How the US DHS tracks down international cybercriminals

465iStock_000028846264_Medium

When Jason Brown takes the stage for his keynote address at SecTor next month, there won’t be any cameras or recording devices in the room. He won’t allow it because of what he’s going to say. This Secret Service agent is privy to some of the most advanced cyber-forensic and criminal investigation techniques in the world, and he doesn’t want it getting out to the broader public.

Brown spends his time chasing cybercriminals through shadowy online forums and sites on the dark web, and he has seen the face of international cybercrime change substantially in the last 15 years.

“It has changed and morphed,” he said. “In the early 2000s, a lot of stuff was done openly on websites and carding forums. These days, there’s a lot more vetting by people in deciding who can be on those forums and who’s not a cop.”

This has raised the stakes for Secret Service agents and others in law enforcement, who must now work much harder to infiltrate these online circles.

Brown has been with the Secret Service since 1999, where he began in the New York Field Office, working with their Electronic Crimes Task Force. He dealt with computer forensics, investigating electronic crimes against companies in the US financial and retail sector. From there, he transferred to Washington DC’s Criminal Investigative Division, Cyber Intelligence Section (CIS), targeting highly sophisticated electronic crime groups.

“CIS is the team that is going after those criminals doing the large network intrusions,” he said. “Those criminal groups are targeting large amounts of stolen credit card data and other valuable information. We investigate how they obtain, move, and monetise that data.”

The division of duties among these organised gangs is greater than ever. No one person would conduct every level of a criminal event, points out Brown. Malware must be coded, and compiled – that’s often two functions, right there. Botnets must be herded, data stolen, collated, and sold. Then, online money launderers must convert the virtual money into hard cash.

After a two-year stint on the White House National Security Staff directing cybersecurity policy and then a four-year period on the President’s personal security detail, Brown returned to the Cyber Intelligence Section, this time in a supervisory role, where he is once again concentrating on tracking down these cybercriminals using a cadre of special agents, linguists, and technology experts. This also includes undercover work.

“The vast majority of the criminals we target are overseas,” Brown said. “In these high-level organizations, the real serious actors are located outside the US.” That can make them harder to reach, he explained, especially in countries that don’t want to co-operate with the US. He won’t name those countries publicly, but you can guess which ones would hover at the top of that list.

“Some countries aren’t as friendly to us, and the criminals know that and they have a better chance there,” he said.

Assuming that the Secret Service is working with a friendly country, criminals can be extradited using various measures. The Mutual Legal Assistance Treaty (MLAT) process, under which the US sets up legal arrangements with individual countries, is one example.

When it comes to tracking and identifying criminals, much will depend on the partner country’s own laws. For example, a PEN register would be all you’d need to harvest a suspect’s IP connection log data in the US, Brown revealed. “Other countries may need a search warrant.”

When it comes to harvesting technical information like this, the challenges aren’t just legal – they’re technical, too. The dark web has added another layer of complexity to the mix, he admits. “Thanks to technologies like Tor, the dark web will always be a problem for law enforcement,” he said. “It was designed very well for its legitimate use by private citizens protecting their online communications. The criminals have found a knack for using it as well, though.”

Whether it’s on the dark web or in plain sight, international co-operation to bring cybercriminals to justice is getting better, argued Brown. “It’s a truly borderless crime,” he said. “Are things perfect? No, but I can say that the international legal landscape has improved.”

The Secret Service has been sharing cybersecurity and crime information via 37 domestic Electronic Crimes Task Forces and two international ones, in an attempt to create a unified approach to the problem. At his SecTor keynote, he will talk about it in more detail – and tell some stories of the Service’s bigger international wins.