Search & Destroy: The Importance of Cyber Threat Sharing in Defeating Cybercrime
The American criminal justice system is most effective when citizens work in partnership with law enforcement organizations, reporting crimes and suspicious activity in a timely manner. When a burglar crashes through a window and robs a home, most victims report the incident to local police, who gather the evidence necessary to catch the thief. As members of a community, we report a crime because we understand the central role active communication with law enforcement plays in maintaining a safe environment for our neighborhoods, schools, and businesses. These observations provide law enforcement organizations with the insights they need to identify and eliminate potential threats and prevent future criminal activity.
While many victims don’t hesitate to report criminal activity, victims of data breaches or similar cyber-attacks are far less likely to share these incidents with law enforcement. Most people place blame for data breaches or other high-profile cyber-attacks squarely on the shoulders of the affected organizations without considering the actions of the criminal who launched the attack. Responsible organizations go to great lengths to protect their networks, yet cyber threats are ever evolving in sophistication and prowess. Cybercriminals can victimize even the most hardened IT environments. As members of the cyber community, it’s critical that we understand the inherent cyber risks companies face in the digital age and resist the urge to shame companies that fall victim to cyber theft.
As one of the few federal information security officers with a background in law enforcement, I’ve come to appreciate the importance of cyber threat sharing during my 20+ years of service with the United States Postal Inspection Service, the federal law enforcement arm of the United States Postal Service. In the early 2000s, I led a team of Postal Inspectors in investigating sophisticated cybercrime schemes operating out of Eastern Europe. One investigation led to the arrest of cyber criminals connected to hundreds of cybercrime attacks.
Central to the success of this investigation (documented in Misha Glenny’s 2011 book, Dark Market) was a commitment to threat sharing between several public and private sector organizations. Cases like this demonstrate the critical role that proactive and sustained threat sharing plays in limiting the effectiveness of cybercriminals, from amateur hackers sending out phishing emails to nation states engaging in international cyber espionage.
As long as companies hoard knowledge of cyberattacks for fear of public shaming and loss of business, our understanding of the motivations, patterns, and tactics of cybercrime will continue to suffer. Threat sharing allows law enforcement organizations and the companies they protect to approach cybercrime from a holistic perspective. By combining the insights of private companies, dedicated nonprofits, and law enforcement, we can piece together a fuller picture of cybercrime and stop cybercriminals before they strike.
The Postal Service leverages law enforcement partnerships as a critical component of its overall network security strategy. We exchange cyber threat intelligence with trusted allies across the government, including our colleagues at the Postal Inspection Service and FBI. These relationships allow us to connect seemingly disparate threads and one-off leads into a more comprehensive view of cybercrime in the mailing landscape. These organizations often have knowledge and insights that enhance our understanding of the criminals launching attacks against our network, allowing us to stop would-be intruders and better secure the mail system for the American people. We encourage organizations of all sizes to maintain an open dialogue with law enforcement on the topic of cybersecurity. More often than not, cyber-attacks against a single organization are not isolated incidents. By sharing threat intelligence and reporting successful breaches, organizations empower law enforcement to seek out attackers and eradicate ongoing cybercrime.
In addition to working with law enforcement, an organization should take advantage of the resources provided by public-private partnerships in the threat detection space. Foremost among these is the National Cyber-Forensics & Training Alliance (NCFTA), a non-profit cyber threat research and analysis institution based in Pittsburgh, Pennsylvania. NCFTA aggregates threat intelligence data from a range of contributors to identify, mitigate, and neutralize cyber threats. The work of the NCFTA, in partnership with its public and private subject matter experts, has led to the successful prosecution of hundreds of criminals worldwide – a tangible representation of the genuine benefits of cyber threat sharing. The Postal Service also supports efforts by industry-specific forums, like the Financial Services-Information Sharing and Analysis Center (FS-ISAC), to circulate valuable cyber threat information to members of a particular industry.
Cybercriminals are increasingly organized, armed with rapidly evolving technology that threatens to outpace even the most advanced cybersecurity defenses. Experience has shown that organizations are better equipped to detect and mitigate cyber-attacks when threat intelligence is shared with law enforcement organizations and credible research institutions. I encourage your organization to contribute to the cyber threat intelligence community and help us in our efforts to police cybercrime.