The aim of IT forensics is to handle intrusions and incidents to minimise loss of valuable information and competitiveness.
Black market rising
Digital values are worth more than purely physical values at most companies these days. Criminals are switching to financial crime, industrial espionage, and card fraud – as new, lucrative markets in a world where the drug trade has become riskier and market growth has waned. Teaching at universities and research institutes has yet to catch up. They talk about what people can do to protect themselves but say nothing about the real threat. Focus is on what could theoretically happen, instead of what is actually going on, and the reason is simple: they do not know.
If someone has circumvented perimeter security and is inside the system, there are no warning bells and no one scrambles. Criminal networks know that no alarms will sound, and the police are not going to show up, investigate, and arrest the criminals. That is where we come into the picture: a digital monitoring company with international experience. A company that knows how to resolve the situation when it happens.
In cases of industrial espionage, the situation may involve a new design, new software code, a new molecule, and so on. Enterprises may need to protect a strategic business direction, customer databases, or price lists – anything that can provide a competitive edge. R&D involves substantial financial investments and staying on the forefront and creating competitive advantages. Enterprises must have a method or system that benefits them in the market. Documentation of the method or system is what is stolen, brokered, and sold to their competitors.
What do we do?
It is crucial to the victims that information about the incident is not leaked, so we maintain absolute secrecy. We have extremely rapid reaction time. Our customers span the globe from South America to the Arctic Ocean. We have contracts with leading corporations worldwide – companies that think and act for the long term. The cost of an intrusion would be so enormous for our customers that they want the capacity to react swiftly and effectively to contain losses – even if there is relatively little risk of an intrusion. If it does happen, we will have already built a relationship with the customer, which is vital in a crisis.
Customers’ first questions are: Who is coming? What are you going to do? What information do you need? We are fast, we have a structure, a system, and we know which data are the prime targets. We are among the few companies in the world certified to investigate card fraud for Visa, MasterCard, American Express, and other issuers.
We work with all industries and types of operations. Our business is based on trust and reputation. Our liaisons are often executives with wide networks, and they are our best marketing channel.
It is always an emergency when an incident occurs. We can be anywhere in the world within 24 hours. Because we already know each other, have already built a structure and have established liaisons, we can quickly start an incident team at the customer site. Whether you get the investigation started on day 1 or day 3 can make a difference in data loss worth millions to the customer.
We are onsite fast to activate emergency counter measures, collect digital evidence, and investigate. We work with world-leading attorneys specialised in IT law to ensure that we comply with the law, but we work across all borders. There are other companies in the same field, but we are unique in that we work in all three segments: industrial espionage, financial crime, and card fraud. This is essential to our effectiveness. A method used in one area is often applied later in another. Our broad understanding is a major competitive advantage for us and our customers.
Why not call the police?
It takes too long. The police are overworked and understaffed and do not prioritize IT crime. Their focus is on violent crimes against persons and child pornography in the digital area. It is difficult for the police to work via their usual channels. IT crime is everywhere – and that means dealing with Interpol and foreign laws and authorities.
The police may also have problems with leaks, and our customers do not want to end up on the front pages the next day. First and foremost, we have varying targets. The police want to catch the criminals, while our main objective is to reduce our customers’ losses and production disruptions.
How did you get interested in forensics?
Engineering is a creative profession but not always a thrill a minute, so to speak. The thought of combining excitement and action with the art of engineering appealed to me. I got my MS in Engineering, Information Technology at the Linköping Institute of Technology and my specialisation at the Swiss Federal Institute of Technology (ETH) in Zurich – one of the top three universities in the world in cryptography and information security. The market was fairly small when I started. I did a degree project at Siemens on secure access to the company’s resources where I met a consultant from Nexus, which was then the only private sector alternative where I could work in my chosen field. The public sector alternatives were the Swedish National Defense Radio Establishment and the Swedish Security Service.
While I was in school, I was also freelancing, investigating intrusions. At one point, I had 18 computers at home that simulated various servers so I could check out new intrusion patterns and track what people were doing, what they were after, and so on. Alarms sounded in the middle of the night: my partner was not amused …
It takes a particular kind of mindset to like the investigative life and sudden emergency situations. And solving problems becomes a way of doing business. The key is to try and understand how criminals thinks, to understand their conceptual world. When you do, you can trace the frauds. There are various organised networks, usually of one to five people, who are working in a structured way with IT crime, card fraud, and data intrusion – often segmented according to type of operation. They exploit national borders to reduce risk of being tracked down. There are black markets trading in credit card numbers, corporate information, and research information.
Fences take orders for jobs or sell information. Back in 2000 when I started getting seriously interested in this, I was studying in Canada. At the time, there was a boom of virus, trojan, and worm hackers who wanted to be “king of the hill” and prove who was the most sophisticated. These were people with tremendous capacity in malware. They were creative, analytical, talented software developers who knew more about operating systems, file management, and IP communication than the manufacturers. The view these days is that “anything is business,” and the black markets are growing because there is very big money to be made in IT crime.