[BreachExchange] The ethical and legal dilemmas of threat researchers

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 21 19:29:59 EDT 2018


Threat intelligence is mainstreaming into a de-facto everyday tool of
cyber-defense. But all that intelligence must be collected, analyzed, and
prepared by someone. Enter threat researchers, the advanced scouts of
cybersecurity. They are becoming more numerous and conspicuous as more
intelligence on illicit hacker activity is demanded. Threat researchers
trawl through the dark web, pick apart malware, reverse engineer exploits,
track outbreaks across the Internet, and set up honeypots to surveil
attacker activity.

They also find themselves weaseling around in the slippery space between
what is acceptable and what is forbidden. To get to the truth on the
ground, they can find themselves using stealth, misdirection, and even
outright deception. This is when threat researchers can find themselves in
unpredictable legal and ethical situations with consequences that they and
their employers never anticipated. I’m going to pose a series of scenarios
based on actual threat researcher incidents to illustrate these dilemmas.

How far is too far?

We’d assume that it’s the government’s job to protect us from those things
that we cannot defend against. In cyberspace, that is rarely true. Consider
the case where a threat researcher uncovers a large botnet composed of
hijacked critical infrastructure devices. Warnings to the owners and
manufacturers are ignored, especially since there is no information on the
specific exploit being used. Without the particulars on the nature of the
compromise or a reported crime by the actual victim, law enforcement
couldn’t be bothered. That is the problem with intelligence: it rarely
provides a smoking gun or the whole story.

To gather more information on how the botnet was constructed and by whom,
the researcher could break into the compromised devices and perform
forensics. Despite intention, in the eyes of the law, this act would be no
different than what the botnet creator has done. Unauthorized access is a
clear violation of the Computer Fraud and Abuse Act. When an agent of the
law does this, they need a court order that is referred to as OIA or
“Otherwise Illegal Activity.” For a civilian, it invites arrest, lawsuits,
and, at the very least, termination of employment. What are the alternatives
for the researcher? Ignore this massive threat? Disclose the information
publicly and hope the attacker doesn’t trigger an attack, disappear, or
change tactics? Worst of all, disclosure could inspire copycat attacks and
make things worse.

What to do about stolen data?

Consider the other things that are discovered on darknets: email addresses,
passwords, text messages, financial information, photographs, and even
private videos. What happens when a security researcher uncovers this kind
of stolen data? Do they have the right to search through it? Analyze it?
How much of it should they publish? What if the data was from a public

Take this a step further, what should happen when a threat researcher finds
evidence of crimes committed? Police are rarely interested in ill-gotten,
dubiously-sourced data except for intelligence purposes (which means the
researcher will see no immediate action). On the other hand, journalists
are usually interested, but they will publish their findings.

Keeping everything secret might not seem like such a bad thing, as many
organizations are leery of potential liabilities or blowback. There is a
real tension between sharing intelligence and causing more mayhem by
disclosing threats. This is why threat researchers often know about things
that are happening that are not being shared openly.

Deceptive practices

Sometimes the actions chosen by threat researchers aren’t a question of
legality but instead a question of ethics. In most cases, there is no legal
obligation to report a crime (encouraging or helping plan a crime is
another matter). Is it ethical for a researcher to impersonate a
cyber-criminal with the intent of gaining access to illicit forums? Or to
try to trick criminals into revealing their secrets? This goes beyond
honeypots, creating actual fake identities and trolling the dark nets and
criminal forums in an undercover guise.

As an aside, it seems to me there are times when so many threat researchers
are stumbling around in the dark web that I’m reminded of The Man Who Was
Thursday. In that book (spoiler alert), a police officer infiltrates a
cabal of anarchists, all of whom turn out to be undercover police
themselves. I wonder how many threat researchers are surveilling and taking
notes on each other? I wonder how many threat researcher publications have
hampered law enforcement or intelligence agency investigations?

For the most part, threat researchers try to remain anonymous in online
forums, but at the same time, it’s not always possible. Some forums
necessitate a level of participation in order for anyone to trust you. What
happens when those same criminals start bragging about their crimes? And
producing details? Should the researcher go ahead and publish this
information, possibly spoiling an investigation? Report it to the
authorities? Ignore it?

Unsupervised decisions

There are no clear guidelines as to what threat researchers should do. In
many cases, consultation with an attorney results in any action that smacks
of impropriety being discouraged, with the result that nothing useful
related to threat research can be found or shared. In
fact, this is the reason that conversations with corporate attorneys are
often avoided by threat researchers.

In many cases, threat researchers are making these kinds of decisions on
their own. This can yield unpredictable results as there is no defined code
of conduct for threat research, nor are there any professional standards.
There is no telling if one threat researcher will do the same thing as
another. Often a threat researcher may opt for the choice that maximizes
their deniability and minimizes the blowback, such as producing obfuscated
warnings and omitting telling details.

Undeclared threat researchers gone wild

I have also seen situations where IT professionals have been caught
violating the rules and then claiming it was not done for criminal gain but
under the aegis of “threat research.” I’ve been part of several security
investigations where IT personnel were terminated for conducting their own
supposed threat research while using company equipment. Whatever their
intentions, for most organizations, the liability for this kind of rogue
action is indefensible.

Where do we go from here?

Ethically, it is understood that security professionals should act to
preserve the safety and welfare of society as well as adhere to the highest
ethical standards of behavior. When wrestling with these predicaments, one
question to ask is are your actions adding to existing harms? Are you
making the problem better or worse? But even then, sometimes the outcome is

I don’t want to go as far as pushing for threat researchers to be licensed,
certified, or required to adhere to a code of standards. We already have
plenty of those in the cyber-security industry. I raise this topic to make
people aware, as it is a growing problem and one that not enough people are
talking about.