Trend Micro, a global leader in cyber security, released key ways to identify and disrupt criminal market operations to conclude a three-part report series on the underground hosting market. The researchers outline the infrastructure business approaches of attackers to help security teams and law enforcement agencies best recognize, defend against, and disrupt them.
Understanding criminal operations, motivations and business models is key to dismantling the bulletproof hosting industry on which the majority of global cybercrime is built.
“Increasingly, mature organizations have SOC and XDR capabilities, which means security teams today have moved into the realm of also being investigators,” said Robert McArdle, director of forward-looking threat research at Trend Micro.
“At that level of security sophistication, you need to understand how the criminals operate to strategically defend against attackers. We hope this report provides insight into cybercriminal operations that can prove actionable for organizations and ultimately make hosters lose profits.”
Bulletproof hosters (BPH) are the root of cybercriminal infrastructure and therefore use a sophisticated business model to outlast takedown efforts. These include flexibility, professionalism and offering a range of services to cater to an array of customer needs.
The report details several effective methods to help investigators identify underground hosters, including:
Identify which IP ranges are in public block deny lists, or those associated with a large number of public abuse requests, as those may be indicative of BPH.
Analyze autonomous system behavior and peering information patterns to flag activity that is likely associated to BPH.
Once one BPH host has been detected, use machine fingerprinting to detect others that may be linked to the same provider.