ACCELERATED PRIVATE SECTOR
RESPONSE & MITIGATION PROCESS RESEARCH

David Piscitello and Dr. Steve Crocker

Authors Piscitello and Crocker illuminate an accessible third way for potent interventions that can operate at the speed of cybercrime through agreement-based prescribed responses by stakeholders themselves.

Online cyber crimes exhibit characteristics that make them particularly challenging to mitigate or defeat: the activities that collectively comprise online criminal acts are conducted transnationally; the perpetrators operate from many countries, often with temporary relationships; and the acts themselves are not universally recognized as crimes in all jurisdictions where the actors or their criminal assets reside. These characteristics make apprehension or prosecution of the perpetrators exceedingly difficult. Perhaps the most difficult challenges security interveners or law enforcement officers must overcome when they combat cyber crime are to be duly diligent or to satisfy due process quickly enough – in Internet time – to contain the harm or minimize the number of victims affected by a given criminal attack.

In this article, we consider private sector frameworks that provide effective, rapid response to criminal activity while maintaining public confidence. We discuss how the successes of these frameworks can serve as the basis for public-private partnerships. We identify challenges that such public-private partnerships face. We also examine how such partnerships might bring us closer to multinational or international agreements where due process of law is served through a universally recognized judicial system.

Cyber crime timelines reveal important truths

Today, the burden of online criminal investigations falls on private sector actors for phishing, malware distribution, counterfeit goods, identity theft or other fraudulent acts. Figure 1 illustrates a representative timeline for a phishing attack, from the onset of the attack through response or remediation, to the point where a law enforcement officer presents sufficient evidence to obtain a court order in a single jurisdiction.

Figure 2 illustrates a representative timeline for a more sophisticated criminal activity. Here, one or more criminal actors first build an online crime-enabling infrastructure by combining hundreds, thousands or even millions of infected computer systems in multiple jurisdictions into a botnet. These criminal actors then lease this infrastructure through an underground marketplace to other criminal actors who use the botnet to conduct phishing, distributed denials of service (DDoS) or other criminal attacks.

These figures illustrate that criminal activities – in particular, those that operate on crime-enabling botnet infrastructures – proceed seemingly unabated. Harm or loss from botnets often exhibits what data analysts call a long tail: a large portion of the harm or loss associated with a crime occurs near the onset of the criminal attack, but the damage can continue for weeks, months or even years.

These timelines give us an opportunity to dispel several misconceptions regarding cyber crime. Cyber attacks aren’t always sophisticated; often, it is not skilled but unskilled criminal actors who lease facilities and who download or purchase attack software such as phishing kits or denial-of-service clients (e.g., LOIC). Likewise, cyber attacks are not launched from superior technology; the technology advantage that cyber attackers have is not that they have superior technology but that they are able to build criminal infrastructures at low or no cost by exploiting systems they have no authorization to use. Lastly, cyber attackers aren’t all comic book super villains; what is popularly perceived as sophistication is actually “a direct result of the vast number of attack methodologies at their disposal.”

Private sector and law enforcement investigators can match or surpass the tactics of criminal actors. They have access to comparable technology, including sophisticated detection or mitigation software. As Figures 1 and 2 illustrate, they are technologically able to mitigate or contain attacks in Internet time. However, the ability to collect and share sufficient evidence to identify, apprehend and prosecute criminal actors is a decidedly different story.

[Figure 1: Representative timeline for a phishing attack, from onset through response or remediation to a court order in a single jurisdiction.]

We conclude from these timelines that:

A framework that strips criminals of the advantages they currently enjoy should exhibit the following characteristics: rapid response, effective action and an accelerated process that weathers public scrutiny.

Private Sector Frameworks Accelerate Response to Online Criminal Activity

Today, private sector investigators collect and share information that they can reliably associate with criminal activity through ad hoc trust networks or vetted, trust-based communities. When they cannot obtain court orders, they use the shared or accumulated information to identify acceptable use policy, trademark or copyright infringement, or other policy violations. Identifying such violations gives a service provider the justification to disrupt criminal activity by removing content, suspending website operation, or terminating name resolution of domain names associated with online criminal activity. Similarly, domain name registrar or registry operators may voluntarily suspend an Internet domain name when investigators present evidence that the name(s) have been used to lure victims to sites hosting illicit content or to support criminal botnet infrastructures.

The operative word here is voluntary. The operator will act after reviewing the evidence that an investigator presents, and after considering any business risk (liability) that the operator has determined it would assume by removing content or suspending an Internet domain name registration without a court order. These recourses are effective with operators who are vigilant about criminal activity or believe that managing abuse is a service differentiator.

Some operators and private investigators facilitate such interventions through voluntary collaboration in ad hoc trust relationships at business or even individual levels. By contrast, some operators insist strictly on a court order. Yet other operators adopt business models that facilitate criminal hosting, and thus have no incentive to volunteer.

[Figure 2: Representative timeline for botnet-enabled criminal activity, from infrastructure build-out and leasing through response.]

Role of Trusted Intervener Frameworks

The Anti-Phishing Working Group (APWG) has developed a service that attempts to formalize voluntary intervention. APWG’s Accelerated Malicious Domain Suspension process (AMDoS) was launched in 2012 with 12 top-level domains. Through attestations, AMDoS 2.0 can direct requests for domain suspensions to registrars of record. AMDoS employs a trusted introducer model whereby accredited interveners submit suspected malicious domain names for investigation and suspension by sponsoring registrars. The process is characterized in the following scenario.

An authority has processed the registration for exxxample.com. The authority has voluntarily enrolled in the AMDoS program and agrees to review attestations from trusted interveners in an accelerated manner. Through their participation, authorities agree to trust the program, and hence have confidence in the reporting parties.

An accredited intervener submits a phishing abuse complaint through a web submission form. This is a formal attestation that an Internet domain name is associated with a criminal activity; specifically, the attestation would provide evidence that criminal actors have used an Internet domain name to steal identities and commit fraud. For example, an investigator might provide evidence demonstrating that victims have clicked on a hyperlink in an email, http://www.exxxample.com/login.html, believing that they are visiting http://www.example.com/login.html. This malicious hyperlink takes them to a fake login page run by the criminals. On this site, the victim unwittingly discloses account credentials to the criminal actors.

Attestations, designed by subject matter experts and authority representatives, are the means to share sufficient evidence for a domain registry operator or registrar to make a decision to suspend the domain to prevent further harm. This shutdown occurs within hours (eventually, perhaps faster) of the time an intervener discovers a phishing email that is abusing the Internet domain name.

The AMDoS process improves on the collaboration between investigators and registry or registrar operators in several ways.

• The formal vetting process provides a level playing field for interveners. APWG governs the accreditation process for interveners. Candidate interveners must work for an enterprise relevant to the management and investigation of cyber crime. An expert committee prescreens each candidate’s technical qualifications, relevant intervener history and reputation to establish eligibility for enrollment.
• Attestations and responses by authorities are auditable, providing the accountability and review necessary to build confidence in the system.
• The AMDoS can be used only for cases involving financial fraud and where there is no dispute over the legitimacy of content.

These practices satisfy the requirements for scalability (large numbers of operators and interveners), accountability (audits and reviews), and public confidence (by establishing a formal vetted process and by not asserting the process as a substitute for legal course of action to resolve disputes over intellectual property or copyrights).
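As an added illustration (not APWG's code and not part of the original article), the safeguards AMDoS builds in can be modelled as a small routing function: the intervener must be accredited, the registrar of record must have voluntarily enrolled, the case must be in scope (financial fraud with no dispute over content), and every decision is written to an audit log. The accreditation list, the enrolled-registrar set and the registrar-of-record lookup are constructed placeholders standing in for the real program's records.

```python
"""Hypothetical model of AMDoS-style attestation routing (added example)."""
from dataclasses import dataclass, field

# Constructed sample data: accredited interveners and enrolled registrars.
ACCREDITED_INTERVENERS = {"intervener-17": "Example Bank CSIRT"}
ENROLLED_REGISTRARS = {"registrar-A"}
# Hypothetical registrar-of-record lookup (stands in for a Whois/RDAP query).
REGISTRAR_OF_RECORD = {"exxxample.com": "registrar-A", "other.test": "registrar-Z"}

AUDIT_LOG = []  # every attestation and decision is recorded for later review


@dataclass
class Attestation:
    intervener_id: str
    domain: str
    category: str            # AMDoS scope is financial fraud only
    content_disputed: bool   # disputes over content legitimacy go to court
    evidence: list = field(default_factory=list)  # e.g. lure URL, landing page


def route_attestation(att):
    """Return (status, registrar) and append the decision to the audit log."""
    if att.intervener_id not in ACCREDITED_INTERVENERS:
        status, registrar = "rejected: intervener not accredited", None
    elif att.category != "financial-fraud" or att.content_disputed:
        status, registrar = "rejected: out of AMDoS scope", None
    elif not att.evidence:
        status, registrar = "rejected: no evidence attached", None
    else:
        registrar = REGISTRAR_OF_RECORD.get(att.domain)
        if registrar in ENROLLED_REGISTRARS:
            status = "forwarded to registrar of record"
        else:
            status, registrar = "rejected: registrar not enrolled", None
    AUDIT_LOG.append((att.intervener_id, att.domain, status))
    return status, registrar


if __name__ == "__main__":
    lure = Attestation("intervener-17", "exxxample.com", "financial-fraud", False,
                       ["http://www.exxxample.com/login.html mimics example.com"])
    print(route_attestation(lure))  # ('forwarded to registrar of record', 'registrar-A')
```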

Voluntary action through AMDoS or similar processes only partly fills a void. In particular, where legal rather than voluntary actions are necessary, the processes involving multiple jurisdictions, court orders or mutual legal assistance treaties take too much time to be effective. As a result, information cannot be shared and action cannot be taken against online criminal activities that are global in scale, and in many cases, affect thousands of victims or millions in global currencies.

Extending Cross-Border Frameworks to Combat Cyber Crime

Cross-border frameworks should consider certain processes that private sector frameworks employ for circumstances where law enforcement must collaborate to identify or prosecute criminal conduct.

The processes provide for:
• Information sharing
• Rapid response to cyber attack
• Timely and effective action
• Confidence, transparency and accountability

Law enforcement’s most reliable process today for requesting access to data is through mutual legal assistance (MLA). The process is based on international treaties that are “bilateral, multilateral, or regional agreements detailing how and what kinds of data foreign governments may request.” The MLA workflow is a time-consuming process by which cross-border requests for access to data are communicated through formal correspondence. Law enforcement passes requests through its local central authority to the central authority for the receiving jurisdiction in a format specified in the applicable treaty. The receiving central authority reviews the request to determine whether disclosing the requested data complies with the local law and local standards of data protection. If the request complies with local laws, the receiving central authority processes the request.

When reacting to online crimes, minutes matter, but requesting data through the MLA process can take weeks or months. In circumstances where a treaty does not exist, countries may base data sharing on reciprocity or use letters rogatory (letters of request), or they may conduct joint investigations; all of these processes are also time-consuming. The limited scalability or uniformity of the MLA process is exposed in circumstances where law enforcement officers request data from multiple jurisdictions. (For example, when law enforcement officers attempt to dismantle a global botnet, the botnet resources or the conspirators may fall under multiple jurisdictions.)

Several recommended improvements to the MLA process adopt characteristics from private sector frameworks, including:

• Agreement on a cross-border framework that expedites access to data while satisfying human rights and due process with transparency and accountability
• Agreement across jurisdictions on what content or metadata can be shared and what data protections must be guaranteed
• Agreement of submission format, preferably digital, to accelerate, securely route and more efficiently process requests
• Reconsideration of the role of the central authority to lower the administrative burden and focus more on international cooperation
• A rocket docket, where prosecutors and magistrates with cyber- and MLA-processing expertise can process requests quickly

Solutions to combating cyber crime must not compromise the public’s confidence and trust in international legal systems. These critical changes are worth exploring further, as they would enable law enforcement to operate in Internet time while preserving due process.

We can nullify criminal advantages in technology and expertise by dramatically improving cyber security practices, by building capacity among law enforcement, and by harmonizing international criminal law. In addition, private sector frameworks for data sharing demonstrably mitigate or contain certain cyber crimes, but they are only triage measures. What is required is an international cooperative framework for data sharing that incorporates the positive aspects of private sector frameworks so we can methodically strip cyber criminals of their cross-border advantages.

REFERENCES

FireEye. “Threat Actor Tactics and Targeting Predictions for 2014.”
https://www.fireeye.com/blog/threat-research/2013/12/threat-actor-tactic-targeting-predictions-2014.html

Sponchioni, Roberto. “The phishing economy: How phishing kits make scams easier to operate.”
http://www.symantec.com/connect/blogs/phishing-economyhow-phishing-kits-make-scams-easier-operate

InfoSec Institute. “LOIC (Low Orbit Ion Cannon) – DOS attacking tool.”
http://resources.infosecinstitute.com/loic-dos-attacking-tool/

Cottrell, Lance. “Today’s Hackers Are Way More Sophisticated Than You Think.”
http://readwrite.com/2015/02/04/sophisticated-hackers-defense-in-depth/

Piscitello, David. “Can we extend trust-based collaboration beyond handshakes and face-to-face?”
http://www.securityskeptic.com/2015/03/can-we-extend-trust-basedcollaboration-beyond-handshakes-and-face-to-face.html

Amazon.com. “AWS Acceptable Use Policy.”
https://aws.amazon.com/aup/

Piscitello, David. “Making Sense of Shutdowns, Takedowns, Seizures and More.”
http://www.securityskeptic.com/2012/05/making-sense-of-shutdowns-takedowns-seizures-and-more.html

Piscitello, David. “Dismantling botnets: Dealing with DNS and Whois.”
http://www.securityskeptic.com/2015/08/dismantlingbotnets-dealing-with-dns-and-whois.html

Trend Micro. “Bulletproof Hosting Services: Cybercriminal Hideouts for Lease.”
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bulletproofhosting-services-cybercriminal-hideouts-for-lease

Anti-Phishing Working Group. “APWG Malicious Domain Suspension Process (AMDoS 2.0).”
http://antiphishing.org/apwg-news-center/amdos/

Brehmer, H. J. “The MLAT Problem: A major roadblock for law enforcement worldwide.”
http://www.crimlawpractitioner.com/#!The-MLAT-Problem-A-major-roadblock-for-lawenforcement-worldwide/cdog/5707f3f80cf2e0dbcac871e5

Mutual Legal Assistance Treaty FAQ. “Frequently Asked Questions.”
https://mlat.info/faq

Daskal, Jennifer, and Andrew Keane Woods. “Cross-Border Data Requests: A Proposed Framework.”
https://www.lawfareblog.com/cross-border-data-requests-proposed-framework

SYNTHESIS, Issue 3, July 2013. “Cross Border Data Flows and National Sovereignty.”
http://www.internetjurisdiction.net/wpcontent/uploads/2013/08/Internet-Jurisdiction-SYNTHESIS-3-July-2013.pdf

Kent, Gail. “Sharing Investigation Specific Data with Law Enforcement – An International Approach.”
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2472413

Swire, Peter and Justin Hemmings. “Re-Engineering the Mutual Legal Assistance Treaty Process.”
http://www.heinz.cmu.edu/~acquisti/SHB2015/Swire.docx