A who's who of cybercrime investigators
Cybercrime investigations are more than just first response. Learn about the patchwork of organizations that work together to combat international cybercrime.
As technology advances, so, too, do the nature and prevalence of cyberthreats.
Threat actors get quicker at exploiting new vulnerabilities, reducing their time to exploit. And cyberattackers vary in scale -- they can be individuals, syndicated hacker networks or national organizations. Cybercrime response organizations are just as varied and include agencies and organizations -- private and public -- that work together to prevent, investigate, mitigate and prosecute cybercrime domestically and abroad.
What happens after a cyberattack?
After a cyberattack takes place, it needs to be reported before an investigation happens. Cybercrime is generally underreported because victims often have low confidence in receiving a useful response. Victims might also be ashamed, embarrassed or afraid of reputational damage as a consequence of revealing that they've been exploited. Many victims also don't know whom to report cybercrimes to, where to report them or how.
After a cybercrime has been reported, it needs to be mitigated, attributed to the correct threat actor and prosecuted. This process can require input from a collection of different organizations or individuals -- but it starts with first responders.
What is a cybercrime first responder?
A cybercrime first responder is someone who responds to a cyberincident by securing digital evidence at the scene of the crime. The "scene" in a cybercrime can refer to the targets and targeted technology of the cybercrime, or the technology used to carry out or assist the crime. The first responder kicks off a broader investigation, triggered by a cybercrime report.
Cybercrime first responders can be anyone in a number of professions across both public and private sectors. They include computer forensics experts, law enforcement agents, military officers, private investigators, IT specialists and employees in the private workforce.
No matter what the first responder's official role is, they must carry out search and seizure practices in accordance with national law to ensure evidence is admissible in court.
Types of cybercrime investigators
A patchwork of organizations both public and private are tasked with responding to cybercrimes. Different organizations can be called upon based on the location, nature or scale of the incident.
Some types of entities that respond to cybercrime incidents include the following:
Criminal justice agencies
Securing the evidence is just one critical step of cybercrime response. Response also involves mitigation, detection, investigation, prosecution and adjudication of a cybercrime. In some countries, there's a single dedicated agency for cybercrime; in others, multiple agencies respond to cybercrime.
Criminal justice agents tasked with responding to cybercrimes need a special set of knowledge and skills to investigate and handle information technology that counts as evidence. Specialized skills vary among criminal justice agencies and countries.
National security agencies
National security agencies and militaries can be involved in a cybercrime response if it falls under the organization's purview -- for example, if a cybercrime is conducted directly against the military or affects national security. National security agencies in many countries are tasked with developing cyberdefensive and cyberoffensive capabilities.
Cyberdefensive capabilities are designed to prevent, detect and mitigate the effects of cyberattacks. Cyberoffensive capabilities are meant to attack enemy systems with the intent of causing harm or damage. National security agencies can be tasked with responding to cyberattacks that stem from another nation's cyberoffensive campaigns.
Private organizations
Most critical information technology is owned and managed by the private sector. Critical infrastructure is essential to keeping society functioning, and each nation has its own definition of what constitutes it, so the scope of the term varies from country to country.
Because the private sector operates and maintains critical infrastructure, it is an ideal place to deploy proactive cybercrime prevention and mitigation techniques and tools. For the same reason, the private sector is also a primary target for cybercriminals and is frequently a first responder to cybercrime.
Public-private partnerships
The private sector can supply the public sector with human, financial and technical resources to respond to cyberincidents through public-private partnerships. International and national public-private partnerships pair law enforcement agencies with industry and academic cybersecurity experts.
Task forces
Task forces enable law enforcement agencies of different jurisdictions within a country to work together. Task forces help coordinate, share and integrate information across agencies to support cyberinvestigations. Some task forces deal with specific types of cybercrimes, such as those committed against financial payment systems.
Independent investigators
Journalists, civil society institutions and the public also help conduct cyberinvestigations and assist official organizations in the private and public sector. Sometimes law enforcement or other cybercrime responders crowdsource help with cyberinvestigations by putting out an open call to the public. Independent entities also publish research regarding their involvement in cyberinvestigations or on broader trends in cybercrime.
