U.S. Department of Justice Shares Best Practices for Gathering Threat Intelligence
This week, the U.S. Department of Justice (DoJ) published “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources”, which reflects input from the Federal Bureau of Investigation, U.S. Secret Service, and the Treasury Department’s Office of Foreign Asset Control.
Josh Lefkowitz – CEO/Co-founder & Tom Hofmann – VP Intelligence
This document provides clear guidance on best practices to “help organizations adopt effective cybersecurity practices and to conduct them in a lawful manner.” The guidelines address several scenarios involving interactions and transactions in the online illicit ecosystem and reinforce that operating at scale in these communities requires considerable rigor, controls, and compliance processes.
What struck us about this document is how closely Flashpoint already follows these best practices in the way we conduct business.
Flashpoint’s approach starts with commonly known and accepted Rules of Engagement. All of Flashpoint’s collections operators are required to follow this code. This guide outlines how our intelligence team can gather critical intelligence while minimizing risks to our operations and our clients. Our Rules of Engagement align clearly with the DoJ’s recommended “Best Practices” highlighted in the document and include:
- Practicing good cybersecurity internally
- Conducting intelligence gathering that is legal in nature
- Documenting all collections in preparedness for potential investigation
- Avoiding any allusion to an identity that is not one’s own or that one is not authorized to use.
DoJ also emphasizes the importance of developing trusted relationships with law enforcement to facilitate deconfliction and responsible disclosure:
“It may be beneficial to build an ongoing relationship with the local FBI field office or Cyber Task Force and the local U.S. Secret Service Electronic Crimes Task Force. Having trusted lines of communication established in advance can avoid misunderstandings about intelligence-gathering activities.”
As a team, Flashpoint has operated in this way from inception. Our mission has always been to create a safer world, and working collaboratively with law enforcement as a trusted partner is critical to our safety and security. Based on our Rules of Engagement highlighted above, we are able to provide pertinent government agencies insights into illicit communities so they can review and independently investigate under their respective authorities. This relationship has helped Flashpoint assist in numerous law enforcement investigations.
It’s also noteworthy to see DoJ call out activity that has been far too prevalent in the vendor community:
“When contacting someone whose stolen data has ended up in your possession, avoid communicating in a manner that could be misconstrued to be an extortionate demand.”
An unfortunate reality is that some intelligence vendors use information found via their sources as a way to initiate a pitch for their service. The individual they are attempting to pitch is often enduring one of the hardest days of their life, and that individual should never feel as though a vendor is trying to take advantage of their hardship.
A best practice that we employ is reaching out to the impacted organization and ensuring we have the right people to speak with about the data collected — whether they are a client or not.
If we have an existing relationship with the organization, our team will reach out directly. If we do not, we work closely with the respective Information Sharing and Analysis Center (ISAC) to pass the information along and avoid any misunderstandings. If necessary, we reach out to law enforcement to ensure the sensitive data is handled appropriately.
Protecting all affected parties from further potential harm is Flashpoint’s utmost priority.
The overarching themes and best practices from this DoJ document validate Flashpoint’s operating principles and highlight the need for a trusted and experienced partner in gathering threat intelligence from a broad array of illicit communities, forums, and chat services. It is critical to work with an organization that understands these challenges both legally and logistically, and navigates them with precision to ensure all activities are above board, while mitigating risk for the private and public sectors.