When is an IP address not actually the person, country of origin or device you thought? From Klingons, to Harry Potter, to Xbox Halo’s Master Chief, the world has dreamt up scores of science fiction stories around the concept of visually cloaking someone in plain sight.
Now hackers have come up with virtual ways to be transparent – at least to the law: cyber cloaks. Cyber cloaks are most valuable to those engaged in criminal cyber activity, because they offer freedom from the consequence of prosecution.
In general, a cloak consists of one or more of five core ingredients, and there are almost immeasurable ‘flavors’ that can be combined with great care and precision. I will not go into great detail, so as not to promote specific attacks; however, understanding how these techniques work is essential to protecting your organization against their use.
Cyber cloaking ingredient one: The attack originates from a domicile with poor-to-no law enforcement agreements with the domicile of your intended victim
The world has settled into a mode whereby cyberattacks are commonplace and almost ordinary. In fact, in many ways, the only news in cyberattacks is that they are accelerating in both the rate of incidents and the variety of techniques.
What is new is the process of deliberately choosing the host country / area / domicile for an attack. Placing a cyber weapon in a well-chosen country greatly complicates the legal ability of authorities to act on the perpetrated act.
There are many places in the world with either no functioning system of jurisprudence or outright hostility toward the victim’s country, making it impossible to conduct any after-action legal forensics or investigation there. So, the first main ingredient in any cyber cloak is choosing the domicile from which to attack: one whose hostility to the victim’s authorities has the desirable attribute (for the attacker) of breaking the legal trail. Simply put, an attacker never attacks from a country or territory with good relations with the legal system of the intended target, and only amateurs attack a target within the same country in which the attack originates.
Cyber cloaking ingredient two: Anonymize your attack numerous times
There is no better way to introduce doubt and complicate the work of authorities than by developing a robust plan for anonymizing yourself. There are five broad ways to anonymize an attack, and the more of these techniques are combined, the longer and more tangled the trail becomes. These are as follows:
1. Make certain you are leveraging dynamic IP addresses: Today’s reality is that many users access the Internet through providers using dynamic host configuration (DHCP), which results in a new IP address each time they connect. When you combine this with the increased mobility of today’s user, organizations are quickly faced with a challenging situation with regard to user identification.
2. Originate the attack from behind a carrier-grade NAT: Behind a carrier-grade NAT, many devices share the same public IP address, making it difficult to block that IP without also blocking legitimate users and devices. An attack originating from behind one of these large proxies is hard to mitigate, because the victim often cannot afford to block the service the attack arrives from. It is also complicated to translate the shared address back to a specific device, because doing so requires access to the NAT tables held by the proxying carrier.
3. Browsing through anonymous proxies: A large number of anonymous proxy services have cropped up in recent years, largely in response to privacy advocates seeking ways to avoid personal identification of users. The trouble is, they also provide excellent cover for bad actors. Some of these networks are freely available, such as the Tor network, while others are for-fee and are marketed as being as innocuous as ‘ad blockers.’ Regardless, these proxies can complicate legal and forensic trails in immeasurable ways.
4. IP spoofing: Any number of tools are readily available that enable users (including criminals) to modify or forge the header of an IP packet to include a false source IP address. This tactic can be used to gain higher levels of access by spoofing the IPs of trusted machines, or simply to evade detection based on IP addresses that were previously blacklisted.
5. Accessing origin servers through a CDN: Content Delivery Network services have grown to support a high percentage of ecommerce traffic on the Internet. For all their benefits in accelerating browsing, CDNs create a number of security challenges, including the need to whitelist the CDN’s IP addresses in order to ensure access to origin server content. Criminals often exploit this by making multiple malicious login attempts while their own IP addresses are masked behind the CDN.
Cyber cloaking ingredient three: Leverage numerous out-of-band communication techniques
In tracking down the perpetrator of an act, it is one thing to know there is a smoking gun, but it is quite another to understand who directed the shot and why. To cloak themselves, perpetrators spread their communications across multiple bands, which severely complicates tracking technologies that may be advanced in one area (e.g. HTTP) but less sophisticated in others (e.g. data embedded in MP4 or SIP, or Bluetooth or Zigbee communications). There is no better way to muddy the picture than to break communication up into separate, almost unforecastable bands and drive the nefarious actions through them.
Cyber cloaking ingredient four: Leverage technologies that are hard to uncover forensically
When choosing technology platforms from which to perpetrate an act, one way “bad guys” get around law enforcement is to pick devices with little capability to audit or otherwise record their actions (think IoT devices, Raspberry Pi, etc.). The simpler the box or system conducting the attack, the less likely the device has strong native controls or the ability to be augmented with additional security. If the device is poor at auditing or control, the forensics will likely suffer, leaving the perpetrator obfuscated or cloaked.
Cyber cloaking ingredient five: Spoof your IP & desktop images frequently
Last but not least, make your IPs more dynamic. Make sure you change them every session, and while you are at it, change your operating environment with each attack too. This can be done by leveraging virtual environments and cloud-delivered services, so that an attack is essentially hosted by an innocuous third party and leveraged in a crime (much like how criminals use pre-paid cell phones).
Each of the five techniques listed above carries the ability to cloak a perpetrator’s real identity from a legal perspective. Yes, it’s true that there are ways beyond legal methods to find out who perpetrated the act and to mitigate the perpetrators, but these techniques are generally only available for national self-defense, and even those are highly restricted. It’s high time that the legal and security communities understand that the IP address is dead for legal purposes and begin to work on rational ways to uncover malicious actors through the fog of technology and regional borders.
The answer to this cloaking malaise is to leverage emerging technologies, such as fingerprinting and other fraud-detection style enumerations, which expose the perpetrator and provide an indelible mark from which to arrest them. Legal teams and security professionals alike must get beyond the current lay of the land in security technology and reach into the next generation to find answers.
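The following is an added defensive example, not code from the original article, illustrating ingredient two (the carrier-grade NAT and CDN items in the list) and the fingerprinting answer proposed in the conclusion: a login-failure tracker that only honours X-Forwarded-For from a trusted CDN edge (so a forged header from an arbitrary peer is ignored) and keys its counters on a composite fingerprint rather than a bare IP, so one abusive client behind a shared NAT address is flagged without blocking its neighbours. The CDN range, header traits and sample events are constructed for the example.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed CDN edge range for this example, standing in for a provider's published list.
TRUSTED_CDN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def effective_client_ip(remote_addr, headers):
    """Return the address a request should be attributed to.

    X-Forwarded-For is honoured only when the TCP peer is a known CDN edge;
    any other peer can write that header itself, so its claim is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_CDN_NETS):
        claimed = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # empty or malformed header: fall back to the edge address
    return str(peer)


def fingerprint(ip, headers):
    """Hash the attributed IP together with stable client traits so that the
    many users behind one carrier-grade NAT do not collapse into one identity."""
    traits = "|".join([ip, headers.get("User-Agent", ""), headers.get("Accept-Language", "")])
    return hashlib.sha256(traits.encode()).hexdigest()[:16]


class FailedLoginTracker:
    """Count failed logins per fingerprint instead of per IP address."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def record(self, remote_addr, headers, success):
        fp = fingerprint(effective_client_ip(remote_addr, headers), headers)
        if not success:
            self.failures[fp] += 1
        return fp, self.failures[fp] >= self.threshold


# Constructed sample events: (peer address, headers, login succeeded?)
SAMPLE_EVENTS = [
    ("198.51.100.7", {"User-Agent": "bot/1.0", "Accept-Language": "en"}, False),
    ("198.51.100.7", {"User-Agent": "bot/1.0", "Accept-Language": "en"}, False),
    ("198.51.100.7", {"User-Agent": "bot/1.0", "Accept-Language": "en"}, False),
    ("198.51.100.7", {"User-Agent": "Mozilla/5.0", "Accept-Language": "de"}, True),  # neighbour on same CGNAT
]


def run_sample():
    """Replay the constructed events and return {fingerprint: flagged}."""
    tracker = FailedLoginTracker()
    return {fp: flagged for fp, flagged in (tracker.record(*ev) for ev in SAMPLE_EVENTS)}
```

The neighbour sharing the NAT address ends up with a different fingerprint and is never flagged, while the three failures from the bot trip the threshold.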