Time for an Internet A-Team?
Last week, I spoke to Joe Stewart, a senior security researcher at Atlanta-based SecureWorks who probably has done more than any other researcher to make life more difficult and expensive for cyber crooks.
Stewart is speaking at the RSA Security conference in San Francisco on Thursday about what he thinks can be done to institutionalize some of these efforts.
Stewart says the world needs a more concerted effort to identify -- if not apprehend -- top cyber criminal actors. He also said that ISPs need to be held more accountable when they ignore overt signs of persistent criminal activity on their networks.
What follows are some excerpts from our discussion:
Stewart: We've had some small victories here and there, but overall the Internet security community hasn't been terribly effective. We're not really stopping them.
BK: Why do you think that is?
Stewart: One of the conclusions we came to was that we tend to be a lot more focused on attacks than on the attackers. We'd like to find out who these guys are, but instead we're looking at what botnet do we have to take down, or what the latest malware is. And after that, we move on to whatever the next attack-of-the-day is. What seems to be lacking is a focus on these criminal actors, when our attention is being drawn somewhere else that allows them to regroup once they've fallen off our radar.
What we really need is to form teams that focus on tracking specific adversaries, trying multiple tactics to affect these guys' criminal enterprises. The idea is to escalate the technical measures they have to go through to keep their businesses up and running.
BK: Can you give me a couple of examples of what you mean?
Stewart: Tactics that affect their rewards...so, taking down affiliate programs, or blocking their ability to take credit cards. We need to have groups that do nothing but follow these guys around the 'Net and make it hard for them to make a living.
BK: So the idea is to raise their costs, right? But if so few of these guys pay any up-front costs - as you know spam bots and the bandwidth they use are basically free - it seems like you'd have to raise their costs substantially to make a dent.
Stewart: Every group or individual who's doing this is going to have a different threshold. If the potential reward is higher for them, they may be willing to take more risks. But [that risk increases] when we find a way to identify who these guys are and then follow them around virtually and really understand what we can do to affect their business.
BK: The longer and farther I look into the cyber criminal underground, the more I get the sense that most of this crime can be traced back to a relatively small number of key individuals. Do you think that's accurate?
Stewart: I'd agree with that. There are probably a good 20 to 25 characters who, if we removed them from the scene, would really hamper things. There'd still be lots of low-level activity, and I don't think it's reasonable to think we can target all of these guys. The goal would be to go after larger, more established professionals who are raking in the money.
BK: It seems like on one level this has been tried before. CastleCops comes to mind, and those guys were attacked and knocked offline constantly. Granted, that was an effort that was almost entirely volunteer-based.
Stewart: CastleCops was very overt in what they were doing. They had this big public Web site and were posting details of all these bad guys' operations. I don't recommend that at all. Ideally, for this to work, you want small teams that don't communicate a lot about what they're doing to the larger community.
It doesn't pay to make yourself a big target like that. The more public face you have the more heat you're going to get from the bad guys. CastleCops couldn't deal with the amount of attacks they were taking. What I'm talking about would definitely need to be more low-key than that.
BK: Okay, but the people best qualified to do this kind of thing work at companies that make money by selling products. How would those companies justify letting their brightest minds work on stuff that in the end doesn't get written about and doesn't produce a product they can sell?
Stewart: Right. So it would really have to be a dedicated group, either privately funded or government funded.
BK: So what is the model, then?
Stewart: Well, I think there are some entities, like Team Cymru, that do this kind of thing already, who get grants to pay people full-time to do this kind of legwork.
BK: This sounds like a fine idea, but what about the other half of the equation - the Internet service providers and Web hosting companies like McColo, Atrivo, and others who turn a blind eye to this kind of activity on their networks?
Stewart: That's actually what the second half of my talk is about. We've talked so far about the short-term plan, the whole offense-in-depth thing. Longer term, we need to have more accountability in the networks that are out there. There are some places that are safe havens for these guys and they know it and gravitate to those places.
BK: So, what's the answer to that second part? New laws aren't going to do much.
Stewart: Exactly. Ultimately, I think we're going to need to have some sort of global treaty where networks are made to be responsible. What I would like to see is a model where every country has a computer emergency response team that works like the CERT in South Korea. Not like the United States CERT, which is more of a clearinghouse of vulnerability information. South Korea's CERT has the authority to tell an ISP, hey, you're hosting malicious content, a botnet, phishing site, whatever, take it down.
What I'd like to see is a different situation where you have one global authority that acts as a clearinghouse of data for abuse complaints, and then filters those and sends them to the appropriate country-level CERT for action.
BK: But how would that work? What incentive would there be for countries to participate? And how would you keep the system from being abused by intelligence and law enforcement agencies?
Stewart: I think if there were enough pressure by the larger companies that provide transit to the smaller ones, pressure for them to sign such a treaty, it could work. The fact is that the level of Internet abuse we're seeing right now has gotten so bad that we really do need a treaty like this now. And being a network that is the source of abuse would not necessarily be what gets you disconnected. The focus would need to be on those networks that foster abuse and also are unresponsive.
I also think it could work if you were to include some pretty strong language in the treaty that ensures this is focused on Internet abuse and network abuse, and that this isn't about creating something like the Internet police.
BK: You raise an important point. A lot of the investigative activity you're describing...I'm sure many folks would consider this to be the purview of law enforcement.
Stewart: Law enforcement's job is to put bad people in jail, whereas our offense-in-depth approach is to discontinue the cyber crime model for these criminals. We're actually fine if [the bad guys] decide to move into another line of work. Putting them in jail would be nice, but we have to recognize that we probably can't do that in a lot of cases, given the current political climate in a lot of countries.
Law enforcement is not geared to do deterrence: Their one goal is to put someone in cuffs at the end of the day. Disruption is our main goal.
BK: But what about some of the things that you envision this crime-busting group doing? Would some of those activities rise to the level of something you'd only want to see from law enforcement?
Stewart: The things we're doing now, albeit in a scattered way, are legal. We're not DDoSing people off the Internet. We're getting upstream Internet providers to kill their connection. It's totally doable and we're proving that with things like recent network takedowns that you've been instrumental in. But the other side of a takedown is not to let these guys crawl away in the dark and start something up somewhere else.
BK: Sounds like this could be an expensive operation you're talking about here. How much would be involved and how many people would it take?
Stewart: For each crime group you want to go after, it would probably cost about a half-million dollars a year to fund the people you want to do this as their full-time job. And I think professionals capable of following the leads at this level are going to cost a certain amount. I'd say a team of anywhere from four to ten people would be ideal. As far as resources, they'd just need resources from a network standpoint from which to stage their activities. This would mostly be about time and dedication.
BK: So, if someone were to come forward with a big fat grant to make this a reality, you'd be among the first to quit your job to sign up, right?
Stewart: [Laughs]. No, I'm an idea guy. But if someone says 'Hey Joe, want to serve on [President Obama's] cyber security panel?' I'd be happy to do that.
What do you think, dear readers? Is Joe crazy, or is he onto something here? How would your strategy be different? Sound off in the comments below.
April 22, 2009; 1:05 PM ET