How Law Enforcement Agencies Fight Cyber Crime


Posted on by Tony Kontzer

cybercrimeInformation security professionals have a plethora of technological tools at their disposal to fight would-be attackers—and more are on the way. The traditional prevention, detection and response technologies are soon to be augmented by innovative new tools that can do things such as spoof entire network topographies on the fly to deceive attackers.

Yet a panel of federal law enforcement officials told attendees at the RSA Conference Thursday that perhaps the most effective weapon in their arsenal is threat intelligence from outside sources.

None made that point more definitively than William Noonan, deputy special agent in charge of the criminal investigations division of the U.S. Secret Service. Noonan said the agency has taken the "secret" out of Secret Service on this topic by sharing the findings of its investigation with the larger information security community.

"We've had a lot of success with prevention because we're sharing the information with industry," he said. And he offered up an example of that success.

After finishing the investigation of a recent attack, the Secret Service shared its findings about how the attack was launched. That information helped UPS deduce that it had already been victimized by the very same attack, and the company was able to take steps to prevent an encore.

The U.S. Department of Justice is taking a similar approach.

"We're trying to take what we're learning from our cases and push that out when we can," said John Lynch, chief of the DOJ's computer crime and intellectual property section.

Lynch said the department is looking for opportunities to provide guidance along the lines of the UPS example, as well as answer questions and even take in outreach itself so it can make better decisions. For example, Lynch said the DOJ shared its best practices for working with law enforcement on cyber crimes, such as the kinds of questions prosecutors and investigators are likely to ask a victimized company.

Keith Mularski, supervisory special agent with the FBI, said that such coordination has proved critical in attempts to get ahead of today's increasingly sophisticated attackers.

"If you look at cases during the last five years, we never could have done it without private industry," Mularski said.

That said, Lynch also stressed that even coordinated, multi-organization responses won't always prove effective.

"One of the things you learn after doing this for a while is that we're not going to capture everybody," he said.

Which is why Noonan strongly recommends that companies form relationships with law enforcement now rather than later. Waiting until a breach happens to approach a law enforcement agency is a strategy that could come with a hefty price tag for the target organization.

"It speeds up the response if you already have the relationship," he said, pointing to the 2014 Target breach, which wasn't discovered until two weeks after the attack. "Those two weeks of badness could have stretched much longer without information sharing."

And it's safe to assume that there's not a security executive in the world who wants to endure more badness.

law

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community