Time for an Internet A-Team?

Last week, I spoke to Joe Stewart, a senior security researcher at Atlanta-based SecureWorks who has probably done more than any other researcher to make life more difficult and expensive for cyber crooks.

Stewart is speaking at the RSA Security conference in San Francisco on Thursday about what he thinks can be done to institutionalize some of these efforts.

Stewart says the world needs a more concerted effort to identify -- if not apprehend -- top cyber criminal actors. He also said that ISPs need to be held more accountable when they ignore overt signs of persistent criminal activity on their networks.

What follows are some excerpts from our discussion:

Stewart: We've had some small victories here and there, but overall the Internet security community hasn't been terribly effective. We're not really stopping them.

BK: Why do you think that is?

Stewart: One of the conclusions we came to was that we tend to be a lot more focused on attacks than on the attackers. We'd like to find out who these guys are, but instead we're looking at what botnet do we have to take down, or what the latest malware is. And after that, we move on to whatever the next attack-of-the-day is. What seems to be lacking is a focus on these criminal actors, when our attention is being drawn somewhere else that allows them to regroup once they've fallen off our radar.

What we really need is to form teams that focus on tracking specific adversaries, trying multiple tactics to affect these guys' criminal enterprises. The idea is to escalate the technical measures they have to go through to keep their businesses up and running.

BK: Can you give me a couple of examples of what you mean?

Stewart: Tactics that affect their, taking down affiliate programs, or blocking their ability to take credit cards. We need to have groups that do nothing but follow these guys around the 'Net and make it hard for them to make a living.

BK: So the idea is to raise their costs, right? But if so few of these guys pay any up-front costs - as you know spam bots and the bandwidth they use are basically free - it seems like you'd have to raise their costs substantially to make a dent.

Stewart: Every group or individual who's doing this is going to have a different threshold. If the potential reward is higher for them, they may be willing to take more risks. But [that risk increases] when we find a way to identify who these guys are and then follow them around virtually and really understand what we can do to affect their business.

BK: The longer and farther I look into the cyber criminal underground, the more I get the sense that most of this crime can be traced back to a relatively small number of key individuals. Do you think that's accurate?

Stewart: I'd agree with that. There are probably a good 20 to 25 characters who, if we removed them from the scene, would really hamper things. There'd still be lots of low-level activity, and I don't think it's reasonable to think we can target all of these guys. The goal would be to go after larger, more established professionals who are raking in the money.

BK: It seems like on one level this has been tried before. CastleCops comes to mind, and those guys were attacked and knocked offline constantly. Granted, that was an effort that was almost entirely volunteer-based.

Stewart: CastleCops was very overt in what they were doing. They had this big public Web site and were posting details of all these bad guys' operations. I don't recommend that at all. Ideally, for this to work, you want small teams that don't communicate a lot about what they're doing to the larger community.

It doesn't pay to make yourself a big target like that. The more public face you have, the more heat you're going to get from the bad guys. CastleCops couldn't deal with the amount of attacks they were taking. What I'm talking about would definitely need to be more low-key than that.

BK: Okay, but the people best qualified to do this kind of thing work at companies that make money by selling products. How would those companies justify letting their brightest minds work on stuff that in the end doesn't get written about and doesn't produce a product they can sell?

Stewart: Right. So it would really have to be a dedicated group, either privately funded or government funded.

BK: So what is the model, then?

Stewart: Well, I think there are some entities, like Team Cymru, that do this kind of thing already, who get grants to pay people full-time to do this kind of legwork.

BK: This sounds like a fine idea, but what about the other half of the equation - the Internet service providers and Web hosting companies like McColo, Atrivo, and others who turn a blind eye to this kind of activity on their networks?

Stewart: That's actually what the second half of my talk is about. We've talked so far about the short-term plan, the whole offense-in-depth thing. Longer term, we need to have more accountability in the networks that are out there. There are some places that are safe havens for these guys and they know it and gravitate to those places.

BK: So, what's the answer to that second part? New laws aren't going to do much.

Stewart: Exactly. Ultimately, I think we're going to need to have some sort of global treaty where networks are made to be responsible. What I would like to see is a model where every country has a computer emergency response team that works like the CERT in South Korea. Not like the United States CERT, which is more of a clearinghouse of vulnerability information. South Korea's CERT has the authority to tell an ISP, hey, you're hosting malicious content, a botnet, phishing site, whatever, take it down.

What I'd like to see is a different situation where you have one global authority that acts as a clearinghouse of data for abuse complaints, and then filters those and sends them to the appropriate country-level CERT for action.

BK: But how would that work? What incentive would there be for countries to participate? And how would you keep the system from being abused by intelligence and law enforcement agencies?

Stewart: I think if there were enough pressure by the larger companies that provide transit to the smaller ones, pressure for them to sign such a treaty, it could work. The fact is that the level of Internet abuse we're seeing right now has gotten so bad that we really do need a treaty like this now. And being a network that is the source of abuse would not necessarily be what gets you disconnected. The focus would need to be on those networks that foster abuse and also are unresponsive.

I also think it could work if you were to include some pretty strong language in the treaty that ensures this is focused on Internet abuse and network abuse, and that this isn't about creating something like the Internet police.

BK: You raise an important point. A lot of the investigative activity you're describing...I'm sure many folks would consider this to be the purview of law enforcement.

Stewart: Law enforcement's job is to put bad people in jail, whereas our offense-in-depth approach is to discontinue the cyber crime model for these criminals. We're actually fine if [the bad guys] decide to move into another line of work. Putting them in jail would be nice, but we have to recognize that we probably can't do that in a lot of cases, given the current political climate in a lot of countries.

Law enforcement is not geared to do deterrence: Their one goal is to put someone in cuffs at the end of the day. Disruption is our main goal.

BK: But what about some of the things that you envision this crime-busting group doing? Would some of those activities rise to the level of something you'd only want to see from law enforcement?

Stewart: The things we're doing now, albeit in a scattered way, are legal. We're not DDoSing people off the Internet. We're getting upstream Internet providers to kill their connection. It's totally doable and we're proving that with things like recent network takedowns that you've been instrumental in. But the other side of a takedown is not to let these guys crawl away in the dark and start something up somewhere else.

BK: Sounds like this could be an expensive operation you're talking about here. How much would be involved and how many people would it take?

Stewart: For each crime group you want to go after, it would probably cost about a half-million dollars a year to fund the people you want to do this as their full-time job. And I think professionals capable of following the leads at this level are going to cost a certain amount. I'd say a team of anywhere from four to ten people would be ideal. As far as resources, they'd just need resources from a network standpoint from which to stage their activities. This would mostly be about time and dedication.

BK: So, if someone were to come forward with a big fat grant to make this a reality, you'd be among the first to quit your job to sign up, right?

Stewart: [Laughs]. No, I'm an idea guy. But if someone says 'Hey Joe, want to serve on [President Obama's] cyber security panel?' I'd be happy to do that.

What do you think, dear readers? Is Joe crazy, or is he onto something here? How would your strategy be different? Sound off in the comments below.

By Brian Krebs  |  April 22, 2009; 1:05 PM ET
Categories:  From the Bunker  | Tags: cybercrime, joe stewart, secureworks  


Awesome idea. I'd even go so far as to say that the groups should be virtual. In order to be "quiet" and leave as small a footprint as possible while backtracking these activities and that the individuals should work from remote offices not central locations. Even if the A Team groups aren't broadcasting what they're doing (like the company mentioned) the better camouflaged they are the less their work would be hampered.

I also think that following South Korea's model is something we should push for. I'm sure that the right think tank can come up with justifiable reasons for taking action (e.g. the delivery of emergency services?) that ISPs could be pressured to disconnect the problem children.

Posted by: georgivich | April 22, 2009 2:39 PM | Report abuse

Joe is a dreamer. The SK CERT model is nice, but clearly there would be no good way to have that work worldwide. Could you imagine a US or Russia CERT that had control over private companies?

Also, the notion that more operations like Team Cymru are the answer is even more laughable. Team Cymru breaks far more laws than the people they allegedly protect us against. If anyone belongs in prison, they do.

What the world really needs is to clone 250 Joe Stewarts to even out the fight.

Posted by: ptksec | April 22, 2009 4:32 PM | Report abuse

I am also frustrated by the law enforcement model that says, "Let's keep them under surveillance and let them continue to break laws for a few years, until we have so much evidence they can't possibly beat the charges." Meanwhile, the rest of us are continually victimized by those internet criminals who are so carefully monitored. There isn't nearly enough enforcement action to act as a deterrent.

And while I agree that playing whack-a-mole with botnets may be only a short term solution, the fact is that we don't even do that much most of the time. The criminals operate with complete impunity and pour evidence into our laps, but nothing is done.

Volunteers can't do it all, but there are a lot of them. What's lacking is effective means for them to contribute to the effort.

If I find a list of stolen credit card numbers posted on a web page somewhere, why isn't there anyone I can notify? As it is, it would be up to me to sort out which card is for which bank and file a report with each, if they are even willing to accept such reports from third parties.

If I find an IP address within the range of a cable company that is spewing spam or hosting spamvertised websites, why won't that cable company accept a report and notify the customer? Or better yet, why can't those companies be responsible for checking a central database of zombie bots and dealing with the ones on their own networks, instead of having to wait for a volunteer to track each bot down and send reports to each different company responsible?

DDoS attacks would not be nearly as much of a threat if there weren't such huge numbers of bots out there, and if they weren't in the same IP ranges as the legitimate customers of the sites under attack. The acceptable standard of conduct for ISP's should be to get bots cleaned up or get them off line, quickly.

Posted by: AlphaCentauri | April 22, 2009 7:42 PM | Report abuse
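The ISP-side check AlphaCentauri describes above (an ISP pulling a central feed of reported bot addresses, keeping only the reports that fall inside its own address space, and acting on the repeat offenders) is easy to automate. The following is an added example, not part of the original post or of the commenter's words; the ISP prefixes, the feed format and the feed lines are constructed for illustration, and real feeds (Shadowserver reports, Spamhaus listings, CERT notices) each have their own format that the parser would have to be adapted to.

```python
import ipaddress
from collections import defaultdict

# Hypothetical prefixes operated by the ISP running this check (constructed).
ISP_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48")
]

# Constructed sample feed: "<timestamp> <ip> <category> <reporter>" per line.
# 198.51.100.200 is deliberately just outside 198.51.100.0/25 (.0-.127),
# and the last line is malformed, to exercise the boundary and error paths.
SAMPLE_FEED = """\
2009-04-22T10:01:00Z 203.0.113.45 spam-bot reporter-a
2009-04-22T10:02:00Z 198.51.100.200 phishing-site reporter-b
2009-04-22T10:03:00Z 192.0.2.7 spam-bot reporter-c
2009-04-22T10:04:00Z 203.0.113.45 c2-beacon reporter-a
2009-04-22T10:05:00Z 2001:db8:100::abcd ddos-bot reporter-d
2009-04-22T10:06:00Z not-an-ip spam-bot broken-line
"""


def parse_feed(text):
    """Parse feed lines into (timestamp, ip_address, category, reporter).

    Lines with the wrong field count or an unparseable address are skipped
    rather than aborting the whole run: one bad line from an upstream feed
    must not stop the ISP from acting on the good ones.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip_str, category, reporter = parts
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        events.append((ts, ip, category, reporter))
    return events


def our_prefix(ip, prefixes=ISP_PREFIXES):
    """Return the ISP prefix containing ip, or None if it is not our space."""
    for net in prefixes:
        if ip.version == net.version and ip in net:
            return net
    return None


def triage(text, prefixes=ISP_PREFIXES):
    """Split feed events into reports about our hosts and reports about
    other networks.  Returns ({ip_str: [(ts, category, reporter), ...]},
    [(ts, ip_str, category, reporter), ...])."""
    ours = defaultdict(list)
    foreign = []
    for ts, ip, category, reporter in parse_feed(text):
        if our_prefix(ip, prefixes) is None:
            foreign.append((ts, str(ip), category, reporter))
        else:
            ours[str(ip)].append((ts, category, reporter))
    return dict(ours), foreign


def quarantine_candidates(ours, threshold=2):
    """Hosts reported at least `threshold` times: the ones to notify the
    customer about or to walled-garden first.  Sorted for stable output."""
    return sorted(ip for ip, reports in ours.items() if len(reports) >= threshold)


if __name__ == "__main__":
    ours, foreign = triage(SAMPLE_FEED)
    for ip, reports in sorted(ours.items()):
        cats = ", ".join(sorted({c for _, c, _ in reports}))
        print(f"OUR HOST {ip}: {len(reports)} report(s) [{cats}]")
    print(f"{len(foreign)} report(s) about other networks ignored")
    print("quarantine candidates:", quarantine_candidates(ours))
```

The version check in `our_prefix` is what keeps a v6 feed entry from being silently dropped when the ISP list mixes v4 and v6 prefixes, and the /25 boundary case shows why the match must be against the ISP's actual allocations rather than a loose "same /24" heuristic.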

Brian, Joe, I applaud the discussion. I have wondered aloud in my blog many times what it would take to change the level of debate from the "incident response side" to the focused and disruption efforts from a covert / special ops side. There are MANY MANY things you can do. The usual problem is lack of legal cover and WILL. Grant a security immunity from prosecution to a group of organizations or individuals, with defined goals and Tactics, Techniques and Procedures that they can use to disrupt, identify, destroy and track known individuals. The top 25 to start with would be good.

Here is the rub, and I will challenge you both on this. Through sources and otherwise you most likely know, or a group of individuals in the community could provide, those identities... and don't say you can't. If you really have the expertise and the data, OUT them, start the ruckus and kick it off.

You can post at my site Veiled Shadows and be the first additions to my SPOTLIGHT SHINE BRIGHT Series. The goal was to create the dossiers and run operations against groups.

Let's say encryption attacks, in place where data drops get encrypted with ransom keys. Locate a weaker group and pay a key member 1 million dollars to rat out 5 of his buddies, ensuring said evidence was validated. Ensure that hacked sites can seed their data with trojaned products and the receivers of said products beacon back to global sensors when the attackers have their guard down. I could go on and on and on.

While your interview was great, you both have the position to change the debate, keep it in the present, and extend it into the future. I would love to see a number of columns on this.

Or if you were willing, I could conduct and host these discussions on my site and I would love to pose some challenging questions of you both. Are you game?

If so, let me know and post a comment at my site and we can coordinate.

For what it's worth, thanks for beginning to turn the tide on the debate. It was getting stale anyway.


Posted by: diocyde | April 23, 2009 12:10 AM | Report abuse

or for that matter, how about a reverse auction reward for clueful bad guy flipping on other important bad guy?

instead of offering a set $250,000 reward, it could be like Priceline: name your price, prove you can deliver, and we negotiate down depending on how many bidders there are and how good the information is.

Posted by: BTKrebs | April 23, 2009 12:43 AM | Report abuse

Joe took the words right out of my mouth. Well said.

Posted by: JonPraed | April 24, 2009 7:48 PM | Report abuse

© 2010 The Washington Post Company