
Attacks/Breaches

6/20/2019
08:20 AM

Inside the FBI's Fight Against Cybercrime

Heavily outnumbered and outpaced by their targets, small FBI cybersquads have been quietly notching up major wins against online criminals operating out of home and abroad.

Elliott Peterson struggles a bit when asked to identify the most frustrating part of his job as an FBI agent fighting cybercrime.

"Actually, most of the time our job is awesome," he finally says. "We are often the only ones that can effect really permanent solutions in this space."

As a special agent in the FBI's Anchorage field office in Alaska, Peterson and his teammates are among those at the forefront of the US government's dogged battle against criminals in cyberspace. Heavily outnumbered and outpaced by their targets, small FBI cybersquads like the one in Anchorage have been quietly notching up major wins against online criminals operating out of home and abroad in recent years. At least some of the success is the result of efforts to build up partnerships with private industry and from cooperation with international law enforcement agencies.

Peterson's own team was responsible for investigating and bringing to justice the three-person operation behind the massive Mirai distributed denial-of-service (DDoS) attacks in 2016 that impacted Internet service provider Dyn and several others. More recently, Peterson led a major investigation that in December resulted in some 15 Web domains associated with DDoS-for-hire services being seized and the operators of several being arrested. The actions resulted in a sharp — but temporary — drop-off in DDoS activity early this year.

Such victories are a long way from chilling cybercrime, which by some accounts has become bigger and more organized than even drug trafficking. But the arrests, the indictments, the seizures, and the takedowns are not going entirely unnoticed either.

"We see them talk about this stuff on forums and Discord chats," Peterson said in an interview with Dark Reading at Akamai's Edge World user conference in Las Vegas last week. "We've had a lot of wins in the areas we focus on."

Lessons from Mirai
Peterson's cybercrime-fighting career began as part of an FBI team that went after East European cybergroups stealing money from online accounts of US companies. The law enforcement efforts were so successful that for a brief period between 2013 and 2014, there was an enormous dip in cybertheft targeting US organizations.

"I remember thinking, 'Oh, we figured this out. This isn't hard,'" Peterson says wryly.

The Mirai investigation was something of an eye opener for Peterson and other members of the Anchorage cybersquad — not necessarily because of how sophisticated the malware was, but because of the sheer scale of the attacks it enabled. Mirai was the first malware tool designed to exploit weaknesses in ordinary IoT devices, such as home routers and IP cameras. It allowed attackers to quickly assemble botnets capable of launching DDoS floods bigger than anything seen up to that point. The sheer scale of the damage the malware could inflict surprised both the FBI and even the malware's own creators — Josiah White of Washington, Pennsylvania; Paras Jha of Fanwood, New Jersey; and Dalton Norman of Metairie, Louisiana.

"These guys underestimated the scale of manufacture of [IoT] devices and how widely placed they were throughout the world," recalls William Walton, supervisory special agent at the Anchorage FBI field office. "So when they developed the Mirai botnet, I think they inadvertently harnessed way more power than they set out to harness."

What Mirai showed was how drastically the threat landscape had changed as a result of more devices coming online constantly. "The interconnectedness of the Internet's architecture became readily apparent," Walton says.

DDoS and botnet activities continue to be a core focus of the Anchorage cybersquad. But business email compromise scams and enterprise ransomware attacks are vying for attention as well.

Tapping Private Industry
As threats have evolved, so has the FBI's understanding of how best to approach them. One area where the agency has made a lot of improvement is in scoping requests for data from service providers when carrying out investigations.

"We have gotten better at getting the right evidence from service providers," Walton says.

Instead of hitting them with blanket requests and then having to wade through lots of data in the hope of finding something useful, the focus these days is on first gaining a technical understanding of how particular crimes are carried out.

"We try and understand the types of things we can and should be asking for," Walton says.

Helping them in a major way is private industry. Over the past several years, the FBI has been working with researchers and engineers from within the security industry to try and understand new and emerging threats and trends. These informal interactions and relationships have been key to the FBI's ability to hunt down and dismantle criminal networks on the Internet.

One example is the role Akamai played in the Mirai investigation. Researchers from the company reverse-engineered Mirai's command-and-control (C2) infrastructure and built a tool that helped the FBI and others keep track of the botnet, says Tim April, principal architect at the content delivery network services provider. When the massive DDoS attacks on Dyn began, Akamai researchers were able to quickly point the FBI to the exact C2 that issued the attack command, he says. The company's information played a big role in the FBI's ability to definitively attribute the attacks to Jha and his pals.

