Fox-IT's Driehuis on Why Attribution Matters

Criminals Behind Dridex, Other Malware Are Often Connected
Eward Driehuis of Fox-IT

Attributing cybercrime to specific cybercriminals is becoming increasingly critical, says Eward Driehuis of cybersecurity and threat intelligence firm Fox-IT. Using the elusive Dridex campaign as an example, Driehuis explains how and why most malware attacks and the cybercriminals behind them are connected, making it essential for law enforcement and cybersecurity professionals to closely trace attackers' steps.

In this video interview at Information Security Media Group's recent Fraud Summit in Toronto, Driehuis explains why security researchers are focusing more attention on the actors behind malware.

Tracing attackers' methods has proven more advantageous, long-term, than tracking the malware itself, Driehuis contends. That's because attackers often change tools but not behavior.

"They will change malware; they will change the Web injects and so on; they will even change parts of their supply chain, including how they mule the money," he says. "But, in essence, they are often one-trick ponies; they operate in a certain way, so understanding who they are, the attribution, will also tell you how they will do it."

In the recent Dridex takedown, which, according to threat researchers at IBM and security firm Proofpoint, appears to have been short-lived, Driehuis says the focus was more on the actors, not the malware (see Inside the Dridex Malware Takedown).

"We've been tracking these guys for almost five years," Driehuis says. They have links to other banking Trojans, such as peer-to-peer Gameover Zeus and Dyre, he adds.

"We go as far as to provide the link analysis between the criminal groups that you need to have in order to understand who they're dealing with, who is in their criminal supply chain, who their partners are, who their suppliers are and who their customers are," Driehuis says. "We go as far as their persona or their nicknames. We track those links, those relationships between the criminals, and that's, of course, where law enforcement can go further."

Both IBM and Proofpoint claim they've confirmed that within 48 hours of global law enforcement agencies' takedown of Dridex on Oct. 13, a new variant of the malware had already been detected in the wild. Kevin Epstein, vice president of threat operations at Proofpoint, says it's not clear that Dridex "ever left." And Limor Kessem, a senior cybersecurity evangelist within IBM Security Systems, says Dridex has "resurrected."

During this interview, Driehuis also discusses:

  • How Fox-IT and other companies are working with the Financial Services Information Sharing and Analysis Center to streamline threat intelligence and information sharing;
  • The evolution of cyber-attacks; and
  • Why tracking attackers' workflow has proved successful for law enforcement and others.

Driehuis is director of product management and marketing at Fox-IT, where he works with financial institutions, e-commerce companies and other corporate enterprises in the U.S., Europe, the Middle East, Asia and Australia. Before joining Fox-IT, Driehuis spent 18 years working as a chief technology officer and business director for various companies.


About the Author

Tracy Kitten
Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.