Closing in on hackers

Increasingly powerful analytics engines are helping law enforcement agencies find cybercriminals hiding on the ‘dark web’.

Bill Searcy still remembers the days when catching an online criminal was pretty straightforward — follow the audit log to get the IP address, then trace that back through the culprit’s IP address to get their identity. Dispatch a police officer, and prosecute the offender for wire fraud or other related activities.

“That was back in the days when things were simple,” recalled Searcy, who recently left a career in US law enforcement — including a role as former assistant director of the US Federal Bureau of Investigation (FBI) — to continue the fight in the private sector. “You'd have one break-in, one agent and no problem. It didn’t take a lot of analytics or a lot of detail.”

These days, the situation is very different — cybercriminals lurk on the periphery of the internet, hatching plans and exchanging tools on the dark web, known as a harbour for seedy criminals of the cyber and the more conventional type.

Searcy knows it well — he was part of the team that brought down Silk Road founder Ross Ulbricht in 2013 after an extensive investigation that, Searcy said, was characterised by its massive complexity and the huge volume of information the investigators were collecting and analysing.

That information — more than 1 terabyte per day of traffic logs as well activities and details of suspects and clients of the Silk Road marketplace that Searcy calls “the Amazon.com of drugs” — created a massive investigational burden that highlighted the crucial importance of big data organisation and analytics engines to help pick out patterns of behaviour and previously unseen relationships.

Bill Searcy.

“The goal was not only to identify the individual who was hosting Silk Road, although he was the big fish,” explained Searcy, who is still helping catch criminals in his new role as vice president for Global Justice, Law Enforcement, and Border Security Solutions at Unisys. “We wanted all the other little fishes as well and sent out a lot of requests for collecting data to other agencies.”

“If you are collecting terabytes of data every day,” he added, “you’re not going to task an individual with going through each piece of information individually; that’s not happening. What you have to have is outstanding analytics with the capability to do link analysis, data reduction and all of those things.”

Greater awareness

Long accustomed to developing specialised systems to manage information collected during law-enforcement investigations, makers of specialised software — for example, Unisys’s U-LEAF (Law Enforcement Application Framework) tool as well as Wynyard Group’s Advanced Crime Analytics and Advanced Cyber Threat Analytics — are finding a new raison d’être by melding their proven organisational capabilities with the information-crunching capabilities of big data tools.

Those tools have helped reduce what Searcy calls the “time to awareness” — the gap between when an investigator finds something out and when it becomes broadly known to investigators.

“Just as DNA and fingerprints are important in the physical world, analytics are equally important when you’re working in the cyber world,” he said. “An agent might know about a particular item but until that information is brought back to our data system and placed in that system in such a way that it can be indexed, searched properly and categorised, then the FBI doesn’t know about it.”

The greater use of analytics is one of numerous capabilities formally adopted within guidelines for the protection of government information — encapsulated in Appendix III of the so-called OMB Circular No. A-130 — which in July were updated by the US government for the first time since 2000.

Finalised after a public consultation process that included thousands of inputs over more than a year, the new A-130 Circular — which offers important guidance around enterprise security that is as applicable in Australia as it is to the US government bodies for which it was intended — highlight the importance of real-time knowledge of the environment, proactive risk management and shared responsibility for the security and privacy of information.

The new guidelines are built around “the shift away from checklist exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources”, the circular’s authors note.

Searcy agrees, noting that this type of proactive role has become the de facto expectation from government agencies both in protecting their information and in actively investigating data breaches.

Better tools

Many government organisations well appreciate the need for better security but are let down again and again by poor internal controls — such as giving outside parties privileged access to their internal systems — and poor monitoring and visibility of breaches.

Here, too, analytics is proving useful by helping individual agencies keep on top of the ongoing tsunami of security-related information they must deal with every day. “People can be their own enemies,” Searcy said, referencing the massive 2013 hack of US retailer Target. “Some things you just can’t protect against — but there are some things you can do to protect yourself that, quite frankly, if you don’t do them, they’re unforgivable. And people will lose jobs.”

Ever-improving capabilities, and some highly effective hacking tools — as discovered in the recent release of hacking tools stolen from the US National Security Agency (NSA) — reflect a law-enforcement fraternity that has come a long way from the early days when cybercriminals were often caught red-handed through simple IP matching.

Despite the early success of cybercriminals who leveraged the dark web to avoid detection by law enforcement, growing awareness of their tactics is helping investigators more readily accumulate massive troves of data that are, when properly massaged, often turning up nuggets of information that offer key evidence in increasingly complex, global online investigations.

“To solve these cases, every one of them always relies on good analytics,” said Searcy. “It's very difficult to stay completely dark and to go completely off the grid. You’re always giving yourselves away somewhere; it’s just a matter of us finding it. And that’s where the analytics comes in.”

Image courtesy Andy L under CC BY 2.0