Examples of cybercrime investigation agencies
Here are some examples of cybercrime response agencies and supporting organizations:
Citizen Lab
Citizen Lab is a laboratory based at the University of Toronto that performs research and develops strategic policy surrounding information technology. Some topics of research and policy development include digital espionage; internet censorship and surveillance practices; and cyberthreat detection, mitigation and prevention. The lab provides cybersecurity insights and tools to organizations and individuals.
Computer Crime and Intellectual Property Section (CCIPS)
CCIPS is a section of the U.S. Department of Justice's Criminal Division that investigates cybercrime and intellectual property crime. CCIPS prosecutes hackers, spyware distributors, fraudsters and cyberstalkers. CCIPS also collaborates with other nations to disrupt large-scale cyberthreats, such as the CryptoLocker ransomware scheme and darknet markets.
Cyber Fraud Task Force (CFTF)
The CFTF is a task force run by the U.S. Secret Service. It is a partnership between the Secret Service, other law enforcement agencies, academia, prosecutors and private industry. The CFTF has offices across the U.S. and handles cybercrimes such as access device fraud, ransomware and identity theft.
Cybersecurity and Infrastructure Security Agency (CISA)
CISA is an agency under the U.S. Department of Homeland Security responsible for the cybersecurity of government infrastructure at all levels. CISA issues operational directives that mandate other government agencies act on specific cyberincidents. It also assists private sector organizations with cyberincidents. CISA provides cybersecurity services and tools to help government agencies handle cyberincidents. In addition to cyberdefense and defense of critical infrastructure, CISA takes action against disinformation and misinformation campaigns.
Europol Cybercrime Centre (EC3)
The Europol Cybercrime Centre is an agency of the European Union that aims to strengthen the EU's ability to respond to cybercrime incidents and protect EU citizens from internet crimes. EC3 specializes in cyber-dependent crime, child sexual exploitation and payment fraud. EC3 also extends its work to the dark web to counter cybercrimes conducted there.
Internet Crime Complaint Center (IC3)
IC3 is an FBI-run national hub for reporting cybercrime. Any victim of an online crime can report it to IC3 by filing a complaint. Information submitted to IC3 helps the FBI investigate cybercrimes and track cyberthreat trends. IC3 partners with the private sector and public agencies to investigate cybercrime. It also hosts a database that gives law enforcement access to materials supporting the investigation of cybercrimes.
Interpol's Cyber Fusion Centre
The International Criminal Police Organization -- or Interpol -- operates the Cyber Fusion Centre, which helps member countries coordinate a global response to cyberthreats. The Cyber Fusion Centre partners with private cybersecurity companies to share cyberthreat data and develop threat prevention and disruption strategies. The Cyber Fusion Centre also publishes reports informing countries of the current cyberthreat landscape.
Mitre
Mitre is a not-for-profit, government-sponsored organization that operates federally funded research and development centers. It supports the U.S. government in a variety of fields, including cybersecurity. Mitre maintains the Mitre ATT&CK framework, a free, globally accessible knowledge base of attacker tactics and defense strategies. Private and government organizations use the knowledge base to develop threat models based on Mitre's observations of attacker behavior in the wild.
National Cyber Investigative Joint Task Force (NCIJTF)
The NCIJTF is a task force made up of more than 30 partnering U.S. law enforcement and intelligence agencies. The NCIJTF combats domestic cyberthreats by coordinating, integrating and sharing information across the multiple involved agencies. It also provides intelligence analysis to combat terrorism, cyberespionage, financial fraud and identity theft in the digital domain.
United States Cyber Command
United States Cyber Command, or Cybercom, is the division of the Department of Defense that handles cyberspace operations. U.S. Cybercom coordinates cyberspace planning and operations in alignment with national interests, enlisting help from both domestic and international partners. U.S. Cybercom designs training, certifications and strategies that enable the military to withstand and respond to cyberattacks, as well as advance national interests and conduct cyberwarfare.
Ben Lutkevich is a writer for TechTarget Editorial's WhatIs site, where he writes definitions and features.