[gnso-rds-pdp-wg] Why the thin data is necessary

Neil Schwartzman neil at cauce.org
Wed Jun 7 16:17:19 UTC 2017


I have no doubt that all those cybercrime investigators participating here are honorable and well-intentioned, but the reality is that anyone can call him- or herself a cybercrime investigator and start publishing reports on whatever their agenda may be.

Ultimately, all official cybercrime investigators are accredited by their respective governments: they are then called law enforcement. The other category of semi-official investigators would be private authorities that have been granted certain powers by law or statute, such as Jugendschutz.net <http://jugendschutz.net/> (in Germany) or LegitScript (in Japan only?).

Everyone else is merely attaching a label to themselves that may or may not be accurate.


> why are private cybercrime investigators not accredited?  How can the global public trust them, or perhaps why?

I suspect it is for the same reason (former) government employees are not, or university professors are not. 

How can we be trusted? Nice! That’s the kind of FUD that one comes to expect in the era of Trump.

We are trusted if our findings are sound, by our employers, law enforcement, and the service providers with whom we interact.

That’s all that’s needed, that’s all that is wanted in our ecosystem. File spurious reports, and people don’t hire you, don’t accept future reports, or, in the case of a blacklist like those run by, for example, Spamhaus, they don’t use the service.

First off, the vast majority of the work I do, and I’d hazard that is true of my colleagues in the network security arena, doesn’t involve law enforcement.

I work on an anti-abuse operations team for a mailbox provider as a … what’s my LinkedIn profile say this week? Oh right. A "Strategic Visionary Senior Consulting Technologist” ROTFLMAO. I’m a senior spamfighter. In that capacity, I do spend time researching badguys behind attacks, but mostly dig into the attacks themselves, to identify, remediate and mitigate current and future incidents.

In plain-speak, at my day job, I receive telemetry that tells me malicious activity has taken place; I check out the domain, originating IP, methodology, etcetera. I pivot on the data-points available to encompass as much of the totality of the attack (IPs, domains) as possible. Then I deploy blocking mechanisms to disallow further egress to our mail systems.

I also work on attributions, gathering multiple attacks into aggregated form, and research connective tissue to those behind them. 

If my final analysis meets certain criteria making it a viable case referral to law enforcement, I will write up a report with supporting documentation including all the data I based my recommendation upon, and send it to the internal team that handles such things. Two important thresholds that must be met are a cooperative jurisdiction, and demonstrable losses/costs surpassing $500,000. That figure is generally what it takes for a national law enforcement agency to even ‘get out of bed’, to paraphrase Linda Evangelista’s infamous quip.

The real-world reality is that law enforcement agencies want a case referral to be ‘silver plattered’. One must show up with a substantive, thorough, detailed and accurate research report if you expect to be successful with it.

That means every supporting datapoint becomes essential to convincing an agent to agree to go to her or his superiors, who in turn assess the case merits and the information we submitted as part of the decision to devote precious resources. An investigation can involve a considerable number of people, and span many years before an arrest is made. Our data is not evidence. LE have the capacity to monitor activities, tap phones, subpoena messaging accounts, and so on, and must gather such data live during the course of the investigation, to help build an unassailable case for court. They must justify the tremendous expense internally to their organization, and eventually to a prosecuting attorney who is looking for a serious crime and a case s/he can win.

As I said, LE will build on anything we present to them (and re-do or review the data, which is not evidence in any legal sense), but the better the submission, the more likely they are to undertake an investigation. Often times, we also have time, skill sets and resources they do not.

LE can issue legal instruments to various third parties (service providers like registrars, hosting companies, etcetera); as a victim company we have little ability to do so. (I am told there is a way in the U.S. wherein you file a John Doe civil lawsuit, then have a court issue subpoenas, but naturally this tactic is awkward, difficult, and extremely rare, as the cost is prohibitive and a win extremely improbable; as well, courts frown upon using this technique to go on fishing expeditions for data otherwise unattainable, rightly so, and if you are found to do this frequently (file, subpoena, drop the case) there are potentially serious consequences.)

Moreover, ‘public-private partnerships’ are increasingly common; these are usually in the form of a taskforce made up of law enforcement and representatives of private companies who have skills and data law enforcement do not. Yes, we assist in investigations, to a degree. We’ve seen many successes stem from such initiatives, botnet take-downs such as Mariposa <https://www.m3aawg.org/news/fbi-agent-thomas-x-grasso-receives-first-jd-falk-award-for-establishing-dns-changer-working>, or one I participated in, the Adober Gang <https://www.justice.gov/opa/pr/three-defendants-charged-one-largest-reported-data-breaches-us-history> data-breach case. There are on-going cooperative efforts to train law enforcement investigators and prosecuting attorneys (and even judges) in the complex technical aspects of ‘cyber-investigations’. There are discussion forums where cops and techies actively engage with one another, so they can know what matters are serious enough, and widespread enough, to consider for investigation.

This is a long-winded way of saying that private companies cannot obtain court orders to gain access to data (and I personally believe that to be a good thing, since data one can usually obtain in such fashion is exceedingly more sensitive than that currently in WHOIS), law enforcement do not have the resources to investigate every security incident that occurs (in the 40 minutes it took me to write this, most major mailbox providers (gmail/hotmail/Yahoo! etcetera) each dealt with almost a billion inbound emails, 2/3rds of which were spam), and tying up legal resources to issue court orders is outrageously wasteful, laborious, onerous, and ultimately inane.

Asking security analysts and researchers to ‘get a court order’ is for all intents and purposes impossible, and expecting law enforcement to investigate every network attack is magical thinking with no basis in reality.

Expecting there suddenly to be criteria for researchers to become accredited is also inane, and for my, or anyone else's, employer to require them is equally as silly. Or snide, which is what I suspect the intent of that comment was in actual fact.
