An Executive Review of new USG Guidelines for Dark Web Intelligence Collection
In February, the Department of Justice’s Cybersecurity Unit published a document that focuses on the risks practitioners face when gathering intelligence from online sources like the Darknet and what the ramifications of certain actions are when performing intelligence collection. The publication highlights several hypothetical situations in which the practitioner may face legal consequences for missteps when interacting with Darknet sellers and obtaining information from these forums.
The US government and law enforcement recognize that Dark web information gathering can be fruitful in terms of cybersecurity and cyber threat analysis, therefore, the Department of Justice aims to educate practitioners of the risks that Darknet intelligence collection poses and provide guidance on how to avoid illegal actions that exist in this somewhat gray area. The document states that it was developed in response to critical questions that have been raised by the threat intelligence community about the legality of specific cybersecurity practices.
The publication was written under two main assumptions; the first being that the actions are conducted within the jurisdiction of the United States, subject to criminal law, and the second is that the practitioners’ only goal is to utilize the information for legitimate cybersecurity purposes and without any ulterior motives. The document focuses primarily on three different investigative practices that are commonly used for cybersecurity threat intelligence gathering, lurking on Darknet forums (i.e. viewing them without interaction, purchases, or false identification), using false personas to interact with Darknet sellers, and purchasing stolen data or information from the Dark markets.
When engaging in online intelligence collection, the DoJ recommends that organizations practice passive intel gathering, in which the practitioner uses a false persona that is completely fabricated and does not directly engage with Dark market sellers. The publication is very clear that a legal boundary is crossed when a practitioner assumes the identity of an actual individual without authorization. However, practitioners must not intercept the communications of a forum as this is illegal under the Wiretap Act (18 U.S. Code § 2511), which was enacted in 1978.
This portion of the publication states two clear boundaries that practitioners must abide to, otherwise facing legal problems: the false persona assumed by the practitioner(s) must not be an actual person, and passive intelligence collection is encouraged but communications interception is illegal. In this section, the DoJ also addresses the process of accessing these Dark markets though the TOR network as hidden services, with some being invite-only and others open to the public and reliant on the anonymity offered by TOR. The document states that the best method of entry in order to avoid legal issues is to use legitimate credentials that have been provided by forum operators.
Using stolen credentials to access the forum will likely result in violation of the Computer Fraud and Abuse Act (CFAA). Utilizing an exploit or another technique rather than authorized and intended means can also potentially violate the CFAA or raise legal issues about lawful access. Forums also frequently request proof that the user is not law enforcement or like agencies, seeking verification that the user has criminal intent. As discussed later, this includes multiple ramifications that could potentially land cybersecurity practitioners in legal trouble.
The DoJ recommends that companies engaging in information collection on the Dark web create “Rules of Engagement,” or a protocol that outlines acceptable methods and provides a guide for practitioners. The DoJ also states that practitioners should prepare to be investigated whether their actions are illegal or not, due to the fact that FBI investigations on the Dark web are frequent. The publication also recommends that companies gathering data on the Dark web build a relationship with law enforcement, namely the local US Secret Service Electronic Crimes Task Force, so that in the case of an investigation trusted lines of communication have already been established.
The next set of scenarios are listed as “Lurking in Forums to Gather Cyber Threat Intelligence,” “Posting Questions on Criminal Forums,” and “Exchanging Information with Others on the Forum.” When “lurking” on forums, the government suggests that practitioners refrain from interacting with others on the sites, stating that this practice will keep the practitioner free of federal criminal liability. However, the more aggressive practice of posting inquiries to gather more information about illegal activities can have legal ramifications, occurring when the practitioner’s comments seem to solicit the commission of a crime.
There is a high risk that a practitioner’s postings and exchanges could become the target of a federal investigation of the forum or its members, effectively entangling the practitioner in the probe. The DoJ recommends that cybersecurity researchers keep a full record of their online activities and how information was gathered and used to avoid scrutiny should an investigation occur. The last scenario describes how practitioners can be accused of aiding and abetting should they choose to exchange information with forum members if this information is used to further a criminal objective or commit a crime. In this instance, a practitioner offering a forum seller technical assistance regarding malware, for example, the practitioner could face charges for engaging in criminal conspiracy, illegal under the aiding and abetting statute.
