The limits of data recovery and information sharing in crime investigations
International laws don’t necessarily help when it comes to prosecuting criminals, because prosecution requires evidence, warrants and other legal machinery to go ahead. Nor do they impose a legal obligation on countries to fully cooperate within a prosecution, and that includes instruments like the Budapest Convention, explains Alana Maurushat, professor of cybersecurity and behavior at Western Sydney University.
That said, Maurushat says cybercrime investigations are done as much by private organizations as they are by law enforcement organizations. A private entity can’t use the Budapest Convention to preserve data; it can only be done by a designated entity such as the police. “But law enforcement agencies are recognizing this and getting better at cooperating,” Maurushat says.
Prosecuting cyber criminals operates in a different framework and requires mutual assistance treaties. “But these can take 10 years to negotiate and they’re done country to country,” Maurushat says. Even so, prosecution isn’t even the end goal for organizations. It’s typically data recovery and funds retrieval.
And with some investigations, if a case leads back to a certain jurisdiction, it’s just a no go. “You’re never going to get anywhere because the corruption is so bad in those countries, you’re not going to get cooperation. And that’s the case whether it’s a government-to-government or a private investigation,” she says.
And even where cyber-crime laws exist, certain jurisdictions can operate as havens for cyber criminals and launching pads for cybercrime. Examples include criminal syndicates that ‘specialize’ in certain kinds of cybersecurity attacks, operating from countries that offer the right conditions.
Launching sophisticated ransomware attacks or other cybercrime activities to net significant targets requires a certain level of infrastructure, technical sophistication and a sizeable amount of funds. Something like this can cost as much as $100 million to build, Maurushat estimates.
At this level, it is the sophistication of a country’s technical infrastructure, more than its cyber-crime laws, that determines whether it becomes a safe haven for launching cyber-attacks.
International frameworks can’t solve attribution
In general, criminals take advantage of the right conditions when targeting victims, operating from nation-states where officials may be less than willing to cooperate with cybercrime investigations. And international agreements like the Budapest Convention and others can’t solve one of the hardest parts of recovering from a cyberattack: identifying the culprit.
Maurushat says finding out who’s responsible for a cybersecurity attack can be incredibly difficult. “It’s the attribution,” she says. But the old maxim applies: follow the money to find those responsible. “There are some jurisdictions where the money flows from each and every time. That never changes and never will change. Look at tax havens, chances are good illicit funds are flowing through those regions,” she says.
“Criminals always go for either the ripest target, or the easiest target. As long as you’re not the easiest or the ripest, you’re probably going to be okay. That means thinking about how you spend your budget and your planning is important. The problem is that often you run out of money for the things that matter in terms of training and behavior. So, you can get all the tools in the world, if you don’t have the people who can learn the tools, it’s kind of useless.”
Day agrees, noting that attribution is hard for several reasons. “All too often, the victim hasn’t either gathered or maintained the evidence required,” he says.
In addition, adversaries have built several techniques to obscure their identities: using publicly compromised systems as intermediate hops, operating communication points (command and control) that reconfigure themselves on a regular basis, or leveraging middle-wear digital mules, to name just a few.
They will also often use secure communications between themselves to make it very tricky to truly find the source. “All too often, attribution comes when criminals, like all humans, make mistakes. Either they leave markers they didn’t intend to leave, brag, or make simple mistakes such as using the same alias in a completely different, more public and open forum,” he says.
Cyber laws are more than just the actual statutes themselves. They are the sum of everything a robust cyber-policy framework facilitates. This includes cybersecurity and cybercrime legislation, workforce development strategies, cyber information-sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy, and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who is part of the professional standards working group of the UK Cyber Security Council, a member of the board of directors at ISACA, and a member of the World Economic Forum cyber risk working group.
CISO’s playbook: Using frameworks to develop cyber policies
Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.
For CISOs, everything needs to be framed around cyber-risk management and alignment with business strategy, but external collaboration is also critical. Public-private partnerships, especially as they pertain to critical national infrastructure protection, are crucial in the fight against cybercrime, and so are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.
Cybereason’s Day believes that for each CISO, there should be three key goals. “Make sure you keep your cyber hygiene and prevention capabilities current. Cyber security is evolving as fast as the threats it’s aiming to mitigate,” he says. “Have a resilience plan for when you are compromised. How do you contain the blast radius of the attack? How do you ensure the business keeps functioning? Test these plans regularly!”
And organizations should get better at capturing and analyzing forensic data. “Most are good at being able to see what the attack did, but many are not nearly as strong in being able to see what the human adversary did once they had successfully breached the business,” he says.