For federal agents investigating cybercrimes, gathering open source intelligence is a lot like going undercover. They establish fake identities to gain the trust of the bad guys, and gather information on criminal activities. They just do it all from a keyboard.
“To simplify it, you’re basically just trying to make yourself look like a bad guy, right?” Michael Ray, inspector in charge of cybercrime and analytics at the U.S. Postal Inspection Service, told Federal News Network. “And there’s a lot of different methods and tactics and practices behind that. But it’s how do you do that in a very effective, timely manner?”
The challenge is that the internet has now been around for a long time. Both the good guys and the bad guys are capable of looking into the history of a user or a vendor on a particular marketplace.
“There’s a whole internet history that we have to take a look at, to really understand,” Ray said. “So when it comes to doing online undercover work, our biggest challenge is — since our program is fairly new, going back to 2014 — trying to establish that long-term persistence and that long-term identity, and enabling the visibility of the user identity over a long period of time to build that reputation, build the street creds, if you will. Because you don’t have that face-to-face interaction, because the bad guys are going to apply the same principles and tactics to do their own assessment.”
Both law enforcement and criminals look at the same information: How long has a vendor persisted on a marketplace? What kinds of prior interactions does a user have? They’re making the same assessments, such as, “Is this someone I’m willing to engage with? Do I have this conversation, make this transaction?”
Here at least, Ray said the criminals have a leg up on law enforcement. They entered into the marketplace from the very beginning with sincere bad intentions.
“Basically the dark web, it’s a series of different marketplaces. So think of it as an e-commerce platform out there,” Ray said. “Just as what we commonly know as your Walmarts, your Targets, your eBays, your Amazons, it’s a marketplace to enable e-commerce transactions collectively to be done by many different users of that particular marketplace.”
And just like with those legitimate marketplaces, users and vendors get reviews and ratings. There are reputation assessments. And building that reputation is a challenge.
But law enforcement has certain advantages as well.
“I would argue that the advancement of the blockchain technology … has actually helped with our ability to follow the money,” Ray said. “So when you had face-to-face transactions, you didn’t have a public ledger, you didn’t have open source information. You had to go through [the Treasury Department’s Financial Crimes Enforcement Network] and get suspicious activity reports. You had to look at bank records that were subpoenaed, under course of legal process. Now, I think with the advent of cryptocurrency, certain types of cryptocurrency are posting those in blockchain ledgers. And now if you know the wallets and all of that, you can take a look at that. And you can follow the money to a certain extent.”
To be sure, it can be more complicated than that. But Ray said on the whole, access to those ledgers without the necessity for legal processes like subpoenaing records actually saves law enforcement time and effort, getting the data into the hands of investigators and analysts more quickly and efficiently.
That also opens up new avenues for hiring, Ray said. Because of the nature of the investigations, his cybercrime analysts don’t necessarily need a technical foundation, like the ability to do forensic network analysis. Instead, he’s looking for more practical experience in these realms, such as cryptocurrency analysis, or undercover identity creation and management. Can this person follow a bad guy through multiple identities and marketplaces?
That can also involve certain soft skills, Ray said, like behavioral and psychological assessments.
“The folks that we have right now that actually do some online investigations now have some of the foundational components that may not apply directly to your traditional technical requirements, your technical certifications, like your forensics certifications, your incident response certifications, your Ethical Hacker certifications,” Ray said. “But they do have the foundational components, which tells us they should be successful, in theory, to apply not only what foundation we have, but develop the technical expertise to then fall into an incident responder, and then also a higher level investigation that requires that technical aptitude.”