Tools and methodologies to support cooperation between CSIRTs and law enforcement
As it has been stated in the recent Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2017, p. 13), "Finding useful information for cybercrime investigations, mostly in the form of digital traces, is a major challenge for law enforcement authorities". Collaboration between Computer Security Incident Response Teams (CSIRTs) and Law Enforcement Agencies (LEAs) is key to finding such information and to fighting cybercrime. A number of attacks that hit critical sectors brought about an increased level of cooperation, partly out of necessity; the WannaCry (ENISA, 2017a) and 'NotPetya' (an updated version of Petya) attacks (Europol, 2017a) are the most recent examples. As mentioned in the Council Note of 31 May 2017 Cybersecurity - Information from the Commission (Council of the European Union, 2017a), "Conclusions drawn from the [WannaCry] attack include the need for CSIRTs, law enforcement authorities and the private sector to work together and the need for law enforcement authorities to have right tools to investigate these types of crimes and to prosecute criminals". The technical aspects, including the tools and methodologies used, are an important component of this cooperation. This report aims to support the cooperation between CSIRTs - in particular national/governmental CSIRTs - and LEAs in their fight against cybercrime by providing information on the framework and on the technical aspects of the cooperation, identifying current shortcomings, and formulating and proposing recommendations on technical aspects to enhance the cooperation. Moreover, the report presents a use case of cooperation between a CSIRT and a LEA as a real example of interaction between the different actors and of the methodology and tools used for their cooperation.
The data for this report has been collected by means of desk research, interviews with subject-matter experts, and an online survey. The data collected confirmed that CSIRTs and LEAs exchange information often during incident handling and investigations, both formally and informally, and that trust is the key success factor for the cooperation. CSIRTs and LEAs have different objectives and different ways of collecting and processing information. However, there is a growing reciprocal understanding of needs between the two communities. According to the data collected, CSIRTs are more inclined to use open source tools, the Malware Information Sharing Platform (MISP) being one example. Information sharing between CSIRTs and LEAs happens in an ad-hoc rather than a systematic manner. A common taxonomy for CSIRTs and LEAs has been developed (Europol - European Cybercrime Centre), and there are ongoing efforts towards its broader adoption and use.
| Field | Value |
|---|---|
| Year of publication | 2017 |
| Institutions | European Network and Information Security Agency (issuing body) |
| Publisher | Heraklion : ENISA |