Securing the Digital World

Does DDoS Takedowns Really Change Extortion Rules of Engagement?

Feb 02, 2016 | by Angel Grant, CISSP |

The proliferation of account takeovers, DDoS attacks, ransomware and outright cyber extortion targeting individuals and institutions is not only disrupting the hack attack landscape, but also raising questions around our rules of engagement. How are we supposed to deal with all of this knowing the bad guys aren't playing by the same rules that we do?

The first thing that inspired this observation was the recent arrest of suspects associated with distributed denial of services 'cyber extortion' group DD4BC (DDoS for Bitcoin). Though the cybercrime gang felt a sting from the arrests, the very next day a new wave of ransomware hit the cloud. In other words, even though these particular individuals were taken off the playing field there were others who quickly took their place, believing that the reward (of paid ransoms) far outweighed the risk (of being caught).

The second and for me more significant detail that bears even more weight than interchanging individuals involved in ransomware and related online crimes is the observation made by Al Pascual, head of fraud and security practices at Javelin Strategy & Research. Pascual suggests that while this recent takedown firmly communicates to the DDoS extortionists they can be found, arrested and prosecuted, there is a lack of international cooperation among countries (including a lack of extradition treaties). Stopping these types of crimes in their virtual tracks is just not realistic given that some of the localities where ransomware originates mostly lie just beyond the prosecutorial reach of law enforcement.

Conventional vs. Asymmetrical Combat

It is Pascual's observation, in turn, that underscores the rules of engagement I alluded to above.

Although these "rules" may contextually adhere to things like war - think of the obligatory Geneva Convention or how America drops "smart" ordinance to reduce civilian deaths in war zones - when it comes to stopping extortionists like DD4BC it applies to how we both perceive and combat these criminals on an ongoing basis.

The perception (and I think it's an accurate one) is that criminals like this can move faster and are more nimble than our security protocols simply because they can purchase needed tools and share information so easily and readily. Unlike how many approach their security measures, (an ambiguous brew of patches, antivirus apps and a lot of crossed fingers), the cyber extortionists aren't bound by geo-political boundaries, corporate policies or government regulations.

Instead, they collude and conspire with one another based on rules of engagement they've operated under since they first launched the first DDoS attack against us: in the cybercrime underground, on the dark web, and over social media. In the meantime, many institutions both in business and throughout government must rely on information sharing that doesn't always readily or even eventually yield the kinds of data and insight required to sufficiently address how the bad guys are attacking us today (e.g. zero-day attacks), much less address increasingly frequent and fierce distributed denial of service attacks.

In other words, whatever existing "playbook" we've depended on to figure out how we engage against these kinds of threats is outdated - or soon will be.

The Value of Intelligence Sharing

So, how can we hope to combat these kinds of threats moving forward? Well, we can continue to hope for more arrests and move towards a uniform policy that's lock-step from one business to another in not paying ransom for our own data. In the meantime, however, there's a lot to be said for more in-depth and consistent global intelligence sharing across all sectors. Bridging that information gap is the only sure way to plug all the holes in the proverbial security dike and maintain its long-term integrity.

There's no question the Internet has long ago transcended firewalls, borders, regulations and even the security measures we've put into place to ensure our own safety and security of the institutions we've come to depend on and trust. That's not to say we should raise the white flag and continue to spend resources on cyber extortion and distributed denial of service attacks. Instead, it should strengthen our resolve to partner with international cross industry organizations and security professionals to gather the intelligence we need to continue to protect our business.

Remember - consequences drive behavior whether good or bad and without real consequences, the rules of engagement will never change.

Learn more about RSA Fraud and Risk Intelligence by following: @RSAFraud