Uncle Sam Provides Helpful Guidance on Threat Intelligence
March 2, 2020 • The Recorded Future Team
Recorded Future was extremely encouraged last week when the U.S. Department of Justice’s Cybersecurity Unit published guidance on “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.” It validated Recorded Future’s approach to threat intelligence gathering, and it was heartening to see the U.S. federal government so in tune with the realities facing many organizations today.
Before proceeding further, we want to reiterate that Recorded Future’s practices abide by all applicable laws and are in line with this guidance provided by the U.S. DoJ. This includes both U.S. intellectual property laws and statutes governing unauthorized electronic access, such as the Wiretap Act and the Computer Fraud and Abuse Act (CFAA).
Recorded Future regularly works with both internal and external subject-matter experts to review our practices and policies. We have also implemented several compliance programs to ensure that all our practices remain within the confines of law.
It is gratifying to see that the Department’s interpretation of the current law is very much in line with Recorded Future’s practices. We look forward to continuing to work with external stakeholders and our clients to provide the best possible threat intelligence that can be instrumental in protecting their infrastructure and data.
The guidance published is useful, as it outlines several activities that are generally permitted under U.S. law for threat intelligence purposes. These include:
- Accessing forums on both the open and dark web using credentials that are legitimately acquired via the forum operators themselves, or elsewhere, to gather threat intelligence information
- Purchasing breached data on behalf of the rightful owner
While these two activities are generally permitted, there are several caveats to keep in mind, including:
- It is not permitted to access forums using either stolen credentials or malware, or to commit a crime, as a prerequisite for joining the forum.
- Practitioners must be careful to avoid any sort of secondary offense when engaging in any of these activities (e.g., conspiracy or solicitation), even if they are not involved in the underlying criminal conduct itself.
- Because breached data comes in many forms, the specific content may be subject to its own set of specialized regulations (e.g., government-classified materials).
- Whenever purchasing data online, one must also vet the seller to ensure the transaction does not violate any terrorism support or export control regulation.
- Purchasing and trafficking in vulnerabilities and other similar activities may also open up liability under the DMCA, CFAA, or other regulations.
As a reminder, the stakes for getting these rules of engagement wrong are very high. To give you some idea of the gravity of these issues, it is worth highlighting that individuals can not only be liable for large criminal fines (up to $1 million in the case of the Export Control Reform Act), but may also be imprisoned for up to 20 years under the CFAA and ECRA.
Beyond potential legal jeopardy, the DoJ’s guidance reminds us about other dangers as well:
- Do not become a predator, and do not become a victim.
- Practitioners must ensure that they are staying on the right side of the law while also not unwittingly putting themselves at further risk by engaging in these activities.
Given that threat intelligence can be risky, Recorded Future recommends only using reputable vendors. If you are engaged in these activities on behalf of your organization, we suggest you discuss these issues with an attorney to understand the exact boundaries of these laws and the potential liability involved.
It is certain that these issues, such as data breaches and electronic financial fraud, are not disappearing anytime soon. This sort of threat intelligence can be indispensable in understanding the exact vulnerabilities that are being used to target your organization and your infrastructure. Threat intelligence can also ensure you are alerted as soon as possible when proprietary data or credentials are being sold or leaked online, and it supports many other use cases that help keep your organization safer online.
To assist you in making an informed decision regarding your threat intelligence vendor, here are some questions you may want to ask your potential intelligence providers:
- Do you have collection policies that are in line with all applicable laws, and do you train your practitioners accordingly?
- Have those policies been reviewed and validated by legal and other subject-matter experts?
- Do you utilize any illicit methods to gain access to forums or gather information?
- Do you have processes and relationships in place with law enforcement to escalate issues as necessary?
Again, we applaud the Department of Justice’s attention to this issue, and their pragmatic outlook on these activities. We look forward to continued discussions with the law enforcement community, our clients, prospects, partners, and others, as threat intelligence continues to evolve, and as we all continue to endeavor to keep our data safe online.