National Cyber-Forensics & Training Alliance

About the NCFTA

The increasingly complex and ever shifting pattern of cyber threats demands a new and collective response.  The sheer increase in cyber threats requires a paradigm shift in our thinking and approach to address the rapid changes in attack vectors and methods.  We have to constantly evaluate our security posture to ensure we are agile, resilient, and prepared.  This is truly a highly connected world and an unprecedented evolution in Internet global connectivity.  With this highly connected world comes a dramatic increase in cyber crime, which demands thought leadership in defending and protecting our intellectual property, customers, citizens, businesses, and nations.  Each of us, as responsible stakeholders, plays a role in the mission to fight cyber crime.  We need a comprehensive and collaborative approach.

 Addressing cyber threats has become increasingly difficult.  Organizations must rapidly identify and leverage the most complete intelligence, be proactive and vigilant.  This makes collaboration and cooperation between private industry, academia, and law enforcement essential to their continued success and effectiveness.

 The National Cyber-Forensics & Training Alliance (NCFTA) is a non-profit corporation focused on identifying, mitigating, and ultimately neutralizing cyber crime threats through strategic alliances and partnerships with Subject Matter Experts (SME) in the public, private, and academic sectors. Ever vigilant in uncovering emerging cyber threats, we share threat information and (SME) resources on a real time basis across all sectors and all of our partners via multiple communication channels. 

 One of our most valuable and effective means of communications is our verbal, face-to-face communication that happens daily, in an environment where we have built trust and trusted relationships.  Our efforts are proactive and preventative, enabling us to give early warnings relating to cyber threats and transactions, assisting our partners in protecting their brand, reputation, shareholder value, economic losses, and customer confidence. 

 In an effort to streamline intelligence exchange, the NCFTA regularly organizes interaction into threat-specific initiatives. Once a significant cyber crime trend is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with industry partners, appropriate law enforcement, and other cross-sector Subject Matter Experts. Each initiative analyzes real-time resources to identify threats, threat actors, and provide intelligence to law enforcement to neutralize the threats. Through NCFTA initiatives, hundreds of criminal (and some civil) investigations have been launched, which otherwise would not have been addressed.  Currently, NCFTA has aided in successful prosecutions of more than 300 cyber criminals worldwide.  Furthermore, NCFTA has produced more than 800 cyber threat intelligence reports over the past three years alone to support these initiatives.

 It is through our vision, passion, and execution with public and private collaboration that we have enjoyed this success.

NCFTA Objectives

We rapidly build intelligence so that the threat can be:

1.      Identified – who is involved and where they are located?

2.      Mitigated – stop it from spreading.

3.      Neutralized – defused through:

ü  Seizing assets, funds, dismantling infrastructure, and making arrests

ü  Proactive law enforcement engagement

ü  Implementation of interim technology solutions

ü  Shared tools and techniques

This combination enables our partners to protect their brand, reputation, shareholder value, economic losses, and customer confidence. 

Results-Focused Partnerships

Our membership is constantly growing both domestically and globally across private industry, law enforcement, government, and academia.  The NCFTA has a proven track record and is a model for centers like ours around the globe.  We are focused on collaborating, cooperation, sharing, execution, and results.

What will the NCFTA provide for participants?

ü  A physical forum to meet with NCFTA analysts, law enforcement, scholars, and peer firms

ü  Dedicated staffing, including a program manager and analysts, specializing in each initiative

ü  Focus Group meetings for each initiative

ü  Intelligence feeds built and maintained by the NCFTA

ü  Monthly initiative calls, to include updates on trends, law enforcement efforts, and gaps needing attention

ü  Numerous contacts to help inform and encourage coordination within law enforcement agencies working elements of similar cases

ü  Assessment reports based on NCFTA  intelligence, including focused benchmarking and success metrics on each initiative

Initiative-based Models

The CyFin Program is dedicated to cyber threats targeting the financial services industry.  NCFTA has combined several ongoing and increasingly overlapping initiatives into one broader “umbrella” initiative named CyFin. This name was chosen to reflect the broader topic of “Financial Crimes over the Internet” and, in part, to reflect increased tendency of international organized cyber-criminals to rapidly “siphon” victim accounts via a variety of social engineering techniques as well as the use of malware and keystroke loggers.

In moving this initiative forward, refined information sharing and triage tools have been developed, and teams of dedicated analysts and investigators have been assigned to this endeavor. Partners in this effort include a growing list of financial services organizations, on-line merchants, anti-virus companies, payment/payroll processors, and telecommunications providers. Similarly, a growing team of federal and international law enforcement is regularly enlisted in support of this cause.

Brand & Consumer Protection Program: The utilization of the Internet for the sale of counterfeit merchandise is a serious problem for US manufacturers and customers. In order to aid in the mitigation of this problem, NCFTA has partnered with the National Intellectual Property Rights Coordination Center (NIPRC) to provide comprehensive and actionable intelligence on individuals/groups involved in the distribution of counterfeit merchandise. The initiative aims to work with industry members and law enforcement to identify pertinent targets affecting multiple organizations and provide mitigation for those members.

 NCFTA utilizes cyber forensic tools and methodologies to provide intelligence on the actors and key infrastructure components, in support of criminal and/or civil investigations, regarding the sale of counterfeit merchandise. Additionally, NCFTA strives to engage additional industry partners in order to better facilitate communication between industry and law enforcement to aid in the goals of identification, neutralization, and mitigation.

The Malware & Botnet Program is dedicated to better understanding the technology and identifying individuals or groups who utilize malicious code to enable crimes. The NCFTA maintains a collection of data regarding malicious code incidents, the network architecture being utilized to execute the schemes, and the communication channels implemented in these architectures.

