Why Is Fighting Cybercrime So Hard?
It's tough to target the few hundred super hackers that experts believe are behind the majority of cyber attacks.
A few hundred expert hackers offering "crime as a service" are behind a large percentage of all the cybercrime acts committed. That's the conclusion of a group of international law enforcement experts from organizations including the FBI and the UK's National Crime Agency.
Talking at the recent InfoSec Europe security conference in London, FBI agent Michael Driscoll said that there is evidence that just 100 to 200 people around the world are enabling organized crime gangs to mount technical attacks by selling them malware, botnets, distributed denial of service (DDoS) capabilities and other hacking services.
Despite the small number of people behind many of the attacks, the effects of their actions are devastating, Driscoll said.
"The average loss on the Internet is $3,000, and bank losses average $1,800. That may not seem like a lot, but we get about 22,000 complaints a month and we think that is about 10 percent of the total," he said. "There is constant hacking and online fraud; the volume is huge."
Catching organized crime gang members, and the cybercriminal masterminds who offer services to them, is hard -- or in many cases impossible, said Alan Woodward, a professor at the Surrey Centre of Cyber Security. That's because they operate in concert from all over the world.
"Some people think that the financial threats stem from Russia, IP threats come from China and so on, but it is not as simple as that," he explained. "These organized criminal gangs in particular are international and distributed. There might be one member in the Ukraine, one in the UK and so on."
Reach Out to Law Enforcement
The good news for anyone whose company faces the threat of attack by cybercriminals -- and that means just about any company -- is that law enforcement agencies can help you. But before they can be of help, it's essential that you make contact with them.
"One thing that's sure is that you can't be secure on the Internet, so my advice is to make sure you are talking to law enforcement now. Don't wait until you get hit and it is too late," said the FBI's Michael Driscoll.
"You need to engage with the FBI, or with CERT, or with the National Crime Agency," he said. "They push information about criminal activity to companies, so you need to make sure that you are getting that. And you need to be sending information about odd activity that you spot back to law enforcement."
Woodward said that doing so can be crucial to the fight against cybercriminals. "Threat intelligence is very important; don't underestimate it. You need to share intelligence, use what you learn from others, and have a plan for when you get hit."
What makes "solving" cybercrimes particularly difficult is that attribution is hard. You may know that your organization has been hacked, but law enforcement agencies may have no idea where the attack came from -- let alone who is responsible.
"We are getting better at fingerprinting attacks but it is very easy to put in false flag trails so attribution is difficult," said Woodward.
(The widely publicized Sony attack in November 2014 has been attributed to the North Korean government, but this attribution was only possible because of information provided by local intelligence agents rather than by a forensic analysis of the hack.)
This is in sharp contrast to traditional criminal landscapes, pointed out Andy Archibald, deputy director of the National Crime Agency's National Cybercrime Unit. He said most cities play host to people involved in illegal activity such as drug dealing, firearms sales, immigration scams and even the provision of hitman services. Law enforcement officers monitor and limit these activities using covert policing to build up a picture of who is involved in each crime field.
How to Fight Cybercrime, at a High Level
Because it is so hard to pin down those involved in cybercrime, the unanimous opinion of the law enforcement experts was that the best way to fight it is to disrupt their activities as much as possible.
How can this be done? Archibald suggested going after so-called bulletproof hosting services -- many of which are based in China, other parts of Asia, and Russia and its surrounding countries.
Bulletproof hosting services can be used by organized crime gangs to:
- offer downloads of exploit kits and other malware
- serve as botnet command and control centers
- provide drop storage for stolen financial details captured by banking Trojans and other malware
- host forums where stolen credit card information and exploit ideas are exchanged
He also suggested cracking down on money launderers who help organized crime gangs clean the proceeds of their crimes, and even going after anti-virus testing services. These can be used by malware authors to check whether their software is detected by the anti-virus products commonly deployed in the enterprise, he said.
Disrupting cybercriminals may well be the most practical way to tackle their illegal activities, but at best it can only limit the number of their attacks, and resulting data breaches, rather than solving the problem completely.
That means that having clear plans in place to mitigate the damage of a data breach when -- not if -- your company gets hit is vital, Woodward stressed. "The number of businesses that go bust after an attack is growing every day, so knowing how to respond is absolutely key."
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.