ISPs Can Tell Users About Infected Computers

Uploaded on 2017-04-12 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

If your computer’s been hacked, Dale Drew might know something about that. Drew is chief security officer at Level 3 Communications, a major Internet backbone provider that's routinely on the lookout for cyber-attacks on the network level. The company has linked more than 150 million IP addresses to malicious activity worldwide.

That means all of those IP addresses have computers behind them that are probably involved in DDoS (distributed denial-of-service) attacks, email spam, or breaches of company servers.

Hackers have managed to hijack those computers to "cause harm to the Internet," but the owners don't always know that, Drew said. 

The tracking capabilities of Level 3 highlight how ISPs can spot malicious patterns of activity over the Internet, and even pinpoint the IP addresses that are being used for cybercrime.

In more extreme cases, Level 3 can essentially block bad traffic from harassing victims, and effectively shut down or disrupt the hackers’ attacks.

So why aren’t ISPs doing more to crack down on cyber-crime? The issue is that an ISP's ability to differentiate between normal and malicious Internet traffic has limits and finding ways to properly respond can open a whole can of worms.

Malicious patterns

Level 3 has built up a database of 178 million IP addresses, most of them static IP addresses, that it has connected to suspected malicious activity. It’s done so by pinpointing patterns that deviate from “known good” Internet traffic, Drew said. 

He compared it to running a post office. Although Level 3 isn’t examining the content of the Internet traffic or the “envelopes” passing through, it does know who’s sending what and to whom.

For example, “every time this user gets a red envelope from person X, they complain its spam,” Drew said. “So I can start to build a heuristic off that behavior.”

Bad-behavior patterns have helped Level 3 build algorithms to identity suspicious traffic. Of the millions of IP addresses it’s been tracking, 60 percent are likely associated with botnets, or armies of infected computers that can be used for DDoS attacks.

Level 3 has associated another 22 percent with email phishing campaigns.

One might wonder why Level 3 doesn’t just block these IP addresses from the internet. But that can be problematic.  Often, users of hacked computers are unaware their machines have been compromised, and it may be unclear whether some of those machines are also being used for important purposes, such as legitimate financial transactions.

Blocking those machines could potentially mean stopping millions of dollars in transactions, Drew said.

Instead, the company tries to notify the users of those IP addresses. In many cases, they are businesses, which can be quick to respond, Drew said. However, when it comes to consumers, there's no phonebook linking one person to an IP address. So Level 3 has to work with the hosting provider in order to reach the user.

Confronting the limits

Overall, it can be an uphill battle. “For every IP address we repair, more IP addresses are being compromised,” Drew said.

Other ISPs, including some in Europe, have also been notifying customers when their machines might be infected. It’s become a years-old, growing practice, but getting users to fix their infected computers isn’t always straightforward, said Richard Clayton, a security researcher at the University of Cambridge and director of its cloud cyber-crime center. 

Even when ISPs send warning messages to users, what then? Not every PC user knows how to resolve a malware infection, Clayton said. For ISPs, it can also be a matter of cost.

“Of course we want to see ISPs helping, but they are in a competitive market,” he said. “They are trying to cut their costs wherever they can, and talking to customers and passing on a message is not a cheap thing to do.”

In addition, ISPs can’t identify every malicious cyberattack. Most hacking attacks masquerade as normal traffic and even ISP detection methods can occasionally generate errors, Clayton said.

“If you have a 99 percent detection rate, in an academic paper, that sounds fantastic,” he said. “But that basically means one out of 100 times, you’ll be plain wrong.”

No magic bullet

That’s why taking down suspected hackers usually requires collective action from law enforcement and security researchers who have thoroughly investigated a threat and confirmed that it is real. Governments and ISPs have also become involved in creating websites and services telling users how to effectively clean up their PCs.

It’s a difficult balancing act for ISPs, said Ed Cabrera, the chief cybersecurity officer at antivirus vendor Trend Micro. “They can do a lot of detection quite easily,” he said. “But the blocking piece is not something that they want to take responsibility for.”

Cybercriminals are also continually elevating their game, making them harder to detect. “The problem is nowhere near black and white,” Cabrera said. “We’re quick to say ISPs aren’t doing enough, but I think often times that’s unfair.”

Level 3’s Drew said it’s tempting to think that the world’s cybersecurity problems can be solved with a magic bullet. But for now, it will take a collective effort, of ISPs, governments, businesses and consumers, to clean up the internet and secure today's devices. 

"Even if we were able to deploy exhaustive technology to analyze the bad, ugly traffic, it still doesn't fix the infected devices," Drew said. "The end user still has a role to properly patch that device."

He also encourages all ISPs to take Level 3's approach and notify customers when their computers have been hijacked by hackers.

If more ISPs did this, Drew said, "we might make a dent."

Computereworld

DDoS: Deceptive Denial Attacks:

ENISA’s Threat Rankings: From Malware To Cyber Spies:

Turn Threat Data Into Threat Intelligence:

 

 


 

« Cloudbleed Is Just The Latest Internet Security Disaster
Mike Rogers Wants To Buy Cyber Weapons 'Off The Shelf' »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Exodus Intelligence

Exodus Intelligence

Exodus Intelligence are an industry leading provider of exclusive zero-day vulnerability intelligence, exploits, defensive guidance, and vulnerability research trends.

ODVA

ODVA

ODVA is a global trade and standards development organization whose members comprise the world’s leading industrial automation companies.

SAI360

SAI360

SAI360 (formerly SAI Global) provide products and services for enterprise risk management including Governance, Risk & Compliance and Digital Risk solutions.

Reposify

Reposify

Reposify’s cybersecurity solution identifies, manages and defends companies’ global digital footprints.

ANIS

ANIS

ANIS represents the interests of Romanian IT companies and supports the development of the software and services industry.

Cytelligence

Cytelligence

Cytelligence is a cyber security consulting company with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics.

ThreatGen

ThreatGen

ThreatGEN™ works with your team to improve your resiliency and industrial cybersecurity capabilities through an innovative and modernized approach to training and services.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

36 Group

36 Group

36 Group's criminal law team, has the experience and specialist knowledge to conduct effectively trials heavily concerned with the growing phenomenon of Cybercrime.

CWSI

CWSI

CWSI provide a full suite of enterprise mobility, security and productivity solutions to many of Ireland and the UK’s most respected organisations across a wide range of industry and public sectors.

IN4 Group

IN4 Group

IN4 Group is a skills, innovation and start-up services provider that specialises in supporting businesses with the training, communities, networks and advice they need to scale.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Invicti Security

Invicti Security

Invicti Security is an AppSec leader transforming the way web applications are secured.

The CyberWire

The CyberWire

The CyberWire gets people up to speed on cyber quickly and keeps them a step ahead in a continually changing industry.

GO Business

GO Business

GO Business are a specialised B2B team within GO that caters to the communication needs of the local business community in Malta.

tmc3

tmc3

tmc3 is an award-winning, people-centric consultancy that is transforming cyber security from an overhead into an organisational enabler.