ACCELERATING CYBERCRIME RESPONSE AND MITIGATION
Today, the burden of online criminal investigations falls on private sector actors for phishing, malware distribution, counterfeit goods, identity theft or other fraudulent acts.
Online cybercrimes exhibit characteristics that make them particularly challenging to mitigate or defeat: the activities that collectively comprise online criminal acts are conducted transnationally; the perpetrators operate from many countries, often with temporary relationships; and the acts themselves are not universally recognized as crimes in all jurisdictions where the actors or their criminal assets reside. These characteristics make apprehension or prosecution of the perpetrators exceedingly difficult. Perhaps the most difficult challenges security interveners or law enforcement officers must overcome when they combat cybercrime are to be duly diligent or to satisfy due process quickly enough – in Internet time – to contain the harm or minimize the number of victims affected by a given criminal attack.
In this article, we consider private sector frameworks that provide effective, rapid response to criminal activity while maintaining public confidence. We discuss how the successes of these frameworks can serve as the basis for public-private partnerships. We identify challenges that such public-private partnerships face. And we examine how such partnerships might bring us closer to multinational or international agreements where due process of law is served through a universally recognized judicial system.
Cybercrime timelines reveal important truths
Figure 1 illustrates a representative timeline for a phishing attack, from the onset of the attack through response or remediation, to the point where a law enforcement officer presents sufficient evidence to obtain a court order in a single jurisdiction.
Figure 2 illustrates a representative timeline for a more sophisticated criminal activity. Here, one or more criminal actors first build an online crime-enabling infrastructure by combining hundreds, thousands or even millions of infected computer systems in multiple jurisdictions into a botnet. These criminal actors then lease this infrastructure through an underground marketplace to other criminal actors who use the botnet to conduct phishing, distributed denial of service (DDoS) or other criminal attacks.
These figures illustrate that criminal activities – in particular, those that operate on crime-enabling botnet infrastructures – proceed seemingly unabated. Harm or loss from botnets often exhibits what data analysts call a long tail: a large portion of the harm or loss associated with a crime occurs near the onset of the criminal attack, but the damage can continue for weeks, months or even years.
These timelines give us an opportunity to dispel several misconceptions regarding cybercrime. Cyberattacks aren’t always sophisticated; often, it is not skilled but unskilled criminal actors who lease facilities and who download or purchase attack software such as phishing kits or denial-of-service clients (e.g., LOIC). Likewise, cyberattacks are not launched from superior technology; the advantage cyberattackers have is not better technology but the ability to build criminal infrastructures at low or no cost by exploiting systems they have no authorization to use. Lastly, cyberattackers aren’t all comic book super villains; what is popularly perceived as sophistication is actually “a direct result of the vast number of attack methodologies at their disposal.”
Private sector and law enforcement investigators can match or surpass the tactics of criminal actors. They have access to comparable technology, including sophisticated detection or mitigation software. As Figures 1 and 2 illustrate, they are technologically able to mitigate or contain attacks in Internet time. However, the ability to collect and share sufficient evidence to identify, apprehend and prosecute criminal actors is a decidedly different story.
We conclude from these timelines that:
A framework that strips criminals of the advantages they currently enjoy should exhibit the following characteristics: rapid response, effective action and an accelerated process that weathers public scrutiny.
Private Sector Frameworks Accelerate Response to Online Criminal Activity
Today, private sector investigators collect and share information that they can reliably associate with criminal activity through ad hoc trust networks or vetted, trust-based communities. When they cannot obtain court orders, they use the shared or accumulated information to identify acceptable use policy, trademark or copyright infringement, or other policy violations. Identifying such violations gives a service provider the justification to disrupt criminal activity by removing content, suspending website operation, or terminating name resolution of domain names associated with online criminal activity. Similarly, domain name registrar or registry operators may voluntarily suspend an Internet domain name when investigators present evidence that the name(s) have been used to lure victims to sites hosting illicit content or to support criminal botnet infrastructures.
