Trend Micro has revealed key ways to identify and disrupt criminal market operations to conclude a three-part report series on the underground hosting market.
In the report, researchers outline the infrastructure business approaches of attackers to help security teams and law enforcement agencies best recognize, defend against, and disrupt them.
“Increasingly, mature organizations have SOC and XDR capabilities, which means security teams today have moved into the realm of also being investigators,” said Robert McArdle, director of forward-looking threat research at Trend Micro. “At that level of security sophistication, you need to understand how the criminals operate to strategically defend against attackers. We hope this report provides insight into cyber-criminal operations that can prove actionable for organizations and ultimately make hosters lose profits.”
Understanding criminal operations, motivations and business models are key to dismantling the bulletproof hosting industry on which the majority of global cyber-crime is built.
The report details several effective methods to help investigators identify underground hosters, including:
- Identify which IP ranges are in public block deny lists, or those associated with a large number of public abuse requests, as those may be indicative of BPH.
- Analyze autonomous system behavior and peering information patterns to flag activity that is likely associated with BPH.
- Once one BPH host has been detected, use machine fingerprinting to detect others that may be linked to the same provider.
The report also lists methods for law enforcement agencies and businesses to disrupt underground hosting businesses, without necessarily needing to identify or take-down their servers. These include:
- Submit properly documented abuse requests to the suspected underground hosting provider and upstream peers.
- Add BPH network ranges to well-established deny lists.
- Increase the operational costs of the BPH, to impair business stability.
- Undermine the reputation of the BPH on the cyber-crime underground: perhaps via covert accounts that call into question the security of the criminal hosting provider or discuss possible collaboration with authorities.