Lingua Franca: A Technical Advisory for Industry and Government, January 2009

OPTIMIZING E-CRIME INVESTIGATION EFFICIENCY USING A COMMON DATA FORMAT
SUMMARY
THE RATIONALE FOR A COMMON ECRIME REPORTING FORMAT
CRITERIA FOR DETERMINATION OF OPTIMAL DATA FORMATS
THE IODEF EXTENSIONS FOR E-CRIME REPORTING
ENABLING ROBUST DATA SHARING
USE CASE SCENARIOS AND ASSOCIATED BENEFITS
LOOKING AHEAD: IODEF EXTENSIONS DEVELOPMENT ARC
REFERENCES
Correspondent Author Contact Data: Patrick Cain, APWG, pcain@antiphishing.org
Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service providers have provided this message as a public service, based upon aggregated professional experience and personal opinion. These recommendations are not a complete list of steps that may be taken to avoid harm from phishing. We offer no warranty as to the completeness, accuracy, or pertinence of these recommendations with respect to any particular registrar's operation, or with respect to any particular form of criminal attack. Please see the APWG website — http://www.apwg.org — for more information.
http://www.apwg.org ● info@apwg.org
PMB 246, 405 Waltham Street, Lexington MA USA 02421
Contributing Researchers

Principal Investigator: Dave Jevans, Chairman, APWG
Patrick Cain, Resident Research Fellow, APWG
Peter Cassidy, Secretary General, APWG
Summary

Historically, crime has been a local event; that is, the criminal is in close proximity to the victim. Electronic crime (e-crime) and variants on well-known criminal tactics that have been updated to use the Internet have removed this persistent locality. The perpetrator of the crime and the victim may be separated by entire countries, or even continents. This adds new challenges for crime investigators, as the party performing the initial investigation may be quite remote from the actual crime "location", with different parties performing different parts of the investigation. The ability to convey accurate and complete investigative data, in multiple languages and styles, is now paramount to successful management of e-crime events, law enforcement case formation and subsequent prosecution.

To help with this information exchange, the APWG has worked with its partners across its global membership base of some 1,700 institutions to develop an XML-based data model for reporting the technical aspects of phishing, fraud, and other electronic crimes to remote parties in a clear, consistent method. The goal of the data model is to allow an investigator to share relevant details of a possible criminal act with others in a data format that requires completeness, such as the local time zone on every timestamp, while also providing multi-language support.

Data shared in this format can be further processed quite easily by automation. For example, data about certain crimes can be automatically processed by computer on arrival and redirected to the appropriate investigator in near-real time. Additionally, specific data elements can be controlled or encrypted to comply with evolving data privacy regimes.

These factors make this data model an excellent vehicle to report, share, and interpret electronic crime events. Ultimately, the APWG believes that utilizing a common data format will allow forms of automated processing of forensic data, giving investigators and e-crime responders the kind of insights they require to transform large repositories of forensic data into actionable narratives that can animate potent e-crime management exercises for private industry, as well as case formations, investigations and prosecutions for law enforcement.
The Rationale for a Common eCrime Reporting Format

The rise in phishing and fraud activities via e-mail, instant messaging, DNS corruption and malicious code insertion has compelled corporations, Internet Service Providers (ISPs), consumer agencies and financial institutions to begin to collect, fuse, correlate and analyze phishing attack information and data related to e-crime events. The collected data allows them to better coordinate mitigation activities and support the pursuit and prosecution of attackers.

By using a common format, it becomes easier for an organization to engage in these coordination activities as well as the correlating of information from multiple data sources or products into a cohesive view. As the number of data sources increases, a common format becomes even more important, since otherwise multiple tools would be needed to interpret the different sources of data.
• Private enterprises and their contractors (e.g. banks and their security consultants) can quickly consolidate e-crime report databases to present a case to law enforcement.
• Private security firms can share data quickly and effectively to identify and track telling trends as well as identify and characterize antagonists who are causing losses to their client companies.
• National computer emergency response teams, coordinating investigations into phishing attacks, can combine e-crime event databases to find corresponding data points in attacks launched in one country against targets in another.
• Public sector law enforcement agencies can combine e-crime event databases to analyze for trends and clues to inform case initialization.
• Public sector law enforcement agencies can quickly assemble e-crime event data around a formerly unidentified suspect whose identity has been surmised and confirmed.
• All parties to development of an existing law enforcement or private security case can program their systems to automatically direct reports of pre-determined characteristics to the appropriate investigators.

Ultimately the capacity to rapidly recruit, combine and analyze large disparate pools of e-crime data will suggest more automated mechanisms for e-crime detection and exposition. Furthermore, data fusion of summarized e-crime data with other established law enforcement data resources will redound, over time, to the development of potent e-crime investigative techniques that will make case initialization and development in the electronic realm as procedural as they are for conventional law enforcement. Establishing a common data format is the first step toward that more efficient future.
Criteria for Determination of Optimal Data Formats
The IODEF Extensions for e-Crime Reporting

Failing to find an acceptable existing data format inspired APWG researchers to define a set of extensions to the IETF Incident Object Description Exchange Format (IODEF) definitions as defined in IETF RFC 5070, a reporting standard for network events that was officially adopted by the Internet Engineering Task Force (IETF) in December 2007. (The IETF is an international body that, in part, develops technical and protocol standards for the operation and maintenance of the Internet.)

The IODEF is an XML-based data format designed to identify and describe network events such as virus infections, Denial of Service (DoS) attacks, or large scale malevolent scans by attackers. Each part of an IODEF report is specified through a schema definition indicating the data elements and their attributes. The schema also allows implementers to specify which elements and attributes are required, to make sure that the important ones are included within a report.
Figure 1: APWG e-Crime Reporting Tool
Enabling Robust Data Sharing

Significant operational efficiencies are possible if a common data format is shared amongst reporting and consuming parties. For example, once a reporter generates a report, it can be electronically sent to a database where the data could automatically or programmatically be consumed and redistributed. Another party could request that data from the database, receive it in the common format, and use existing tools to decompose and examine it. This second party could also add additional data to the original report and return it to the original database using the same common format.

With a common terminal format for e-crime reports, new forms of data exchange necessary to engage e-crime become possible in ways otherwise unimaginable without it.

Several communities currently use the IODEF data model and its extensions: national CERTs exchanging network incident data; a group of financial institutions exchanging IP addresses and fraud attack details; and a number of ICT security companies and individuals reporting phishing attempts.

The enduring logistical challenges of international e-crime data sharing are:
• Finding a common data sharing and reporting format that supports multiple local languages;
• Providing adequate flexibility to evolve with the changing e-crime landscape;
• Ensuring that created reports contain sufficient and syntactically correct data.

The APWG believes that the Extension to IODEF-Document Class for Phishing, Fraud, and Other Non-Network Layer Reports meets these challenges and will continue to do so over a long time horizon, and that it will adapt to industrial and law enforcement needs for the foreseeable future.

The schema was developed to solve a few specific, but growing, identified problems, such as exchanging information with speakers of other languages and trying to minimize the back-and-forth negotiation of capturing critical data. A few example use cases follow.
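The properties this section and the IODEF section above ask of a report (the elements a consumer needs being present, a time zone on every timestamp, a language tag on every piece of free text) can be checked mechanically before a report leaves the reporter. The Python script below is an added example, not the APWG's or the advisory's own code: it builds a minimal RFC 5070 IODEF 1.0 document from constructed sample values (the incident number, domain, address and contact mailbox are all made up) and then runs those structural checks over it, once on a good report and once on a copy with the two commonest omissions. It stays within the base IODEF elements, since the e-crime extension's own element names are not reproduced on this page, and the check is a lightweight structural test rather than validation against the published IODEF XML schema.

```python
"""Minimal IODEF 1.0 (RFC 5070) report builder plus completeness checks.
Added example with constructed sample data; structural checks only, not
a validation against the published IODEF schema."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # serialises as xml:lang
ET.register_namespace("iodef", IODEF_NS)
INCIDENT_PURPOSES = {"traceback", "mitigation", "reporting", "other"}  # RFC 5070 enum


def q(tag):
    """Qualified name of an element in the IODEF namespace."""
    return "{%s}%s" % (IODEF_NS, tag)


def build_report(incident_id, reporter_domain, report_time, source_ip,
                 descriptions, contact_email):
    """Return an IODEF-Document string for one phishing incident.
    descriptions maps a language tag to a summary in that language, so one
    report carries e.g. 'en' and 'fr' text side by side."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", XML_LANG: "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    # The reporter's domain scopes the identifier, so two CSIRTs never collide.
    ET.SubElement(inc, q("IncidentID"), {"name": reporter_domain}).text = incident_id
    # isoformat() on a timezone-aware datetime keeps the UTC offset (e.g. -05:00).
    ET.SubElement(inc, q("ReportTime")).text = report_time.isoformat()
    for lang, text in descriptions.items():
        ET.SubElement(inc, q("Description"), {XML_LANG: lang}).text = text
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"),
                  {"type": "social-engineering", "completion": "succeeded"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("Email")).text = contact_email
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    node = ET.SubElement(ET.SubElement(flow, q("System"), {"category": "source"}), q("Node"))
    ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = source_ip
    return ET.tostring(doc, encoding="unicode")


def _has_utc_offset(stamp):
    """True if an ISO 8601 timestamp carries an explicit offset or a trailing Z."""
    try:
        return datetime.fromisoformat(stamp.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def check_report(xml_text):
    """Return a list of completeness problems; an empty list means the report passes."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return ["root element is not an IODEF-Document"]
    problems = []
    if root.get("version") != "1.00":
        problems.append("IODEF-Document version must be 1.00")
    if not root.get(XML_LANG):
        problems.append("IODEF-Document has no xml:lang")
    incidents = root.findall(q("Incident"))
    if not incidents:
        problems.append("no Incident element")
    for n, inc in enumerate(incidents, 1):
        where = "Incident %d" % n
        if inc.get("purpose") not in INCIDENT_PURPOSES:
            problems.append(where + ": purpose missing or not an RFC 5070 value")
        iid = inc.find(q("IncidentID"))
        if iid is None or not (iid.text or "").strip() or not iid.get("name"):
            problems.append(where + ": IncidentID needs text and a name attribute")
        for tag in ("ReportTime", "Assessment", "Contact"):  # required by RFC 5070
            if inc.find(q(tag)) is None:
                problems.append("%s: %s is required" % (where, tag))
        for tag in ("ReportTime", "DetectTime", "StartTime", "EndTime"):
            for el in inc.findall(q(tag)):
                if not _has_utc_offset(el.text or ""):
                    problems.append("%s: %s %r carries no UTC offset" % (where, tag, el.text))
        for el in inc.iter(q("Description")):
            if not el.get(XML_LANG):
                problems.append(where + ": Description without xml:lang")
    return problems


def sample_reports():
    """Constructed sample: a well-formed report and a copy with local time
    lacking its offset and untagged free text."""
    when = datetime(2009, 1, 15, 9, 30, tzinfo=timezone(timedelta(hours=-5)))
    good = build_report("2009-0042", "csirt.example.com", when, "192.0.2.17",
                        {"en": "Phishing site imitating Example Bank's login page",
                         "fr": "Site d'hameconnage imitant la page de connexion d'Example Bank"},
                        "irt@example.com")
    root = ET.fromstring(good)
    inc = root.find(q("Incident"))
    inc.find(q("ReportTime")).text = "2009-01-15T09:30:00"  # offset dropped
    for el in inc.findall(q("Description")):
        del el.attrib[XML_LANG]
    return good, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    good, bad = sample_reports()
    print("good report:", check_report(good) or "passes")
    for problem in check_report(bad):
        print("bad report:", problem)
```

Run as a script it prints that the good report passes and lists the three problems in the damaged copy (one timestamp without an offset, two descriptions without a language). A receiving database can apply `check_report` on arrival and bounce incomplete submissions before they reach an investigator, which is the back-and-forth the schema was designed to remove.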
Looking Ahead: IODEF Extensions Development Arc
References

"Extensions to the IODEF-Document Class for Reporting Phishing, Fraud, and Other Crimeware," Internet Engineering Task Force, July 2008. http://www.ietf.org/internet-drafts/draft-cain-post-inch-phishingextns-05.txt

Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format," RFC 5070, December 2007. http://www.ietf.org/rfc/rfc5070.txt

An open source software project relating to the development of tools for e-Crime reporting can be found at: http://sourceforge.net/projects/ecrisp-x