Law enforcement may finally be making inroads into disrupting underground cybercrime, which could be a major factor accounting for the dip in the number of lost records reported by the most recent Verizon Data Breach Investigations Report, released today.
If you can tie a crime to 40 others in a six-month stretch, that gives you tackling fuel to pursue a conviction.
Bryan Sartin, director of investigative response, Verizon
The report, quickly becoming the de-facto information security industry snapshot for breach statistics and trends, says the number of 2010 lost records dropped dramatically to fewer than four million, after a high watermark of more than 360 million in 2008. That coincides with a number of high-profile arrests of cybercrime kingpins in the U.S. and other countries. While the report -- built from cases handled by Verizon, the U.S. Secret Service and the Dutch National High Tech Crime Unit — concedes the possibility that large breaches were either not reported or not handled by Verizon. But more likely, Verizon concludes, is that law enforcement activity is finally making a dent in cybercrime.
Arrests of leaders such as Albert Gonzalez, the brains behind the TJX hack, Ukrainian carder Maksym Yastremskiy, Russian carder Vladislav Horohorin and Georg Avanesov, handler of the Bredolab botnet, have cut into spam levels significantly and consequently into the amount of underground trading of credit card and other sensitive data.
Bryan Sartin, director of investigative response at Verizon, said law enforcement has made notable gains in intelligence sharing, not only among American law enforcement and the private sector, but also internationally.
“Every month we all get better sharing malcode intelligence,”Sartin said. “So if we’re seeing malware for the first time in Poland, others are seeing it around the globe at the same time. We’re seeing the same lead indicators for compromise for the purposes of tying many breaches together.”
Sartin explains, for example, tying many breaches together by finding commonalities in pieces of custom malcode such as unique points of entry, IP addresses or TCP sequences, is one outcome of intelligence sharing.
“If you can tie a crime to 40 others in a six-month stretch, that gives you tackling fuel to pursue a conviction,” Sartin said.
The report also speculates that the spate of recent high-profile arrests could have eroded certain underground hacking skill sets. “But correlation, of course, is not causation,” the report said. “It is also interesting that we consistently have a significant portion of our caseload that ties back to the same individuals or groups. If the attacker population were enormous, we wouldn’t expect to see that in our sample year after year.”
Verizon said too that law enforcement’s infiltration of black markets and criminal communications channels may have weakened trust in that community, accounting for some of the dip as well. Another hypothesis could be economic: Massive breaches pulled off at the end of last decade may have flooded the market with credit card and personal data. “Criminals might opt to let the markets clear before stealing more in bulk, or selling what they already had,” the report said. “We could be in such a holding pattern now.”
As a result, cybercriminals could be building markets for intellectual property being indiscriminately sucked up in breaches pulled off by malware such as the Zeus Trojan. Since credit card data has had a rabid marketplace, it has been much easier to move credit card data between theives. Not so any longer, the report indicates.
“We’re seeing small but developing black markets for intellectual property,” Sartin said. “We’re starting to see defined channels for buying and selling of that data.”
One factor leading to this trend is the fact that retailers and other enterprises handling credit card data are forced by regulations such as PCI DSS to implement controls such as encryption and segmentation around credit card data, making it more difficult to target. Companies notoriously don’t invest as much in protecting its trade secrets as they do custodial data, largely because of federal laws and industry regulations.
“Other information types are reasonably unprotected and unaccounted for,” Sartin said. “In the criminals’ initial [reconnaisance], they’re looking for interesting targets of opportunity and are not able to locate consumer records the way they used to. They’re just going after any proprietary data they can get their hands on.”