Elliott Peterson struggles a bit when asked to identify the most frustrating part of his job as an FBI agent fighting cybercrime.
"Actually, most of the time our job is awesome," he finally says. "We are often the only ones that can effect really permanent solutions in this space."
As a special agent in the FBI's Anchorage field office in Alaska, Peterson and his teammates are among those at the forefront of the US government's dogged battle against criminals in cyberspace. Heavily outnumbered and outpaced by their targets, small FBI cybersquads like the one in Anchorage have in recent years been quietly notching up major wins against online criminals operating both at home and abroad. At least some of that success is the result of efforts to build partnerships with private industry and of cooperation with international law enforcement agencies.
Peterson's own team was responsible for investigating and bringing to justice the three-person operation behind the massive Mirai distributed denial-of-service (DDoS) attacks in 2016 that impacted Internet service provider Dyn and several others. More recently, Peterson led a major investigation that in December resulted in some 15 Web domains associated with DDoS-for-hire services being seized and the operators of several being arrested. The actions resulted in a sharp — but temporary — drop-off in DDoS activity early this year.
Such victories are a long way from chilling cybercrime, which by some accounts has grown bigger and more organized than drug trafficking. But the arrests, the indictments, the seizures, and the takedowns are not going entirely unnoticed either.
"We see them talk about this stuff on forums and Discord chats," Peterson said in an interview with Dark Reading at Akamai's Edge World user conference in Las Vegas last week. "We've had a lot of wins in the areas we focus on."
Lessons from Mirai
Peterson's cybercrime-fighting career began as part of an FBI team that went after East European cybergroups stealing money from online accounts of US companies. The law enforcement efforts were so successful that for a brief period between 2013 and 2014, there was an enormous dip in cybertheft targeting US organizations.
"I remember thinking, 'Oh, we figured this out. This isn't hard,'" Peterson says wryly.
The Mirai investigation was something of an eye opener for Peterson and other members of the Anchorage cybersquad — not necessarily because of how sophisticated the malware was, but because of the sheer scale of the attacks it enabled. Mirai was the first malware tool designed to exploit weaknesses in ordinary IoT devices, such as home routers and IP cameras. It allowed attackers to quickly assemble botnets capable of launching DDoS floods bigger than anything seen up to that point. The sheer scale of the damage the malware could inflict surprised both the FBI and even the malware's own creators — Josiah White of Washington, Pennsylvania; Paras Jha of Fanwood, New Jersey; and Dalton Norman of Metairie, Louisiana.
"These guys underestimated the scale of manufacture of [IoT] devices and how widely placed they were throughout the world," recalls William Walton, supervisory special agent at the Anchorage FBI field office. "So when they developed the Mirai botnet, I think they inadvertently harnessed way more power than they set out to harness."
What Mirai showed was how drastically the threat landscape had changed as a result of more devices coming online constantly. "The interconnectedness of the Internet's architecture became readily apparent," Walton says.
DDoS and botnet activities continue to be a core focus of the Anchorage cybersquad. But business email compromise scams and enterprise ransomware attacks are vying for attention as well.
Tapping Private Industry
As threats have evolved, so has the FBI's understanding of how best to approach them. One area where the agency has made a lot of improvement is in scoping requests for data from service providers when carrying out investigations.
"We have gotten better at getting the right evidence from service providers," Walton says.
Instead of hitting them with blanket requests and then having to wade through lots of data in the hope of finding something useful, the focus these days is on first gaining a technical understanding of how particular crimes are carried out.
"We try and understand the types of things we can and should be asking for," Walton says.
Private industry is helping in a major way. Over the past several years, the FBI has been working with researchers and engineers from within the security industry to understand new and emerging threats and trends. These informal interactions and relationships have been key to the FBI's ability to hunt down and dismantle criminal networks on the Internet.
One example is the role Akamai played in the Mirai investigation. Researchers from the company reverse-engineered Mirai's command-and-control (C2) infrastructure and built a tool that helped the FBI and others keep track of the botnet, says Tim April, principal architect at the content delivery network services provider. When the massive DDoS attacks on Dyn began, Akamai researchers were able to quickly point the FBI to the exact C2 that issued the attack command, he says. The company's information played a big role in the FBI's ability to definitively attribute the attacks to Jha and his pals.
"We try to keep close tabs on what's going on, and we update [the FBI] whenever we see something new or novel" on the threat landscape, April says. The interaction is mutual, voluntary, and beneficial to both sides.
Peterson himself calls in to meetings at least once a week with security researchers from companies like Akamai. The meetings are an opportunity to hear what everybody is doing and to provide updates on cases the FBI might be investigating. He finds such exchanges to be more useful, at least from a purely investigative standpoint, than formal information-sharing groups.
"ISACs absolutely have their place. They are super-important," he emphasizes.
But it's the researchers and other contacts on the frontlines who usually have the information needed to move quickly on investigating new threats.
"People really move their schedules around to do them because it is so useful to hear what the government is seeing and what all these different private entities are seeing in this space," Peterson notes. "That visibility is really not something we had a few years ago."
The interaction with private industry has also helped the FBI prioritize investigations better. The process typically involves looking at the scope of existing damage caused by a threat or group and the potential for future damage.
"We rely on private industry partners to give us a sense of the scale of what we are facing," Walton says.
The Anchorage office is able to prioritize some threats locally using available agents and bandwidth. Sometimes the task involves having to work with headquarters to identify where the bureau has the best resources to put up against a particular threat.
The FBI's efforts at building relationships with its international law enforcement counterparts are helping as well. Walton and Peterson often travel to other countries in pursuing cybercriminals operating out of the direct reach of US law. On some of those trips, the two agents have taken US prosecutors along with them to meet prosecutors in other countries. In other cases, they have hosted law enforcement agents from other countries on US soil.
For the Mirai case, for instance, a team from France flew to the US to observe and sit in on interviews with the suspects in an example of what Peterson describes as an almost unprecedented level of cooperation on cyber matters between the two sides. British and Polish teams have visited the US in connection with other investigations, too.
Such interactions have given the FBI a better understanding of the legal and time constraints under which law enforcement in other countries operate. Importantly, they have also enabled a better understanding internationally about how US law enforcement conducts cybercrime investigations.
"There is a growing understanding and appreciation for what matters in terms of gathering evidence and the speed at which that has to occur," Walton says.
Even so, international investigations still take longer than ideal. The speed at which the FBI was able to pursue the Mirai operators, and at which they were prosecuted, was helped by the fact that the attackers were based in the US. The time lag is a whole lot longer in an international setting.
"For me the most frustrating thing is the ability to match the pace of cybercriminals as we pursue them," Walton says. Legal process takes time, developing relationships with private industry takes time, and working internationally takes time. "All of those time constraints aren’t really a factor for cybercriminal operations," Walton says.
At the end of the day, fighting cybercrime requires broad cooperation, Peterson says. Everybody has an interest in an Internet that is safer and more secure, so people and organizations need to find ways to work together and make that happen.
"If your company is an island, you are not contributing to all of us trying to solve the problem," he says. "Team up. Find a way to help. That's the only way to get ahead of this."