Threat Intelligence Blog

By Eric Olson, Vice-President, Cyveillance, Inc.

The following post is in response to a presentation recently given at the APWG General Members Meeting and eCrime Researchers Summit by Tyler Moore and Richard Clayton:

http://www.apwg.org/events/2008_generalMeeting.html
http://www.ecrimeresearch.org/
http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/

Executive Summary
A. Moore and Clayton are partly right – Every hour a phishingPhishing: The use of emails that appear to be from a legitimate, trusted source that are enticed to trick recipients into entering valid credentials including personal information such as passwords or credit card numbers into a fake platform or service. LookingGlass Cyber (n) - tailoring an attack (such as email) to garner trust and credentials that are then used maliciously. The preverbal digital version of the ol' hook and bait. site is up equates to phished consumers and significant, real-dollar losses. Thus speed of both detection and takedown are critical.
B. Superior speed and capability takes massive investment in people, technology and systems, and that must produce an ROI or companies will stop making the investment.
C. Sharing the results of that investment would reward those who can’t perform on the dime of those who can
D. This disincentive will push the competent to exit the market and spend their capital and expertise on other products
E. This will rapidly result in poorer detection, few choices and longer takedown times when the banks have only the least competent vendors remaining to choose from
F. There are other less critical flaws in the proposal which are noted as well

Full Brief
I read with interest the presentation entitled “The consequence of non-cooperation in the fight against phishing” by Tyler Moore and Richard Clayton. The basic premise of their argument is that all “phishing takedown vendors” should be forced by the banks who are their clients to share phishing URLs immediately upon detection, ensuring the earliest possible initiation of takedown by a given bank’s vendor. I commend Messrs. Moore and Clayton for elucidating with their model that time is the critical matter in the detection and takedown of phishing sites. This is illustrated in a conceptually-similar model we ourselves have developed here at Cyveillance (see graphic below). It too shows that every hour a phishing site is live equates to real customers phished and real-dollar impact.

phish_life_cycle

However, if this model is true, then the market should reward superior performance and encourage investment in it, not mandate a process that would quickly lead to a decrease in available service and the voluntary exit from the industry by all but the least competent players. Consider the following argument:


1. Lifespan time, not just takedown time, is the driver of dollars lost

First, it should be noted that the critical metric is the total lifespan of a phish from launch to takedown, not just from detection to takedown. As shown in the curve above, the financial impact is minimized by reducing both the time-to-detect and the time from detection to takedown.

2. Timely detection requires investment
While Cyveillance was not one of the two vendors profiled in Moore and Clayton’s analysis, I am sure our peers face the same challenges we do in solving this problem. In order to detect phishing attacks in the shortest possible time, Cyveillance has systems that identify thousands of unique phish each day by examining content from billions of multilingual spamSPAM: Email or postings containing irrelevant, inappropriate or indiscriminate messages sent to a large number of recipients. LookingGlass Cyber (n) - tons and tons of emails sent out with no relevance to anyone, or anything. messages, a global array of honeypots, hundreds of thousands of new domainDomain: A specified location where a set of activity or knowledge exists. For instance, an Internet domain is synonymous with a website address or URL where information can be made available. LookingGlass Cyber (n) - A fancy name for a URL or website. registrations, and all our customers “abuse” messages on a minute-by-minute basis. In the ever more critical quest for detection speed, Cyveillance has even developed a patented system that offers pre-attack intelligence before the phishing email is ever sent, allowing takedown to begin literally the minute the fake page is created.

According to hard data from customers who have objectively tested multiple vendors in “bake off” competitions, these investments have led to detection that often runs four to eight hours faster than other methods, and this is before takedown is even initiated. Thus, if all takedowns were of equal length and equal cost, superior detection performance can still provide significant hard-dollar savings. This performance gap came only at the cost of many millions of dollars in investment, and Phishing evolves so fast that only constant, continued investment will enable vendors to keep pace with the criminals.

3. Faster takedown requires investment too
In reality, all takedowns are not created equal, nor are takedown vendors. Streamlined, 24×7 response and effective takedown processes require the hiring and training of expert, multi-lingual staff, development and continuous refinement of operating procedures, refined processes and building relationships with ISPs, CERTs, registrars, registries, hosting providers, search engine providers and law enforcement all over the world. This too takes huge amounts of capital. Here again, criminal innovations such as fast-flux and rockphish (or soon Pharming) attacks demand the constant evolution of processes and systems, as well as ever more skilled, experienced and talented (read as “higher-cost”) staff.

