In August, word hit that the Justice Department had led a recent joint operation with private industry to put a dent in the global cybercrime ring known as the Carbanak Group.
Known for having stolen more than $1 billion through various cyber-scams over the last five years, the group has more recently used spear phishing to break into businesses across the hospitality and restaurant industries, including Arby’s, Chili’s, and Chipotle.
Details on the collaboration are sparse, but it appears security teams at these and other companies may have played a key role in helping authorities arrest three suspects connected with the group, all Ukrainian nationals.
What does seem clear is that their participation involved intelligence gathering rather than direct penetration of the group’s operations. At least on the surface, that falls in line with “active defense.”
For those just tuning in, active defense describes methods by which organizations hit by phishing and other cyberattacks can trace them back to their source and collect additional intelligence about the threat actors targeting them.
Active defense is not the same thing as “hacking back,” which has gained some notoriety over the past few years and can include counterstrikes meant to cripple the cybercriminals’ systems. Though perhaps a little less cathartic, active defense can still net some serious results.
In one recent case, for instance, Agari researchers developed responsible active defense techniques that enabled us to identify the perpetrators of a large number of email scams targeting several of our customers’ businesses.
Taking care to keep the FBI informed of our effort during this 10-month operation, we analyzed 78 criminal email accounts and unmasked 10 international cybercrime organizations. By analyzing these accounts and nearly 60,000 unique email messages, we were able to better understand the tactics, targets and, ultimately, the identities of the criminals responsible for a significant number of phishing campaigns.
Along the way, we warned financial institutions about accounts being used for money laundering and other criminal activities, and provided this evidence to law enforcement. In one instance, quick action even helped a company recover its money before it was lost forever. Still, active defense isn’t to be taken lightly. And it can come with some major risks.
Active defense has yet to become a product you can purchase. Instead, it’s an approach—one that falls in a gray zone between offensive cyber and more passive forms of defense such as firewalls, email filters, and so on.
Hacking back is really meant for nation-states hitting back against other nations or non-state actors. Besides the fact that it’s illegal for companies to conduct such operations, it’s also a very bad idea.
Why? Attribution is hard. Because of the sophisticated identity deception employed by today’s criminal networks, it’s easy to end up aiming a counterstrike, such as “reverse malware” meant to take down their operations, at an innocent third party. And even a successful counterstrike can provoke the criminals into waging an all-out war on your organization, creating far more trouble than it’s worth.
Within active defense, however, lies a full spectrum of activities. At the low-risk end are information sharing, honeypots, and intelligence gathering on the dark web. At the higher-impact, higher-risk end are botnet takedowns, white-hat ransomware, rescue missions to recover assets, and more.
Better still is avoiding the need for any of this in the first place.
Long before considering active defense measures, businesses should have proper advanced email protection in place.
Yet today, most organizations rely on outdated systems that are adept at spotting malware and phishing links but are unable to detect and disrupt today’s most sophisticated business email compromise (BEC) scams. Instead of code or cargo, these attacks use plain text messages that prey on human emotions (anxiety, fear, curiosity) to trick people into logging into a phishing site or even making a wire transfer to pay a fraudulent invoice.
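To make the gap concrete, here is an added Python sketch (not code from Agari or from this post) that contrasts the two approaches on a constructed message. A payload-centric filter that only looks for links and attachments passes a plain-text wire-transfer request untouched, while checks on sender identity (an executive’s display name on an outside address, a Reply-To that diverges from the From domain, a lookalike domain) and on pressure language flag it. The organisation domain, executive list, keyword list and both sample messages are assumptions constructed for the example.

```python
"""Added example: why a link/attachment scanner passes plain-text BEC,
and what an identity-based check looks at instead. Not Agari's code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
URL_RE = re.compile(r"https?://\S+", re.I)
# Pressure/payment phrases typical of a BEC lure (illustrative list).
URGENCY = ("urgent", "asap", "right away", "wire", "before close", "confidential")

# Constructed BEC lure: no link, no attachment, lookalike domain ("examp1e"),
# executive's display name, replies redirected to a webmail address.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
To: Bob Smith <bob.smith@example.com>
Reply-To: ceo.office@gmail.com
Subject: Urgent wire request
Content-Type: text/plain

Bob, I'm in a meeting and can't talk. I need you to process a wire
transfer before close of business today. Keep this confidential.
Jane
"""

# Constructed benign message from the real executive mailbox.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: Bob Smith <bob.smith@example.com>
Subject: Lunch
Content-Type: text/plain

Bob, are you free for lunch on Thursday?
Jane
"""


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def legacy_filter_verdict(raw):
    """Model of a payload-centric filter: blocks only on a URL or attachment."""
    msg = message_from_string(raw)
    has_attachment = any(p.get_filename() for p in msg.walk())
    has_url = bool(URL_RE.search(_body_text(msg)))
    return "block" if (has_attachment or has_url) else "allow"


def bec_indicators(raw):
    """Identity- and content-based signals; returns a list of reasons."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Known executive's display name on an address we do not expect.
    expected = EXECUTIVES.get(name)
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' on {addr}, expected {expected}")
    # 2. Reply-To points somewhere other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Reply-To {reply} diverges from From domain {from_domain}")
    # 3. Sender domain is a close misspelling of our own.
    if from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_domain} vs {OUR_DOMAIN}")
    # 4. Pressure/payment language in subject or body.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, "legacy:", legacy_filter_verdict(raw),
              "indicators:", bec_indicators(raw))
```

The keyword check is only a tie-breaker; the identity checks do the real work, and a lure sent from a genuinely compromised executive mailbox would pass all three of them, which is why detection of this class of attack has to look at sender behaviour rather than message payload.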
Who knows? As a growing number of organizations adopt modern email security solutions, perhaps we’ll all find less need to strike back—and even better ways to shut down cybercriminals when we do.
To learn more about active defense and its role in stopping the forces behind phishing and BEC scams, download an exclusive report, “Behind the ‘From’ Lines: 10 Cybercriminal Organizations Unmasked.”