Why Law Enforcement Needs Threat Intelligence from the Cybersecurity Industry

Law enforcement agencies have scored notable successes against the scourge of international cybercrime in recent months. These are result of lengthy investigations and can only succeed with the input and cooperation of a large number of public and private entities.

Operation Cronos is one of the most high profile global law enforcement actions of 2024 and saw the takedown of the prolific LockBit ransomware gang in February.

Among the outcomes of this operation, led by the UK’s National Crime Agency (NCA), the FBI and Europol, was the seizure of LockBit’s data leak site and affiliate panel, the seizure 34 servers operated by LockBit and the closure of 14,000 “rogue accounts” involved with data exfiltration or the group’s infrastructure.

Additionally, LockBit’s bespoke data exfiltration tool, known as Stealbit, was also seized.

LockBit was reportedly responsible for more than a quarter of all ransomware attacks globally from January 2022 to September 2023, according to recent data from ZeroFox.

Therefore, Operation Cronos represents a major boost in the fight against surging international cybercrime.

Other notable law enforcement successes include disrupting the infrastructure of the ALPHV/BlackCat and Qakbot ransomware gangs.

Many of the actors involved in such Ransomware-as-a-Service (RaaS) groups are likely to reform or shift their activities to other gangs in time unless they are arrested. However, these law enforcement operations can still reduce attacks in the short term and help victims recover through the use of decryption keys.

These operations do not happen in a vacuum – law enforcement requires a wide network of cooperation and intelligence to build towards such actions.

This is where cybersecurity firms, rich in threat actor telemetry, can play a vital role in creating a more secure world for all.

During the Infosecurity Magazine Spring Online Summit 2024, Ivo de Carvalho Peixinho, Head of the Cybercrime Unit at the Interpol Cybercrime Directorate, delivered a keynote presentation on Interpol’s strategy for combatting international cybercriminal groups.

He said that tackling cybercrime is particularly challenging, given the globalised and fragmented nature of this criminal industry. For example, the victims of a cyber-attack may be in one country, while the threat actor in another, and a third country contains the infrastructure of the groups.

“It’s very hard for just one country to open an investigation because other components are abroad, so we usually get the countries together, we provide platforms for the countries to share information and conduct global operations,” explained Peixinho.

Sharing Threat Intelligence

Much of the information needed is threat intelligence – such as evolving techniques, attribution and locations of attackers. While agencies like Interpol have a wealth of data obtained from forensic investigations of incidents such as ransomware, Peixinho emphasized that this is not enough to be able to eventually launch operations like Cronos.

“Forensics are not enough to do an investigation, and we need to jump more on the intelligence side,” he noted.

Threat intelligence is an area many cybersecurity vendors specialise in and are likely to have the resources and skills to carry out this type of work on a regular basis.

This is for the purposes of defence, with a greater understanding of threat actor motives, targets and behaviours organisations can drive a more proactive security strategy, such as prioritising alerts and patching strategies.

However, it is also critical to give law enforcement a chance to meaningfully disrupt cybercriminals. Cybercrime is unique in its speed and lack of geographical barriers. As a result, traditional means of obtaining evidence from partner organisations tends to be too slow and insufficient to tackle threat actor groups.

Providing Actionable Data

Cyber-threat intelligence comes in many forms, from analysis of cybercrime forums to technical details like indicators of compromise (IOCs). As a result, law enforcement requires data from a wide range of sources who specialise in these different areas.

Interpol ‘Project Gateway’ initiative facilitates information sharing with private companies. This data is collated and used internally and sent to member countries’ law enforcement agencies to facilitate global operations.

It is also vital that the information gathered is relevant and actionable for law enforcement. Sending large swathes of data is not helpful to law enforcement officers who are under pressure and face time restrictions.

By offering their skills and expertise to decipher complex and large datasets at speed the private sector can help law enforcement.

Currently there are 13 private partners who have signed up to Project Gateway and Interpol is keen to expand this programme.

Many private companies are reluctant to engage in data sharing agreements with law enforcement due to the wealth of data protection legislation emerging globally. This is coupled with the complexity of different jurisdictions operating under different data protection rules.

However, steps have been taken by authorities to ensure that such data sharing can be conducted in compliance with laws like the General Data Protection Regulation (GDPR). For example, data can be anonymised, preventing personal information from being shared.

Peixinho emphasised that such issues can be resolved by engaging with agencies like Interpol, and building legal frameworks around how data is gathered, who it is shared with and how it is used by law enforcement.

He said that trust is the “glue” for developing effective intelligence sharing relationships between law enforcement and private companies. Ultimately, everyone should have the same end goal – making the online world a safer place for all.

“We will not solve this issue [cybercrime] without trusting each other,” Peixinho added.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?