5 steps for a successful public-private cyber crime fighting partnership

Leveraging private threat researchers' deep knowledge of the cyber underground gives government investigators information and perspective that can make a critical difference in solving cyber crimes and stopping future attacks.

Whether it’s a ransomware attack that temporarily halts newspaper deliveries, a cyber attack targeting gas pipelines or financial cyber crime attributed to North Korea, foreign attacks on U.S. industries are keeping the nation's law enforcement officers busy. Private cybersecurity and threat intelligence companies often work with law enforcement -- informally and formally -- to help with cyber-crime investigations because many of the agencies have limited budget and staff. This unique public-private partnership leverages private threat researchers’ deep knowledge of the cyber underground, including nation-states, and provides government investigators with information and perspective that can make a critical difference in solving cyber whodunnits and stopping future attacks.

As a former cyber investigator with the U.S. Secret Service and head of threat intelligence at a number of major security companies and research labs, I’ve been on both sides of this working relationship, and I’m actively involved in cases today. There is no official playbook for how this partnership should operate, but there are a few best practices that can help streamline the work and improve outcomes. Here are five steps for success:

1. Define the scope and goals

Law enforcement investigates such a wide range of cyber-crime activity -- from financial fraud to ransomware, data breaches, child pornography and physical crime nexuses like drugs and firearm sales -- that it’s important to define an investigation's scope so threat analysts know where they should focus their efforts.

Once focus has been narrowed, agencies must set goals for intelligence production and then work back from there. The goal could be to get ahead of unauthorized intrusions and keep attackers from accessing sensitive customer data. Or the mission could be to identify the source of stolen payment card data from a hotel chain breach that is for sale on the dark web.

To reach those goals requires a thoughtful sourcing and collection plan, which means determining which data sources are available and what can be collected from the internet. For example, analysts may want to obtain data from a Russian underground forum that requires members to be vetted before they can buy or sell stolen data. To investigate a case of Chinese espionage, threat researchers may need telemetry data in the form of network traffic metadata from affected corporations or a forensic image of a hard drive from a compromised server. When victims proactively provide the forensic data, the investigation proceeds more quickly than if federal agents have to obtain a grand jury subpoena or a Title III (wiretap) court order. Threat analysts may also need data from active internet scans (for example, from the Shodan connected-device search engine) or from malware repositories like ReversingLabs.

Threat intelligence analysts not only collect the data for law enforcement, but they make it digestible for investigators, providing support and well-developed leads to establish successful criminal cases.

2. Establish a nexus and jurisdiction

The data collected by threat intelligence analysts is critical to establishing connection and causality in cyber-crime cases. The digital breadcrumbs leading from ground zero of the attack through numerous systems, all the way back to the criminal responsible, are used to determine which law enforcement agency will investigate and where the case can be prosecuted. The data can reveal where the victims and suspects are located, as well as the location -- and thus the district -- of the affected infrastructure involved in the crime. Locating the victim is relatively easy; pinpointing the suspect is harder, because there are many ways to hide digital tracks. For example, my team was able to identify the IP address of an actor in Europe who is believed to be behind the sale of stolen server credentials for a group of small companies in the same vertical. We didn’t know the exact infrastructure being used, but had high confidence in his location and affected victims.

3. Create a centralized team

Just as the criminals and victims may be scattered around the internet, the agencies and investigators working the case may be dispersed as well. As a result, it’s important to centralize the operations and communications as much as possible, with one team managing the threat intelligence operations and farming leads out to other offices to focus on the investigations. One team attempting to do it all doesn’t scale, because investigators are easily overwhelmed with leads. When I was in the Secret Service, it was time-consuming to create search warrant affidavits that can run up to 30-40 pages, write internal status reports and manage an intelligence gathering operation. It took several days to obtain a search warrant for a server, and after serving a subpoena to an ISP or content provider for data, we were lucky to receive the data within a few weeks. Cyber investigators need to be able to focus on opening and furthering criminal cases and not dealing with the threat intelligence collection, analysis and reporting.

4. Network, network, network

Good threat intelligence isn’t done in a vacuum. The more that threat information is shared between investigators and analysts, the more valuable it is. The same is true for law enforcement and the cross-pollination between the private and public sectors, as well. Investigators should be regularly attending conferences and events where they can improve their knowledge and skills and also rub elbows with others in the field to swap information, tips and best practices. These relationships are key when big incidents come up that the industry needs to deal with quickly. In a highly successful example, the security community rallied together to create the DNSChanger Working Group to figure out a way to protect computers from the DNS-hijacking trojan that infected more than 4 million computers as part of an ad fraud campaign in 2011. Security companies developed tools designed to check if computers were infected, ISPs provided supplementary services and the FBI got a temporary court order to allow for the operation of replacement DNS servers so infected machines didn’t lose their internet access during the clean-up operation.

Information sharing is vital to successful cyber investigative work, and networking -- particularly face-to-face networking -- helps establish trust, which is the foundation of good research and investigations. Having a good rapport with sources and partners is crucial to getting reliable information that may not otherwise be readily available. Most information sharing is done via back channels as opposed to official channels, so the more networking analysts do the more access they have to people and information.

5. Close the loop

One of the most important tips I can give law enforcement officials working to improve their partnership with threat intelligence analysts is to make sure they provide feedback and updates on cases. Analysts benefit from knowing what information was useful for a case and what wasn’t helpful, which helps them improve their strategy and processes in general. I’m not suggesting that law enforcement should give a detailed update, but a general update indicating that the information was useful and they’re making progress on the case goes a long way with private-sector security professionals who are helping out alongside their regular responsibilities. This feedback loop is practical, increasing the chances of better outcomes in the future, and it improves the partnership. Private companies are trying to do the right thing for the overall community, and help catch the bad guys. If the information threat analysts provide goes into a black hole, they miss out on important intelligence and can lose incentive and motivation.

Cyber criminals are growing in numbers and sophistication all the time while the security skills gap in government is increasing and deficient cyber budgets remain unchanged. The need for productive and efficient public-private partnership on cyber-criminal investigations is greater than ever before.