Law Enforcement Ups Its Game In Cybercrime

It may still be a frantic game of catch-up for law enforcement, but new data quantifies anecdotal evidence that law enforcement has scored some big cybercrime busts and made inroads in detecting and investigating data breaches.

Law enforcement officials worldwide detected five times as many breaches in 2011 as in 2010, according to new data released today in Trustwave's 2012 Global Security Report: Some 33 percent of organizations with data breaches were alerted to their fate by law enforcement, up from 7 percent in 2010. According to Trustwave, that is mostly due to work by the U.S. Secret Service, Interpol, the Australian Federal Police, and the U.K.'s Serious Organised Crime Agency (SOCA).

"Law enforcement agencies have really stepped it up from a data-notification standpoint. They are apprehending criminals in possession of [stolen] data and doing a better analysis of what's happening," says Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, which based its data on more than 300 data breach investigations and 2,000 penetration tests performed by SpiderLabs worldwide in 2011.

Why the increase in law enforcement activity around the globe? "A lot of breaches popped up in 2010 and put pressure on law enforcement to do more," Percoco says.

Cybercrime investigators in several countries are becoming more proactive in reaching out and collaborating on cases, which most often crisscross multiple geographic regions and legal jurisdictions. There's still no silver bullet for standard international cybercrime investigations -- and not all countries would cooperate, anyway -- but there have been several high-profile cases that have bolstered continued multinational intelligence-sharing and teamwork.

INTERPOL has reaffirmed its support of facilitating collaborative cybercrime investigations among police worldwide. The organization plans to set up a secure online presence for law enforcement to work together around the world as part of its upcoming INTERPOL Global Complex that's under construction in Singapore and scheduled to open in 2014.

Michael Moran, director of cybersecurity and cybercrime for INTERPOL, says the key to fighting cybercrime is for these organizations around the world to share information. "The increased flow of data is indicative of the increased flow of data from private-sector security companies and industry, in general. A good example of this is the Microsoft Digital Crimes Unit and NCFTA on the law enforcement/task force side," Moran says. "INTERPOL supports this increase in information flow as it is difficult to fight a problem if you can’t define it."

And it turns out that if it weren't for law enforcement or other sources, most organizations wouldn't have learned they had been hacked: According to Trustwave's report, only 16 percent of victim organizations were able to detect they had been hacked last year. The other 84 percent didn’t find out until outside entities, such as law enforcement, regulatory bodies, or a public venue, alerted them. In those cases, attackers had been resident inside the victim organization's network for an average of 173.5 days before they were spotted by the outside entity.

Trustwave SpiderLabs' Percoco says his organization often helps facilitate information-sharing among different law enforcement agencies around the world. "We have one client that has a location in Australia and in the U.S., and we were able to work with that client to share that information with other law enforcement agencies that could then be connected to a specific case," he says.

Law enforcement officials around the globe increasingly are reaching out to one another. "International cooperation is a great resource for solving cases," said Cristian Tancov, an intelligence cybercrime investigative officer in Romania, who spoke at the Kaspersky Security Analyst Summit last week in Cancun. He pointed out that the U.S. Secret Service and FBI have worked on cases with Romanian authorities. "Romanian cybercriminals don't really go after Romanians -- mostly [victims in] the U.S. and lately Asia, Australia, and Russia," Tancov said.

[2011 was a busy year for cybercrime investigators, with attacks from Anonymous, LulzSec, and others. See The Most Notorious Cybercrooks Of 2011 -- And How They Got Caught.]

The wave of recent botnet takedowns, meanwhile, demonstrate how cross-border cooperation can help. Take the Bredolab botnet case, where Dutch authorities led the dismantling of the botnet and ultimate arrest of the botmaster. It was a big botnet, with 30 million bots in its army used for pushing fake antivirus and phony pharmaceuticals, spreading other Trojan malware, and stealing the victim machine's financial information.

Peter Zinn, senior cybercrime adviser for the Dutch National High Tech Crime Unit, last week at the Kaspersky summit recalled the events that led up to the wipeout of the botnet and the arrest of the mastermind behind it. It was a multinational effort that included help from law enforcement and private organizations in the Netherlands, the U.S., France, and Germany.

At one point when the Dutch police were in Russia dismantling the Bredolab botnet, the botnet operator behind it, a 27-year-old Armenian man, suddenly began DDoS'ing it with another botnet he controlled in France after assuming one of his competitors was trying to wrest away control.

"We had access to the French DDoS botnet but were not allowed to press the button because it was not our jurisdiction. Criminals have no borders, but we do," Zinn said. Zinn and his team contacted the French authorities, which then stepped in within 30 minutes and stopped the DDoS, he said. "We had the botnet."

And Dutch authorities took an unusual tack: They used the botnet's C&C domains to notify its victims via a pop-up message that informed them that their machines were infected. The victims then were directed to a page where they could log in and get information of how to clean up.

Zinn said the big takeaway from the Bredolab botnet takedown and subsequent arrest was that cooperation among public and private organizations around the globe can work. "We can do it," he said.

But, overall, law enforcement still faces major geopolitical and jurisdictional roadblocks in investigating these cases. "It's always a chase," Percoco says. He predicts that this year will be an even bigger year for law enforcement wins: "In 2012, you are going to see some very large apprehensions [of cybercriminals]," he says.

Meanwhile, among other findings in Trustwave's new report, available here for download: The food and beverage industry tallied the most breach investigations by the firm last year, at 44 percent, and more than one-third of all breaches it investigated last year were at franchise businesses.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.