Flashpoint legal and best practices
About this policy
Last updated: March 20, 2020
In February 2020, the U.S. Department of Justice (DoJ) published “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources”, which reflects input from the Federal Bureau of Investigation, U.S. Secret Service, and the Treasury Department’s Office of Foreign Asset Control.
The overarching themes and best practices from this DoJ document validate Flashpoint’s operating principles and highlights the need for a trusted and experienced partner in gathering threat intelligence from a broad array of illicit communities, forums, and chat services. It is critical to work with an organization that understands these challenges both legally and logistically, and navigates them with precision to ensure all activities are above board, while mitigating risk for private and public sectors.
Best Practices and Rules of Engagement
This document transparently provides guidance on best practices to “help organizations adopt effective cybersecurity practices and to conduct them in a lawful manner.“ The guidelines address several scenarios around interactions and transactions in the online illicit ecosystem and reinforce that operating at scale in these communities requires considerable rigor, controls, and compliance processes.
Flashpoint’s approach starts with commonly known and accepted Rules of Engagement. All of Flashpoint’s collections operators are required to follow this code. This guide outlines how our intelligence team can gather critical intelligence while minimizing risks to our operations and our clients. Our Rules of Engagement align clearly to the DoJ’s recommended “Best Practices” highlighted in the document and include:
- Practicing good cybersecurity internally
- Conducting intelligence gathering that is legal in nature
- Documenting all collections in preparedness for potential investigation
- Avoiding allusion to an identity that is not one’s own or not authorized to be used by that individual.
- Building Trusted Relationships with Law Enforcement
DoJ also emphasizes the importance of developing trusted relationships with law enforcement to facilitate deconfliction and responsible disclosure:
“It may be beneficial to build an ongoing relationship with the local FBI field office or Cyber Task Force and the local U.S. Secret Service Electronic Crimes Task Force. Having trusted lines of communication established in advance can avoid misunderstandings about intelligence-gathering activities.”
As a team, Flashpoint has operated in this way from inception. Our mission has always been to create a safer world, and working collaboratively with law enforcement as a trusted partner is critical to our safety and security. Based on our Rules of Engagement highlighted above, we are able to provide pertinent government agencies insights into illicit communities so they can review and independently investigate under their respective authorities. This relationship has helped Flashpoint assist in numerous law enforcement investigations, including:
- Two Major International Hackers Who Developed the “SpyEye” Malware get over 24 Years Combined in Federal Prison – Apr 20, 2016 link
- Justice Department Announces Charges And Guilty Pleas In Three Computer Crime Cases Involving Significant Cyber Attacks – Dec 13, 2017 link
- Computer Hacker Who Launched Attacks On Rutgers University Ordered To Pay $8.6m Restitution; Sentenced To Six Months Home Incarceration – Oct 26, 2018 link
- Criminal Charges Filed in Los Angeles and Alaska in Conjunction with Seizures Of 15 Websites Offering DDoS-For-Hire Services – Dec 20, 2018 link
Notifying Affected Parties
It’s also noteworthy to see DoJ call out activity that has been far too prevalent in the vendor community:
“When contacting someone who’s stolen data has ended up in your possession, avoid communicating in a manner that could be misconstrued to be an extortionate demand.”
An unfortunate reality is that some intelligence vendors utilize information found via their sources as a way to initiate a pitch of their service. Not only is that individual they are attempting to pitch often enduring one of the hardest days of their life, that individual should never feel as though a vendor is trying to take advantage of their hardship.
A best practice that we employ is reaching out to the impacted organization and ensuring we have the right people to speak with about the data collected — whether they are a client or not.
If we have an existing relationship with the organization, our team will reach out directly.
If we do not, we work closely with the respective Information Sharing and Analysis Center (ISAC) to pass the information along and avoid any misunderstandings.
If necessary, we reach out to law enforcement to ensure the sensitive data is handled appropriately.
Protecting all affected parties from further potential harm is Flashpoint’s utmost priority.
- Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources – US Department of Justice – Feb 2020 – https://www.justice.gov/criminal-ccips/page/file/1252341/download
- Two Major International Hackers Who Developed the “SpyEye” Malware get over 24 Years Combined in Federal Prison – Apr 20, 2016 – https://www.justice.gov/usao-ndga/pr/two-major-international-hackers-who-developed-spyeye-malware-get-over-24-years-combined
- Justice Department Announces Charges And Guilty Pleas In Three Computer Crime Cases Involving Significant Cyber Attacks – Dec 13, 2017 – https://www.justice.gov/usao-nj/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases
- Computer Hacker Who Launched Attacks On Rutgers University Ordered To Pay $8.6m Restitution; Sentenced To Six Months Home Incarceration – Oct 26, 2018 – https://www.justice.gov/usao-nj/pr/computer-hacker-who-launched-attacks-rutgers-university-ordered-pay-86m-restitution
- Criminal Charges Filed in Los Angeles and Alaska in Conjunction with Seizures Of 15 Websites Offering DDoS-For-Hire Services – Dec 20, 2018 – https://www.justice.gov/opa/pr/criminal-charges-filed-los-angeles-and-alaska-conjunction-seizures-15-websites-offering-ddos