SAN FRANCISCO, Calif. — Security professionals and law enforcement officials need to focus on the criminals behind botnets and sustain efforts to disrupt their networks and financial transactions to have any lasting impact on cybercrime, a security researcher argued at the RSA Security Conference on Monday.
The only way to beat cyber criminals at their own game is to undermine their operations and cut off their access to their ill-gotten gains, Joe Stewart, director of malicious threat research at SecureWorks, told SecurityFocus. To defeat them, Stewart argues that the security community needs to focus, not on the attacks -- the Confickers, Storms and Code Reds of the cyber world -- but on the people behind the attacks. Taking to heart the old adage, "A good offense is the best defense," Stewart calls his approach "offense in depth."
"You have to look at the premise that there is a limit to what these guys are willing to put up with if they are to pursue their cybercriminal business," Stewart told SecurityFocus. "They only will put up with a certain amount of risk for so much effort for so much reward. If that equation changes too much, then they will stop."
The groups tasked with taking on cybercriminals need enough muscle to back up threats with action, he said. Stewart suggested that the Computer Emergency Response Teams (CERTs) that exist in most nations connected to the Internet should be given regulatory powers — similar to South Korea's CERT — to take down domains and even cut off small segments of the network, if the controlling entity does not clean up its systems.
"They have authority in their country," he said. "They can tell them, you are going to take down this server or you are going to give us all these network flows. If you look around, you will not see a lot of abuse coming out of South Korea. That is really a model I would like to see adapted worldwide."
The suggestions come at a time when the United States is seeking to revamp its stance in cyberspace and create a doctrine for the use of military power across the Internet. The Obama administration embarked on a 60-day review of the previous administration's cyber policy. The results of that study will be released on Wednesday at the RSA Security Conference. Earlier this month, two senators introduced two bills that would create a top U.S. advisor for cybersecurity who reports directly to the president and revamp existing laws to give the nation more ability to police the part of the Internet that it controls.
The current approach to taking on cybercriminals, however, is mainly to mitigate their attacks. Corporate defenders and law enforcement need to find a way to make cybercriminals' activities unprofitable, and doing that requires a long effort, likely years, against each group, Stewart said.
"If we can knock (their activities) back to the 2003 level, that will be a tremendous success, in my mind," he said, warning that cybercrime will never truly be eliminated. "Just like we are not going to stop burglary, we are not going to stop these guys. But as long as people can do business safely on the Internet, then that is a win."
Posted by: Robert Lemos