Cybercrime today is run as a business, with ROI, user support, clear hierarchies and business plans. One aspect of this type of business is its high rate of innovation, which continually produces new technical advances in how cybercrime spreads.
This can be seen in the speed with which viruses are written to exploit newly discovered flaws, and in the advances made by botnets in recent years. At the turn of the century, botnets were simple in structure, linking compromised computers to command and control servers organised around a single controlling point. This led to techniques for discovering those command and control servers and shutting them down, effectively turning the botnet 'off'.
As time progressed, so too did innovation in botnet technology. Where botnets once used IRC to relay commands, they now use protocols with enterprise-grade encryption. Where botnets once had a small number of points of failure, they now distribute not just processing but also control. Technologies related to protocols such as BitTorrent and Tor have made botnets resilient and reliable. The Avalanche botnet, which reigned supreme during 2009 and early 2010, was finally overcome only after significant investment by the anti-cybercrime community, involving extensive research into the botnet's operations as well as technical advances. The BredoLab botnet (Oficla) was dismantled only after more than 140 command and control servers were taken offline. The effort needed to take down a large botnet is significant, and appears to be growing as botnet technology outpaces anti-botnet advances.
The scale of technical innovation produced by cybercriminals highlights the need to be more strategic about responses. As well as the day-to-day "firefighting" of current attacks, research into more resilient systems, better managed policies and more informed users is needed. This involves short, medium and long term strategies, with the co-operation of entities including the research community, security companies and government. At a business level, this means building resistance to cybercrime into processes and policies rather than addressing it after it becomes a problem. As with any risk, quantifying the threat of cybercrime is difficult, but preparation can produce more effective responses.
Cybercriminals innovate technically at an alarming rate, leaving security catching up and plugging holes as they are found. Can a more proactive research direction lead to stronger responses that provide more secure systems? How do readers balance the "firefighting" season with longer term strategic responses? I invite comments with your strategic responses to cybercrime below.
About the Author
Robert Layton is a Research Assistant with the Internet Commerce Security Laboratory (ICSL) at the University of Ballarat. Robert completed his Bachelor of Computing with first class honours before moving into a PhD in cybercrime attribution. Robert recently submitted his thesis on indirect cybercrime attribution.