This is part of our Humans of Cyber initiative, a series of in-depth interviews with key figures and leaders of the Canadian cybersecurity ecosystem.
This month, we feature Detective Constable Kenrick Bagnall, a cybercrime investigator with the Coordinated Cyber Centre (C3) of Intelligence Services with the Toronto Police Service. In his 15-year police career, Kenrick has worked in primary response, community response, and criminal and divisional fraud investigations – in addition to his six years in the cybercrime unit.
Kenrick shares the importance of security awareness and the integral role law enforcement plays in the cybersecurity ecosystem.
ISA Cybersecurity: In addition to your already busy schedule, I read the other day that you are a board member with “Hackers for Change”. Could you tell us a bit about the work that they do and how you’re involved?
KB: Hackers for Change is a really cool type of organization. It was founded by an incredibly bright young man who saw the need for providing information technology or information security services for non-profits. Non-profits, generally, are the custodians of pretty valuable personal information and financial information in terms of donations and sponsorships and different things like that. Yet, being a non-profit, they don’t necessarily have the financial means to implement a lot of really high calibre information and cybersecurity infrastructure, resources, training, doing pen testing, and all this other stuff that’s part of it. So he decided to put a group together where basically the structure is we would get (it’s all volunteer, first of all, 100% volunteer, and it is a non-profit itself, working for charities and non-profits) senior security engineers to volunteer and under each one, we would place juniors. Three to five, depending on the engagement, and they would go out and perform information security, pen testing type services for non-profits to help keep them secure, and the data that they are custodians of. Now there’s some “win-wins” here, because a lot of the juniors that we bring on board are people who are either just out of their formal education and don’t necessarily have a lot of hands-on experience. So working with Hackers for Change gives them the opportunity to actually engage in real-life work projects, and now have something more tangible for their resume in terms of work experience.
ISA Cybersecurity: So, when an incident is reported and investigated, what kind of interplay do you see between the victim, service providers like ISA, and police services?
KB: Well, generally, from an organization victim perspective, what happens a lot is that – whether they have an incident response plan or not – the remediation factor really kicks in: “Somehow someone got into our system. How did they get in? Are they still here? How can we fix this to make sure they don’t get in again?” So a lot of work that happens either happens with that organization’s internal information technology team and/or some sort of outsourced cybersecurity organization. And they go through all the artifacts, whether it’s logs on a firewall, or an intrusion detection system, access control. Maybe they would look at things in their Office 365 platform, they would look at artifacts in an Active Directory. They would look at all sorts of different technical pieces of artifact.
When law enforcement gets involved, the reality is that all of those things that are being looked at are things that we need to see too – but we look at it as evidence from an attribution perspective. So we look at those breadcrumbs to try to follow a trail to see, not necessarily only how they got in, but who are they and where are they coming from. Understanding the general geographic distinctions of criminality, because we do know that there’s definite trends in terms of different areas of the world, where different things come from. Whether it’s state-sponsored, whether it’s fraud-related, whether it’s extortion-related, whether it may be related to some sort of organized crime or terrorist financing, there is a loose geographic correlation to these types of things. We would definitely communicate with our law enforcement partners around the world to say, “Okay, we’re working on this case, we see these indicators of compromise. What have you seen? Have you seen this?” Just because it’s happening to a victim here, doesn’t mean that it’s not happening to a victim somewhere across the country or even around the world. So that communication is really key.