This statute is violated when a practitioner provides any information that is true, accurate, or useful regarding illegal matters that could advance crimes inevitably planned by those on Dark web forums.. Therefore, the DoJ recommends that cybersecurity employees establish connections with their legal department before communicating with others on the Dark web and that practitioners are deliberate and careful in their commentary and posts on the Dark web to avoid violating the aiding and abetting statute.
The last situation discussed in the publication is when cybersecurity organizations with lawful intent purchase stolen data and vulnerabilities from Dark Markets, whether it be to use it for cybersecurity purposes or if it is part of a customer’s security breach investigation. This can end in one of many ways: the seller may not provide the data promised; they may sell copies of the data to other purchasers; may use the proceeds to fund more crimes; or intent to compromise the purchaser’s systems with a trojanized version of the data.
Regardless of outcome, the DoJ states that purchasing one’s own stolen data or the data of an authorizing party may warrant significant legal concerns. To avoid legal consequences, the practitioner should examine whether the stolen data is the type of information whose transfer or possession is prohibited by law (i.e. stolen payment information or trade secrets), and whether the seller could be someone who is restricted from transacting business under federal law. Legal scrutiny may be evoked if the information purchased by the practitioner includes a trade secret.
Accidentally purchasing a trade secret is permitted if the practitioner reaches out to law enforcement, but receiving, buying, or possessing a trade secret knowing that it was stolen violates the Theft of Trade Secrets Act and will be met with legal prosecution. Furthermore, companies should make efforts to verify the identity of the seller to avoid violating IEEPA, which prohibits economic transactions with groups deemed to be terrorist organizations.
The OFAC has provided tools to help companies identify Specially Designated Nationals and Blocked Persons who are subject to US Sanctions. Practitioners should also exercise extreme caution when purchasing vulnerabilities that are for sale on Dark Markets, such as malware variants. This may be of interest to cybersecurity companies as they can be used to patch vulnerabilities or prevent them from being exploited, however, certain malware can be designed to intercept electronic communications and therefore violating the Wiretap Act.
The publication offers cybersecurity companies the tools and guidelines necessary for intelligence gathering on Dark Markets and forums, and companies should be wary of the inherent risks of interacting with and performing information gathering processes on Dark forums. Although it can be rewarding, certain missteps could land cybersecurity companies in legal trouble. The key to remaining free of legal suspicion is establishing a connection with local federal law enforcement representatives in order to create a trusted line of communication in the event that a legal investigation involving the practitioner does occur. This element is critical to practitioners’ information gathering tactics as it serves to vouch for the practitioners’ intent. Another tactic described in the document that helps practitioners in the case of legal inquiry is to keep a detailed document of communications on the Dark Web as well as actions taken, forums accessed, how they were accessed, and any data or vulnerabilities purchased.
For businesses, this document provides critical guidelines as well as strong recommendations for how companies should operate when gathering intelligence in areas that can have legal implications if missteps occur. Companies should heed the government’s warnings, taking necessary precautions when collecting intel. It can be easy to make rash decisions when a practitioner feels it is close to obtaining targeted information, but the document serves as a warning to all practitioners who frequently access Dark Web forums. The document also proves law enforcements’ activity on these forums as they are supervised and often investigated for criminal actions. The Dark Web’s forums that are harder to access often are more likely to include sensitive information, and obtaining access to these markets can have ramifications for practitioners even when there is no criminal intent on behalf of the practitioner.
- Establish a connection with local law enforcement
- Keep detailed records on information gathering practices
- Create a company protocol for intelligence gathering
- Assume the identity of a real person
- Offer factual information that could be used to further crimes
- Purchase malware variants or vulnerabilities on the Dark web
- When purchasing stolen data from Dark markets
- When interacting with Dark forum sellers/members
- When accessing a forum expect potential law enforcement investigations