MISP-PJ: French police get a database to better fight malware


Faced with a rise in offences involving computer intrusion, the French police want new tools to centralize and cross-reference the data collected during their investigations. In a decree published on December 26 in the Journal officiel, the Ministry of the Interior authorizes the creation of the MISP-PJ database, which will bring together the technical markers and indicators of compromise collected by gendarmerie and police officers investigating cybercrime cases.

Centralize data

MISP-PJ (Malware Information Sharing Platform – Judicial Police) will take the form of a database combining the data collected by investigators with open-source data identified as potentially linked to an investigation.

The database will let investigators record several types of information related to their cases: the surnames, first names and company names of the people and organizations involved, and the IP addresses of the command-and-control servers used in a breach of a system. The platform will also record all the data relating to the perpetrator of the attack collected by investigators: “email addresses, IP addresses, pseudonyms, profile name(s) on social networks or identifiers, domain name(s), port number, ransom demand email, ransom note, encrypted file data and file signature, virtual currency wallet address”, as well as payment information.

The database will be accessible to the services specializing in the fight against cybercrime: the gendarmerie's C3N, the judicial police's OCLCTIC and the Paris police headquarters' BEFTI, as well as to the specialized magistrates of the Paris prosecutor's office and to other officers and magistrates who need the data for their investigations. Under certain conditions it will also be open to judicial cooperation bodies (Europol, Eurojust or Interpol, for example) and to foreign police services.

Cross-referencing IoCs

This information is essential in investigations that seek to trace the origin of a computer attack. The IT security industry generally refers to it as indicators of compromise (IoCs), and many private companies specialize in identifying and sharing this data, which security tools use to trigger alerts.

For the police, on the other hand, the goal is not better protection but centralizing information and making it easier to cross-reference investigations, as the CNIL opinion on the new database, published in the same edition of the Journal officiel, explains. The Commission writes: “The cross-checks will be carried out automatically within the MISP-PJ application itself, which provides for reporting when several files share an identical technical indicator. They will allow investigators to make links between certain breaches and thus facilitate their investigations.”
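The automatic cross-checking the CNIL describes, flagging a technical indicator that appears in more than one investigation file, can be illustrated with the following added example. It is not MISP-PJ's or MISP's own code: the case numbers, indicator values and normalization rules are constructed here for illustration (IP addresses come from documentation ranges, domains use the .example TLD).

```python
"""Cross-case indicator correlation (constructed example, not MISP-PJ code).

Each record is (case file, indicator type, raw value). Indicators are
canonicalized so that the same value written differently in two files still
counts as "identical", then every indicator seen in more than one file is
reported together with the files that share it.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records; the case identifiers and values are invented.
CASE_FILES = [
    ("PJ-A", "ip",     "203.0.113.10"),
    ("PJ-A", "domain", "Update-Checker.example."),
    ("PJ-A", "sha256", "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"),
    ("PJ-B", "domain", "update-checker.example"),
    ("PJ-B", "email",  "pay@ransom-note.example"),
    ("PJ-B", "wallet", "1ConstructedWalletAddressExample"),
    ("PJ-C", "email",  "PAY@Ransom-Note.example"),
    ("PJ-C", "ip",     "2001:db8:0:0:0:0:0:1"),
    ("PJ-D", "ip",     "2001:db8::1"),
    ("PJ-D", "wallet", "1constructedwalletaddressexample"),  # differs by case only
    ("PJ-D", "sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
]


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form of an indicator value.

    Domains, e-mail addresses and hashes are case-insensitive; a trailing dot
    on a domain is dropped. IP addresses go through the ipaddress module so
    that equivalent spellings (IPv6 zero groups) collapse to one string.
    Wallet addresses are left as written: in base58 legacy Bitcoin addresses,
    for example, case is significant, so lowercasing would create false links.
    """
    v = value.strip()
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type in ("email", "sha256", "md5"):
        return v.lower()
    return v


def correlate(records):
    """Map (type, canonical value) -> sorted case files, keeping only
    indicators recorded in more than one file."""
    seen = defaultdict(set)
    for case_id, ioc_type, value in records:
        seen[(ioc_type, normalize(ioc_type, value))].add(case_id)
    return {key: sorted(cases) for key, cases in seen.items() if len(cases) > 1}


def linked_cases(records):
    """Case-to-case links implied by the shared indicators."""
    links = defaultdict(set)
    for cases in correlate(records).values():
        for case_id in cases:
            links[case_id].update(c for c in cases if c != case_id)
    return {case_id: sorted(others) for case_id, others in links.items()}


if __name__ == "__main__":
    for (ioc_type, value), cases in sorted(correlate(CASE_FILES).items()):
        print(f"{ioc_type:7} {value:64} shared by {', '.join(cases)}")
    for case_id, others in sorted(linked_cases(CASE_FILES).items()):
        print(f"{case_id} is linked to {', '.join(others)}")
```

On this sample, the domain, the ransom e-mail address, the IPv6 address and the file hash each link two files, while the single-file IP address and the two wallet strings that differ only in case produce no link. In practice a matching step like this also needs a list of indicators too common to be meaningful (shared hosting IPs, public resolver addresses), otherwise unrelated files get linked.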

The CNIL sees no major obstacle to setting up such a database. In its opinion, the Commission regrets that the ministry did not wish to carry out an impact assessment before creating it. It is also concerned about the level of security the database will receive: access will be reserved for authorized officers and magistrates, each with a username and password so that their actions on the database can be traced, but the Commission recalls that centralizing this data in itself creates a risk should its confidentiality be lost. Likewise, the data recorded in the database will be kept for six years, whereas the CNIL considers that a period of three years would be justified.
