Fox-IT's Driehuis on Why Attribution MattersCriminals Behind Dridex, Other Malware Are Often Connected
Attributing cybercrime to specific cybercriminals is becoming increasingly critical, says Eward Driehuis of cybersecurity and threat intelligence firm Fox-IT. Using the elusive Dridex campaign as an example, Driehuis explains how and why most malware attacks and the cybercriminals behind them are connected, making it essential for law enforcement and cybersecurity professionals to closely trace attackers' steps.
See Also: Threat Briefing: Ransomware
In this video interview at Information Security Media Group's recent Fraud Summit in Toronto, Driehuis explains why security researchers are focusing more attention on the actors behind malware.
Tracing attackers' methods has proven more advantageous, long-term, than tracking the malware itself, Driehuis contends. That's because attackers often change tools but not behavior.
"They will change malware; they will change the Web injects and so on; they will even change parts of their supply chain, including how they mule the money," he says. "But, in essence, they are often one-trick ponies; they operate in a certain way, so understanding who they are, the attribution, will also tell you how they will do it."
In the recent Dridex takedown, which, according to threat researchers at IBM and security firm Proofpoint, appears to have been short-lived, Driehuis says the focus was more on the actors, not the malware (see Inside the Dridex Malware Takedown).
"We've been tracking these guys for almost five years," Driehuis says. They have links to other banking Trojans, such as peer-to-peer, Gameover, Zeus and Dyre, he adds.
"We go as far as to provide the link analysis between the criminal groups that you need to have in order to understand who they're dealing with, who is in their criminal supply chain, who their partners are, who their suppliers are and who their customers are," Driehuis says. "We go as far as their persona or their nicknames. We track those links, those relationships between the criminals, and that's, of course, where law enforcement can go further."
Both IBM and Proofpoint claim they've confirmed that within 48 hours of global law enforcement agencies' takedown of Dridex on Oct. 13, a new variant of the malware had already been detected in the wild. Kevin Epstein, vice president of threat operations at Proofpoint, says it's not clear that Dridex "ever left." And Limor Kessem, a senior cybersecurity evangelist within IBM Security Systems, says Dridex has "resurrected."
During this interview, Driehuis also discusses:
- How Fox-IT and other companies are working with the Financial Services Information Sharing and Analysis Center to streamline threat intelligence and information sharing;
- The evolution of cyber-attacks; and
- Why tracking attackers' workflow has proved successful for law enforcement and others.
Driehuis is the director of the product management and marketing at Fox-IT, where he works with financial institutions, e-commerce companies and other corporate enterprises in the U.S., Europe, the Middle East, Asia and Australia. Before joining Fox-IT, Driehuis spent 18 years working as a chief technology officer and business director for various companies.