Research on web security has been going on for quite a while and in the past few years, it has also solidified itself by the creation of a formal 'secure web gateway' market.

Nevertheless, as the technologies of both attack and defence chase each other (as has been the case for almost every other computer security issue), there has been little focus on the drivers of these technologies (from the attack side, of course) and specifically on the economics of the market that creates them. Iftach Ian Amit investigates.

When approaching such a topic, one has two options in terms of the research focus. The first is to examine the economics on a purely monetary basis. The second is to start from the technical aspects and follow the money trail, where possible, to figure out what business models apply to the market under study.

There has been some research on the purely economic scale of shadow economies in the past, usually covering nations and states by comparing GDP and other macro-economic factors in order to derive the size of the shadow economy operating in each country, where the share of overall economic activity that the shadow economy accounts for differs from country to country. The second approach has been the entry point for this research, and while no single model can be said to cover the business of cybercrime completely, future research would have to align these two approaches in order to create a complete model.

Starting from the business of e-crime, computer security attacks must first be categorised in order to assign a financial value to them, so that a business model can be derived from the facts we find in the field: malicious code developments, websites hacked to alter their content, spam delivery frequency and the goods sold through it, etc. Surprisingly, some incidents can still be attributed to 'pro-bono' hacking, where a clear business model backing the attack with a monetary reward is lacking, but most incidents can easily be traced to a motive.

The common attacks and incidents that have a defined business model behind them are the ones that result in the infection of a computer system with a piece of software that can be used to steal personal information and corporate data, and to monitor and modify the communication to and from the infected system, especially when dealing with financial systems.

After figuring out the categories that make money for the business, the means of reaching these goals are simply tagged as 'operating expenses' for the e-crime entrepreneur. Such expenses include commissioning custom code to be written for any part of the business operations: from the trojans that infect the target machines, through the delivery systems responsible for attacking them (by serving the malicious code), to the systems that manage the infected machines and can direct them to perform certain actions in order to gain a higher yield on the revenues to be made from them.

Simple analysis of such systems, which are made available in the shadow economy marketplace, shows some interesting insights. From more popular packages to one-offs trying to capitalise on the success of others, the development roadmaps of certain software packages (toolkits) show how the rat race is evolving: putting in new measures to counter security products, removing obsolete attack vectors whose return on investment (ROI) shrinks as software patching catches up, and even intricate licensing mechanisms that enforce proper usage of such toolkits.

Once the basic operating infrastructure has been set up for the e-crime business, it can commence generating revenue. But just like a legitimate business, prospects do not simply send money in return for goods, especially if it is a new business, and a marketing strategy has to be in place in order to drive potential customers to the business. The shadow economy of e-crime is no different, although the means of driving 'customers' to interact with the e-crime business are a little less restricted. Early in the research, a common theme emerged in terms of the marketing initiatives used: getting legitimate websites to contain either the malicious code itself, or a reference to it, has proven to be the most effective means of getting customers to 'work' with the business.

Initially, hacking groups were paid to infect legitimate sites with malicious code, but the model was quickly revised to accommodate more legitimate sites and more innovative business models. Affiliate schemes at the start were driven by people with the means of getting a given piece of code to run on a legitimate site, who were paid a 'commission' based on the number of 'customers' they brought in (i.e. systems that became infected with the malicious code associated with the code delivered through the legitimate site). This quickly changed to a full-scale stock exchange-like marketplace, where anonymity thrives and the volume of traded traffic (traffic that can be brought in from legitimate sites and sold on to establishments that serve malicious code to that traffic) is breaking new records.

The marketing model described above, where stock exchange-like trading takes place, marks the point in the research where we shift from looking at a single business operating in a small environment, in which service providers supply the toolkits for delivering malicious code and controlling the infected systems, to looking at the marketplace as a whole: buyers and sellers, distributors and channels, affiliates and individuals, all conducting business in this intricate market.

From that point on, the integration of macro-economic scale research is fitting, as there is enough transaction volume to quantify economic factors and measure them against the legitimate economy. However, this does not mark the end point for tracking the e-crime business on the operational side. As transaction volume rises and the market reach of e-crime strengthens, it becomes obvious that, as this internet economy is almost completely borderless, 'business-to-business' transactions are bound to happen.

It comes as no surprise that, during the investigation of some recent e-crime activities, it was possible to observe almost barter-like trading between two e-crime operations that rewarded each other with the opportunity to share each other's clientele. Such behaviour proved not to be an isolated incident. Additional research and work with law enforcement organisations has confirmed this assumption and made it possible to almost map the relationships between several e-crime operations across Europe and the US.

Overall, dealing with web security in the past few years has proven to be one of the more intriguing research aspects in computer security - not only because of the rapid evolution in the arms race that is typical for any security field, but also because of the much closer affinity between the criminals and their victims. In such a level playing field, where the internet as the medium for both sides makes it impossible to define a 'good' or a 'bad' place in it (a concept that has taken a very long time to sink in with a lot of security providers), the main focus is on actual content and its motive.

When referring to actual content, it's important to realise that the same resource on the internet (especially when dealing with ones affected by e-crime operations) would almost never provide the same content on subsequent requests and often delivers completely different kinds of content based on the geographic source of the request, the frequency of requests from the same source and the kind of environment in which the requesting entity 'lives' (operating system, browser type etc.).
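The observation above, that a resource controlled by an e-crime operation serves different content depending on where the request comes from, how often the same source has asked, and what client it claims to be, is exactly what a defender can test for by fetching the same URL under several profiles and comparing what comes back. The following is an added illustration of that check, not code from the article or from Aladdin; the fetch records, URL, country and environment fields are all constructed sample data standing in for what a crawler with varied client profiles would collect.

```python
"""Flag web resources whose served content depends on who is asking.

Added example with constructed data. A crawler that fetches each URL
several times with different client profiles (geographic origin, OS/browser)
and repeats the request from one source would produce records like the
ones below; the fetching itself is out of scope here.
"""
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Set


@dataclass(frozen=True)
class Fetch:
    url: str
    country: str   # geographic origin of the request (hypothetical field)
    env: str       # requesting environment, e.g. "Windows/IE" (hypothetical)
    seq: int       # how many times this source already asked (0 = first time)
    body: bytes    # captured response body


def body_hash(body: bytes) -> str:
    """Short content fingerprint so bodies can be compared cheaply."""
    return sha256(body).hexdigest()[:12]


def analyse(records: List[Fetch]) -> Dict[str, Dict[str, object]]:
    """Per URL: how many distinct bodies were seen and which request
    dimension (country, env, repeat) changes the content on its own."""
    by_url: Dict[str, List[Fetch]] = defaultdict(list)
    for r in records:
        by_url[r.url].append(r)

    report: Dict[str, Dict[str, object]] = {}
    for url, fetches in by_url.items():
        hashes = {body_hash(f.body) for f in fetches}
        varies_by: Set[str] = set()

        # Vary one dimension while holding the others fixed: if the body
        # differs within such a group, that dimension alone drives cloaking.
        for dim in ("country", "env"):
            others = [d for d in ("country", "env", "seq") if d != dim]
            groups = defaultdict(set)
            for f in fetches:
                key = tuple(getattr(f, d) for d in others)
                groups[key].add(body_hash(f.body))
            if any(len(g) > 1 for g in groups.values()):
                varies_by.add(dim)

        # Request frequency: the same source (country + env) is served
        # something different on a repeat visit than on its first one.
        per_source = defaultdict(dict)
        for f in fetches:
            per_source[(f.country, f.env)][f.seq] = body_hash(f.body)
        if any(len(set(seen.values())) > 1 for seen in per_source.values()):
            varies_by.add("repeat")

        report[url] = {
            "distinct_bodies": len(hashes),
            "varies_by": varies_by,
            "suspicious": len(hashes) > 1,
        }
    return report


# Constructed sample: one stable script and one that cloaks on all three axes.
SAMPLE_FETCHES = [
    Fetch("http://example.invalid/a.js", "US", "Windows/IE", 0, b"function a(){}"),
    Fetch("http://example.invalid/a.js", "DE", "Windows/IE", 0, b"function a(){}"),
    Fetch("http://example.invalid/a.js", "US", "Linux/FF", 0, b"function a(){}"),
    Fetch("http://example.invalid/a.js", "US", "Windows/IE", 1, b"function a(){}"),
    Fetch("http://example.invalid/promo.js", "US", "Windows/IE", 0, b"/* constructed hostile body */"),
    Fetch("http://example.invalid/promo.js", "DE", "Windows/IE", 0, b"// nothing to see"),
    Fetch("http://example.invalid/promo.js", "US", "Linux/FF", 0, b"// nothing to see"),
    Fetch("http://example.invalid/promo.js", "US", "Windows/IE", 1, b"// nothing to see"),
]


if __name__ == "__main__":
    for url, info in analyse(SAMPLE_FETCHES).items():
        flag = "CLOAKED" if info["suspicious"] else "stable "
        print(f"{flag} {url} bodies={info['distinct_bodies']} "
              f"varies_by={sorted(info['varies_by'])}")
```

The point of holding the other dimensions fixed is that a URL which legitimately localises content (different body per country, identical for everyone in one country) shows up as varying only by country, whereas the profile in the article, where a first-time Windows/IE visitor from one region gets one thing and everybody else gets an innocuous page, lights up every axis at once.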

Having said that, the evolution of solutions that provide security in this environment is proving to be a real challenge, and is finally dragging security out of the drab days of writing virus signatures and running the same engines faster, into a new age of real-time analysis and decision-making that cannot tolerate any compromise, as the web cannot be stopped.

Iftach Ian Amit is director of security research at Aladdin Knowledge Systems.