Shadow Server: PDF
Document Details
Uploaded by CooperativeJacksonville
Nanyang Technological University
Stuart Garrick
Tags
Summary
This document discusses Shadow Server observations on working with law enforcement, describing top-tier international cybercrime and the evolution of cyber threats from banking Trojans to ransomware. It details public-private partnerships, and the importance of partnerships in internet security.
Full Transcript
shadow Server Public Private Partnership Working NTU Singapore CTI Course Input Stuart Garrick of the Shadow Server Foundation What follows is a presentation of observations gleaned by Shadow Server through its multiple cases of working with law enforcement over the years. This presentation is at TL...
shadow Server Public Private Partnership Working NTU Singapore CTI Course Input Stuart Garrick of the Shadow Server Foundation What follows is a presentation of observations gleaned by Shadow Server through its multiple cases of working with law enforcement over the years. This presentation is at TLP Green That means it's for people who are interested in the community only There is no permission to forward onto any people outside of your course Please observe the restrictions that are here If you are unfamiliar with the Traffic Light Protocol I strongly recommend you read it and start using it It's a very useful way of handling information to be shared During the course of this presentation my goal is to give you a brief overview of what Shadow Server is and what we do I'm going to talk about some of the entities that operate at the top tier of the internet and use those to explain why public private partnerships are so important ending with a suggestion of what we find is the best way of them actually working in practice I will also give a description of top tier international cybercrime and explain the modular nature of what we see and, to a degree, the evolution over time from banking trojan botnets to ransomware as a service My background is law enforcement 30 years with the Metropolitan Police and the National Crime Agency in the United Kingdom I was a senior investigating officer for international cybercrime cases before I retired in 2015 and I've continued working investigating cybercrime when I moved into the Shadow Server Foundation Let's start with a brief overview of what Shadow Server actually is So what is the Shadow Server Foundation? It is a non-profit, not-for-profit organisation and we are trying to work to make the internet more secure for everybody We have unique data, a global vantage point most of the data we've collected ourselves Our unique element is that we give this information away for free to network owners in order to enable them to mitigate vulnerabilities and threats in their own networks We've also got proven partnerships with national certs NC certs, as they may be called law enforcement and industry and security researchers around the world We've been doing this for a long time, for 18 years We're the world's largest provider of free cyber threat intelligence OK, Shadow Server A little bit deeper, some of the numbers that are involved in what we do There are about 3.7 billion routable IPv4 addresses on the planet There are very, very many more IPv6 addresses We scan all of IPv4 and a large proportion, over 2 billion addresses of IPv6 every day, many times, looking for exposed services things that shouldn't be visible on the internet that might include vulnerable devices or compromised devices We get over 380 million responses each day of devices around the globe which we would want to report out We also run SIG holes These are run in conjunction with law enforcement or occasionally the private sector where we're able to get control of either domain names used by criminals or the IP addresses used by criminals and we point these at our own benign servers and it means that as infected devices are calling out, unbeknown to their owners instead of hitting the criminal systems, they hit ours we log their IP addresses and we know where the victims are We also have a very large honeypot network a global one, nearly 3,000 honeypots which are devices that sit on the internet looking vulnerable and waiting for criminals to scan, find them and then try and compromise them This lets us know what criminals are actually trying to attack and what they're interested in at any given time and lets us have sight of new attack types as they come along We also collect malware on an industrial scale We take in over a million samples of malware, unique by hash, every day We run them through our sandboxes We expose them to the internet It means we can identify the first tier of criminal infrastructure We can see what the malware does to our systems and we can also use it to test the antivirus products that are out there and we run an exchange with antivirus companies so they can get more data in order to be able to train their engines too All of these functions are available as commercial services There are companies that do this for sale but we are unusual in that we do all of these things under one roof and also that we do not sell this data or make it available to the general public We have a very large amount of data in our repository We can search across it in a few seconds and we collect lots of interesting artefacts such as SSL certificates which are very useful in tracing the movement of infrastructure across the internet whenever those certificates are reused, whether by criminals or anyone else The whole purpose of us doing this is to give the data away for free So we have thousands of network owners around the globe It's actually over 8000 network owners now and each of them has defined their network space with us and we will tell them everything we see in that network space We also provide the national CSIRTs of 175 countries with a daily feed of data of IP addresses located in their jurisdiction of devices that are either vulnerable or exposed or potentially compromised Behind the scenes we'll help law enforcement with targeted investigations as well and much of this presentation is drawn from the experience of doing that We provide all of this for free thanks to donations and project work We don't believe that anyone should have to pay to be told they're a victim or that they're vulnerable Everywhere in Green is a country that takes our data at a