In recent months law enforcement has had plenty to celebrate, with various agencies and departments catching and charging numerous people believed to have masterminded some of the world's most dangerous cyber criminal empires.
Most recently the criminal behind the notorious SpyEye malware, Aleksandr Andreevich Panin pleaded guilty to conspiring to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software.
The arrest of Panin, whose SpyEye malware is believed to have infected over 1.4 million computers at its peak, has led to a wider debate within the security community about the benefits of arrests versus botnet takedowns.
The debate is important as cybercrime is undeniably a growing problem facing governments and companies, with numerous warnings of cyber campaigns that continue to plague users and make millions for criminals.
Tracking those behind the tools is increasingly difficult. This is in part because of the global nature of the internet, but mainly due to the way authors can use botnets and advanced technologies, such as the Tor network or bulletproof hosting services, to hide their movements.
As FireEye CTO Greg Day noted, this has limited the ability of law enforcement agencies to arrest cyber criminals by increasing the upfront costs and resources required to track and analyse the campaigns.
"Arrests do create a number of challenges throughout the entire process. First you need the support of organisations to gather the relevant evidence, which needs to be done to specific guidelines so that it is admissible in court," he said.
"This can require trawling through large amounts of data, so skills are required both in malware analysis and forensics. One challenge for law enforcement is simply having enough of what is a highly skilled and so typically highly paid-for resource."
Day added that even if law enforcement did gather the necessary information, current international law means they would also have to overcome a number of legal and regulatory issues before being able to arrest criminals.
"E-crime is typically mixed, so some crimes are national and others are international. The latter requires that there is co-operation between nations; this can be time-consuming," he told V3.
The issues mentioned by Day have traditionally forced many law enforcement agencies to rely simply on attacking criminal groups' infrastructure, rather than arresting their members as they did with Panin. These operations have involved various takedown strikes against command-and-control servers being used to run botnets or host illegal sites.
Key victories in this endeavor include sinkhole operations against the Citadel and ZeroAccess botnets last year. The FBI and Microsoft confirmed taking down a significant part of the Citadel botnet in June 2013.
Symantec confirmed successfully rescuing 500,000 of the 1.9 million zombie machines enslaved by the infamous ZeroAccess botnet later in October.
Both these operations have been lauded as key victories in the fight against cybercrime. Assistant general counsel at Microsoft's Digital Crimes Unit Richard Boscovich told V3 that even if they do not permanently stop cyber criminals, the operations do have a positive effect.
"The main objective of Microsoft's botnet takedowns and disruptions is to identify and stop the harm caused by the malware threats in order to protect people. We've found that disruption and clean-up efforts like this not only help to clean people's computers, but they help take the very infrastructure the botnet needs to be impactful and profitable away from the cyber criminals," he said.
However, some researchers and experts have been less positive about the operations. As noted by F-Secure chief research officer Mikko Hypponen: "It is more effective to take down the guys than taking down their systems. Systems don't rebuild themselves without the master."
Trend Micro's global vice president of security research Rik Ferguson was even more dismissive, claiming that most takedowns are ultimately futile.
"If you look back at some of the big 'takedowns' that many vendors like to make PR hay with, they have been spectacular failures. Most recently Kelihos, ZeroAccess and Citadel have been trumpeted by various PR departments and agencies as a giant blow on behalf of the good guys, and yet no lasting effect has been noted in any of those cases," he told V3.
Ferguson went on to highlight other recent arrests as proof of his claim. "A couple of really good examples of how taking down the perpetrator rather than the infrastructure can help, are the arrests of the man behind Blackhole Exploit Kit (Paunch) and the individuals behind DNS Changer (Rove Digital)," he said.
"In both of these cases, the arrest of the individual or group behind those criminal operations led to a huge and almost immediate halt in the use of those malicious creations. Once Paunch was reported to be arrested, other criminal groups began immediately to shift their operations to exploit kits from other underground vendors."
Threat alert statistics that F-Secure gave V3 support the two security experts' assessment of the effectiveness of arrests.
Statistics taken from F-Secure's threat intelligence network showed that Blackhole usage dropped from 50,000 detections in August 2013, to less than 1,000 in December. F-Secure's stats mirror those of independent malware researcher Kafeine, who reported finding that the use of the Blackhole hack tool had almost completely ceased in November 2013.
A hybrid approach
But despite the evidence that arresting hackers is effective, some, such as FireEye's Day, remain convinced of the benefits of takedown operations.
"A key challenge is focusing on what should be prioritised. It would be great to arrest and prosecute every one of these, but for all of the previously mentioned reasons the challenge today is resources," he said.
"In my view law enforcement has to take a layered approach. If their goal is harm reduction, getting an attack site or a botnet server taken down is much quicker and easier than arrests."
There certainly is merit to this hybrid approach, which is the one Microsoft takes. Even if the criminals do reappear, the takedown at the very least limits their revenue and frees enslaved machines from the botnet.
That said, there is undeniable evidence supporting Ferguson and Hypponen's assertion that the only way to permanently stop cyber criminals is to arrest them and shut down their entire operation, rather than just one part of it.
The question is, is the added effort worth the expense?