The success of the DDoS for Bitcoin (DD4BC) attack group has been well documented and so it should come as no surprise that other cyber-criminals are jumping on the denial of service extortion bandwagon.
Last week, at an IT industry awards lunch, we heard first hand from a large ISP how it was being threatened by just such an attack, complete with demands for a 'go away fee' to be paid in Bitcoin. And now we understand that e-tail company Aria Technology has been on the receiving end of a similar scenario of service disruption along with Scan Computers and Novatech.
Rather than pay the demanded 16.66 Bitcoin (approx £2,800) ransom, the Aria Technology chief executive, Aria Taheri, opted to turn the tables and took to Twitter to announce he was putting a £15,000 bounty on the heads of the attackers. This follows, we are led to believe, success in catching hackers who targeted the Aria website in 2013 after a reward for their capture was posted by Taheri.
Although offering financial reward for the apprehension of attackers, and indeed for disclosure relating to zero-day vulnerabilities in code, is not that unusual it is worthy of some further discussion. Not least as Taheri went on record (https://www.channelweb.co.uk/crn-uk/news/2431257/uk-e-tailers-hit-by-ddos-barrage) to say that he wouldn't be paying the demanded ransom as "these kinds of attacks are only designed to affect our website and make it inaccessible" while customer information remained 100 percent secure. Taheri also went on to say that this disruption would only last for a matter of hours and "customers can always come back at a later time."
This struck us as a somewhat surprising attitude for a customer facing e-tail operation to take, almost as much as the fact that it would not have some measure of DDoS mitigation in place to prevent such attacks from disrupting the business in the first place. Then there was the comment from Taheri that paying up would "only encourage others to come to us and blackmail us more" whereas a ransom says "I will spend a significant amount of money to bring them to justice."
The comments from Taheri open up something of a can of worms for the IT security industry, and lead to a number of questions that really do need answering. So we took these questions directly to the industry in order to try and get a feel of where it sits with regards to offering cash rewards for the capture of cyber-criminals.
Angela Knox, director of engineering at Cloudmark, sees the positives in what Taheri is doing. "By offering a bounty for information to track down the bad actors it will help bad actors to be found and prosecuted, preventing others from becoming victims," she told SCMagazineUK.com, continuing, "Successful prosecution of bad actors also acts as a deterrent or disincentive - stopping others from doing the same bad activity." Knox also thinks that a bounty can provide an incentive to researchers who are good at tracking down this type of activity to spend some time carrying out research and further, that offering a bounty helps to create awareness of the need for information and gives people a reason to share information about the bounty with others. Leo Taddeo, chief security officer of Cryptzone agrees with this position, telling us that: "Aria is doing a great service to the entire e-commerce community by standing up to the attackers. Bounties for information that lead to arrests do in fact encourage criminals to turn each other in." It has to be said, however, that not many of the security professionals and others connected with the industry that we spoke to shared this optimism.
Ian Trump, security lead at LOGICnow, admits that historically reward systems work. However, he's also concerned that when it comes to cyber-crimes, the criminal underground could be one step ahead of any reward system and use it to their advantage. "For example, to take out their competition and increase their market share or to finance their activities," Trump told us, adding, "therefore, the system would need to be monitored to ensure that it was not abused. I think the intention of cash bounties is good, I'm just concerned whether it is a sensible way to go." He's far from alone in reaching that conclusion.
Chris Boyd, malware intelligence analyst at Malwarebytes, was pretty clear when he told SCMagazineUK.com that "bounties to turn in criminals seems like a great way to potentially cause more problems than they solve. We'd be better served trying to figure out how an attack took place and steps to mitigate in future, instead of jumping on the 'Who did it' bandwagon so commonly seen in APT discussions." Boyd went even further, suggesting that introducing amateur hour detective work into financial incentives is something to steer clear of, and the bottom line decision of who is responsible should be left to law enforcement. "A company may say they won't pay a ransom, but how can they be sure criminals won't cook up convincing fake identities, launch an attack, and claim a reward for pinning it on the fictitious entity responsible?" Boyd concludes.
Ian Collard, managing director at Identity Methods, recalls a conversation with the CISO of a global telco who was asked by her CEO whether they should pay up as they were being threatened by a DDoS attack group. Her answer was that measures are in place, and while there may be some marginal degradation of service the business will be unaffected". This, Collard insists "is the ideal position and money should be spent on reaching that position." And John Benjamin, a partner in the IP and Technology team at business law firm DWF, advises "whilst they may be well intentioned, bounties can come across as a method of seeking private justice rather than necessarily providing comfort to customers. Even if the perpetrators are identified, international co-operation is often limited meaning it will be difficult to bring the miscreants to justice." This latter point being on the mind of Andy Taylor, CLAS consultant and lead assessor at APMG International, who told us that he would argue, "there is little value in spending so much on such a reactionary measure, when the chance of being able to take any legal or other action against the perpetrators is very slim."
TK Keanini, CTO at Lancope, could see the benefit from both sides of the fence. Is money better spent on DDoS defence or rewards for perps? "Both, because they are very different tasks by different types of people with different objectives," was Keanini's response. "DDoS defences are resourced by folks whose primary objective is business continuity," he told us, "whereas bounties are methods and practices for folks whose primary objective it is to catch crooks. Together we all do our part on the battle." He does, however, feel that we need to be very careful in the parallels we draw to zero-day bug hunters and the like because, in the case of the black market sale of exploits, evasions and other cyber-crime activity, we are just talking about how cyber-criminal capabilities are monetised in the dark web. "When we speak about bounties," Keanini insists, "they are a practice to gain information that leads to a conviction - it is not a money making activity." In other words, talent and people are the element that does not scale well and this is also true for the criminal side of the equation. "You put enough of these people out of operation," Keanini concludes, "and you reduce the criminal activity significantly."
Corey Nachreiner, CTO at WatchGuard, appears to agree when he told SC that "the biggest deterrent to cyber-criminals is them seeing others actually having to pay for their crimes. Cyber-criminals have gotten away with these attacks scot-free for ages. Seeing some of their peers go to jail might make them think twice." It may go beyond the ‘think twice' element, and into ‘think three times' and take the reward money instead. "It may mean that cyber-criminals are incentivised to rat on their associates," says Ronnie Tokazowski, senior researcher at PhishMe, who continues: "My perception is that this is a natural progression and should be applauded. It is a welcome addition to a multi-layered cyber-security strategy - prevention, detection, remediation and ultimately the prosecution of the criminals involved."
Ultimately though, it's hard to argue with the position taken by Dan Raywood, analyst in the Information Security Practice at 451 Research, who points out that we've seen DDoS used for several years as an attack method and there doesn't seem to be anything new about the tactic which cannot be prevented with available technology. "There is no guarantee that Aria's attackers can be detected so attribution would be difficult," Raywood says, adding: "Unless they were using something like the low orbit ion cannon (LOIC) which revealed the attacker's IP address, finding and prosecuting them would be quite a tricky task. You can assume the attackers have likely moved on and will either try another target or another tactic, leaving Aria as a target for retribution.”