[BreachExchange] Why Is it so Hard to Arrest Hackers?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 23 20:06:59 EDT 2017


https://dzone.com/articles/arresting-hackers-why-so-hard

So recently I was chatting with an acquaintance of mine, and he asked me
about recent hacking allegations and why we never see anybody arrested for
cyber crime.

Well, first, we do see arrests, though they're not usually widely
publicized in mass media, and we don't see enough of them. But people do
get caught.

But really, why so few? Well, honestly, because it's really hard to prove
that cyber crimes are committed by specific individuals, despite all the
allegations you'll see in the press, especially recently. And I mean prove
- with evidence that will hold in a justice system.

There are a few reasons for this. First, it's really hard to track careful
criminals down. Second, even if you have malware samples, it's pretty easy
for attackers to have sanitized them. And it's easy to plant false flags if
you're savvy. Finally, finding the appropriate evidence is difficult as
well, not in the least because of jurisdictional problems.

Tracking determined cyberattackers down is hard, and it takes time. Many
attackers use stolen infrastructure, and they will frequently camouflage
access through yet other compromised systems in difficult to access
countries. This leaves a trail of systems that needs to be traversed in
order to find the originating system. And these trails will change
frequently, or involve Tor.

Malware samples usually don't have much in them of value, unless you've
been able to acquire the cyberattacker's workstation. Actually compiled
payload code, or macros in MS Word documents, can be effectively
sterilized, so it contains no identifying traces. Now, it's difficult to
remove all stylistic traces, so it's best to use industry standard
conventions in your code, not things that can be used for later sample
correlation if you're an attacker. But even when engineers do use odd
tricks, that really only gives analysts a way to show that selected
payloads come from the same author, not that a specific author is a
specific person.

False flags are easy to plant in malware as well. When do command and
control systems operate? When are manual intrusions attempted? What kinds
of variable names are used, and what kinds of characters? Are there
characters from a specific alphabet? These kinds of tricks can all be used
to lead analysts to the true authors, but it can be forged too.

Extracting evidence from computer systems is a well defined and refined
field. But you need to get your hands on the system first, and the system
needs to have something compelling to link malware or command and control
to that particular system. Both of these can be difficult problems,
especially when dealing with criminals in other countries, or countries
that don't have particularly strong relationships with the one you're in if
you're an analyst.

Really, like many cases in the outside world, criminals are eventually
caught because they are careless. They provide a trail from cybercrime
forums to domain names, then to identifying information, for example. Or
they brag about a campaign. It just takes time - though sometimes it seems
like too much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170323/90dc7c98/attachment.html>


More information about the BreachExchange mailing list