New guidance from the Department of Justice warns threat intelligence companies to avoid breaking the law when gathering data from dark web forums and suspected cybercriminals.
The department’s cybersecurity unit last week published a 15-page memo meant to clarify prosecutors’ position on the collection of evidence from private companies.
Firms like Recorded Future, Digital Shadows and others often monitor known cybercriminal hangouts to gather information about possible data breaches, malicious software trends and emerging fraud techniques. Researchers rely on pseudonyms to build their reputations enough to encourage other members to inadvertently reveal information about themselves or their activities. Often, threat intelligence providers will detail their findings to law enforcement, or clients trying to fend off an attack.
“Information gleaned from those sources can be a rich source of cyber threat intelligence and network deference information about past, current, or future cyberattacks[,]” the guidance states. “But when private parties join or participate in these online forums to collect information for lawful purposes, the line between gathering threat intelligence and engaging in criminal activity can be hard to discern.”
Most urgently, the department encourages threat intelligence providers to develop a relationship with the FBI, and leave a paper trail in the event they come under investigation.
Police also are lurking on many of the same forums where threat intel researchers are trying to learn new information. If police observe a researcher, under the guise of a pseudonym, interacting with a legitimate forum member, that could result in an investigation into the researcher. While asking questions on an illicit forum isn’t illegal, the Justice Department guidance says, soliciting the commission of a computer crime could violate the Computer Fraud and Abuse Act.
It’s a fine line. Similarly, the Justice Department warns practitioners only to infiltrate these forums with an account that’s unique to them, rather than impersonating a specific individual or claiming to be a government agent. The guidance goes on to discuss the legality of purchasing stolen data and the sale of malware (in both cases, it depends).
Recorded Future applauded the guidance, saying it was “extremely encouraged” by the department’s update on the issue. Individual researchers told CyberScoop the guidance was helpful, if not particularly surprising.
This advisory comes as private security forces increasingly are coming into contact with police. Authorities in Iowa last year arrested two employees of Coalfire, a security firm, who had been hired to test security protocols in courthouses throughout Dallas County. Prosecutors ultimately dropped the charges in that case, roughly four months after the initial arrests.