Trend Micro Incorporated released key ways to identify and disrupt criminal market operations to conclude a three-part report series on the underground hosting market. In the report, researchers outline the infrastructure business approaches of attackers to help security teams and law enforcement agencies best recognize, defend against, and disrupt them. Understanding criminal operations, motivations and business models is key to dismantling the bulletproof hosting industry on which the majority of global cybercrime is built.
“Increasingly, mature organizations have SOC and XDR capabilities, which means security teams today have moved into the realm of also being investigators,” said Robert McArdle, director of forward-looking threat research at Trend Micro. “At that level of security sophistication, you need to understand how the criminals operate to strategically defend against attackers. We hope this report provides insight into cybercriminal operations that can prove actionable for organizations and ultimately make hosters lose profits.”
Bulletproof hosters (BPH) are the root of cybercriminal infrastructure and therefore use a sophisticated business model to outlast takedown efforts. These include flexibility, professionalism and offering a range of services to cater to an array of customer needs.
The report details several effective methods to help investigators identify underground hosters, including:
- Identify which IP ranges are in public block deny lists, or those associated with a large number of public abuse requests, as those may be indicative of BPH.
- Analyze autonomous system behavior and peering information patterns to flag activity that is likely associated to BPH.
- Once one BPH host has been detected, use machine fingerprinting to detect others that may be linked to the same provider.
The report also lists methods for law enforcement agencies and businesses to disrupt underground hosting businesses, without necessarily needing to identify or takedown their servers. These include:
- Submit properly documented abuse requests to the suspected underground hosting provider and upstream peers.
- Add BPH network ranges to well-established deny lists.
- Increase the operational costs of the BPH, to impair business stability.
- Undermine the reputation of the BPH on the cybercrime underground: perhaps via covert accounts that call into question the security of the criminal hosting provider or discuss possible collaboration with authorities.