In light of recent cyberespionage, the breakup of cybercrime rings, and the threats that sophisticated malware such as Stuxnet present to critical infrastructures, McAfee Labs researchers and industry experts call for a more proactive strategy for fighting cybercrime.
“Cybercriminals prosper because they have very little reason to fear the consequences,” said Jeff Green, senior vice president of McAfee Labs. “As security experts, it’s time to take a hard look at what we do, how we do it, and what our ultimate goals are. The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. Every time we release a new statistic about the rise in malware it points to our failure as an industry.”
A new McAfee report, titled “Security Takes the Offensive,” is based on strategies compiled by international experts and issues a “call to arms” to the security industry. Traditionally, security technology companies and computer users have taken a defensive posture, putting the cyber equivalent of body armor on computers, networks and in the cloud. The report’s authors say it is now time to avoid enemy strikes altogether by taking a more aggressive stance, aligning forces and involving law enforcement.
“As we look at the evolution of risky domains and websites over multiple years, we can’t avoid the conclusion that the risk keeps increasing in both volume and sophistication,” said David Marcus, director of security research and communications for McAfee Labs. “If we want to stop being victims, then the good guys need to advance security efforts as threats evolve.”
The report details the following methods for building a more offensive security strategy:
Use hacker techniques: Data loss is accelerating at an alarming rate, as there were 222 million records lost in 2009 in the United States alone. Organizations should use hacker techniques, such as fuzzing and penetration testing, to find bugs within their own products and address the issues, shutting the door on the bad guys.
Provide data to help prosecute cybercriminals: A major component for combating spam lies in the hands of ICANN (the Internet Corporation for Assigned Names and Numbers), as it accredits the registrants that sell the domains which cybercriminals use to host malicious sites. Working with the security industry, ICANN should take a stronger stance against cybercrime.
Share information: Computer users, security professionals and administrators should share intelligence information with their trusted security vendor, and in turn security vendors should cooperate in live metadata sharing. Legislators should take these issues into account when drafting laws within their respective countries.
Implement “shuns” and “stuns”: Three successful “tried and true” takedowns to date—MoColo, Atrivo and Mega-D—fall into one of two categories: “shuns,” in which the Internet community ostracized the network, and “stuns,” which focused on incapacitating botnets. An offensive security practice should involve the entire security industry while incorporating methods that have proven successful. Shuns and stuns have beaten the odds in the past and industry experts as well as law enforcement should embrace these methods as a common security practice.
Use tactics that increase risk for cybercriminals: Cybercrime has become an increasingly for-profit endeavor. Like any enterprise business model, the psychology of organized cybercrime follows the three major factors: risk, effort and reward. By using a number of potential tactics affecting each of these factors, the ratio can flip, so that cybercriminals faced actual risk for substantially reduced reward, diminishing cybercrime overall. Some of those tactics include publicly disclosing the names of cybercriminals, increasing the fines against cybercriminals, increasing the shutdowns of affected domains, more effective spam filtering, closing “dropped” email accounts and freezing payment accounts that are suspected of fraud.
Educate: Security experts should work with governments to provide models to tie together cybercrime-reporting with cybereducation, so users can start to link uninformed behavior to their risk of becoming victims. This includes educating those fighting cybercrime “on the streets” to have the latest in malware techniques, bringing tools to the mass population to help identify risky behavior, pointing users to the right contacts to report crimes, and helping to build education and awareness at the kindergarten level through higher education.