Ever since the arrival of advanced persistent threats, obfuscation technologies have existed to help cybercriminals evade security detection and tracing. It’s an ongoing evolution of technology on the bad guys’ end.
It really started with antivirus evasion, years ago. Today, we have about 500,000 virus samples coming into FortiGuard Labs every day. A lot of those are from the same virus family, but they’re polymorphic—which means they use binary packers to shift the nature of the code every few seconds to try and bypass antivirus detection technology.
Attackers have moved on to adapt similar obfuscation techniques in other vectors and channels. For example—with websites, web filtering technology protects users by blocking access to malicious sites in order to serve up a virus. Over a decade ago, cybercriminals started using fast-flux networks to shift IP addresses and domains very frequently—in some cases one threat can use over 50,000 websites in just a day to disguise where they’re coming from.
Things like Tor networks introduce an even more sophisticated adaptation of deep web activity. Tor (which stands for “The Onion Router”) is designed to enable anonymous sending and receiving of web traffic. Users not only have the ability to remain unidentifiable, but they can also access content that’s blocked to them. Tor manages this by custom encrypting traffic and then randomly forwarding it via a network of relays. Each individual relay features its own encryption layer to help cover the tracks and conceal the user’s identity.
These kinds of next-generation security evasion tools use the deep web to hamper inspection and tracing. When it comes to law enforcement trying to attribute where an attack is coming from, criminal operators are continually creating new communication protocols and encryption schemes to “go dark” and shift tactics when law enforcement and security intelligence are on their trails. This opens up channels for all sorts of potential illicit activity—selling stolen goods, drug trafficking, child pornography, and even espionage.
The most important thing that we as an industry can do to combat these sorts of threats is to work together—including computer emergency response, security experts, vendors, and law enforcement. Because the technical aspects of cybercrime aren’t a core strength of policing agencies, researchers in the private sector should be sharing their expertise with the public sector to help pursue and shut down nefarious operations. And there have been several special interest forums and working groups in the past that have enjoyed success.
When the Conficker threat came out back in 2008, it used a domain generation algorithm (DGA) to produce up to 50,000 different websites that it would try to connect to in a day. The bad guys would pick one of those out of the 50,000 to actually make active for communication. For anyone outside the hacking group, finding that site was the proverbial needle in a haystack. So the industry (intel operators and security vendors) got together and created the Conficker Working Group to try and proactively block all these new domains that the threat was generating and protect users. Those disruption efforts helped to buy time for people to deploy the MS08-067 security patch, and allowed the working group to sinkhole and track infections..
Today, Fortinet is contributing to groups like the Cyber Threat Alliance (CTA). When CTA released our CryptoWall Version 3 report in October 2015, it showed evidence of approximately $325 million in ransomware damages via this operation. And as soon as we published that paper, the cybercriminals behind CryptoWall 3 went completely dark and shifted their tactics. The power of collaborative research and information sharing proved to be a major disruptive force against these attacks.
At Fortinet, we also contribute to Interpol’s expert cybercrime working group. We also work with the FBI and other relevant agencies to support research and consume intelligence that can further protect our customers. Certainly Fortinet’s latest partnership agreement with NATO is also worth mentioning in this context. We recently signed an agreement to boost two-way information sharing with a particular emphasis on pursuing cyber criminals and their campaign playbooks. This kind of private/public collective intelligence helps combat advanced threats, deploy security controls to counteract the latest moves, and deliver greater security for our customers and all organizations.
While we fully expect the bad guys to continue finding new tools to conceal illegal activities and evade identification, our industry has proven the ability to fight back against those threats through cooperative problem solving and sharing relevant research. Putting more resources into these sorts of common-ground alliances only makes sense as attackers develop new and better tools to exploit users. Cyber criminals are becoming more clever and hiding their tracks since they know they are being tracked and are at risk. For the first time, we are seeing fear within cyber criminal organizations.