Whether it’s a ransomware attack that temporarily halts newspaper deliveries, a cyber attack targeting gas pipelines or financial cyber crime attributed to North Korea, foreign attacks on U.S. industries are keeping the nation’s law enforcement officers busy. Private cyber security and threat intelligence companies often work with law enforcement — informally and formally — to help with cyber-crime investigations because many of the agencies have limited budget and staff. This unique public-private partnership leverages private threat researchers’ deep knowledge of the cyber underground, including nation-states, and provides government investigators with information and perspective that can make a critical difference in solving cyber whodunnits and stopping future attacks.
As a former cyber investigator with the U.S. Secret Service and head of threat intelligence at a number of major security companies and research labs, I’ve been on both sides of this working relationship, and I’m actively involved in cases today. There is no official playbook for how this partnership should operate, but there are a few best practices that can help streamline the work and improve outcomes. Here are five steps for success:
1. Define the scope and goals
Law enforcement investigates such a wide range of cyber-crime activity — from financial fraud to ransomware, data breaches, child pornography and physical crime nexuses like drugs and firearm sales — that it’s important to define an investigation’s scope so threat analysts know where they should focus their efforts.
Once focus has been narrowed, agencies must set goals for intelligence production and then work back from there. The goal could be to get ahead of unauthorized intrusions and keep attackers from accessing sensitive customer data. Or the mission could be to identify the source of stolen payment card data from a hotel chain breach that is for sale on the dark web.
To reach those goals requires a thoughtful sourcing and collection plan: which data sources exist, which ones the team can actually get access to, and what can be collected from the open internet. For example, analysts may want to obtain data from a Russian underground forum that requires members to be vetted before they can buy or sell stolen data. To investigate a case of Chinese espionage, threat researchers may need telemetry in the form of network traffic metadata from affected corporations, or a forensic image of a hard drive from a compromised server. When victims proactively provide the forensic data, the investigation proceeds more quickly than if federal agents have to obtain a grand jury subpoena for stored records or a Title III (wiretap) court order for real-time interception. Threat analysts may also need data from active internet scans (for example, from the Shodan connected-devices search engine) or from malware repositories such as ReversingLabs. Whatever the source, record how and when each item was obtained; provenance and chain of custody matter once the data is used to support a warrant or a prosecution.
Threat intelligence analysts not only collect data for law enforcement but also make it digestible for investigators, providing support and well-developed leads that can be built into successful criminal cases.
2. Establish a nexus and jurisdiction
The data collected by threat intelligence analysts is critical to establishing connection and causality in cyber-crime cases. The digital breadcrumbs leading from ground zero of the attack through numerous systems, all the way back to the criminal responsible, are used to determine which law enforcement agency will investigate and where the case can be prosecuted. The data can reveal where the victims and suspects are located as well as the location — and thus the district — of the infrastructure involved in the crime. Locating the victim is relatively easy; pinpointing the suspect is much harder, because there are many ways to hide digital tracks, and an IP address by itself identifies a piece of infrastructure (a proxy, a VPN exit or a compromised host), not necessarily the person behind the keyboard. For example, my team was able to identify the IP address of an actor in Europe who is believed to be behind the sale of stolen server credentials for a group of small companies in the same vertical. We didn’t know the exact infrastructure being used, but we had high confidence in his location and in the affected victims.
3. Create a centralized team
Just as the criminals and victims may be scattered around the internet, the agencies and investigators working the case may be dispersed as well. As a result, it’s important to centralize operations and communications as much as possible, with one team managing the threat intelligence operation and farming leads out to other offices that focus on the investigations. One team attempting to do it all doesn’t scale, because investigators are easily overwhelmed with leads. When I was in the Secret Service, it was time-consuming to write search warrant affidavits that can run to 30-40 pages, write internal status reports and manage an intelligence-gathering operation at the same time. It took several days to obtain a search warrant for a server, and after serving a subpoena on an ISP or content provider for data, we were lucky to receive the data within a few weeks. Cyber investigators need to be able to focus on opening and furthering criminal cases, not on threat intelligence collection, analysis and reporting.
4. Network, network, network
Good threat intelligence isn’t done in a vacuum. The more threat information is shared between investigators and analysts, the more valuable it is. The same is true of cross-pollination between the private and public sectors. Investigators should regularly attend conferences and events where they can improve their knowledge and skills and also rub elbows with others in the field to swap information, tips and best practices. These relationships are key when big incidents come up that the industry needs to deal with quickly. In a highly successful example, the security community rallied together to create the DNSChanger Working Group to figure out a way to protect computers from the DNSChanger Trojan, which infected more than 4 million computers as part of an ad fraud campaign in 2011 by pointing them at rogue DNS resolvers. Security companies developed tools to check whether a computer was infected, ISPs provided supplementary services, and the FBI obtained a temporary court order allowing replacement DNS servers to be operated so that infected machines didn’t lose name resolution, and with it their internet access, during the clean-up operation.
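The infection checks mentioned above came down to one question: is the machine configured to use a resolver inside the rogue address space? The following is an added example written for this page, not one of the working group's tools. It parses resolv.conf-style text and flags any nameserver that falls inside the six rogue resolver ranges the FBI published in its 2011 DNSChanger notice; the sample configuration embedded in the block is constructed, not taken from a real host.

```python
import ipaddress

# Rogue resolver address ranges from the FBI's 2011 DNSChanger notice.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text.

    Comments (# or ;) and other directives such as 'search' are ignored;
    a malformed address is skipped rather than aborting the whole check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def rogue_resolvers(servers, ranges=DNSCHANGER_RANGES):
    """Return (address, matching_range) pairs for resolvers inside a rogue range."""
    hits = []
    for addr in servers:
        for net in ranges:
            # Only compare like with like; the rogue ranges are all IPv4.
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net)))
                break
    return hits


def check_resolv_conf(resolv_conf_text):
    """Parse a resolver configuration and return the rogue resolvers it uses."""
    return rogue_resolvers(parse_nameservers(resolv_conf_text))


# Constructed sample: one resolver inside the rogue space, two legitimate ones.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not from a real host
search example.internal
nameserver 85.255.115.23
nameserver 8.8.8.8
nameserver 2001:4860:4860::8888
"""

if __name__ == "__main__":
    hits = check_resolv_conf(SAMPLE_RESOLV_CONF)
    if not hits:
        print("no rogue resolvers configured")
    for addr, net in hits:
        print(f"resolver {addr} is inside rogue range {net}")
```

On a Unix host the text fed to `check_resolv_conf` would come from `/etc/resolv.conf`; on Windows, where DNSChanger also rewrote settings, the same range check applies to the DNS servers reported by `ipconfig /all`, but the parser above only understands the resolv.conf format. Note that a clean resolver configuration does not prove a machine was never infected; it only shows that it is not currently pointed at the rogue space.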
Information sharing is vital to successful cyber investigative work, and networking — particularly face-to-face networking — helps establish trust, which is the foundation of good research and investigations. A good rapport with sources and partners is crucial to getting reliable information that may not otherwise be readily available. Most information sharing happens through back channels rather than official ones, so the more networking analysts do, the more access they have to people and information.
5. Close the loop
One of the most important tips I can give law enforcement officials who want to improve their partnership with threat intelligence analysts is to provide feedback and updates on cases. Analysts benefit from knowing what information was useful to a case and what wasn’t, which helps them improve their strategy and processes in general. I’m not suggesting that law enforcement should give a detailed update, but a general update indicating that the information was useful and that the case is making progress goes a long way with private-sector security professionals who are helping out alongside their regular responsibilities. This feedback loop is practical: it increases the chances of better outcomes in the future, and it strengthens the partnership. Private companies are trying to do the right thing for the overall community and help catch the bad guys. If the information threat analysts provide disappears into a black hole, they get no intelligence back in return and can lose the incentive and motivation to keep contributing.
Cyber criminals are growing in numbers and sophistication all the time, while the government’s security skills gap widens and inadequate cyber budgets stay flat. The need for a productive and efficient public-private partnership on cyber-criminal investigations is greater than ever before.