Most organisations are, understandably, focused on either preventing successful malicious cyberattacks or mitigating their effects. One area that hasn’t received as much attention but is, arguably, equally important, is sharing information to help law enforcement agencies track down and prosecute cybercriminals.
To achieve this, cybersecurity experts need to conduct malware analysis and research to gain a deeper understanding of how specific malicious online activities work. They can then share this detailed technical information with law enforcement agencies to facilitate their investigations. This information can even lead to arrests.
For example, the 2015 Dorkbot attacks infected more than a million PCs spanning multiple, independent botnets. Working with Microsoft and other partners to combat Dorkbot, malware researchers automated the process of extracting command and control information from Dorkbot binaries. This was applied to existing Dorkbot samples. The results were then manually sanitised to remove known sinkholes and clean domains, mitigating the risk of taking down legitimate resources.
Microsoft merged that list with its own data, creating an exhaustive list of all the active command and control servers to target so as to disrupt the Dorkbot network. This information was relayed to law enforcement agencies across the USA, Canada, and Europe. These agencies coordinated to execute warrants and takedown notices simultaneously. Since then, there has been a sharp decline in Dorkbot activity worldwide.
Making life difficult for cybercriminals is a crucial element in the fight against malicious attacks. When organisations are better protected against cyberattacks, some cybercriminals will seek other, easier targets. Collectively hardening defences across the internet can help create a kind of herd immunity whereby all but the most determined cybercriminals are disincentivised.
There are three key elements of using law enforcement techniques to reduce cybercrime and make the internet a safer place:
1. Increase the effort involved in offending
Coordinated disruption campaigns like the one against Dorkbot disrupt the attackers’ operations and force them to consider new strategies and techniques. Increasing the effort required to launch cyberattacks makes it more expensive and more time consuming for cybercriminals. However, there is unlikely to be a corresponding increase in the monetary reward for such attacks, so cybercriminals’ margins become squeezed and, ideally, untenable.
2. Reduce the rewards of a successful attack
When cybercriminals realise that run-of-the-mill attacks yield ever-diminishing returns, they may become less likely to mount these attacks and, instead, focus on narrower opportunities. This, in turn, means that cybersecurity professionals and law enforcement agencies can concentrate their resources on the most dangerous attacks.
Reducing the rewards of attacks may force smaller players out of the cybercriminal game altogether, although it would likely see a consolidation of sophisticated, corporate-like networks of cybercriminals. This could lead to larger, better-funded cybercriminal organisations that pool their resources to target high-value opportunities. Cybersecurity experts must, therefore, focus on continuing to close the gap, offering fewer opportunities for lucrative attacks.
3. Increase the risk associated with offending
Cybercriminals are, by definition, committing crimes. These crimes often carry prison sentences. For example, ESET helped the United States Federal Bureau of Investigation (FBI) identify and apprehend a Russian citizen named Maxim Senakh for his part in an attack that infected tens of thousands of Linux servers. Senakh was arrested by Finnish authorities at the Russian border while returning to Russia from vacation, and he was then extradited to the US where he was tried and sentenced to 46 months in prison.
As more cybercriminals are brought to justice, have their luxury boats, cars and homes confiscated, and serve prison sentences or pay huge fines, the risk versus reward calculation becomes tighter. Organisations can contribute to this by sharing technical information with law enforcement agencies to help them successfully investigate these criminals and build stronger cases. This can help lead to more arrests and more convictions.
The rate of arrests has already increased, with dozens of cybercriminals being arrested this year.
Fortunately, the odds are good that cybercriminals will eventually make a mistake that leads to their downfall. To commit a successful cybercrime, the perpetrator must launch the infection campaign, monitor its status, update the malicious components, register domain names for hosting these malicious services, monetise the operation, manage their co-conspirators, and never make a mistake. But it only takes a single error to bring it all crashing down. For example, the cybercriminal just has to connect to the wrong server before enabling a VPN or Tor connection and they can be immediately identified.
Even when cybercriminals take advantage of non-extradition countries, the chances are good that, at some point, they’ll reveal themselves and some interested law enforcement agency will arrest them. Therefore, businesses mustn’t give up the fight against cybercriminals who seem to operate in an anonymous shadow-world. Instead, they should cooperate with their security product vendors and law enforcement agencies and provide as much technical information as possible to help bring such criminals to justice.