For the concluding part of this two-part series, we spoke with security researcher Anthony Kasza about the challenges facing financially-motivated criminals as they try to stay anonymous online.
It’s not a controversial statement to say that the Internet has seen rapid growth in cybercrime. However, OpenDNS Security Labs researcher Anthony Kasza illustrated in an interview earlier this week that in many cases the same trends that allow criminals to scale their operations also make it easier than ever to expose them.
The Risky Business of Cybercrime
The fundamental conflict for cybercriminals, Kasza said, comes from the need to reach out and attack others in order to make money, while keeping those profit-making activities as low profile as possible to avoid arrest.
“It’s all about your strategy,” he said. “If you’re financially motivated, it’s just like a business. You need some kind of strategy for making money off of it. You can scam people. You can be a provider that sells [malware] installs to someone else. You can have a big botnet, and the only way that you make money off of it is by sending spam. No matter how criminals turn a profit, the very act of running a botnet or distributing malware exposes their infrastructure to scrutiny.”
Criminals who go for broke with large operations tend to draw attention from international law enforcement agencies. The history of botnet takedowns contains many examples of high-profile criminal networks that did exactly that. The Ramnit and Citadel botnets are both examples of how the size and volume of financially-motivated crime eventually bring about its demise.
“You can adopt the strategy of ‘hit really hard, really big’ or you can adopt the strategy of ‘death by a thousand duck bites,’” Kasza said, noting that after a high-profile data breach criminals likely need to “go underground for a while” to avoid attracting attention.
Kasza also noted that complexity is another barrier to criminals hiding their activities online. Essentially, today’s financially-motivated criminals assume all of the overhead of running their business — such as staff, capital expenses, and working with third-party vendors — but without widely advertising their operations. They also operate without the legal protections that most of the legitimate economy relies on to do business.
“Think about [cybercrime] like a business,” he said. “Would someone want to develop their own malware in-house, or do they want to buy it from someone? If they buy it from someone, there’s still a risk that their vendor is going to mess up, which often leaves them with no recourse.”
He added that even in jurisdictions where cybercrime is tolerated, criminals can face significant operational setbacks when law enforcement seizes servers, sinkholes command-and-control domains, or a security company reverse engineers their malware.
Sometimes these operational setbacks follow criminals for years. In July of last year, for instance, security researchers were able to quickly connect a new malware campaign with an attempt to resurrect the Gameover ZeuS botnet because of similarities in the code base between different generations of the malware: code that had already been reverse engineered once gave the new campaign away.
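The Gameover ZeuS case above illustrates the general technique of attributing a new sample by measuring how much code it shares with samples already on file. The following is an added example (not code from the article or from any research group) that implements the simplest form of that idea: tokenised disassembly is cut into overlapping n-grams and compared with the Jaccard index. All three samples are constructed for illustration and stand in for disassembly; `rc4_init`, `rc4_crypt` and the label names are invented and have nothing to do with real Gameover ZeuS code.

```python
"""Code-reuse attribution via n-gram Jaccard similarity.

Added example, not from the original article. The "samples" are
constructed lists of instruction tokens standing in for disassembly.
"""
from __future__ import annotations

from typing import Iterable


def ngrams(tokens: Iterable[str], n: int = 3) -> set[tuple[str, ...]]:
    """Return the set of overlapping n-token windows in a token sequence."""
    seq = list(tokens)
    if len(seq) < n:
        return {tuple(seq)} if seq else set()
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |a ∩ b| / |a ∪ b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: Iterable[str], y: Iterable[str], n: int = 3) -> float:
    """Fraction of shared n-grams between two token sequences (0.0 .. 1.0)."""
    return jaccard(ngrams(x, n), ngrams(y, n))


def attribute(sample: list[str], corpus: dict[str, list[str]],
              threshold: float = 0.5, n: int = 3) -> list[tuple[str, float]]:
    """Return (name, score) pairs from corpus that score >= threshold, best first."""
    hits = [(name, similarity(sample, known, n)) for name, known in corpus.items()]
    return sorted([h for h in hits if h[1] >= threshold],
                  key=lambda h: h[1], reverse=True)


# Constructed shared core: a routine carried over unchanged between generations.
SHARED_CORE = [
    "push ebp", "mov ebp,esp", "sub esp,0x40", "push esi", "push edi",
    "mov esi,[ebp+8]", "xor eax,eax", "mov ecx,0x20", "mov dl,[esi]",
    "rol eax,7", "xor al,dl", "inc esi", "dec ecx", "jnz L1",
    "mov [ebp-4],eax", "call rc4_init", "lea edi,[ebp-0x40]", "mov ecx,0x10",
    "rep movsb", "call rc4_crypt", "pop edi", "pop esi", "leave", "ret",
]

# Generation 1 and generation 2 differ only in the glue around the core.
GEN1 = ["jmp main", "nop", "nop"] + SHARED_CORE + ["push 0x1", "call Sleep", "ret"]
GEN2 = ["call get_config", "test eax,eax", "jz fail"] + SHARED_CORE + ["push 0x2", "call ExitProcess"]

# An unrelated sample that only shares a common function prologue.
UNRELATED = [
    "push ebp", "mov ebp,esp", "push ebx", "mov ebx,[ebp+8]", "push ebx",
    "call strlen", "add esp,4", "mov ecx,eax", "xor eax,eax", "test ecx,ecx",
    "jz done", "lea esi,[ebx+ecx-1]", "mov al,[esi]", "cmp al,0x2f", "jne done",
    "mov byte [esi],0", "dec ecx", "jmp L2", "pop ebx", "pop ebp", "ret",
]

KNOWN = {"gen1": GEN1, "unrelated": UNRELATED}


if __name__ == "__main__":
    # The new campaign (GEN2) is matched against samples already on file.
    for name, score in attribute(GEN2, KNOWN):
        print(f"{name}: {score:.3f}")
```

Swapping the prologue and the exit stub, as the second generation does here, leaves 22 of the 33 distinct trigrams shared, so the new sample still scores about 0.67 against the old one and 0.0 against the unrelated sample. Production tooling uses fuzzy hashes (ssdeep, TLSH) or per-function hashing rather than raw token n-grams, but the attribution logic is the same: reusing a code base is cheap for the operator and exactly what lets defenders link campaigns over time.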
Working with other criminals introduces even more operational hazards. In recent years, a long list of high-profile hacker groups and criminal operations, from LulzSec to the group behind the Heartland Payment Systems breach, has been exposed by informants.
Fighting on Others’ Turf
“[Criminals] have to play Blue Team while they’re attacking someone,” said Kasza. “If you think about the way that boxing works, you can hit someone really hard, but you have to still make sure that you’re protecting yourself from getting hit, because if you miss, it’s not going to be fun for you.”
Taking the comparison back to business, Kasza said that the OPSEC best practices for criminal organizations parallel those of legitimate companies.
“If you get an ISO 27001 certification, you have to follow a set of best practices,” he said. “Same thing in cybercrime. Even criminals try to follow their own best practices as far as securing and monitoring their own infrastructure. The smart ones do that so if researchers come and start poking at their infrastructure, they can burn it all down and start over.”
In the end, though, the same basic security hygiene that is important (but hard to do well) for today’s businesses is just as hard for cybercriminals to sustain when they operate over long periods of time.
“You can do things easily, or you can do things right,” he said. “That’s what OPSEC is. It’s the balance between doing things the disciplined, painfully meticulous way and doing things the quick and easy way. Good OPSEC is difficult. The one time you slip up, you’re going to get caught. So you have to be really strict and disciplined.”