Cybercrime- You Can’t Win Only With Defense

By Rich | October 12, 2006

I picked up the ever-ubiquitous USA Today sitting in front of my hotel room door this morning and noticed an interesting article by Jon Swartz and Byron Acohido on cybercrime markets. (Full disclosure: I've served as a source for Jon on other security articles in the past.) Stiennon over at Threat Chaos is also writing on it, as are a few others. About 2-3 years ago I started talking about the transition from experimentation to true cybercrime. It's just one of those unfortunate natural evolutions- bad guys follow the money, then it takes them a little bit of time to refine their techniques and understand new technologies. I can guarantee that before banks started buying safes and storing cash in them, the only safecrackers were bored, pimply-faced 13-year-old boys trying to impress girls. Or the guys who make the safes and spend all their time breaking the other guy's stuff. Trust me, I have a history degree.

We all know financial cybercrime is growing and increasingly organized. Unlike most of the FUD out there, the USA Today article discusses specific examples of operating criminal enterprises. Calling themselves "carders" or "credit card resellers", these organizations run the equivalent of an eBay for bad guys. And this is only one of the different kinds of criminal operations running on the web.

We, as an industry, need to start dealing with these threats more proactively. We can't win if all we do is play defense. I used to teach martial arts, and we'd sometimes run an exercise with our students where they'd pair off for sparring, but one person was only allowed to defend. No attacks, no counterattacks, blocking only. The only way you can win is if the other guy gets so tired they pass out. Not the best strategy.

This is essentially how we treat security today. As businesses, government, and individuals we pile on layers and layers of defenses but we’re the ones who eventually collapse. We have to get it right every time. The bad guys only have to get it right once.

Now I’m not advocating “active defenses” that take down bad guys when they attack. That’s vigilantism, and isn’t the kind of thing regular citizens or businesses should be getting into. Something like a tar pit might not be bad, but counterattacking is more than a little risky- we might be downing grandma’s computer by mistake.

One of the best tools we have today is intelligence. We in the private sector can pass on all sorts of information to those in law enforcement and intelligence who can take more direct action. Sure, we provide some intelligence today, but we're poorly organized with few established relationships. The New York Electronic Crimes Task Force is a great example of how this can work. One of the problems those of us on the private side often have with official channels is that those channels are a black hole- we never know if they're doing anything with the info we pass on. If we think they're ignoring us we might go and try to take down a site ourselves, not knowing we're compromising an investigation in the process. Basically, none of this works if we don't develop good, trusted relationships between governments and the private sector.

When it comes to intelligence gathering we in the security community can also play a more active role, like those guys on Dateline tracking pedophiles and working with police directly to build cases and get the sickos off the street. Those of you on the vulnerability research side are especially suited for this kind of work- you have the skills and technical knowledge to dig deep into these organizations and sites, identify the channels, and provide information to shut them down.

We just can’t win if all we do is block. While we’re always somewhat handcuffed by playing legal, we can do a heck of a lot more than we do today. It’s time to get active.

But I want to know what you think…

2 Comments

art bowker 2006-10-14
Another example of law enforcement and private sector working together to combat cybercrime is the High Technology Crime Investigators Association (HTCIA). HTCIA is celebrating its 20th anniversary of being a non-profit professional organization devoted to the prevention, investigation, and prosecution of high tech crime. We have over 3,000 members throughout the world. We come together on a regular basis through local chapter meetings and our listserv. Once a year we also have a three-day annual training conference where major networking takes place and we receive quality training through lectures and hands-on computer labs. Additionally, the biggest and best vendors will be there to demonstrate their newest products. This year's conference is being held in Cleveland, Ohio, October 30, 2006 through November 1, 2006. Attendees are registering from all over the world for this important training event and space is filling up. This year we have Keynote/Lunch Speakers from MySpace, U.S. Dept of Justice, and the Brazilian Forensic Computer Crime Unit. We also have numerous lectures and labs during the conference (five rooms devoted to breakout sessions and seven rooms devoted to hands-on computer labs).
Here is just a sample of the topics and classes:

Artifacts of Deletion Utilities
Cell Phone Forensics
Network Crime and Network Intrusions
Internet Browser Forensics
Linux/SMART Enterprise Forensics
ProDiscover Basic
Access Data FTK 2.0 Technology
Encase Tools
Investigating the Usenet: Tips and Tricks
Mac Forensics
Google as an Investigative Tool
Forensics on "Live" Running Networks and Systems
Wireless Hacking and Cell Phone Forensics
Inside the Illegal World of the WAREZ
Tool Shootout for Cell Phone Forensics
AOL Forensics
Detecting and Collecting Whole Disk Encryption Media
Access Protected Registry Forensics
Ultimate Boot Disk CD for Windows
Investigating Wireless Devices
Steganography Investigations
The Handheld - The Next Hacker Workstation
Tripping over Borders in Cyberspace - Legal Issues
Introduction to Malicious Software Analysis (Windows)
AccessData Rainbow Tables
Guide for Handling Cyber-Terrorism and Information Warfare
Advanced Unicode and Code Page Keyword Searching
Mobile IP, Secure Portable Metro Networks
Digital Crime Scene Forensics
Cyber Laundering: Informal Value Transfer Systems
Electronic Operations Traceability: A Challenge for IT Managers
Dissecting the Stream: IP Forensics
Cell/Mobile Phones: The Good, the Bad, the GSM
Volatile Data Collection from Running Windows Machines
Bypassing the Best Laid Plans: How They Steal Proprietary Information
Fuzzy Hashing - Matching Similar Documents
Proactive Forensics: The Data Before It Goes Bad
Instant Message Forensics
Detecting and Extracting Steganography
Using Back Track to Compromise a Network
CyberCrime in Brazil
Anti-forensics
Using Google Desktop in Forensic Investigation
Handheld Forensics: Cell Phones, PDAs, and Hybrids
Google Hello
Access Data Password Cracking
The Turtle Tool - Peer-to-Peer Investigations
Maresware Tools
Legal Discovery and Redaction Issues
Benefits and Risks of Undercover Internet Investig
Moving from LE into the Private Sector
Legal Issues in Civil Trials
Network Forensics in the Digital World
Benefits and Risks of Undercover Internet Investigations
Proactive Online Investigation
Malicious Software & Steganography Investigations
TCP/IP Protocol Analysis
Hacking with iPods and Forensic Analyst
Victims of Internet Crimes

This is an important training event for those serious about learning how to combat cybercrime (both law enforcement and private sector folks). The cost is very reasonable too. See http://ohiohtcia.org/conf_main.html for more details.

Respectfully,
Art Bowker
HTCIA International Secretary
Conference Chairperson
More on Strategy at RiskAnalys.is 2006-10-11
Today I found a very nice article at securosis.com (which is a really great site, btw), Cybercrime- You Can't Win Only With Defense. From the article there: We just can't win if all we do is block. While we're always somewhat handcuffed by playing legal, we can do a heck of a lot more than we do today. It's time to get active.