Not everyone on the underground forums and marketplaces is a criminal. Security researchers, law enforcement, and analysts are also known to lurk in these places collecting information that may indicate a possible data breach or data theft. It’s a tricky balancing act—blending in among criminals while not engaging in criminal activity that could get them arrested.
The cybersecurity unit of the Department of Justice published guidelines for private companies to consider when frequenting these places so that they avoid breaking the law. Many security vendors (such as Recorded Future and Digital Shadows) have teams monitoring these forums on behalf of their customers, looking for information that may have been stolen from customer networks. Analysts from threat intelligence companies (such as Flashpoint) listen to online chatter to determine where the next attacks are coming from and to understand what techniques and tools would be used in them. Private companies also employ in-house teams to scour the marketplaces as part of their threat intelligence activities.
“Information gleaned from those sources can be a rich source of cyber threat intelligence and network defense information about past, current, or future cyberattacks,” the DoJ wrote in the memo. “But when private parties join or participate in these online forums to collect information for lawful purposes, the line between gathering threat intelligence and engaging in criminal activity can be hard to discern.”
The Justice Department’s memo underscores that how potential evidence was collected matters, and clarifies how prosecutors view the activities that private companies and researchers engage in.
Private actors may attempt to “purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets,” the DoJ wrote.
While some forums are open, most perform some level of vetting to filter out white hats and law enforcement. To pass these checks and gain access to restricted or exclusive marketplaces, researchers build whole pseudonymous identities, complete with a history of what the persona has supposedly done.
"In some criminal forums, participants may be required to establish their criminal bona fides by assisting in a criminal act or furnishing proof that they have committed a prior offense," the DoJ wrote. "Do not provide any valid, useful information that can be used to facilitate a crime."
The memo boils down to two basic rules: Don’t Become a Perpetrator and Don't Become a Victim.
Organizations should consult with their legal counsel to confirm that their activities are legal. Organizations and researchers should have protocols in place for safely interacting with criminal websites. These "rules of engagement" should consider legal, security, and operational challenges beforehand to "discourage rash decisions" that may put organizations, individuals, and customers in jeopardy. Having documented protocols would also "prove useful if the organization ever faces criminal, civil, or regulatory action," the DoJ wrote.
Organizations and individual researchers should "cultivate a relation with local FBI and U.S. Secret Service field offices," the DoJ recommended. Establishing "trusted lines of communication" in advance "can avoid misunderstandings about intelligence-gathering activities," the memo continued, noting that investigators may not always be able to distinguish between criminals and white hats gathering intelligence.
It isn’t illegal to frequent, or participate in, these forums. However, police also lurk in these forums, and if they observe someone engaging in activities that could be considered soliciting computer crimes, or taking part in the commission of one, that person could be accused of violating the Computer Fraud and Abuse Act.
"Doing nothing more than passively gathering information from an online forum, even one on which criminal conduct related to computer crime is conducted, is unlikely to constitute a federal crime, particularly when done without any criminal intent," the memo said. But accessing the forum without authorization--such as by exploiting a vulnerability or using stolen credentials--or intercepting communications could "raise legal concerns" under the CFAA and the Wiretap Act.
Researchers and analysts should create their own pseudonym and alternate identity, rather than trying to impersonate an actual person or a type of person (such as claiming to be an employee of a targeted entity).
The underground "is dangerous in ways you don't expect," wrote Allison Nixon, chief research officer at security consultancy Unit 221B. Criminals often lie, not just about what they are selling, but about the rules of the marketplace. The administrators may log discussions or attempt to hack their own members. There is always some level of risk involved in frequenting these places, so analysts and researchers should be vigilant, institute security safeguards, and follow security practices to minimize the risk of being victimized.
“If you want to tinker with the underground, a lawyer is just a starting point,” Nixon wrote. “You need protocols and policies. Get to know your local FBI.”