The Federal Bureau of Investigation (FBI) would like IT services providers and their customers to share their malware with them. As part of its ongoing efforts to combat cybercriminals, the FBI has developed a massive database of malware that it uses to identify and keep track of the individuals and organizations that create malware.
Speaking at a DatacenterDynamics Enterprise conference in New York this week, Timothy O’Brien, a supervisory special agent for the FBI who leads a task force dedicated to combating cyberespionage, says the FBI now has six different task forces in place to help combat various types of cybercrime.
In return for sharing malware with any of those units, the FBI will share any of the information it might already have on how that malware behaves. That information can then be used to better remediate a security breach. For example, O’Brien notes that many forms of malware tend to distribute a lot of files in various places. Armed with the malware patterns identified by the FBI, IT services providers can do a better job removing all those files.
Overall, O’Brien notes that the FBI is now in a much better position to investigate and apprehend cybercriminals. Many cybercriminals operate from bases overseas, and the FBI has stepped up its presence in countries around the world to work with local law enforcement officials to apprehend them. The malware the FBI collects becomes part of a much larger body of evidence used to prosecute those criminals.
In general, O’Brien says the FBI is now keeping tabs on more than 900 criminal forums it has identified on the so-called Dark Web. That number is up from 12 in 2002. O’Brien also notes that there are now more than 1.25 million Internet monikers to keep track of, communicating in more than 25 different languages. The FBI, adds O’Brien, has identified 50 classes of criminals participating in these forums, ranging from peddlers of child pornography to cybercriminals selling various types of malware.
Following the information trail
In addition to trying to catch cybercriminals, the FBI also shares malware information with the National Security Agency (NSA), which defines best practices for maintaining cyber security, and with the Community Emergency Response Teams (CERT) organized by the Federal Emergency Management Agency (FEMA), which operates within the Department of Homeland Security. The latter agency is chartered with helping organizations respond to any actual cybercrime.
O’Brien says that ideally the FBI likes to be able to monitor a compromised server as part of its efforts to better understand how cybercriminals operate and who is ultimately behind these attacks. As part of that effort, O’Brien says the FBI has developed a “splicer” tool that it uses to reassemble streams of data that compromised systems are sending out to a remote server to better identify exactly what data is being stolen.
Organizations need to change their approach
Obviously, the FBI isn't necessarily chartered with preventing malware attacks from being launched by individuals and organizations based outside the U.S. But it does have a clear mandate to help prosecute cybercriminals wherever they are.
All too often, though, organizations are reluctant to share not only how their IT systems were compromised, but sometimes even to admit that a compromise occurred. There are all kinds of legal and vendor-reputation reasons why that happens, but in the absence of any form of punishment, all that silence does is create a business environment in which cybercriminal activity will continue to flourish.