[BreachExchange] Disrupting the Economics of Cybercrime

[Destry Winant]

https://www.databreachtoday.com/blogs/disrupting-economics-cybercrime-p-2652

No business wants its customers to become victims of cybercrime. The
key to prevention is understanding how the cybercrime industry works.

Cybercrime is a business and, like any business, it's driven by
profit. Here we describe how organizations can make credential theft
less profitable at every stage of the criminal value chain, and, in
doing so, lower their risk.

Every company's cybercrime defense strategy should include ways to
increase the economic burden on the attackers, making fraud too
expensive and unprofitable to be worth its cost and effort.

The cybercrime value chain has three components. The first phase is
the attack, which involves the initial penetration (aka data breach)
and theft of credentials. In the second phase, brokering, the stolen
credentials are sorted and tested to confirm their value. The third
phase, so-called carding, is when criminals take over accounts to
obtain actual goods (e.g. expensive electronics) or take control of
bank accounts, gift cards, rewards points, airline miles and the like,
all of which can be converted to cash.

Preventing the Data Breach

For phase one, the most common method of stealing credentials is
phishing, and employee education is the prime defense. (Don't click on
that mystery link!) However, as humans are fallible, there are also
good technology approaches that can detect and reroute malicious spam.
Intrusion detection solutions also exist to detect anomalies in
network traffic or application behavior if criminals manage to get
past the defenses that are in place.

None of these defenses are infallible, but cybercriminals prefer
targets that require little time and energy over those that are
difficult to crack, for the obvious reason that overcoming
sophisticated defenses costs more money and reduces profit margins.

Frustrating Brokers and Carders

Brokers add value (and make money) by testing and assessing the
quality of stolen credentials and then reselling them. They typically
attack the "create new account" system first. Brokers know that if
they can create new accounts using a particular batch of stolen
credentials, those credentials are of no value for credential
stuffing. They're not in the target system. On the other hand, if
brokers get a "This account already exists" message, they know the
credentials are in the system and therefore ripe for attack.

One simple tactic that can frustrate brokers is limiting the amount of
information your system provides. Instead of displaying, "This account
already exists," display, "We'll check to see if this account is
available and let you know shortly." Admittedly, this approach adds
friction to the transaction, but it's worth the trouble.

The main point for cutting brokers' profits is to remember that they
typically use automated technology capable of evaluating thousands of
credentials in a matter of minutes. The same is true for carders who
buy from these brokers. For this reason, organizations need to think
in terms of real-time defenses against what in many ways resemble zero
day exploits. This means being able to distinguish "bad" automated
traffic from legitimate automated traffic and traffic from humans
using the system.

Traditional Tactics Don't Always Work

Unfortunately, two well-known tactics that once worked well against
automated, bot-driven systems are likely no longer highly effective.

CAPTCHA. Artificial intelligence systems can solve CAPTCHA challenges
as well as or better than human beings, and these systems are well
within the reach of cybercrime organizations. Also, there are
CAPTCHA-solving services that use human labor to provide CAPTCHA
responses for a few pennies per response with a turnaround time of
under 10 seconds.

IP Blocking. Blocking based on IP reputation, also once quite
effective, now has significant problems. First, with the help of
automation, cybercrime organizations move very rapidly to exploit
stolen credentials, often acting before those credentials appear
anywhere on the dark web. Only after most of their value has been
extracted will criminals put them up for sale on illicit sites, such
as Pastebin. As a result, suspicious IP addresses can only be found
there after they have done most of their damage.

In addition, blocking suspicious IP addresses can inadvertently
exclude legitimate customers. For example, a university may have
50,000 people using the same IP address. Blocking that address because
of a handful of bad actors excludes everyone in a large customer base.
Finally, today's attackers can rapidly change IP addresses if they
think they've been discovered by renting proxy services to create
distributed IP attacks using thousands of different IPs.

Smarter Protection with Artificial Intelligence

One approach that does work is based on the use of artificial
intelligence to distinguish log-in patterns that could only be
generated by automated systems, even when those patterns are designed
to mimic those of a legitimate human log-in.

A second method involves mediated cooperation among large numbers of
potential target organizations, such as banks, large retailers,
airlines and the like. A system in which the use of compromised
credentials at one site or store can be detected in real time and
shared with other likely victims can prevent fraud in real time. This
process of security information sharing makes the activities of
cybercriminals significantly less profitable and decreases their
incentive to continue in their dark work.

New Criteria for Password Strength

One well-known tactic for protecting customer accounts that is still
valid is the encouragement of strong passwords. However, the classic
definition of a strong password - 10 alphanumeric characters including
capitals, lower case and at least one symbol - is no longer valid.
Today, the best strong password choice is a string of unrelated words,
with or without spaces, such as "moon hat cup tiger." Strong passwords
are quite simply harder to guess, and that's important when the
"guessing" is being done by an automated system.

Cybercriminal organizations are organized to make a profit, just like
other businesses. Every company's defense strategy should therefore
include ways to increase the economic burden on the attackers, making
fraud too expensive and unprofitable to be worth its cost and effort.