The operative word here is voluntary. The operator will act after reviewing the evidence that an investigator presents, and after considering any business risk (liability) that the operator has determined it would assume by removing content or suspending an Internet domain name registration without a court order. These recourses are effective with operators who are vigilant about criminal activity or believe that managing abuse is a service differentiator.
Some operators and private investigators facilitate such interventions through voluntary collaboration in ad hoc trust relationships at business or even individual levels. By contrast, some operators insist strictly on a court order. Yet other operators adopt business models that facilitate criminal hosting, and thus have no incentive to volunteer.
Role of Trusted Intervener Frameworks
The Anti-Phishing Working Group (APWG) has developed a service that attempts to formalize voluntary intervention. APWG’s Accelerated Malicious Domain Suspension process (AMDoS) was launched in 2012 with 12 top-level domains. Through attestations, AMDoS 2.0 can direct requests for domain suspensions to registrars of record. AMDoS employs a trusted introducer model whereby accredited interveners submit suspected malicious domain names for investigation and suspension by sponsoring registrars. The process is characterized in the following scenario.
An authority has processed the registration for exxxample.com. The authority has voluntarily enrolled in the AMDoS program and agrees to review attestations from trusted interveners in an accelerated manner. Through their participation, authorities agree to trust the program, and hence have confidence in the reporting parties.
An accredited intervener submits a phishing abuse complaint through a web submission form. This is a formal attestation that an Internet domain name is associated with a criminal activity; specifically, the attestation would provide evidence that criminal actors have used an Internet domain name to steal identities and commit fraud. For example, an investigator might provide evidence demonstrating that victims have clicked on a hyperlink in an email, http://www.exxxample.com/login.html, believing that they are visiting http://www.example.com/login.html. This malicious hyperlink takes them to a fake login page run by the criminals. On this site, the victim unwittingly discloses account credentials to the criminal actors.
Attestations, designed by subject matter experts and authority representatives, are the means to share sufficient evidence for a domain registry operator or registrar to make a decision to suspend the domain to prevent further harm. This shutdown occurs within hours (eventually, perhaps faster) of the time an intervener discovers a phishing email that is abusing the Internet domain name.
The AMDoS process improves on the collaboration between investigators and registry or registrar operators in several ways.
• The formal vetting process provides a level playing field for interveners. APWG governs the accreditation process for interveners. Candidate interveners must work for an enterprise relevant to the management and investigation of cybercrime. An expert committee prescreens each candidate’s technical qualifications, relevant intervener history and reputation to establish eligibility for enrollment.
• Attestations and responses by authorities are auditable, providing the accountability and review necessary to build confidence in the system.
• AMDoS can be used only for cases involving financial fraud and where there is no dispute over the legitimacy of content.
These practices satisfy the requirements for scalability (large numbers of operators and interveners), accountability (audits and reviews), and public confidence (by establishing a formal vetted process and by not asserting the process as a substitute for legal course of action to resolve disputes over intellectual property or copyrights).
Voluntary action through AMDoS or similar processes only partly fills a void. In particular, where legal rather than voluntary actions are necessary, the processes involving multiple jurisdictions, court orders or mutual legal assistance treaties take too much time to be effective. As a result, information cannot be shared and action cannot be taken against online criminal activities that are global in scale, and in many cases, affect thousands of victims or millions in global currencies.
Extending Cross-Border Frameworks to Combat Cybercrime
Cross-border frameworks should consider certain processes that private sector frameworks employ for circumstances where law enforcement must collaborate to identify or prosecute criminal conduct.
The processes provide for:
• Information sharing
• Rapid response to cyberattack
• Timely and effective action
• Confidence, transparency and accountability
Law enforcement’s most reliable process today for requesting access to data is through mutual legal assistance (MLA). The process is based on international treaties that are “bilateral, multilateral, or regional agreements detailing how and what kinds of data foreign governments may request.” The MLA workflow is a time-consuming process by which cross-border requests for access to data are communicated through formal correspondence. Law enforcement passes requests through its local central authority to the central authority for the receiving jurisdiction in a format specified in the applicable treaty. The receiving central authority reviews the request to determine whether disclosing the requested data complies with the local law and local standards of data protection. If the request complies with local laws, the receiving central authority processes the request.