NCFTA technical teams analyze this data to -among other things- identify criminal hosting providers that allow malicious code to be distributed through their servers. The data is also correlated with other datasets in order to link malicious code incidents with other cyber crimes, such as brokerage fraud, economic espionage, phishing, and other types of credential theft. In doing so, the NCFTA seeks to identify trends or patterns within the data repository that will help to better detect such threats in the future and to assist in mitigation and neutralization efforts together with NCFTA partners.

To further advance this initiative, NCFTA analysts participate in a number of operational security communities and working groups that focus on cyber threats associated with malicious code. In doing so, NCFTA staff members continually seek to strike a delicate balance between monitoring for investigations and aggressive mitigation when appropriate, to protect partners and other US economic interests.

Understand the Threat

 The Cyber threat has no boundaries.  The threat actors we see are often organized crime rings driven by money, without a care for exploited people, businesses, or governments.  Their actions typically fund drug trafficking, human trafficking, child exploitation, terrorist activities, and many other illicit actions.  They will even share their expertise and resources among each other to improve and expand their activity.  Finally, the threat actors often know the rules and regulations better than we do and will even leverage certain aspects of the regulations to avoid detection.

Share Information and Resources

 At NCFTA, to better combat the threat, our focus needs to be on what we can share, not what we cannot share.  In order to have an impact, we must work together across industry, academia, government sectors, and countries to collaborate and cooperate with a mutual goal of improving our security posture.  We all play a role in protecting our citizens, businesses, and nations from cyber threats.  There is no one company, agency, or country that can do this alone.

Embedded Public and Private Partners

The NCFTA is a productive environment because we operate as one unit with our private and public sector partners.   Our partners are located both on-site and off-site and come from private industry, law enforcement, academia, and government.  They collaborate with our Research Analysts, Program Managers, and support staff to achieve our shared vision and mission. 

It is a model that works; a model being replicated across the globe.  In fact, we have partners in other countries looking to establish this model and they are working directly with NCFTA to learn best operational practices.  Through this global collaboration, NCFTA is able to expand our intelligence and information-sharing capabilities to discover emerging trends worldwide.

 To find out more about how you and your organization can become a partner, contact us at [email protected].

One Team, One Goal.

Companies, Government, And Academia

Working Together To Neutralize Cyber Crime.

NCFTA Cyber Alerts


The National Cyber-Forensics and Training Alliance (NCFTA) is pleased to join Target, the National Cyber Security Alliance (NCSA), and the Better Business Bureaus (BBB) to form a coalition to assist in educational awareness of cyber threat activity affecting all consumers.   

When Target approached the NCFTA to be a part of this coalition, we were thrilled and honored.  Target has a long standing history and distinction of trust and doing the right thing.  Their approach to this adverse situation is not surprising, given their core values as a company and their commitment to communities.  The NCFTA is very proud to work with such trustworthy national organizations like Target, the BBB and the NSCA towards a safer cyber future for everyone, consumers and businesses.

In today's highly connected digital world, it is more important than ever for people to be more vigilant in regards to their cyber hygiene.  Education, knowledge and awareness to all of the schemes and techniques are critical to protect ourselves.  None of us are immune – from a personal or business perspective – but all of us can take steps to educate ourselves against the threats.  Cyber threats are constantly evolving and increasing complex.

Now, it is more important than ever to teach and spread the word to employees, friends, family, how to protect themselves from cyber criminals and threats.  When Target considered NCFTA as part of this coalition, we were truly honored to work with the BBB and NSCA in this worthy effort. 

Target’s Newsletter – “A Bullseye View”:

Target’s Website:

National Cyber Security Alliance:

Better Business Bureaus:

FBI looks for partnerships to counter Cyber threat

Government Security News
Mueller pointed to the National Cyber Forensics and Training Alliance as a model for private industry and law enforcement collaboration.

Press Release: Pennsylvania Governor Tom Corbett, FBI, Department of Homeland Security, and United Kingdom Officials to address government and industry collaboration on fighting cyber threats

FOR IMMEDIATE RELEASE Contact: Fleishman-Hillard Alex Kepnes, 703-575-8900 [email protected]   PENNSYLVANIA GOVERNOR TOM CORBETT, FBI, DEPARTMENT OF HOMELAND SECURITY, AND UNITED KINGDOM OFFICIALS TO ADDRESS GOVERNMENT AND INDUSTRY COLLABORATION ON FIGHTING CYBER THREATS   Forum to Focus on Steps Industry and Government Must Take to Address Cyber Threats at National, State and Local Levels   [...]

Tax Refund Spam

Individuals should be vigilant of emails concerning tax refunds. Fraudsters consistently send spam appearing to be from the IRS and financial institutions containing a link to a phishing website and/or malware typically during tax season in the US. Fraudsters then attempt to either socially engineer potential victims and/or infect their computers in order to gain [...]

Email Compromise and Wire Fraud

The NCFTA, along with its law enforcement and industry partners, has observed that cyber criminals are gaining access to compromised email accounts and leveraging the relationship between the email account holder and their financial advisor to request unauthorized wire transfers. The criminals either use the existing email address or slightly change the email address by adding or supplementing a letter or number. The criminals then typically attempt to socially engineer the advisor through stories of hardship or loss in order to justify the wire transfer.

Once the criminals have verified the amount in the account, they request that funds be sent to bank accounts in the US, Australia, and Malaysia. Some of the funds sent to US and Australian accounts have ultimately been sent to Malaysian accounts. Some of the money mules were recruited by romance scams on dating websites. Banks, brokerage firms, and credit unions of all sizes have been affected by this scam.

Please see for additional information on this scam and guidance on how to report such incidents to law enforcement.