International collaboration and co-operation is driving progress in fighting cyber crime, according to a panel of UK, US and European law enforcement officers.
Co-operation with business in the private sector is also an increasingly important element in fighting crime, in terms of gathering evidence and disrupting cyber criminal infrastructure, claimed the panel.
“The cyber threats are the same around the world, and the criminals operating in the UK are also operating in Europe and the US,” Andy Archibald, deputy director of the National Crime Agency's National Cyber Crime Unit (NCCU) told Infosecurity Europe 2015 in London.
“Therefore, the response must be joined up. Our understanding of the threat and collection of intelligence and evidence must be co-ordinated,” he said.
Archibald said a co-ordinated response presents cultural, legal and intelligence sharing challenges, as well as a range of other issues, but he insisted that progress is being made.
FBI assistant legal attaché Michael Driscoll said information security professionals in the private sector often see the evidence of cyber-enabled crime far quicker than law enforcement.
He said it is important to engage with information security professionals as law enforcement becomes increasingly reliant on what they do on a daily basis for gathering the evidence they need.
Driscoll said private organisations can help broaden law enforcement’s view and understanding of cyber-enabled crime.
“Around 22,000 reports are made to the FBI’s internet crime complaint centre each month, but we think that is about 10% of what actually goes on. The volume is unbelievable,” he said.
Read more about collaboration between business and law enforcement
Public-private partnerships could be key in helping to overcome the difficulty of gathering evidence to investigate crime that is enabled by a community rather than a single organisation, said Wil van Gemert, deputy director operations and acting head of the European Cyber Crime Centre.
Europol consultant, cyber security expert and visiting professor at Surrey University Alan Woodward said because much of cyber-enabled crime is carried out by organised gangs, it means attacks are typically not coming from a single geographical location.
“Command and control systems might be in the UK or the US, while the money might be going to someone in Ukraine. It is so distributed, that the only way you are going to fight it is through international co-operation,” he said.
Co-ordinated law enforcement action by like-minded countries is one of the reasons that progress is being made against highly resourced, highly distributed criminal operations, said Woodward.
One of the biggest challenges to law enforcement, said Van Gemert, is the emergence of the cyber-crime-as-a-service model, which lowers the barrier to entry. This means many more, lower-skilled would-be cyber criminals are able to access powerful cyber crime tools at relatively low cost.
Woodward said evidence suggests that with the emergence of the crime-as-a-service model, there are 100 to 200 people who are the key enablers of cyber crime. “It is starting to be a strategy for law enforcement to go after this group to disrupt the infrastructure of lower level cyber criminals,” he said.
"Just as a relatively small group of people is creating the core technologies of the internet, there is a group creating the core technologies that feed the criminal world,” said Driscoll. “The problem is that those technologies are easily dispersed. For just a few hundred dollars they can buy tools that can take a company out in minutes.”
Archibald said it is important to look at a range of aspects of the cyber criminal infrastructure. “We are interested in those developing the cyber crime tools, we are interested in the ‘bullet-proof’ hosting services that are part of the criminal infrastructure, we are interested in those who provide counter antivirus services that allow cyber criminals to test the effectiveness of their malware, and we are interested those who launder the money from cyber crime,” he said.
Archibald said this means there are several opportunities open to law enforcement as part of a disruption strategy that can have a real impact on the cyber criminal business.
Putting cyber skills to good use
Another important strategy in tackling cyber crime is to focus attention on encouraging people with cyber skills to put them to good use, and not to become involved in cyber crime, either wittingly or unwittingly.
“Cyber criminals are looking for people with criminal skills who can complement their criminal business. In the same way that business may look on LinkedIn to look for people with the skills they need, cyber criminals are looking in online forums to recruit people as well, often using inducements or manipulation techniques,” he said.
Van Gemert said law enforcement is moving away from the idea of creating high-tech crime units to look at tackling cyber crime from a technical point of view. “It is clear that cyber crime has to be addressed with every investigative means available.
“The one positive thing to come from cyber crime is that is bringing more law enforcement organisations together. We are moving from bi-lateral co-operation into an era of multi-lateral co-operation in law enforcement to get a much broader picture of what is going on,” he said.
Van Gemert said despite the enormous challenges, there is starting to be progress through greater co-operation in law enforcement and with private enterprise.
Archibald said law enforcement has “come a long way” in international co-operation and around cyber crime in a relatively short space of time. “Some of the sharing I see now, I would not have believed possible 10 years ago,” he said.
According to Archibald, law enforcement has achieved “true co-operation” in the past two years, despite the challenges of cultural differences. “We need to build up and consolidate those relationships to create a coalition of trusted, like-minded countries that want to work together to tackle a common threat,” he said.
Driscoll advised information security professionals to ensure that their organisations establish lines of communication with law enforcement and government computer emergency response team.
“Don’t wait for the malware to shut you down, don’t wait for the ransomware to lock up your servers. I see the information they push out to their partners, and you can only benefit from that. Ensure that you are benefiting from what they are seeing and that they are seeing what you are seeing. If you wait for the attack, you will be way behind the ball,” he said.
Archibald said law enforcement is seeking to evolve its engagement with industry. “It needs be a relationship that goes beyond information sharing, to include things like mitigation of threats and disruption of criminal infrastructure,” he said.
Archibald said he believes the NCCU is now in a position to have a more mature conversation with businesses when they are victims of cyber crime. “We are now able to discuss options that will not expose business to risks such as loss of reputation. We can work together to find out what the best approach is for taking things forward,” he said.