Businesses of all kinds are evolving, improving, and innovating to attract and retain customers. This applies to the largest enterprises across industry verticals, as well as cybercriminal businesses.
Just like legitimate businesses across the globe seek to improve their information security and protect their network infrastructure, cybercriminal businesses must take similar precautions.
Today, Trend Micro Research released the final report in a series focused on this part of cybercriminal business – underground hosting providers. Based on the report, it’s clear that understanding both the criminal business targeting you and the attacks themselves better prepares defenders and investigators to identify and eliminate threats.
This understanding is even more critical for security teams now in security operations centers (SOCs), as SOC analysts are more like investigators than defenders. Seeing the full picture of threats in a corporate environment leads security teams to think more like the criminals they are trying to stop.
Those criminals operate within a specialized market across the cybercriminal underground focused on the infrastructure behind cybercrime. Trend Micro Research has dug into the technical aspects of this market, how criminals buy and sell hosting services, and what protections they rely on to secure their businesses.
Understanding cybercriminal operations
Today’s cybercriminal businesses are built on underground hosters, with a keen focus on avoiding shutdowns or disruptions. Underground hosting providers go to great lengths to stay active in a competitive business landscape, attracting and retaining as many (criminals) customers as they can.
As underground hosters are the root of cybercriminal infrastructure, this research also shares several methods that can be used by investigators to identify them. Whether an in-house investigator at an enterprise, or a law enforcement investigator, these insights into cybercriminal operations should prove actionable – particularly when paired with the technical functionality of XDR.
Holistic visibility of enterprise attacks
Many large enterprises are adding security operations centers (SOCs) to monitor the complete security posture of their organization. These high functioning SOCs require tools like XDR that connect all their data and correlate threat intelligence across endpoints, hybrid cloud infrastructure and email to have clear and actionable alerts.
This provides the visibility and understanding of cyber attacks that is needed to not only stop a piece of malware from running amok, but also patch the hole where it got in, check to make sure nothing else was infected, and ensure the attacker who put the malware on your system isn’t still lurking somewhere.
In this way, defenders today have moved into the realm of also being investigators. At that level of security sophistication, you also need to understand how the criminals operate to strategically defend against them and stop them in their tracks.
Technical Knowledge + People Knowledge = Stopping Attackers
The methods described in the report for identifying bulletproof hosters (BPH) include:
- Identify certain IP ranges in public deny lists and a high number of public abuse requests for a particular IP segment.
- Analysis of autonomous system behavior and peering information. Many legitimate upstream providers that partner with bulletproof hosters (BPHs) use autonomous systems so they can handle abuse requests without disconnecting the BPH from the internet.
- Once one BPH host has been detected, use machine fingerprinting to detect others that may be linked to the same provider.
The above tactics reinforce why a single view of threat detections correlated across an enterprise environment is critical for effective defense.
For example, a SOC analyst might know there is some malware on their network that is connected to an IP that is registered in Country A. That’s a good start, but an effective analysis could let you know that it is a shell company, while the actual servers are in Country B. It would also be critical to see that blocking that IP simply results in the attackers coming out of a new IP the next day.
Having all these pieces of information connected helps you better make decisions on how to handle the bigger picture threat. And knowing the key reasons why criminals host servers in a particular country might explain what motivations they have for targeting your business.
Ultimately, this understanding, advanced correlation, and improved investigations lead to cybercriminal businesses losing profits. If they can’t make money, they can’t maintain their current operations.
Trend Micro’s mission is to make the digital world safer for exchanging information. Disrupting cybercrime through Trend Micro Research and XDR is one of the ways we work toward that mission every day.