James Coker asks how law enforcement can use cyber-threat intelligence more effectively in their efforts to bring more cyber-criminals to justice...
Strengthening cyber-defenses remains the primary focus of the infosecurity community, and understandably so. Yet, amid surging levels of cybercrime thanks to COVID-19, should more emphasis be placed on taking the fight to the cyber-criminals? After all, if law enforcement can regularly identify those responsible, disrupt their activities and ultimately bring them to justice, the digital world will be a much safer space. As the sporting mantra goes, perhaps ‘attack is the best form of defense.’
There is also a powerful moral case to consider, given the increasingly devastating real-world impacts of cyber-attacks. In one particularly heartbreaking tale, the death of an infant was linked to a ransomware attack on a US hospital due to monitoring equipment being unavailable to medical staff.
One can only hope that stories like this increase the motivation to bring cyber-criminals to account for their actions. However, this is far easier said than done, with the process of identifying and locating cyber-criminals filled with complexities. Unlike in most ‘traditional’ crime, cyber-criminals “can be located anywhere and target people in any country, so they’re not limited at all by geopolitical boundaries whereas law enforcement typically is,” notes David Emm, principal security researcher in the global research and analysis team at Kaspersky.
This applies even to international law enforcement agencies that have well-established relationships with national police forces worldwide, such as INTERPOL and Europol. Brian Honan, CEO of BH Consulting, points out that many of the current legal frameworks for sharing data of this nature are based on physical crime.
“Unfortunately, in cybercrime, the evidence is much more ephemeral and doesn’t last as long in the physical world, so time is the enemy of law enforcement agencies,” he explains. “If they have to use a traditional means of obtaining evidence from partner or international law enforcement agencies, by the time they get that information, the criminals are gone, and it’s too late.”
Despite this, there have been several successful law enforcement operations recently. In one example from this year, members of the FIN11 (Clop) ransomware gang were arrested by the Ukrainian police in conjunction with INTERPOL and law enforcement from the US and South Korea.
However, such successes remain too few and far between considering the sheer scale of global cybercrime. As such, law enforcement’s ability to receive and share cyber-threat intelligence rapidly must be enhanced. “Having information and threat intel that can be shared in a quick, efficient and legal way is extremely important in our fight against cybercrime,” observes Honan.
What types of collaborations can help facilitate intelligence sharing, and what hurdles must be overcome in this process?
Agreements with Private Companies
A rich resource of cyber-threat intelligence data is held in the private sector, particularly by cybersecurity companies. With cyber-criminal gangs becoming increasingly sophisticated and targeted in their approach, Kaspersky’s Emm notes, “What becomes important is very early detection of what’s going on, so looking for activities that stand out is really important. That’s conditioned by threat intelligence that organizations like Kaspersky can offer.”
Perhaps unsurprisingly then, there have been a number of formalized data-sharing agreements between law enforcement and private companies in recent years. For example, Kaspersky and INTERPOL entered their threat intelligence agreement in 2014, while telecoms company BT and INTERPOL signed a similar deal in 2017. Kevin Brown, managing director at BT Security, believes these agreements are in the interest of all parties: “We share the same objective as INTERPOL of wanting to tackle online criminality and make the internet a safer place – so our partnership with them is about the sharing of overall threat intelligence data to support this.”
This is why INTERPOL developed the ‘Project Gateway’ framework, designed to facilitate information sharing with private companies. Bernardo Pillot, assistant director, cybercrime operations at INTERPOL, says this initiative has become integral to the agency’s ability to disrupt cyber-criminal activities. The partnerships are managed and nurtured by its capacity building and outreach unit, which then passes the data provided to its cyber-threat unit that analyzes the information to determine if it is actionable. Finally, it’s sent to the operational unit that Pillot works for. “We look at the intelligence that comes in and share it with member countries and coordinate operations that are meant to track and disrupt this cyber activity,” he outlines.
There are currently 13 companies involved in Project Gateway, and Pillot admits he would like to see more participation. Unfortunately, he believes some organizations are becoming more reluctant to share intelligence data amid an increasingly dangerous threat landscape. “They want to look from within, and they tend not to share,” he says. “When that happens, rather than closing off, it’s better to share data, and what better way to do it than with an organization that has a global reach with 194 members.”
Quality Over Quantity
With speed being of the essence in cybercrime investigations, it is vital that threat intelligence data received by law enforcement is immediately actionable. Former director of GCHQ and chairman of BlueVoyant, Robert Hannigan, says, “The biggest challenge of all in cyber-threat sharing is not so much producing or sharing it, as knowing what to do with it. More threat information is not what over-stretched cyber-teams need. What they want is better quality, relevant, timely, clearly actionable and prioritized cyber-threat intelligence.”
Honan believes private companies need to have the right motivation to ensure the data they share is targeted and actionable, rather than being sent across without due care and attention. “A lot of cybersecurity companies, particularly startups, look at threat intelligence as a way of marketing their product or themselves,” he outlines. “Sharing threat intelligence with law enforcement should be with the goal of putting those responsible for cybercrime into jail, or at the very least disrupting their operations.”
