Organizations that collect threat intelligence from Dark Web forums and other criminal online sources where cybercrimes are planned and stolen data is traded are walking into a legal minefield. Even small mistakes in how data is collected from these venues or how it is handled can end up landing them in deep legal trouble, according to newly released guidance from the US Department of Justice.
The DoJ's report, "Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources," highlights several issues that security researchers and threat intelligence firms need to be cognizant about when pursuing criminals on online forums. It considers practices that security practitioners and researchers commonly use to gather adversary intelligence, retrieve stolen data, or obtain new vulnerability and malware information.
The document is designed to help organizations engaged in these activities to identify potential legal issues. "[But] it does not — and cannot — comprehensively address all the legal issues that practitioners may face in every circumstance, particularly because minor changes in facts can substantially alter the legal analysis," the DoJ said.
One of the key takeaways from the report is that threat intelligence gatherers can relatively easily fall afoul of US federal criminal law if they are not careful. For example, there's little legal risk in passively collecting information from a Dark Web site or other online criminal forum by lurking quietly on it and not communicating with others or responding to any communications. But actively asking questions and soliciting intelligence on a forum about illegal activities could draw unwanted attention if law enforcement also happens to be on the same site.
Such activity is an indication that a crime may be occurring on the site. "Exchanges with others on the forum that appear to involve discussions of criminal conduct could implicate the practitioner in a criminal investigation of the forum or its members," the DoJ guidance noted.
Similarly, while it's legally OK to use a fake identity or a pseudonym for accessing an illicit forum and communicating with others, it is not all right to use stolen credentials or someone else's actual identity without explicit permission. Legal consequences — both civil and criminal — can result, depending on the actual person that is being impersonated and the actions that were taken under that identity, the DoJ said.
There are many other potential pitfalls. Security researchers and threat intelligence gatherers often try to establish their credibility and trust in underground forums. To prove their bona fides, they might be asked to offer specific information, tools, or services. Providing such information — especially if it can be potentially used to commit a crime — can put such individuals at risk of being viewed as aiding and abetting a federal crime. Even in situations when providing such information on a forum may not be illegal, security researchers might run the risk of breaching federal criminal conspiracy statutes.
Even organizations that assume it's OK to negotiate with criminals to retrieve their own stolen data need to be careful. While there might be little legal risk in purchasing one's own data from a criminal entity, potential complications can arise if the seller accidentally includes other stolen data along with it — especially data such as stolen intellectual property. If the stolen data includes credit card numbers or intellectual property, the transfer of such information might be prohibited. Also, if the criminal entity happens to be labeled as a terrorist outfit or is classified under export control regulations, any organization that negotiates with it — even to get their own data back — could potentially find themselves being investigated.
The two rules that organizations and researchers need to follow when engaging in such activities is to avoid becoming an unintentional perpetrator or a victim, the DoJ said. It's always a good idea to get professional legal counsel before embarking on a private threat intelligence mission. Where possible, stakeholders should cultivate relationships with the local FBI and US Secret Service field offices and keep them apprised of any operations that might involve contact with online criminal forums and actors, the DoJ said.
Organizations should have clearly crafted rules of engagement that spell out legal responsibilities and protocols that clearly articulate what constitutes acceptable and unacceptable behavior when engaged in threat intelligence gathering. Documented rules can also be useful in situations where an organization might face civil, criminal, or regulatory action. Security researchers and the organizations they work for should also be aware of and understand that some of their legitimate threat intelligence gathering activity could receive investigative scrutiny from investigators unable to immediately distinguish between criminal and legitimate parties, the DoJ said.
"There are very high stakes for getting these rules of engagement wrong," threat intelligence firm Recorded Future said in response to the new guidance. "It is worth highlighting that not only can individuals be liable for large criminal fines but may also be imprisoned for up to 20 years," under relevant federal statutes, Recorded Future said.