"We try to keep close tabs on what's going on, and we update [the FBI] whenever we see something new or novel" on the threat landscape, April says. The interaction is mutual, voluntary, and beneficial to both sides.

Peterson himself calls in to meetings at least once a week with security researchers from companies like Akamai. The meetings are an opportunity to hear what everybody is doing and to provide updates on cases the FBI might be investigating. He finds such exchanges to be more useful, at least from a purely investigative standpoint, than formal information-sharing groups.

"ISACs absolutely have their place. They are super-important," he emphasizes.

But it's the researchers and other contacts on the frontlines who usually have the information needed to move quickly on investigating new threats.

"People really move their schedules around to do them because it is so useful to hear what the government is seeing and what all these different private entities are seeing in this space," Peterson notes. "That visibility is really not something we had a few years ago."

The interaction with private industry has also helped the FBI prioritize investigations better. The process typically involves looking at the scope of existing damage caused by a threat or group and the potential for future damage.

"We rely on private industry partners to give us a sense of the scale of what we are facing," Walton says.

The Anchorage office is able to prioritize some threats locally using available agents and bandwidth. Sometimes the task involves having to work with headquarters to identify where the bureau has the best resources to put up against a particular threat.

International Cooperation
The FBI's efforts at building relationships with its international law enforcement counterparts are helping as well. Walton and Peterson often travel to other countries in pursuing cybercriminals operating out of the direct reach of US law. On some of those trips, the two agents have taken US prosecutors along with them to meet prosecutors in other countries. In other cases, they have hosted law enforcement agents from other countries on US soil.

For the Mirai case, for instance, a team from France flew to the US to observe and sit in on interviews with the suspects in an example of what Peterson describes as an almost unprecedented level of cooperation on cyber matters between the two sides. British and Polish teams have visited the US in connection with other investigations, too.

Such interactions have given the FBI a better understanding of the legal and time constraints under which law enforcement in other countries operates. Importantly, they have also given counterparts abroad a better understanding of how US law enforcement conducts cybercrime investigations.

"There is a growing understanding and appreciation for what matters in terms of gathering evidence and the speed at which that has to occur," Walton says.

Even so, international investigations still take longer than ideal. The speed at which the FBI was able to pursue the Mirai operators and with which they were prosecuted was helped by the fact the attackers were based in the US. The time lag is a whole lot longer in an international setting.

"For me the most frustrating thing is the ability to match the pace of cybercriminals as we pursue them," Walton says. Legal process takes time, developing relationships with private industry takes time, and working internationally takes time. "All of those time constraints aren’t really a factor for cybercriminal operations," Walton says.

At the end of the day, fighting cybercrime requires broad cooperation, Peterson says. Everybody has an interest in an Internet that is safer and more secure, so people and organizations need to find ways to work together and make that happen.

"If your company is an island, you are not contributing to all of us trying to solve the problem," he says. "Team up. Find a way to help. That's the only way to get ahead of this."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

ToddS207 (User Rank: Apprentice)
6/23/2019 | 2:41:14 PM
Fight against Cybercrime
It is about time. The Chinese Red team was being tracked in the 90s by an individual who provided this information to the FBI; they arrested him when he provided this information to the FBI, but later let him go. There have been other organizations and individuals who provided this information to the government; they were arrested and shunned. They stated this was a terrorist act and, instead of working with the individual, they arrested them. I see why people are hesitant to provide information to the feds because of their past track records.

The projects the feds have in place now and in the past are Echelon, Thinthread, Stuxnet, Trailblazer, Prism, Nitro Zeus, Stellarwind, X-Keyscore, and many others that perform mass surveillance, but that is not the way to address a specific problem (a mass dragnet will not do it, but with a comprehensive team effort from companies like Akamai, Cisco, Juniper, IBM, and Amazon working together, where we centralize and share our findings among govt entities and the private sector, we will be more apt to handle terrorist activities than individually; but that will be a hard task because everyone wants to be first or popular in the eyes of their constituents - human nature).

If in the beginning we had worked together with the right intent in mind (to serve the good of the public), then we would be more advanced in the work to identify and thwart attacks throughout the globe. We need an IT Oversight team that encompasses members of different groups to do the right thing (we need people who have an open mind, high moral standards, and a willingness to listen to reason instead of following their own selfish intentions; only then will we be able to address the needs of the world).

Todd