Knock, knock! Secret Service here. "Is this your customer payment card data?"
By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, specifically the U.S. Secret Service and the Federal Bureau of Investigation (FBI). But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance?
The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and proprietary information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk. They have informants, they interview people already incarcerated for cybercrime, and they see clues in the massive data dumps of information stolen from companies whose networks have been breached.
They are constantly investigating, says Shawn Henry, president of CrowdStrike Services, a subsidiary of security firm CrowdStrike, describing how law enforcement follows the digital trail of cybercrime. He should know. Until two years ago Henry was executive assistant director of the Criminal, Cyber, Response and Services Branch of the FBI.
In the course of all of this monitoring, Henry says, law enforcement often finds itself in the odd position of having to show companies evidence they have been victimized. And they aren't always thanked for their efforts. Sometimes, Henry says, companies say, "Please just go away." He adds, "It happens all the time."
The FBI acknowledged the reluctance issue when James Comey, FBI director, said during his keynote at the RSA Conference in February, "We come knocking on your door to say you're under attack," and "we totally get you're reluctant to report intrusions because you fear government rummaging in your network or that competitors will hear about it." Law enforcement "asks for a lot but doesn't seem to offer much in return," he said, but the knowledge is critical for the industry at large.
The companies presented with evidence of stolen data don't have to work with law enforcement investigators, Henry points out, but many do, sometimes providing forensics reports to show how intruders got into their network to exfiltrate sensitive information.
How frequently do the Secret Service and FBI come calling? "About 40% to 50% of our customer base have regular conversations with the FBI and other agencies that have warned that they have been breached," says Simon Crosby, chief technology officer at security vendor Bromium. Law enforcement is very actively trolling the Internet to discover things, he says.