national level and we're currently trying to build out countries taking our data across Africa in the Pacific and the Gulf regions at the moment So some things that you should be aware of on the internet The internet is essentially just computers connected by numbers Each computer that is on the internet has a unique designator whether it be IPv4 and a combination of four groups of numbers between 0 and 255 or IPv6 which is obviously the much longer way of referencing a point Most of what we do is on IPv4 but IPv6 is becoming more popular For most of this presentation I'll be talking about IPv4 So there's technically 4.2 billion IPv4 addresses but only 3.7 billion of those are routable If you look at IPv6 it is far, far larger A thing called undersillion is the number of decimal points you need to put into that but it's 340 undersillion addresses which is enough for one for every atom in a sheet that could cover 100 Earths So more than we're ever likely to need As I say, every computer on the internet can only communicate with another computer on the internet by knowing what number to connect to it by From a shadow server perspective we see the world like this This is the number of IPv4 addresses in the countries by proportion across the globe All the way from the United States with its 1.5 billion on the left hand side down to North Korea, bottom right, with its 1,000 IP addresses IP addresses are overseen by an organisation called IANA the Internet Assigned Numbers Authority and they delegate down to regions of the world run by organisations with names like RIPE, ARIN and APNIC In the Singapore region it's APNIC who control IP space allocation in that region Within each of those regions the IPs are clustered together in groups called autonomous systems and each autonomous system has its own number so nested within these regions are a whole host of ASNs These are useful for shadow server in the way that we view the internet When thinking about the internet you've got to remember that nobody actually owns it it belongs to everybody and it's just what happens if you choose to connect lots of small networks together and there are networks nested within networks nested within networks just as your home router maintains a network of computers and devices inside your own house the internet is made up of countless nested networks In each country there may be a body responsible for the internet in that country by geographical area they may be called by different names such as CERTs or NCSC but essentially they all have the same function which is to maintain the integrity of the internet at a national level and of course different countries have different capabilities so the national CERTs of most European countries and Singapore and North America etc are fairly developed now and will be able to give sound advice to network owners within their country but we still have countries which do not yet have a mature national CERT capability or actually any CERT at all so when we look at the world as I explained if we look into an individual country we can then divide that down into the ASs the networks that operate within that country so for example in the United States we see that the Department of Defense has the largest block of over 228 million IP addresses, almost 15% of their IP space what we do is we give our data to the national CERT, in America it's called CISA we also will give it down to as many of the ASs directly as we possibly can so at the time of putting these slides together in August we have 59% of ASNs in the United States taking our data directly the goal is to lessen the amount of work that the national CERT has to do by encouraging network owners to clean their own space before they have to be contacted by the national CERT that will leave the CERTs able to better protect critical national infrastructure and the networks of their governments etc if we look at Singapore with a healthy amount of IP by comparison we can look at their breakdown of ASs and we can see that currently in Singapore 32% of these ASs are taking the data directly and we're working to try and improve that figure by making people aware of what we do IP addresses are all well and good but human beings are not very good at remembering them as addresses we prefer names so we invented the domain name system the domain name system is overseen by an organisation called ICANN based in the United States but with a global remit and they are responsible for setting the rules for gTLDs that's generic top level domains there are three bodies in this system that you need to remember they are registries, registrars and registrants registrants are people like you and I who might want to lease a domain name registrars are the organisations that would sell them to us and registries are the people who maintain the index at the top of the tree for everything in that gTLD or ccTLD space so if we look at Amazon.com the end part, the.com is the gTLD the bit before the dot is the second level domain name so the generic gTLD for.com is VeriSign that's an organisation in the United States which has the ability to ensure that all.com domains are kept in a register and can be looked up to find out who's in charge of where the routing is recorded I mentioned ccTLDs, these are country code TLDs so if we think about those in a minute but the thing to remember about domain names is you don't actually buy them you only lease them you lease them for a year or two years and you lease them from the registrars so that would be companies like GoDaddy or Namecheap there are many of them in the United Kingdom we have a ccTLD of.uk in Singapore it's.sg, in the United States it's.us and so forth if we have a look at this the ccTLD is the bit at the end the second level domain name is everything before that and they're managed in the United Kingdom by Nominet who are the registry for.uk domains the thing that is important here is the gTLD has rules set by ICANN but the ccTLD has rules set by the government of the relevant country usually these align with ICANN rules but they don't have to the other thing to remember is that if law enforcement want to take control of a domain and the registrant isn't willing to hand it over or is a criminal in a different jurisdiction or whatever there are two points at which they can do so one is the registry level and one is the registrar