4. Disincenting Performance
The model that Moore and Clayton propose essentially suggests that those vendors who have invested millions of dollars and years of effort into the most innovative, competitive, effective and successful products should take the results of those efforts (and therefore the business value and pricing power earned by those investments) and give them, free of charge, to their feebler competitors. Under such a model, what possible motive would our company have to continue investing in providing superior performance?

As an Executive Team, our responsibility is to allocate scarce resources, and we have a fiduciary responsibility to our investors to maximize the return on the capital with which they have entrusted us. What Moore and Clayton’s model would do, if implemented, is drive the capable, the flexible and the competent out of the market. In very short order, by trying to “force cooperation” this proposal will actually eliminate the healthy competition that pushes performance ever upward, and leave banks with only the worst performers to choose from. Certainly our systems, people, domain expertise and capital can easily be applied to other services instead, ones where we can compete fairly, charge a fair price and generate profits.

Though the word is sometimes maligned, it is only profit that allows us to continue to exist, to serve our customers, and even to “give back” to the industry and the community. We are not opposed to sharing data where it is beneficial, or even to giving it away for free where we choose to do so. Cyveillance does leverage its multi-million dollar platform for shared benefit in many areas, e.g. in providing data and analysis services pro bono to the National Center for Missing and Exploited Children. We do this voluntarily because it is a cause we believe in, but any proposal that mandates giving away value robs every vendor of the profits necessary for them to continue to both provide valuable services and support philanthropic or charitable endeavors.

5. A final note – Other flaws in the argument
While less critical, I find other flaws in the proposal as well. First, no matter how automated, vendors have to invest some level of time and resources in detecting and delivering phish against a specific target or range of targets. For example, if I am vendor A and I have been contracted by XYZ bank but not ABC bank, why would I devote resources to isolating phish against ABC bank? Who will bear each vendor’s costs of detecting phish for banks that are not paying them? Surely Messrs. Moore and Clayton do not suggest the industry should mandate that all vendors find and deliver phish against all banks as a charity initiative?

Second, on a related note, it should be evident that as a group, “the banks” have neither reason nor leverage to make the proposed demand for cooperation. With very rare exceptions, each bank has decided on a single vendor. What incentive would XYZ bank (my client) have to demand that I share my data with another vendor they don’t use? Similarly, what leverage does ABC bank (not my client) have to demand I share my data with the vendor they do use? I don’t work for them.

Finally, Moore and Clayton hold up the anti-virus industry as a model where sharing among all the vendors works to everyone’s benefit. There are two flaws with this argument. First, A/V companies do have a mutual benefit from sharing. They know that every competitor collects and analyzes lots and lots of virusVirus: A hidden, self-replicating piece of code written to have a detrimental effect that is designed to become a part of another program. LookingGlass Cyber (n) - it’s when your computer catches a cold and it may or may not make it. before they do. Everyone has huge holes in coverage and analysis bandwidth, so they all could, in theory, benefit from pooling their knowledge. The phishing space is much more narrowly and clearly defined, and the weaker vendors have essentially nothing to offer the stronger ones. Thus, there is no incentive (barring Moore and Clayton’s proposed external demand) for any competent vendor to participate in the data sharing. Only the weak players could love this idea.

Second and just as important, the hard data is that the A/V industry model, which they hold up as an example, isn’t actually working worth a hoot. Despite the supposed pooling of information about viruses and malicious binaries across the industry, you can run any 100 pieces of malware through virustotal.com and you will see wildly different detection capabilities across dozens of “brand name” A/V engines. (We’ve already done a much larger study on this point, and the results are appalling. You can learn more on the subject here: /malware/how-protected-are-we-really-against-malware )

Conclusion
In closing, it seems that, although their notion of time-is-critical is absolutely correct, the solution is NOT forced exposure of valuable data developed at enormous cost, skill and investment. It is to let the banks demand ever faster and more successful solutions of their vendors, with performance rewarded by patronage and profits, and non-performance rewarded with extinction.

Cyveillance offers SLAs on detection timeliness, accuracy and takedown times, by which we are rewarded for performance and penalized for non-performance. This is the right approach. Forced sharing of data would reward those who can’t make those guarantees with a free ride on the coattails of those who have spent millions so that they can.

Additional Posts

Deadline approaching for comments on the new ICANN gTLD proposed Application Guidebook

There are only a few days left to make a difference regarding the future of online corporate ...

Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads

There has been no shortage of press regarding malware on the Internet over the past several months. ...