Reverse Deception: Organized Cyber Threat Counter-Exploitation (40 page)

By perusing some of these forums, you will be able to gain a lot of good knowledge. But the cyber samurai need to supply some disinformation to get closer to the cyber ninjas. To gain the trust of most underground knowledge sources, you need to make posts and raise your rank in various security and subculture skill sets. This may allow you to talk to the right people to learn about the tools used to attack a specific target or the masses, for monetary gain or other purposes.

These are some of the places where the digital underground runs free, and a portion of badness happens. Once you get deeper into these areas, you will learn where all of the shadier deals are done. For example, the jabber, IRC, and ICQ networks are commonly used for direct communication with those wanting to do what you may be interested in learning about.

If you do not check out these sites, you need to throw away most of your security products, because you are not doing them any justice, as you are not keeping yourself up to date on how the bad guys do what they do. This true especially of the host-focused products, in a time when hundreds of IT security vendors are receiving more than 50,000 unique malware samples a day, and only a percentage of these generate any network activity.

There is something broken somewhere, and it is mostly due to most organizations not following the
defense-in-depth
approach properly. This is a layered approach to security that you can learn more about through the National Security Agency (NSA) document at
www.nsa.gov/ia/_files/support/defenseindepth.pdf
. Security professionals should take some time to read through this document. It will make a difference and hopefully wake you up a little.

If you know and understand the beast, you will be better able to combat the beast, or as they say, “knowing is half the battle.” Assign a portion of your time each day to look at a handful of underground forum sites. Everyone has a demanding schedule, but you need to take the defense-in-depth approach. Learning more about the opportunistic criminals can lead you to the targeted and more nefarious ones.

Here are two different public underground sources where the not-so-ethical entrepreneur can find out how cyber criminals do what they do:

Public Social Networking Sites

When working to gain full attribution of an individual or group, you can do all sorts of things that the bad guys do. Go to the following sites and attempt to learn more about bad actors who make it a habit to have an account for their online identities, and invite their group members and friends to join their account and actively open a dialogue.

MySpace.com

Facebook.com

LinkedIn.com

QQ.com

Tribe.net

Twitter.com

NOTE

None of these sites are bad or malicious by nature. They are simply the types of public knowledge sources that can be leveraged to learn more about active threats that are operating against you or your clients
.

There are many other social networking sites you can use to find information. If the bad guys do this to learn more about you or people within your organization, why can’t you do it to them?

There are terms-of-service agreements you must accept for most social networking sites, but when it comes to the defense of your enterprise, erring on the side of asking forgiveness is better than first asking permission. (I’m not telling you to go and do it, but if you do, don’t publicize it.)

Conclusion

The ability to counter active threats to your enterprise is the basic topic of this book. We’re talking about actively pursuing your threats in ways that have been reserved for law enforcement and intelligence agencies around the world. You’re not going to go out and shoot anyone, but you can build a dossier on a threat and use that when you do decide to get law enforcement involved (if you go that path). Some organizations simply use these methods to collect intelligence on threats so they have a better understanding of the actual threat they face.