Publishing research about hackers can boost a cybersecurity firm’s reputation but muddle the hard work of federal law enforcement agencies — and it appears that the problem is likely to get worse.
Some threat intelligence reports from cybersecurity companies are thorough enough (and public enough) that they can completely disrupt government-led cyber investigations, say industry experts, former law enforcement and intelligence officials. The issue comes up at least “every few months,” said James Trainor, a former assistant director for the FBI’s Cyber Division.
Trainor and other officials who spoke to CyberScoop declined to name specific companies or incidents, but they agree that the potential for trouble is only increasing.
“The industry isn’t privy to classified ops or government investigations, so this happens,” explained Synack co-founder and former NSA analyst Mark Kuhr. “They are asked to hold information sometimes if the government catches wind, but a lot of times the government simply doesn’t know or firms don’t want to listen.”
As fresh capital and intelligence community talent has flowed into the larger cybersecurity industry, so too has the capability to better track hackers. Several firms now boast the ability to conduct digital intelligence-gathering operations that rival U.S. government capabilities. But because there are no regulations or laws that otherwise guide when or if private firms disclose their research to law enforcement, there have been cases where public disclosure ultimately hampered an ongoing investigation, explained John Riggi, former FBI Section Chief for the Cyber Division Outreach section.
“It’s certainly happened,” Riggi told CyberScoop, “I wouldn’t say it happens all the time, but we’ve had occasions where uncoordinated releases of a particular white paper or intelligence report disrupted an ongoing investigation.”
Private sector cybersecurity firms vary widely in their motives, insight, customers and relationship to the federal government. To some degree, each factor influences a company’s decisions on disclosure and publication.
Nick Rossman, a senior manager for intelligence production at FireEye, said that the industry heavyweight takes three central questions into account before publishing any threat intel report: “will the report inform and influence the public, will it add intelligence value to other research and could it disrupt or otherwise negatively impact the ability of partners to track a specific actor.”
“Of course, there are competing equities at play here,” said Rossman, “and every company needs to go through their own decision-making process.”
Various entities know about FireEye’s reports before they’re published, he said.
“Obviously, generally speaking, no one wants to lose access to insight about a group they’re tracking,” Rossman said. “We do our best to inform and work with CERTs, governments, law enforcement agencies and other partners from around the world on these things.”
Hackers are often tracked — by both the government and private sector — based on the unique techniques, signatures and tools that they use. These distinct forensic characteristics, broadly known as indicators of compromise, can be sometimes leveraged by investigators to identify the past and recent activity of a specific attacker.
The hackers are well aware of it. Advanced groups — like those that targeted the Democratic National Committee in 2016 — regularly monitor relevant press reports and research published by cybersecurity firms as part of their counterintelligence activities, John Hultquist, iSight’s director of espionage analysis, previously told CyberScoop.
If the IOCs for a particular group are published in a threat intelligence report, it’s not uncommon for the named actor to “modify their code base [to] make the IOCs useless,” explained Jake Williams, co-founder of Rendition InfoSec.
“I have been involved in some of these discussions to resolve it … and sometimes I had difficult conversations,” Riggi said, referring to the conflicts that can crop up when a firm publishes an analysis that may help businesses but handicaps investigators.
Riggi also declined to discuss specific incidents.
“Some of the more responsible ones, the larger [firms], would at least give advanced copies to the FBI, saying ‘Have you seen this?’ basically just giving us a heads up,” Riggi said.
A fine line exists between cooperation with law enforcement in these cases and blindly publishing material, however.
Just about the only thing currently stopping firms from publishing a forensic analysis that could ultimately interrupt an investigation is a vague and nondescript network of informal, individual relationships between private sector cybersecurity employees and their contacts in law enforcement and the U.S. intelligence community.
“It’s all about relationships,” said Trainor, “that’s really all there is.”
Cybersecurity firms with federal contracts and a workforce comprised of former law enforcement and intelligence officials do tend to lean on the side of early notification, insiders tell CyberScoop. But that doesn’t mean it’s an industry standard nor that early notification ultimately results in a delayed release of certain research.
It’s not just the FBI
Alexandria, Virginia-based cybersecurity firm Mandiant rose to prominence in February 2013 after publishing a 74-page report concerning APT1, a professional cyber-espionage group believed to be based in China and likely funded by the Chinese government.
The widely hailed report by Mandiant — now a subsidiary of FireEye — contained highly detailed IOCs and provided an expansive overview of APT1’s hacking campaigns and operations. Less than one year later, the Justice Department indicted five Chinese military hackers for breaching U.S. computer networks. All five hackers remain in China.
While Mandiant notified the FBI of its APT1 report before publishing it, other private sector firms told CyberScoop that the disclosures negatively affected their own ability to track the Chinese threat actor. APT1 poses a threat to a bevy of different companies and governments, including non-FireEye clients.
“The group disappeared entirely once Mandiant published the report,” said Blake Darche, chief strategy officer for Area 1 and a former computer network exploitation analyst at the NSA, “and since then the attack group is gone.”
Before the APT1 report hit the newswire, multiple other firms were able to track the Chinese hackers. Those IOCs were fairly well known in the industry already, Williams said. Being the first to publish that research provided a realizable market advantage for Mandiant, he said, “in the sense that they were in a much better position to find new IOCs for the Chinese actors than any other firm,” Williams said.
Mandiant’s report undoubtedly helped raise the company’s profile and arguably that of the entire industry, but serves as an example of the competitive nature and sweeping impact that publishing active intelligence can have on operations.
“In a classic pawn sacrifice,” Williams said, “Mandiant gave up those IOCs, crippling other firms in the process.”