<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div dir="auto" class=""><p class="">I have no doubt that all those cybercrime investigators participating here being honorable and well-intentioned but the reality is that anyone can call him- or herself a cybercrime investigator and start publishing reports on whatever their agenda may be. <br class=""></p><p class="">Ultimately, all official cybercrime investigators are accredited by their respective governments: They are then called law enforcement. The other category of semi-official investogators would be private authorities that have been granted certain powers by law or statute, such as <a href="http://Jugendschutz.net" target="_blank" class="">Jugendschutz.net</a> (in Germany) or LegitScript (in Japan only?).<br class=""></p><p class="">Everyone else is merely attaching a label to themselves that may or may not be accurate</p></div></blockquote></div></div></div><br class=""><blockquote type="cite" class="">why are private cybercrime investigators not accredited? How can the global public trust them, or perhaps why?</blockquote><div class=""><br class=""></div><div class="">I suspect it is for the same reason (former) government employees are not, or university professors are not. </div><div class=""><br class=""></div><div class="">How can we be trusted? Nice! That’s the kind of FUD that one comes to expect in the era of Trump.</div><div class=""><br class=""></div><div class="">We are trusted if our findings are sound, by our employers, law enforcement, and the service providers with whom we interact.</div><div class=""><br class=""></div><div class="">that’s all that’s needed, that’s all that is wanted in our ecosystem. File spurious reports, people don’t hire you, accept future reports, or in the case of a blacklist like those run by, for example, Spamhaus, they don’t use their service.</div><div class=""><br class=""></div><div class=""><div class="">First off, the vast majority of the work I do, and I’d hazard that is true of my colleagues in the network security arena doesn’t involve law enforcement. </div><div class=""><br class=""></div><div class="">I work on an anti-abuse operations team for a mailbox provider as a … what’s my LinkedIn profile say this week? Oh right. A "Strategic Visionary Senior Consulting Technologist” ROTFLMAO. I’m a senior spamfighter In that capacity; I do spend time researching badguys behind attacks, but mostly dig into the attacks themselves, to identify, remediate and mitigate current and future incidents. </div><div class=""><br class=""></div><div class="">In plain-speak, at my day job, I receive telemetry that tells me malicious activity has taken place, i check out the domain, originating IP, methodology, etcetera. I pivot on the data-points available to encompass as much of the totality of the attack (IPs, domains) as possible. Then I deploy blocking mechanisms to disallow further egress to our mail systems.</div><div class=""><br class=""></div><div class="">I also work on attributions, gathering multiple attacks into aggregated form, and research connective tissue to those behind them. </div><div class=""><br class=""></div><div class="">If my final analysis meets certain criteria making it a viable case referral to law enforcement, I will write up a report with supporting documentation including all the data I based my recommendation upon, and send it to the internal team that handles such things. Two important thresholds that must be met are a cooperative jurisdiction, and demonstrable losses/costs surpassing $500,000. That figure is generally what it takes for a national law enforcement agency to even ‘get out of bed’ to paraphrase Linda Evangelista’s infamous quip.</div><div class=""><br class=""></div><div class="">The real-world reality is that law enforcement agencies want a case referral to be ‘silver plattered’, One must show up with a substantive, thorough, detailed and accurate research report if you expect to be successful with it. </div><div class=""><br class=""></div><div class="">That means every supporting datapoint becomes essential to convincing an agent to agree to go to her or his superiors who in turn assess the case merits and the information we submitted as part of the decision to devote precious resources. An investigation can involve a considerable number of people, and span many years before an arrest is made. Our data is not evidence. LE have the capacity to monitor activities, tap phones, subpoena messaging accounts, and so on, and must gather such data live during the course of the investigation, to help build an unassailable case for court. They must justify the tremendous expense internally to their organization, and eventually to a prosecuting attorney who is looking for a serious crime and a case s/he can win.</div><div class=""><br class=""></div><div class="">As I said, LE will build on anything we present to them (and re-do or review the data (which is not evidence in any legal sense)), but the better the submission, the more likely they are to undertake an investigation.Often times, we also have time, skill sets and resources they do not.</div><div class=""><br class=""></div><div class="">LE can issue legal instruments to various third parties (services providers like registrars, hosting companies, etcetera), as a victim company we have little ability to do so; (I am told there is a way in the U.S. wherein you file a John Doe civil lawsuit, then have a court issue subpoenas, but naturally, this tactic is awkward, difficult, and extremely rare, as the cost is prohibitive and a win extremely improbable; as well, courts frown upon using this technique to go on fishing expeditions for data otherwise unatainable, rightly so, and if you are found to do this frequently (file, subpoena, drop the case) there are potentially serious consequences.</div><div class=""><br class=""></div><div class="">Moreover, ‘public-private partnerships’ are increasingly common, these are usually in the form of a taskforce made up of law enforcement, and representatives of private companies who have skills and data law enforcement do no. Yes, we assist in investigations, to a degree. We’ve seen many successes stem from such initiatives, botnet take-downs such as <a href="https://www.m3aawg.org/news/fbi-agent-thomas-x-grasso-receives-first-jd-falk-award-for-establishing-dns-changer-working" class="">Mariposa</a>, or one i participated in, the <a href="https://www.justice.gov/opa/pr/three-defendants-charged-one-largest-reported-data-breaches-us-history" class="">Adober Gang</a> data-breach case. There are on-going cooperative efforts to train law enforcement investigaotrs and prosecuting attounreys (and even judges) in the complex technical aspects of ‘cyber-investigations’. There are discussion forums where cops and techies actively engage with one another, so they can know what matters are serious enough, and widespread enough to consider for investigation.</div><div class=""><br class=""></div><div class="">This is a long-winded way of saying that private companies cannot obtain court orders to gain access to data (and I personally believe that to be a good thing since data one can usually obtain in such fashion is exceedingly more sensitive than that currently in WHOIS), law enforcement do not have the resource to investigate ever security incident that occurs (in the 40 minutes it took me to write this, most major mailbox providers (gmail/hotmail/Yahoo! etcetera) each dealt with almost a billion inbound emails, 2/3rds of which were spam) and tying up legal resources to issue court orders is outrageously wasteful,laborious, onerous, and ultimately inane.</div><div class=""><br class=""></div><div class="">Asking security analysts and researchers to ‘get a court order’ is for all intents and purposes impossible, and expecting law enforcement to investigate every network attack magical thinking with no basis in reality.</div></div><div class=""><br class=""></div><div class="">Expecting there suddenly to be criteria for researchers to become accredited is also inane or for my, or anyone else's employer to require them, equally as silly. Or snide, which is what I suspect the intent of that comment was in actual fact.</div><div class=""><br class=""></div></body></html>