Dark Reading
Threat Intelligence

3/2/2020 05:50 PM
Why Threat Intelligence Gathering Can Be a Legal Minefield

In new guidance, the Department of Justice says security researchers and organizations run real risks when gathering threat intelligence or dealing with criminals in underground online marketplaces.

Organizations that collect threat intelligence from Dark Web forums and other criminal online sources where cybercrimes are planned and stolen data is traded are walking into a legal minefield. Even small mistakes in how data is collected from these venues or how it is handled can end up landing them in deep legal trouble, according to newly released guidance from the US Department of Justice.

The DoJ's report, "Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources," highlights several issues that security researchers and threat intelligence firms need to be cognizant of when pursuing criminals on online forums. It considers practices that security practitioners and researchers commonly use to gather adversary intelligence, retrieve stolen data, or obtain new vulnerability and malware information.

The document is designed to help organizations engaged in these activities to identify potential legal issues. "[But] it does not — and cannot — comprehensively address all the legal issues that practitioners may face in every circumstance, particularly because minor changes in facts can substantially alter the legal analysis," the DoJ said.

One of the key takeaways from the report is that threat intelligence gatherers can relatively easily fall afoul of US federal criminal law if they are not careful. For example, there's little legal risk in passively collecting information from a Dark Web site or other online criminal forum by lurking quietly on it and not communicating with others or responding to any communications. But actively asking questions and soliciting intelligence on a forum about illegal activities could draw unwanted attention if law enforcement also happens to be on the same site.

Such activity is an indication that a crime may be occurring on the site. "Exchanges with others on the forum that appear to involve discussions of criminal conduct could implicate the practitioner in a criminal investigation of the forum or its members," the DoJ guidance noted.

Similarly, while it's legally OK to use a fake identity or a pseudonym for accessing an illicit forum and communicating with others, it is not all right to use stolen credentials or someone else's actual identity without explicit permission. Legal consequences — both civil and criminal — can result, depending on the actual person that is being impersonated and the actions that were taken under that identity, the DoJ said.

Numerous Pitfalls
There are many other potential pitfalls. Security researchers and threat intelligence gatherers often try to establish their credibility and trust in underground forums. To prove their bona fides, they might be asked to offer specific information, tools, or services. Providing such information, especially if it could potentially be used to commit a crime, can put such individuals at risk of being viewed as aiding and abetting a federal crime. Even in situations where providing such information on a forum may not itself be illegal, security researchers might run the risk of breaching federal criminal conspiracy statutes.

Even organizations that assume it's OK to negotiate with criminals to retrieve their own stolen data need to be careful. While there might be little legal risk in purchasing one's own data from a criminal entity, potential complications can arise if the seller accidentally includes other stolen data along with it, especially data such as stolen intellectual property. If the stolen data includes credit card numbers or intellectual property, the transfer of such information might be prohibited. Also, if the criminal entity happens to be designated as a terrorist organization or is subject to export control or sanctions regulations, any organization that negotiates with it, even to get its own data back, could potentially find itself being investigated.

The two rules that organizations and researchers need to follow when engaging in such activities are to avoid becoming an unintentional perpetrator and to avoid becoming a victim, the DoJ said. It's always a good idea to get professional legal counsel before embarking on a private threat intelligence mission. Where possible, stakeholders should cultivate relationships with the local FBI and US Secret Service field offices and keep them apprised of any operations that might involve contact with online criminal forums and actors, the DoJ said.

Organizations should have clearly crafted rules of engagement that spell out legal responsibilities, along with protocols that articulate what constitutes acceptable and unacceptable behavior when engaged in threat intelligence gathering. Documented rules can also be useful in situations where an organization might face civil, criminal, or regulatory action. Security researchers and the organizations they work for should also understand that some of their legitimate threat intelligence gathering activity could receive scrutiny from investigators who are unable to immediately distinguish between criminal and legitimate parties, the DoJ said.

"There are very high stakes for getting these rules of engagement wrong," threat intelligence firm Recorded Future said in response to the new guidance. "It is worth highlighting that not only can individuals be liable for large criminal fines but may also be imprisoned for up to 20 years," under relevant federal statutes, Recorded Future said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...