Disrupting the Economics of CybercrimeHow the Industry of Cybercrime Works
No business wants its customers to become victims of cybercrime. The key to prevention is understanding how the cybercrime industry works.
Cybercrime is a business and, like any business, it's driven by profit. Here we describe how organizations can make credential theft less profitable at every stage of the criminal value chain, and, in doing so, lower their risk.
Every company's cybercrime defense strategy should include ways to increase the economic burden on the attackers, making fraud too expensive and unprofitable to be worth its cost and effort.
The cybercrime value chain has three components. The first phase is the attack, which involves the initial penetration (aka data breach) and theft of credentials. In the second phase, brokering, the stolen credentials are sorted and tested to confirm their value. The third phase, so-called carding, is when criminals take over accounts to obtain actual goods (e.g. expensive electronics) or take control of bank accounts, gift cards, rewards points, airline miles and the like, all of which can be converted to cash.
Preventing the Data Breach
For phase one, the most common method of stealing credentials is phishing, and employee education is the prime defense. (Don't click on that mystery link!) However, as humans are fallible, there are also good technology approaches that can detect and reroute malicious spam. Intrusion detection solutions also exist to detect anomalies in network traffic or application behavior if criminals manage to get past the defenses that are in place.
None of these defenses are infallible, but cybercriminals prefer targets that require little time and energy over those that are difficult to crack, for the obvious reason that overcoming sophisticated defenses costs more money and reduces profit margins.
Frustrating Brokers and Carders
Brokers add value (and make money) by testing and assessing the quality of stolen credentials and then reselling them. They typically attack the "create new account" system first. Brokers know that if they can create new accounts using a particular batch of stolen credentials, those credentials are of no value for credential stuffing. They're not in the target system. On the other hand, if brokers get a "This account already exists" message, they know the credentials are in the system and therefore ripe for attack.
One simple tactic that can frustrate brokers is limiting the amount of information your system provides. Instead of displaying, "This account already exists," display, "We'll check to see if this account is available and let you know shortly." Admittedly, this approach adds friction to the transaction, but it's worth the trouble.
The main point for cutting brokers' profits is to remember that they typically use automated technology capable of evaluating thousands of credentials in a matter of minutes. The same is true for carders who buy from these brokers. For this reason, organizations need to think in terms of real-time defenses against what in many ways resemble zero day exploits. This means being able to distinguish "bad" automated traffic from legitimate automated traffic and traffic from humans using the system.
Traditional Tactics Don't Always Work
Unfortunately, two well-known tactics that once worked well against automated, bot-driven systems are likely no longer highly effective.
CAPTCHA. Artificial intelligence systems can solve CAPTCHA challenges as well as or better than human beings, and these systems are well within the reach of cybercrime organizations. Also, there are CAPTCHA-solving services that use human labor to provide CAPTCHA responses for a few pennies per response with a turnaround time of under 10 seconds.
IP Blocking. Blocking based on IP reputation, also once quite effective, now has significant problems. First, with the help of automation, cybercrime organizations move very rapidly to exploit stolen credentials, often acting before those credentials appear anywhere on the dark web. Only after most of their value has been extracted will criminals put them up for sale on illicit sites, such as Pastebin. As a result, suspicious IP addresses can only be found there after they have done most of their damage.
In addition, blocking suspicious IP addresses can inadvertently exclude legitimate customers. For example, a university may have 50,000 people using the same IP address. Blocking that address because of a handful of bad actors excludes everyone in a large customer base. Finally, today's attackers can rapidly change IP addresses if they think they've been discovered by renting proxy services to create distributed IP attacks using thousands of different IPs.
Smarter Protection with Artificial Intelligence
One approach that does work is based on the use of artificial intelligence to distinguish log-in patterns that could only be generated by automated systems, even when those patterns are designed to mimic those of a legitimate human log-in.
A second method involves mediated cooperation among large numbers of potential target organizations, such as banks, large retailers, airlines and the like. A system in which the use of compromised credentials at one site or store can be detected in real time and shared with other likely victims can prevent fraud in real time. This process of security information sharing makes the activities of cybercriminals significantly less profitable and decreases their incentive to continue in their dark work.
New Criteria for Password Strength
One well-known tactic for protecting customer accounts that is still valid is the encouragement of strong passwords. However, the classic definition of a strong password - 10 alphanumeric characters including capitals, lower case and at least one symbol - is no longer valid. Today, the best strong password choice is a string of unrelated words, with or without spaces, such as "moon hat cup tiger." Strong passwords are quite simply harder to guess, and that's important when the "guessing" is being done by an automated system.
Cybercriminal organizations are organized to make a profit, just like other businesses. Every company's defense strategy should therefore include ways to increase the economic burden on the attackers, making fraud too expensive and unprofitable to be worth its cost and effort.
2018 Credential Spill Report
Read the 2018 Credential Spill Report where you can learn about the data behind credential stuffingRead now