The Legal Ramifications of Cyber Security Threat Intelligence Gathering
IT teams that access dark forums for cyber security intelligence are urged to use caution and practice transparency
While dark markets and the dark web can provide valuable information for cyber security professionals, organizations and individuals need to follow laws and regulations and maintain open lines of communication with law enforcement to avoid major investigative scrutiny.
That’s what the DOJ is saying in a recently published report outlining the intricacies of accessing the Dark Web. The paper is a response to businesses asking law enforcement what is and is not permissible when their IT and cyber security teams monitor and sometimes communicate on dark market forums.
There’s a large amount of cyber security intelligence to be gathered on the dark web and dark markets. Online forums are rife with stolen data, conversations about malware, and vulnerabilities for sale that can be easily exploited by cyber criminals for profit.
Proactive cyber security intelligence researchers often access these black markets to search for threats to their organization and for customer data that may have leaked unbeknownst to the company. Analyzing dark markets can help companies assess their own security and give them an idea of malware and ransomware trends.
The drawback to threat intelligence performed on the dark web is the possible scrutiny such activity could draw from federal criminal agencies such as the FBI. There are very few legal protections in place for cyber security professionals, and investigating threats in legal gray areas like the dark web could open up individuals and organizations to lengthy and costly investigations.
Considerations when gathering cyber threat intelligence
The DOJ understands how valuable the dark web can be for organizations searching for stolen intellectual property or customer data, malware samples, and possible security patches. However, companies and security professionals who access forums and dark markets are subjecting themselves to a legal minefield that they must take seriously.
Transparency is key when accessing dark forums
The paper strongly encourages active communication with local branches of police and federal law enforcement. There are also helpful reminders about how cyber security professionals should interact on dark forums. For instance, while it is completely legal to monitor communications on a dark web forum through an anonymously created profile, it is illegal to imitate a real person without their permission, use stolen credentials, or hack into the website.
Moderators on dark web forums can ask new members for proof of criminal intent, often asking users to provide stolen information as evidence of their hacker bona fides. The DOJ is reminding threat investigators that this kind of behavior is criminal, no matter how innocuous a theft may be.
Threat hunters and intelligence gatherers could face legal scrutiny
The DOJ is attempting to clear the air for legitimate companies that access dark markets in order to keep their business secure and investigate possible leaks. That makes some of the information in the report obvious, though the report also hints at more complicated and nebulous areas of the law.
For instance, how does your company respond in a scenario where customer information stolen as a result of a data leak is purchased by your IT team on the dark web? The practice is routine in cyber security. A company’s data is leaked without its knowledge, then the information is purchased to record what was stolen and find clues as to how the breach occurred.
If the information purchased goes to known criminal organizations, companies are opening themselves up to investigative scrutiny, even if the sale is completely legal. While paying a criminal for data is not illegal, an investigation into the facts may be costly and require substantial legal fees.
Furthermore, if the data purchased contains IP or customer information from another company or companies, businesses open themselves up to criminal and civil investigations if the proper steps aren’t taken right away. That includes contacting the company whose data is in your possession as well as federal law enforcement.
Contact legal counsel before investigating cyber security threats
While dark forums can provide useful cyber security information, protocols should be discussed, planned, and implemented before accessing dark markets. Companies that are organized and transparent in their attempts to access and communicate on dark markets will be prepared for possible investigation into their activities, saving time and money should federal law enforcement agents come calling.
Train your cyber security staff
If your organization is building a threat intelligence team, eLearnSecurity can help. Our online, self-paced training courses provide in-depth learning related to threat hunting and intelligence gathering, while certifications offer credentials and a corporate dashboard allows you to monitor progress.