
Why Just Play Defense Against Cybercriminals When You Can Do So Much More?

Crane Hassold November 28th, 2018 Cybercrime

In August, word hit that the Justice Department had led a recent joint operation with private industry to put a dent in the global cybercrime ring known as the Carbanak Group.

Known for having stolen more than $1 billion through various cyber-scams over the last five years, the group has recently been using spear phishing techniques to hack thousands of businesses in the hospitality and restaurant industries, including Arby’s, Chili’s, and Chipotle.

Details on the collaboration are sparse, but it appears security teams at these and other companies may have played a key role in helping authorities arrest three suspects connected with the group, all Ukrainian nationals.

What does seem clear is that their participation involved intelligence gathering rather than direct penetration of the group’s operations. At least on the surface, that falls in line with “active defense.”

For those just tuning in, active defense describes methods by which organizations hit by phishing and other cyberattacks can trace them back to their source and collect additional intelligence about the threat actors targeting them.

Active defense is not the same thing as “hacking back,” which has gained some notoriety over the past few years and can include counterstrikes meant to cripple the cybercriminals’ systems. Though perhaps a little less cathartic, active defense can still net some serious results.

Shield Meets Sword

In one recent case, for instance, Agari researchers developed responsible active defense techniques that enabled us to identify the perpetrators of a large number of email scams targeting several of our clients’ businesses.

Taking care to keep the FBI informed of our effort during this 10-month operation, we analyzed 78 criminal email accounts and unmasked 10 international cybercrime organizations. By analyzing these accounts and nearly 60,000 unique email messages, we were able to better understand the tactics, targets and, ultimately, the identities of the criminals responsible for a significant number of phishing campaigns.

Along the way, we warned financial institutions about accounts being used for money laundering and other criminal activities, and provided this evidence to law enforcement. In one instance, quick action even helped a company recover its money before it was lost forever. Still, active defense isn’t to be taken lightly. And it can come with some major risks.  

Stranger Danger

Active defense has yet to become a product you can purchase. Instead, it’s an approach—one that falls in a gray zone between offensive cyber and more passive forms of defense such as firewalls, email filters, and so on.

Hacking back is really meant for nation-states hitting back against other nations or non-state actors. Besides the fact that it’s illegal for companies to conduct such operations, it’s also a very bad idea.

Why? Attribution is hard. Because of the sophisticated identity deception employed by today’s criminal networks, it is very easy to end up targeting an innocent third party with your counterstrikes, such as “reverse malware” meant to take down their operations. Even when a counterstrike hits the right target, it can leave the criminals set on waging an all-out war against your organization, creating far more trouble than it’s worth.

Within active defense, however, lies a full spectrum of activities. At the low-risk end are efforts such as information sharing, honeypots, and intelligence gathering on the dark web. At the higher-impact, higher-risk end, activities can include botnet takedowns, white-hat ransomware, rescue missions to recover assets, and more.

Better still is avoiding the need for any of this in the first place.  

Priority: Modernization

Long before considering active defense measures, businesses should have proper advanced email protection in place.

Yet today, most organizations rely on outdated systems that are adept at spotting malware or phishing links but are unable to detect and disrupt today’s most sophisticated BEC scams. Instead of code or cargo, these attacks use plain-text messages that prey on human emotions—anxiety, fear, curiosity—to trick people into logging into a phishing site or even making a wire transfer to pay a fraudulent invoice.
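The contrast above (legacy filters keyed on links and attachments versus BEC messages that carry neither) can be shown with a small scoring routine. What follows is an added example, not Agari’s product code or any code from the original post: it runs a link-or-attachment “legacy” check and a set of BEC indicators (display-name impersonation, Reply-To mismatch, a lookalike sender domain, urgency language, a payment request) over three constructed messages. The protected domain example.com, the executive directory and the sample messages are all hypothetical.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Hypothetical protected organization and a directory of known senders.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
URGENCY = ("urgent", "asap", "immediately", "right away", "before end of day", "confidential")
PAYMENT = ("wire transfer", "invoice", "payment", "bank details", "gift card")


@dataclass
class Message:
    from_header: str
    reply_to: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def legacy_filter(msg: Message) -> bool:
    """Legacy approach: only a link or an attachment makes a message suspicious."""
    return bool(URL_RE.search(msg.body)) or bool(msg.attachments)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot sender domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg: Message) -> list:
    """Return the BEC indicators present in a plain-text message (no payload needed)."""
    indicators = []
    display, addr = parseaddr(msg.from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    # A known executive's name shown over an address that is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        indicators.append("display_name_impersonation")
    # Replies are silently diverted to a different mailbox.
    _, reply_addr = parseaddr(msg.reply_to)
    if reply_addr and reply_addr.lower() != addr.lower():
        indicators.append("reply_to_mismatch")
    # Sender domain is a near-miss of the protected domain (e.g. a digit for a letter).
    if domain != TRUSTED_DOMAIN and levenshtein(domain, TRUSTED_DOMAIN) <= 2:
        indicators.append("lookalike_domain")
    text = (msg.subject + " " + msg.body).lower()
    if any(w in text for w in URGENCY):
        indicators.append("urgency_language")
    if any(w in text for w in PAYMENT):
        indicators.append("payment_request")
    return indicators


def is_bec(msg: Message, threshold: int = 2) -> bool:
    """Flag when two or more indicators coincide; a lone payment mention is normal business."""
    return len(bec_indicators(msg)) >= threshold


# Constructed sample messages (hypothetical; not real traffic).
SAMPLES = [
    Message("Jane Doe <jane.doe@examp1e.com>",
            "Jane Doe <j.doe.private@webmail.invalid>",
            "Urgent wire transfer",
            "I need you to process a wire transfer for a vendor invoice before end of day. "
            "This is confidential, reply to me directly."),
    Message("Jane Doe <jane.doe@example.com>", "", "Q3 review slides",
            "Attached are the slides for Thursday's review; the agenda is at "
            "https://intranet.example.com/q3.", attachments=["q3.pptx"]),
    Message("Jane Doe <jane.doe@example.com>", "", "Invoice approved",
            "The invoice from Acme is approved; finance will process the payment next week."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "| legacy:", legacy_filter(m), "| BEC:", is_bec(m), bec_indicators(m))
```

The first message is the BEC case: no link, no attachment, so the legacy check passes it, while five indicators fire. The second is ordinary mail that the legacy check flags only because it contains a link. The third shows why a threshold matters: a single “payment” mention from the genuine executive address is not enough to flag.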

Who knows? As a growing number of organizations adopt modern email security solutions, perhaps we’ll all find less need to strike back—and even better ways to shut down cybercriminals when we do.

To learn more about active defense and its role in stopping the forces behind phishing and BEC scams, download an exclusive report, “Behind the ‘From’ Lines: 10 Cybercriminal Organizations Unmasked.”

