The war between law enforcement and cyber crime has evolved dramatically in the past decade. Law enforcement tries to find new ways to track down criminals, while criminals try to find new ways to evade law enforcement. The two primary ways attackers have approached this problem are anonymity and plausible deniability.
The best-known tactic is probably anonymity. Hackers strive to cover their tracks when launching an attack. For example, large lists of anonymous proxies are freely available on the public internet. These proxies are essentially services operated around the world which allow a user to pass traffic to an intermediary (the proxy server), which then passes the traffic on to the target. From the target's perspective, only the proxy is visible, not the original attacker. An anonymous proxy differs from a normal proxy in that it does not require the user to register for an account. This means that when a site is attacked by a user behind the proxy, the victim cannot simply subpoena the operator of the proxy for the real user's identity. Nobody knows who the user is, not even the company operating the proxy.
You might wonder why a company would be willing to operate such a service. Surely the vast majority of the traffic would be malicious and would represent a liability. The truth, however, is that a large number of these anonymous proxies are compromised servers, or servers running proxy software without the owner of the hardware even knowing it. This is why there is an influx of new anonymous proxies coming online and a large number going offline every day. An attacker only needs one proxy, and only for the duration of the attack.
For example, an attacker picks a proxy running in Texas and attacks a company operating out of California. This is less than ideal from the attacker's perspective, because the proxy running in Texas likely has no problem handing over its logs to the government should a subpoena be issued. At least some of the time, the proxy will be set up to keep track of who is using it (from an IP standpoint). While nobody can identify who issued the malicious requests, the logs can at least point the government in the right direction. This is why having a huge list of available proxies in many different geographical locations presents a huge challenge for law enforcement and a bigger advantage for abusers.
A smart attacker will research which countries have good relationships with the government presiding over the target company. As a result, they will intentionally choose a proxy located in a country that does not have such relationships, so that the company under attack has no recourse to identify the attacker. The US government, for example, would have a hard time convincing a company in Russia to hand over its proxy logs, even if the attacker was located in the US and simply bounced all of their attacks off a Russian proxy.
The power of proxies to enable anonymity goes hand in hand with geo-politics to produce a solid law enforcement evasion tool. For those not familiar with the TOR anonymity network, it brings together the concept of open anonymous proxies and geographical distribution to make attackers' lives easier. Simply by using TOR, attackers can ensure that their tracks are sufficiently covered.
Another powerful technique for law enforcement evasion is exploiting the rigidity of the government. In the US, to prove someone guilty of a crime their case must be proven beyond a reasonable doubt. It is much more difficult to prove something beyond a reasonable doubt than it is to introduce a very small amount of doubt into an otherwise solid argument.
This technique is no longer favored over solutions like TOR, which are far easier, faster and more robust, although it could become popular again if TOR is ever jeopardized. This tactic works not by having the attacker hide from law enforcement, but instead by having them participate in the legal and illegal activities of everyone else that is using the same tactic. Everyone who runs the evasion technique operates as a proxy for everyone else who runs it. When someone makes a request, it bounces through a random number of users before it actually hits its destination. This means that everyone involved will see a portion of all traffic, and will even see where those requests are coming from.
If a hacker decides to attack a bank in the US, they load up a large set of attack tools designed to identify vulnerabilities and penetrate that bank's defenses, connect to a network like Freenet/Darknet (a plausible deniability network) and begin the attack. As the attack progresses, the malicious requests generated by these tools are bounced through a confusing network of peers before reaching the site.
When the dust finally settles and the attackers have breached the bank, the bank will begin forensic analysis to identify the source. The first thing they may realize is that the attack originated from hundreds of different IP addresses, all of which appear to be correlated and likely from the same true source. At this point, investigators will subpoena each of the Internet Service Providers (ISPs) that host those Internet Protocol (IP) addresses, investigate the machines involved, and realize that the attacks did not originate from those machines but instead from a second set of machines. Not surprisingly, a good proportion of those will no longer have any trace of where the attack request started.
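The forensic step described above, correlating requests that arrive from many source addresses but appear to share one true origin, can be illustrated with a small defender-side script. This is an added example and not code from the original post; the log lines, the log format, and the `KNOWN_RELAY_EXITS` list are all constructed here for illustration and stand in for a real access log and a real open-proxy or relay-exit feed. It also shows the earlier point about proxies: a proxy that announces itself adds a `Via` header, while an anonymous proxy strips it, so the absence of that header tells the investigator nothing.

```python
from collections import defaultdict

# Constructed sample access-log lines (not from any real incident).
# Fields: client_ip | user_agent | request_path | status | Via header or "-"
SAMPLE_LOG = """\
203.0.113.10 | scanner/1.4 | /login?user=admin' | 403 | -
203.0.113.10 | scanner/1.4 | /admin/ | 404 | -
198.51.100.7 | scanner/1.4 | /login?user=admin' | 403 | -
198.51.100.7 | scanner/1.4 | /.env | 404 | -
192.0.2.33 | scanner/1.4 | /admin/ | 404 | -
192.0.2.33 | scanner/1.4 | /.env | 404 | -
203.0.113.99 | Mozilla/5.0 (X11; Linux) | /index.html | 200 | 1.1 corp-gateway
203.0.113.99 | Mozilla/5.0 (X11; Linux) | /about.html | 200 | 1.1 corp-gateway
"""

# Constructed stand-in for a feed of known open-proxy / relay exit addresses.
KNOWN_RELAY_EXITS = {"198.51.100.7", "192.0.2.33"}


def parse_log(text):
    """Parse the pipe-separated constructed log format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ip, ua, path, status, via = [f.strip() for f in line.split("|")]
        records.append({"ip": ip, "ua": ua, "path": path,
                        "status": int(status), "via": via})
    return records


def flag_relay_sources(records, relay_exits=KNOWN_RELAY_EXITS):
    """Source IPs that match the relay/exit list: traffic we know was bounced."""
    return {r["ip"] for r in records if r["ip"] in relay_exits}


def proxy_disclosing_ips(records):
    """IPs whose requests carried a Via header, i.e. a proxy that announces
    itself. Anonymous proxies strip this header, so its absence proves nothing."""
    return {r["ip"] for r in records if r["via"] != "-"}


def correlate_sources(records):
    """Cluster source IPs that are likely one operator behind several hops.

    Two IPs are linked when the same (user agent, exact request) pair was
    seen from both; union-find then merges linked IPs into groups. Returns
    groups as sorted lists, largest group first."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add((r["ua"], r["path"]))
    ips = sorted(by_ip)
    parent = {ip: ip for ip in ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if by_ip[a] & by_ip[b]:  # identical request seen from both addresses
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for ip in ips:
        groups[find(ip)].append(ip)
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("known relay exits seen:", sorted(flag_relay_sources(recs)))
    print("self-announcing proxies:", sorted(proxy_disclosing_ips(recs)))
    for group in correlate_sources(recs):
        print("correlated source group:", group)
```

On the constructed input the three scanner addresses collapse into one group even though only two of them appear on the relay list, which is the situation the article describes: the investigator ends up with a set of addresses that are clearly related, none of which is the attacker's own machine.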
Companies that have fallen victim can investigate as thoroughly as they'd like, and while they will encounter many dead ends, eventually they will get to a large set of IP addresses that can direct them to the one that "likely" committed the attack. However, it is the loose nature of "likely" that prevents any additional subpoenas from being issued. This is largely due to a lack of strong evidence identifying any of the likely IP addresses as the real attacker.
While the government might have its suspicions about which client is responsible, our own laws, designed to protect innocent people from being unfairly searched by the government, prevent it from successfully going after the attackers. Even if investigators do identify the most likely client, taking the matter to court only opens the door to the argument: "It came from my IP address, but I was running Darknet and therefore those requests originated from someone else who simply asked my node to pass them along. In fact, because I was running Darknet, you can't say for sure that any of the traffic you witnessed coming from my machine was actually initiated by me." With that being the likely outcome of any investigation, it is essentially not worth the great amount of money necessary to fight it.
Sadly, the prospects look grim for identifying the source of attacks. It will always be possible to track down and prosecute the less sophisticated attackers, and that is basically how everyone starts, so all is not lost. But once an attacker gains enough experience, evading law enforcement becomes trivial, and the learning curve isn't that steep. More focus needs to be spent on how to stop the attacks themselves and less on how to track down the attackers. No matter what happens, technology seems to always move faster than the government, and as such, advances will only be seen through the innovation and adoption of better protection technologies.