level and as long as one of those is in the country of the law enforcement or in their friendly jurisdiction then they may be able to get control of the domain in law I said the registries have a duty to make sure everything is recorded they do this in a thing called Whois where every domain can be looked up by anyone on the planet and it will tell you when it was registered where it is pointing at in terms of what name servers will say it will tell you where you can go and find it and when it expires this is mirrored in the ccTLD world as well although we're moving to a thing called RDAP which is a GDPR compliant version of this system because at the moment the things you would really want to know from Whois such as the real name of the person who registered it their phone number, their address those are typically redacted for privacy and you need a court order to the relevant body in order to try and identify who it was sold to to the relevant registrar there are different types of registrars so the registrar of Last Resort is one created by Shadow Server it is a non-profit it is a special purpose registrar to hold domain names that have been used in crime we use it for sinkholing domains at no cost or certainly low cost on behalf of law enforcement OK, let's have a look and see what happens when we resolve a domain there are a number of elements involved in the process which you may not previously have been aware of I'm going to talk through quickly what happens when you try and resolve a domain as we've said before everything needs to have an IP address we're using IPv4 in this example and the imaginary domain joescakes.co.uk so if you type that into your computer the first thing that will happen is your computer will check its cache it will see whether you've been to this address before if you have it will already know a mapping for the IP address and it will connect across the internet to that IP address and you will see it appear in your browser momentarily if however your laptop hasn't been to that address in the recent past it will ask a DNS resolver across the internet this is usually run by your internet service provider but it doesn't have to be, you can choose different ones if you want to that DNS resolver will see if any of the other customers, anyone else who uses it has been to joescakes.co.uk before in the recent past and if they have, it will know the IP address it will pass it back to your computer your computer will start caching it as well and you will connect as before so what happens if your DNS resolver hasn't had a previous customer who's been to this address in that instance it will call out to the root server there's a limited number of these around the globe and they know where the top level domain servers are run by the registries the DNS resolver will query the registry's TLD server and say where can I find the name server for joescakes.co.uk and it in turn will give the name server's address the query will go to the name server that will actually have the mapping across to the actual IP address for the domain the A record as it's called this will be returned to the DNS resolver and the DNS resolver will in turn cache it and pass it back to your computer which will also cache it and you will then connect as before now all of this happens in a few milliseconds after you've typed the address on your computer and you've actually been taken to the website to visit it and it all happens seamlessly behind the scenes thanks to your browser the key thing about all of this is it's all run by the private sector if law enforcement needs to be involved in any stage of this they have to engage with the private sector I mentioned sinkholing for the case of sinkholing there are two places where law enforcement can interact in order to sinkhole a domain one is at the TLD server level with the registries and the other is at the authoritative name server with the registrars and at those two levels the records could be changed to send a different IP address back for Joe's cakes one that might go to a sinkhole and log where all the victims are so let's have a quick look at how law enforcement order themselves essentially at the top tier for coordination you have Interpol and Europol although in theory Interpol sits above everything in reality these two units certainly for cybercrime operate side by side in addition for the US with the FBI and Secret Service and so on they could be viewed as on par as well when it comes to practical sense albeit the true coordinating features sit with Interpol and Europol Europol has a unit called the JCAT the Joint Cyber Action Team they are a group of law enforcement from across European agencies and a few other countries including the Five Eyes countries and they will assist with practical engagement with the operational teams in their countries there is a tier below that of Afripol and Ameripol and so on these are less operational and tend to be more administrative although at a local level they may coordinate operational work as well beneath these you'll have national law enforcement bodies of which there are literally hundreds under each national law enforcement body there will be regional bodies that collate law enforcement constabularies and police services etc that operate at the very local level so it's a tiered approach the thing to remember with law enforcement is they tend to work from the victim up so they will have a report of crime which they then have to investigate so it invariably starts with local law enforcement and depending on the severity of the crime it will move up through this stack and of course most countries law enforcement work alongside prosecutors so if you're engaging with law enforcement from the private sector you may well find yourself speaking to prosecutors as well as law enforcement officers. The prosecutor's priority is to build cases for presentation at court whereas law enforcement is to investigate the crime and find the evidence and the two systems have to work side by side because this is a bottom up approach there's a lot of bureaucracy there are a lot of local jurisdictional rules sharing is not always easy it's not always fast and at many levels law enforcement are under resourced and technically poor it's true to say that very often law enforcement lose their best and most capable officers to the private sector where