When reacting to online crimes, minutes matter, but requesting data through the MLA process can take weeks or months. In circumstances where a treaty does not exist, countries may base data sharing on reciprocity or use letters rogatory (letters of request), or they may conduct joint investigations; all of these processes are also time-consuming. The limited scalability or uniformity of the MLA process is exposed in circumstances where law enforcement officers request data from multiple jurisdictions. (For example, when law enforcement officers attempt to dismantle a global botnet, the botnet resources or the conspirators may fall under multiple jurisdictions.)
Several recommended improvements to the MLA process adopt characteristics from private sector frameworks, including:
• Agreement on a cross-border framework that expedites access to data while satisfying human rights and due process with transparency and accountability
• Agreement across jurisdictions on what content or metadata can be shared and what data protections must be guaranteed
• Agreement of submission format, preferably digital, to accelerate, securely route and more efficiently process requests
• Reconsideration of the role of the central authority to lower the administrative burden and focus more on international cooperation
• A rocket docket, where prosecutors and magistrates with cyber- and MLA-processing expertise can process requests quickly
Solutions to combating cybercrime must not compromise the public’s confidence and trust in international legal systems. These critical changes are worth exploring further, as they would enable law enforcement to operate in Internet time, and at the same time preserve due process.
We can nullify criminal advantages in technology and expertise by dramatically improving cybersecurity practices, by building capacity among law enforcement, and by harmonizing international criminal law. In addition, private sector frameworks for data sharing demonstrably mitigate or contain certain cybercrimes, but they are only triage measures. What is required is an international cooperative framework for data sharing that incorporates the positive aspects of private sector frameworks so we can methodically strip cybercriminals of their cross-border advantages.
References
FireEye. “Threat Actor Tactics and Targeting Predictions for 2014.”
Sponchioni, Roberto. “The Phishing Economy: How Phishing Kits Make Scams Easier to Operate.”
“LOIC (Low Orbit Ion Cannon) – DOS Attacking Tool.”
Cottrell, Lance. “Today’s Hackers Are Way More Sophisticated Than You Think.”
Piscitello, David. “Can We Extend Trust-Based Collaboration Beyond Handshakes and Face-to-Face?”
Amazon.com. “AWS Acceptable Use Policy.”
Piscitello, David. “Making Sense of Shutdowns, Takedowns, Seizures and More.”
Piscitello, David. “Dismantling Botnets: Dealing with DNS and Whois.”
Trend Micro. “Bulletproof Hosting Services: Cybercriminal Hideouts for Lease.”
Anti-Phishing Working Group. “APWG Malicious Domain Suspension Process (AMDoS 2.0).”
Brehmer, H. J. “The MLAT Problem: A Major Roadblock for Law Enforcement Worldwide.”
Mutual Legal Assistance Treaty FAQ. “Frequently Asked Questions.”
Daskal, Jennifer, and Andrew Keane Woods. “Cross-Border Data Requests: A Proposed Framework.”
SYNTHESIS, Issue 3, July 2013. “Cross Border Data Flows and National Sovereignty.”
Kent, Gail. “Sharing Investigation Specific Data with Law Enforcement – An International Approach.”
Swire, Peter, and Justin Hemmings. “Re-Engineering the Mutual Legal Assistance Treaty Process.”
David Piscitello is Vice President of Security and ICT Coordinator at ICANN. Dr. Stephen Crocker is Chair of the ICANN Board of Directors. The views expressed here are those of the authors, and do not necessarily represent the views of ICANN. The recommendations included here are intended for the entire Internet community, and are not completely within ICANN’s sphere of responsibility.