Private firms can be of significant help in this respect by offering their expertise to law enforcement to help decipher the information at speed. Kaspersky’s Emm points out, “Unsurprisingly, the skills available in the private sector outweigh those available in law enforcement, largely because of the money that they have at their disposal. Therefore, if we can contribute to upskilling, then that’s got to be a benefit.”
Another potential barrier to effective data sharing is linked to the growth of data protection laws worldwide. In this landscape, organizations could be forgiven for being reticent about sharing information with law enforcement. Honan observes, “Some threat intelligence gathering could be deemed to be personal data and how you share, and who you share that information with, could come under the jurisdiction of regulations such as the GDPR or UK Data Protection Act.”
As a result, “the legal framework as to how you gather that information and who you’re sharing it with needs to be clearly defined and understood.”
This is something BT has carefully clarified in its partnership with INTERPOL. BT’s Brown says, “From the outset of our relationship with INTERPOL, we established that BT’s role is not around the attribution of specific individuals or providing personal information.”
Ultimately, growing trust on all sides is the crucial component for ensuring threat-sharing arrangements are effective. “If you’re sharing evidence of a crime with another party, do you really trust that other party not to disclose that evidence to somebody who shouldn’t know that information?” asks Honan.
International Agreements
In addition to partnerships between law enforcement and individual organizations, there has been a notable rise in international agreements that include provisions to facilitate the sharing of cyber-threat intelligence across borders. For example, recently, the US and Singapore signed a partnership promising more cooperation in fighting cybercrime. Additionally, the UK’s National Crime Agency (NCA) entered a new arrangement with Europol that encompassed “the fast and effective exchange of data.”
These types of initiatives are critical, as information sharing across borders remains a major barrier to law enforcement’s efforts to tackle cybercrime. “A lot of the challenges with sharing information across borders is that different jurisdictions handle information differently,” says INTERPOL’s Pillot. This can even occur within a single country. Pillot, who is on secondment from the US Department of Homeland Security, points out that in the US, “you have a multitude of federal agencies, and we all have different methods of handling information and sharing so that’s a big challenge.”
Therefore, he warmly welcomes the growth of international agreements that include provisions for cyber-threat intelligence sharing. Pillot explains: “Our reach is across the national crime bureaus of each member country, so if a country enters into an agreement with the US, we can reach out to the national crime bureau in Washington DC to receive data that has been shared with the US. It works the same with any other member country that enters into a data-sharing agreement.”
This sentiment is echoed by former GCHQ director Hannigan, who has observed significant advances in this area: “Countries that have traditionally shared intelligence, notably the ‘Five Eyes,’ have a head-start in cyber-threat sharing: the legal frameworks, practical mechanisms and basic trust are already in place. The UK has also worked closely with cyber-agencies in France, Germany and elsewhere. Law enforcement networks have also got better at sharing.”
However, Professor Lisa Short, director and co-founder of Hephaestus Collective, is concerned that the motives behind such agreements tend to revolve around geopolitical interests, which can be to the detriment of tackling cybercrime activity. “I think the risk or challenge of the veracity and pragmatism of such arrangements are rooted in the ‘why’ and intended outcomes being sought by all parties. Singapore has different drivers to the US for wanting such an agreement [for example] and when there’s imbalance or disparity, motivation and outcome can be a difficult thing to attain.”
In Short’s view, this is a problem with the recently enacted trilateral security pact between the US, UK and Australia (AUKUS). “The new AUKUS security pact will purportedly include AI and other technologies but appears primarily focused on countering China, [rather] than actual intelligence sharing to proactively increase digital trust,” she comments.
Linked to this issue is the fact that for the foreseeable future, so-called ‘outlier’ nations such as Russia, China, Iran and North Korea are extremely unlikely to be involved in any intelligence-sharing agreements with the West. This is particularly concerning, given that many cyber-threat actors are believed to operate in these regions.
This issue was laid bare by the recent arrest of Ilya Sachkov, CEO of Russian cybersecurity firm Group-IB, on state treason charges. This was reportedly on suspicion of conspiring with foreign intelligence services, with Sachkov previously outspoken about Russia’s harboring of cyber-criminals within its borders. Commenting on this story, Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, says, “Cybercrime is borderless and global, so any actions like this that deter international cooperation further enables and emboldens cyber-criminals.”
From a law enforcement perspective, Pillot believes that “governments need to put aside political ideology as this is a situation that impacts countries globally. I don’t think there will be one country that will not be impacted as we all become more digital in the way that we work and go about our lives.”
The need to disrupt the activities of cyber-criminals, and to ramp up the risks involved in launching attacks, has never been greater. Not only is the volume of attacks surging, but critical services like healthcare are being increasingly targeted, with devastating consequences. Therefore, law enforcement agencies require more actionable intelligence data to bring cyber-threat actors out of the shadows, disrupt their activities and hold them accountable for their heinous acts. This requires more collaborations that facilitate intelligence sharing, which serve to tackle cybercrime and are removed from other interests. Recent tragic cases have laid down the gauntlet; is the world ready to pick it up?