they can go and earn much more money for much less risk so there's a high churn of officers involved in this as well it makes sense to bear in mind how difficult it is for law enforcement to maintain investigations particularly long term investigations when budgets are tight and results are forever a pressure placed on law enforcement by the public and the paymasters so when it comes to getting your information to law enforcement you've got a number of different ways it might happen you might use a tip line, these tend to be anonymous but they have the drawback of no communication or poor communication it's not really a conversation it would be more where you would drop information and move on you could be a witness at the opposite end where you'd write a statement you may be called to give evidence in a court of law and explain what you've put in that statement and prove to the court that what you're saying is the truth you might be an informant an informant would act more covertly you would maintain anonymity informants can get authorities to take part in a small way in certain crime but you'd have to check those restrictions with the law enforcement you're dealing with because you'll be limited to what they say you can and can't do law enforcement might also issue a subpoena or a court order with these there are consequences if you ignore them you may end up in contempt of court which is not a good place to be so always take advice and my recommendation is always to respond you should also be aware of jurisdictional concerns so where is that request coming from if you're receiving a request direct from a different nation you may want to check with your local law enforcement or take advice from lawyers in your company or organisation because it may be that it's legal for them to ask in their country but it wouldn't have been legal for you to have been asked in that way in your own there may be other legal concerns as well so are you under a conflicting duty have you got to observe domestic legislation which might be at odds with answering the question that's being asked of you so again take advice one of the things law enforcement will always be interested in is a chain of custody which is the idea of being able to prove that the evidence hasn't been tampered with between the time it was gathered and the time it gets presented so evidential standards vary but pretty much this is universal if anything ends up at court you've got to be able to show that what is presented is what was found at the time and finally you should be aware of the concept of disclosure or discovery in the event that someone is prosecuted many countries have laws which say that the defence are entitled to know information even if it's not used directly in the prosecution particularly if that information might assist the defendant or undermine the case so you should ask if disclosure or discovery applies if you give information over because it might mean what you're passing is passed to the criminal defence team in the event of anyone being prosecuted my advice is always keep a log of who you're speaking to, what you've got, how you found it etc and if you haven't written something down write it down at the earliest opportunity never interfere with potential evidence so if you see something that you believe tends to prove a crime you should let law enforcement evidence it rather than you do anything yourself unless it is actually your role to do so it may be your role is to shut down a website or to take some action in which case do what you're paid to do if you're unsure, seek advice and remember what's legal in one country may not necessarily be legal in another so again you're not expected to be the legal expert in all countries but you should be asking questions and law enforcement will appreciate you asking those questions let's have a look at top tier cybercrime so this is a rather old diagram now that I drew back in 2015, 2014 and it was used to explain the processes that were happening with the Gameover Zeus botnet a major botnet at that time it can be found in open source at the presentations from the BotConf conference in 2014 December time on that link it is still a very useful diagram to explain what we saw back then and to give you a start point to understanding where we are today so if we talk through this image along the bottom we have the victim's bank account which has been controlled by the victim's computer which has been infected and we can see that there is a money transfer from the victim's bank account that has gone into a number of mule accounts or accounts that are being controlled by the criminals and if we look at the very top there is the malware coder the person who has written the malware that has infected that device now this was very much the setup of the system that we saw in the large banking trojans a few years ago now what we understood was that if you want to infect lots of computers which is what these criminals aim to do create large botnets the malware coder had a number of choices they could either use spam or they could use a watering hole attack they could send emails or they could use websites they would check to see if your browser was vulnerable and if so push malware straight onto your computer but in order to maximise the number of victims that you could expose to the attack they would use a subgroup of criminals called traffic sellers and these are just people who can provide you large numbers of potential victims they might be the people who control all of the hundreds of thousands or even millions of email addresses that they are going to send spam to or maybe they are people who are organising the adverts that are going to drive potential victims to the websites where the exploit kits are hosted and try and infect the computers so we are starting to see that there is a modular nature to this there's malware coders, there's traffic sellers if we go down the spam route when you send an email you don't just send the full piece of malware it would be too large you send a small piece of code called a loader and there is another subgroup of criminals who specialise in writing loaders and for the exploit kit route there are exploit kit writers another subgroup of criminals and then before you push anything out into the wild you want to use the services of crypters these are people who will