogate to see indicators of compromise. And they can also use it in the longer term to inform strategy,” says Baker.
Just as CCI’s network reaches across Europe and beyond to more effectively tackle cybercrime, it encourages sector stakeholders to collaborate more closely and share information to improve security. “A bank building up a threat picture is one thing. A collection of banks building up that threat picture is much more enriched and a better picture,” adds Baker.
The centre also operates a malware threat analysis lab that examines financially motivated malware samples. It observes the evolution and behaviour of the malware over time, producing daily reports on changes in the malware sample, or changes in its network activity. It shares this information with the Cyber Defence Alliance, an information sharing forum for UK banks and law enforcement agencies.
“We’re trying to add value to information that’s already there. We don’t want to use a malware sample that you can find information about online. We’re looking for the unique pieces of malware which we source either from a participating bank or from our own sources,” says Baker.
She points out that, like the CCI itself, the Cyber Defence Alliance has Irish roots. It is modelled on the High Tech Crime Forum, which banks in Ireland set up in 2006 to share details of cybercrime risks facing them.
The CCI is keen to draw on the experience of industry, because it adds a crucial extra layer to the knowledge of law enforcement agencies and academics. “Security is a unique research area. The practitioners and those at the front lines are the ones that know what the problems are, and if you are not bringing them into research, then the research is not as relevant,” says Baker.
It’s hard to assess the true impact of CCI since it launched 12 years ago. Officials won’t discuss ongoing or recent cybercrime investigations. Having said that, it’s a matter of record that police forces have been more successful than ever in stopping cybercriminals, and much of it has hinged on close collaboration.
“The practitioners and those at the front lines are the ones that know what the problems are, and if you are not bringing them into research, then the research is not as relevant.”
In late April, authorities took down WebStresser.org, a popular marketplace for launching Distributed Denial of Service attacks that was behind attacks on seven of Britain’s largest banks in 2017. Dubbed ‘Operation Power Off’, this was a cooperative effort between the Dutch Politie and the UK National Crime Agency, with support from Europol and a dozen other law enforcement agencies.
Separately, a coalition of eight countries took down propaganda broadcasting infrastructure of the Islamic State. And, cybercrime teams from the Dutch Politie also seized Anon-IB, a so-called “revenge porn” forum in an investigation relating to criminal offences.
Meanwhile, back in the leafy south Dublin campus, the CCI’s mission continues.
When we say that cyber attacks come in all shapes and sizes, it might still be difficult to picture how obscure they can be. In 2010, Japanese file-sharing website Winny let slip Ika-Tako - Japanese for ‘squid octopus’ - a virus that replaced files on users’ hard drives with pictures of octopuses, squid and sea-urchins, with the original files sent to the hacker’s server.
The malware, which disguised itself in audio files, affected somewhere between 20,000 and 50,000 computers, before the hacker was identified and arrested. His justification for the attack? He wanted to see how much his hacking and programming skills had improved since the last time he was arrested, according to PCWorld. It’s not just financial information users have to be careful to protect, they also have to ensure they don’t wake up with a hard drive full of sea creatures and little else.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]