ISPs Can Tell Users About Infected Computers

Uploaded on 2017-04-12 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

If your computer’s been hacked, Dale Drew might know something about that. Drew is chief security officer at Level 3 Communications, a major Internet backbone provider that's routinely on the lookout for cyber-attacks on the network level. The company has linked more than 150 million IP addresses to malicious activity worldwide.

That means all of those IP addresses have computers behind them that are probably involved in DDoS (distributed denial-of-service) attacks, email spam, or breaches of company servers.

Hackers have managed to hijack those computers to "cause harm to the Internet," but the owners don't always know that, Drew said. 

The tracking capabilities of Level 3 highlight how ISPs can spot malicious patterns of activity over the Internet, and even pinpoint the IP addresses that are being used for cybercrime.

In more extreme cases, Level 3 can essentially block bad traffic from harassing victims, and effectively shut down or disrupt the hackers’ attacks.

So why aren’t ISPs doing more to crack down on cyber-crime? The issue is that an ISP's ability to differentiate between normal and malicious Internet traffic has limits and finding ways to properly respond can open a whole can of worms.

Malicious patterns

Level 3 has built up a database of 178 million IP addresses, most of them static IP addresses, that it has connected to suspected malicious activity. It’s done so by pinpointing patterns that deviate from “known good” Internet traffic, Drew said. 

He compared it to running a post office. Although Level 3 isn’t examining the content of the Internet traffic or the “envelopes” passing through, it does know who’s sending what and to whom.

For example, “every time this user gets a red envelope from person X, they complain its spam,” Drew said. “So I can start to build a heuristic off that behavior.”

Bad-behavior patterns have helped Level 3 build algorithms to identity suspicious traffic. Of the millions of IP addresses it’s been tracking, 60 percent are likely associated with botnets, or armies of infected computers that can be used for DDoS attacks.

Level 3 has associated another 22 percent with email phishing campaigns.

One might wonder why Level 3 doesn’t just block these IP addresses from the internet. But that can be problematic.  Often, users of hacked computers are unaware their machines have been compromised, and it may be unclear whether some of those machines are also being used for important purposes, such as legitimate financial transactions.

Blocking those machines could potentially mean stopping millions of dollars in transactions, Drew said.

Instead, the company tries to notify the users of those IP addresses. In many cases, they are businesses, which can be quick to respond, Drew said. However, when it comes to consumers, there's no phonebook linking one person to an IP address. So Level 3 has to work with the hosting provider in order to reach the user.

Confronting the limits

Overall, it can be an uphill battle. “For every IP address we repair, more IP addresses are being compromised,” Drew said.

Other ISPs, including some in Europe, have also been notifying customers when their machines might be infected. It’s become a years-old, growing practice, but getting users to fix their infected computers isn’t always straightforward, said Richard Clayton, a security researcher at the University of Cambridge and director of its cloud cyber-crime center. 

Even when ISPs send warning messages to users, what then? Not every PC user knows how to resolve a malware infection, Clayton said. For ISPs, it can also be a matter of cost.

“Of course we want to see ISPs helping, but they are in a competitive market,” he said. “They are trying to cut their costs wherever they can, and talking to customers and passing on a message is not a cheap thing to do.”

In addition, ISPs can’t identify every malicious cyberattack. Most hacking attacks masquerade as normal traffic and even ISP detection methods can occasionally generate errors, Clayton said.

“If you have a 99 percent detection rate, in an academic paper, that sounds fantastic,” he said. “But that basically means one out of 100 times, you’ll be plain wrong.”

No magic bullet

That’s why taking down suspected hackers usually requires collective action from law enforcement and security researchers who have thoroughly investigated a threat and confirmed that it is real. Governments and ISPs have also become involved in creating websites and services telling users how to effectively clean up their PCs.

It’s a difficult balancing act for ISPs, said Ed Cabrera, the chief cybersecurity officer at antivirus vendor Trend Micro. “They can do a lot of detection quite easily,” he said. “But the blocking piece is not something that they want to take responsibility for.”

Cybercriminals are also continually elevating their game, making them harder to detect. “The problem is nowhere near black and white,” Cabrera said. “We’re quick to say ISPs aren’t doing enough, but I think often times that’s unfair.”

Level 3’s Drew said it’s tempting to think that the world’s cybersecurity problems can be solved with a magic bullet. But for now, it will take a collective effort, of ISPs, governments, businesses and consumers, to clean up the internet and secure today's devices. 

"Even if we were able to deploy exhaustive technology to analyze the bad, ugly traffic, it still doesn't fix the infected devices," Drew said. "The end user still has a role to properly patch that device."

He also encourages all ISPs to take Level 3's approach and notify customers when their computers have been hijacked by hackers.

If more ISPs did this, Drew said, "we might make a dent."

Computereworld

DDoS: Deceptive Denial Attacks:

ENISA’s Threat Rankings: From Malware To Cyber Spies:

Turn Threat Data Into Threat Intelligence:

 

 


 

« Cloudbleed Is Just The Latest Internet Security Disaster
Mike Rogers Wants To Buy Cyber Weapons 'Off The Shelf' »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Karlsruhe Institute of Technology (KIT)

Karlsruhe Institute of Technology (KIT)

KIT is a leading research and education institutions with strong capabilities in information systems and security.

DefenseStorm

DefenseStorm

DefenseStorm is a Security Data Platform that watches everything on your network and matches it to your policies, providing cybersecurity management that is safe, compliant and cost effective.

Critifence

Critifence

Critifence provides unique Cyber Security solutions designed for Critical Infrastructure, SCADA and Industrial Control Systems.

Introspective Networks

Introspective Networks

Introspective Networks (IN) is a Cybersecurity company focusing on securing data in the network and automating knowledge work to decrease vulnerability points to critical infrastructure.

Vintegris

Vintegris

Vintegris are a Certification Authority and manufacturer of innovative systems and applications for the full cycle of digital identity.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

Incognito Forensic Foundation Lab (IFF Lab)

Incognito Forensic Foundation Lab (IFF Lab)

IFF Lab is a premier cyber and digital forensics lab in India that offers forensic services and solutions, cyber security analysis and assessment, IT support, training and consultation.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

ThreatSwitch

ThreatSwitch

ThreatSwitch a software platform for cleared federal contractors to get and stay compliant with NISPOM and Conforming Change 2.

Privacera

Privacera

Privacera enables consistent data governance, security, and compliance across all your data services - on-premises and in the cloud - so you can maximize the value of your data.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Cyber Tzar

Cyber Tzar

Cyber Tzar is a new approach at dealing with an old problem; assessing and managing risks to your IT estate.

Netgo

Netgo

Netgo group meet the requirements of a complex, digitized world with IT consulting, IT solutions & services, managed & cloud services and software products & development.

Resilience Cyber insurance

Resilience Cyber insurance

Resilience helps to improve cyber resilience by connecting cyber insurance coverage with advanced cybersecurity visibility and a shared plan to reinforce great cyber hygiene.

Axient

Axient

Axient advances defense and civilian missions from aerospace to cyberspace with multi-domain test and analysis, mission engineering and operations, and advanced technologies.

Roberts & Obradovic Law

Roberts & Obradovic Law

Roberts & Obradovic Law Group is a corporate, privacy, employment and litigation law firm.