look at the code whether it's a loader or the exploit kit or the actual malware and they will look and see if antivirus products are likely to pick it up the crypters will morph the code by putting in some comments or changing the order of things to alter the signature and try and defeat antivirus services they in turn will use the services of counter AV services these are black market services that will check your code to see if antivirus software detects it and if it doesn't that's the point at which you want your spam campaign or your advertising campaigns to start running if you've done all of these steps correctly you will end up with a large number of infected computers but an infected computer still doesn't help you you need some way for it to communicate with the backend servers that you're going to run so if we look in the cloud shape in the middle you can see that we have C2 servers command and control servers these are the servers that control the whole botnet they know where everything is and you can configure it from there you might have malware servers these are going to be where the actual full payload of malware is downloaded from by the loader so once the loader gets onto a victim's computer it will infect the computer and cause it to call out and pull down the malware malware servers are often compromised websites where the criminals will just drop their code and allow it to be called down from there and there's a high churn because they're easily detected and then of course if you get a very large botnet you might want to use it for different things, you might want to use some of it for denial of service attacks or you might want to sell portions of it so you'll have configuration servers to keep everything updated you might have web inject servers these are servers that provide lookalike web pages pages that pretend to be a bank or a building society or some form of login and they're designed to harvest the credentials of the victim and these web injects are written by web inject writers a sub-breed of malware coders who specialise in developing these particular pieces of code there's a high churn because banks are very good at detecting them and then of course there will be exfil servers, these are servers which are there to dump any data that you've managed to harvest from the victim's computer and essentially they're the point of this system it's to get that information to somewhere where you can work on it and because these servers and I should say they might all be on the same box they might be on different boxes they're usually on very different computers in different countries but they could all be the same thing they're just different functions you want to hide those behind tiers of proxies so the first layer of proxies is very often IoT devices, internet of things that have been compromised like DVD players or security cameras that sort of thing they're plentiful, they're often very insecure and easy to manipulate and act as a proxy layer the second tier of proxies are more often paid for servers because you want reliability in them but you'll pay for them using stolen credentials so they're not going to cost you anything and if they're taken down they're easy to replace this is quite a complex infrastructure to maintain so you might use the services of a bulletproof hoster so the bulletproof hoster will maintain your network make sure it stays up and when there are abuse notifications or queries from law enforcement they will on one hand look to do the right thing and help and take things down but all the while in reality in the background they're rerouting servers and allowing things to pop up elsewhere in order to keep the system running but once you've got your running botnet and you have the communication with it and you start getting the data through to the exfil servers this is where the real people in charge the drop organisers who aren't necessarily the malware coders but this is where the drop organisers will interrogate the data and decide what they want to do with each infected computer they might identify bank account details or means to compromise them and they would tell the mule herders the people who control those money laundering accounts what needs to be stolen from which computer, how much and so on and in return there will be a cash out route to get money out of the system and a large chunk of that will go to the drop organisers the rest of it might be used to pay off the malware coders, pay for services pay the mule herder and that large number of people involved in that system what we've also seen is that when criminals get to a certain tipping point they will start using the reshipping route or reshipping scan and basically that is using the money that's been stolen to buy white goods and computer and high value goods often in America but certainly in the West and ship them often to Russia or prior to the current troubles to Russia from America but essentially from West towards the East or anywhere that they can be sold on a black market the advantage of this is not only do you increase your profits but you launder your proceeds at the same time now what we saw with Game Over Zeus which was the particular case where we developed this model was that there was a fallback ransomware being used at the time it was Cryptolocker it wasn't the first ransomware but it was very effectively used in this case and if there was a computer that had been infected that didn't have access to banking credentials or could be easily used in any other way then ransomware would be deployed and the owner of the computer would be extorted to pay in order to get their photographs or their data back now if we move forward a little way in time closer to where we are now we discovered that the ransomware was actually taking over part of this is because it deployed cryptocurrency which was very quick to move and it was a direct path for stolen money through to the technical people who were writing and deploying the code now what the drop organisers realised is that actually if you've got this pathway you don't need to worry about the old fashioned money mule network and all of the people that are involved in that that cash out route becomes a bit redundant because that always left you exposed you don't need to worry about the reshipping scam because there is so much money available through the ransomware route and also because web injects were becoming harder and harder to maintain because banks etc were getting better at detecting them or kept changing you don't even need those either what you do need are people with pen tester skills penetration testing skills who are able to break into networks and compromise systems and make sure that the ransomware gets a toehold in order to ransom systems but because this is such an unbelievably lucrative area there's more capacity there's more money that can be stolen than there is capacity for these small groups to steal themselves so they offered it up to affiliates so people who are not necessarily coders or have particularly high end skills but can pay to use the whole system and will pay a percentage of whatever they get from the ransom for the benefit of using it and also there is a new group of criminals access brokers what they do is they specialise in breaking into networks then selling that access into these groups to either be sold or auctioned off to affiliates or sold directly to affiliates who then come into the groups and utilise that information in order to deploy the ransomware so what we now have isn't the banking trojan business model this is the ransomware as a service model which is far leaner than the old systems it is far more profitable and because it's using cryptocurrency it's far harder for law enforcement to keep tabs or trace the money or claw anything back so where are we today? we're today where the ransomware as a service model has taken over from the old banking trojan style crime it has introduced the concept of affiliates people who are not technically capable or extremely clever in that sense of the word that they could just be routine everyday criminals buying a service and because they can carry out the negotiations etc and they pay from a percentage of their profits they've proliferated and they can operate in just about every country we also have the concept of initial access brokers who may well be the people who've made the original breachhead into a victim system and they too are specialists selling their wares to anyone who will buy them so the net result of this is we have a huge Gordian Knot type problem it is global it involves ransomware groups affiliates, access brokers and victims all around the globe with law enforcement investigation teams starting from each victim up the whole system is complicated because it's massively under reported essentially all we know is what gets published on the ransomware leak sites from the outside and it only appears in a leak site after the victim has refused to pay at the first opportunities it's a ratchet system where they'll keep adding jeopardy to the victims until hopefully for the criminals the victim breaks and pays up and because of the obfuscation of the system and the difficulty in understanding what's truth and what's not truth from the criminals who often use bravado we've even had examples of criminals offering discounts to people who would tattoo their logos onto their bodies we have a highly active crime type that is transglobal it has high media interest and the cryptocurrency makes it ever more difficult for law enforcement to actually investigate it that's not to say there aren't leads that can be obtained through cryptocurrency but it only works if they share information but it also only works if you work in collaboration with the private sector who have the best information on these sort of things so what are the key takeaways if we look at the problem we've got now hopefully I've made the case that the best way forward is public private partnerships public bodies, law enforcement they have the coercive powers that are necessary to get evidence and get intelligence that can't be obtained by the private sector whereas the private sector have the ability to act at scale act more agilely and obtain data that law enforcement can't see because it's coming from multiple jurisdictions but all of this only works if you can build trust and the fundamental thing you need to have in a public private partnership is trust and trust requires, in my experience human to human meetings it's very difficult to build trust with anyone just over a virtual meeting you need to have shared secure communications because parties have to be able to trust each other and that includes the use of things such as handling codes because handling codes add to trust but they also add to security there is the principle of need to know not nice to know everyone has to appreciate that from both sides when we work with law enforcement we observe the primacy of the senior investigator so we will never do anything that might jeopardise a live case we will never report anything, blog anything or share information without permission without speaking with the senior investigating officer first to make sure our actions won't undermine it both sides need to avoid information black holes and remember that sharing is a two way process I've seen instances in the past where law enforcement just absorb data and never share anything back or never provide any feedback very quickly private sector get bored of working in these sort of environments and they will tend to work with those that are more engaged than those that are not each side should play to their strengths there are things that the private sector can do and the pace at which they can act which law enforcement may not be able to match but equally as I've said law enforcement has powers of coercion and court powers etc that private sector can only dream of and overall this doesn't need to involve money this doesn't need to involve anything more than the offer of giving credit where credit is due so we impress on law enforcement the importance of thanking publicly any support they've given should those companies ask for that support to be demonstrated and vice versa any blogs, any write ups by the private sector should credit law enforcement for the work that they've done in achieving these aims collectively we call these the magnificent servant principles but time and again they've held true and they are a good set of core principles to observe should you find yourself in the public private partnership please feel free to reach out to me at Shedder Server should you want any more information coming from this presentation thank you very much
