April 25, 2024
As we highlighted in our recent blog on Cybercriminal Law Enforcement Crackdowns in 2021, this year has been a busy one in terms of security services disrupting the cybercriminal underground, with dark web marketplaces taken down, malware operators arrested, and major ransomware groups disrupted. These activities got us thinking about how cybercriminals view the possibility of law enforcement operations, which are an ever-present shadow hanging over any threat actor conducting malicious activity. How worried are cybercriminals about the prospect of being arrested? Does it deter threat actors from committing cybercriminal acts, or do the potential lucrative payouts outweigh the perceived risks? We visited a few cybercriminal forums to gather clues and report on the cybercriminal perspective on arrest, prosecution, and incarceration.
Personal OPSEC
The ever-increasing number of threads on cybercriminal forums discussing operational security (OPSEC) practices suggests that avoiding detection by law enforcement is a subject at the forefront of many threat actors’ minds. Of course, the best way to evade arrest is to not be suspected in the first place. Regardless of their language community, forum users are constantly chatting about ways to stay anonymous and sharing recommendations for the best techniques to avoid their real-life identities being linked to their online activity. We observed numerous threads discussing aspects of operational security, ranging from which Jabber servers are the best to virtual and physical practices for securing data. Such threads generate a good deal of debate, and discussion frequently becomes heated and absolutist.
For instance, one common topic of discussion is hard drive encryption or erasure. One forum user remarked that without proper measures, law enforcement “will find whatever takes their fancy.” Another said, “Also, at the moment, there are opportunities and mechanisms available that make it possible to deny the presence of encrypted data plausibly.” While many forum members expressed confidence that such measures would be enough to avoid ending up on law enforcement’s radar, others were not so sure. One user quipped, “if it were all as simple as that, then major [cybercrime] cases would never be solved.”
Taking Care When Working With Others
The risks of working with others also came up frequently. One typical post read, “you can’t have friends on the darknet.” It continued: “restrict communication to work,” and warned: “You’ve got to understand that the majority [of people on the dark web] will sell you out.” Yet, we also found comments from users claiming they had made friends on cybercriminal forums. It’s a catch-22 situation: You can’t develop a solid cybercriminal career without working with others, but collaboration threatens this career if your counterpart isn’t as meticulous as you. Added to this is the risk that once an associate has been captured, they could try to save their skin by informing law enforcement on others. One user noted, “don’t think that you’re too smart [to get caught], if serious players have already given you up, then it’s too late for VPNs and passwords.” The saying “a chain is only as strong as its weakest link” comes to mind…
Erasing the Past
While we may worry about new friends stumbling upon embarrassing pictures of us on social media captured during our formative years, cybercriminals have to worry about what they did when first starting out. Mistakes made in the early days of a cybercriminal career are hard—or, in some cases, impossible—to amend. Many a threat actor’s downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse’s email address, forgetting to mask their IP, or letting their real name and address slip. And once you realize your mistake, it might be too late. We previously blogged on cybercriminals’ frequent inability to delete old forum accounts containing potentially incriminating evidence. We even saw one thread in which a user requested that their account be deleted because they had been arrested.
Selective Choice of Victims
One often-quoted tenet of the Russian-speaking cybercriminal community is that law enforcement will leave you alone if you do not target victims in former Soviet Union nations. For instance, one forum user said: “If you’re working on the Russian Federation, then [law enforcement will] hunt you down, but if you’re working on the EU or the US, then nothing will happen, no one will care.”
While the involvement of Ukrainian police in the recent takedown of Emotet by Dutch law enforcement and international partners suggests that this rule may not be foolproof, the popularity of this view on cybercriminal forums is telling. This leads us to another aspect threat actors have to worry about: foreign travel.
Avoiding Foreign Travel
I’m betting that you’ve spent a fair bit of time daydreaming about your next holiday destination once the world returns to “normal.” The sky’s the limit for us, but cybercriminals may only want to go as far as the border. The advice “a Russian resort is better than a US prison” is frequently touted on forums to dissuade threat actors from traveling abroad. Many in the Russian-language cybercriminal scene understand that while their governments might leave them alone, they would not be so lucky when venturing abroad. One user commented: “[these hackers] live peacefully in Russia, decided to go on holiday abroad – and that’s it, they don’t even make it out of the airport without the cuffs on.” Perhaps the cybersecurity adage of “Hackers only need to get it right once; we need to get it right every time” works both ways—just one momentary slip up in any part of a threat actor’s life can haunt them forever.
So how do cybercriminals rate their chances of being let go once there’s a target on their back? Well, there is little chatter about being arrested in the English-language scene due to English-language forums’ fickle reputation—English-language platforms are frequently disrupted or taken down by law enforcement. In addition to this, there are numerous allegations of English-language forums and marketplaces becoming law enforcement honey pots. It’s a less trusting environment than Russian-language forums, on which users talk more freely about law enforcement practices, sharing anecdotes of arrests and incarceration.
Most cybercriminals doubt they could wriggle out of detention once the cops are at the door. One user wrote that “[putting] bars on your windows and doors” would give cybercriminals “more security than dual VPNs, TORs, etc.” Threat actors also frequently refer to the “human factor”: no matter how good password and encryption practices are, the police will access cybercriminals’ information “sooner or later.” Some commenters on Russian-language forums held that law enforcement would “stop at nothing” to get information, even sharing graphic anecdotes about police torture. Many posts asserted that cybercriminals, unlike other types of law-breakers, would not be able to withstand physical punishment. One user alleged that the police would “catch you,” then “‘treat’ you with a stun gun and spell out what’s in store for you […] if you don’t give up all your passwords.” They concluded, “like a nice dear you’ll give them up.”
Other users disagreed, saying that while the police may threaten violence, such threats were empty and that “only an idiot would fall for the cops’ bluff.” Some refuted the idea that law enforcement in the former Soviet Union would even threaten violence to get past encryption, saying that the police aren’t interested in such crimes as long as there’s no “public threat to life.” One remarked, “people don’t get tortured for having unlicensed Windows on a disk in their wardrobe.” Despite the lack of agreement on this issue, the possibility of violence from police following arrest is a clear worry for many cybercriminals.
So, poor OPSEC has led to a cybercriminal’s arrest and detention. The cops have all their computers… What happens next?
Some in the cybercriminal community are pretty bullish about the prospect of actually being convicted of any crime. For instance, we found one comment claiming that if any dark web site were compromised, this would only provide law enforcement “the [mere] prospect of identifying entities and facts concerning illegal activities; in fact, little can be used in court even if you post about the sale of malware, installs, etc., there can be no proof that it was really you who wrote them.”
Whatever the merit of this view, for many cybercriminals who await trial, the legislation simply hasn’t caught up with the nature of the crimes they’ve committed. Conviction rates for cybercrime in Russia have fallen in recent years. Even in Western countries like the US, it’s notoriously challenging to convict cybercriminals compared to, say, those accused of offline theft or drug dealing. The burden of proof may be much higher, and the specifics of the crime are often too complex for members of the courts to understand, particularly if they don’t have a background in cybersecurity.
We also found many comments from Russian-speaking cybercriminals who took great comfort in the belief that law enforcement and the courts could be corrupted. Many users spoke about needing to save funds to bribe the right individuals and provided anecdotes of personal experiences of evading prosecution by paying people off. The value of a “motivated and trusted” lawyer is recognized throughout the cybercriminal community, and was seen as even more critical in countries where the courts may be more susceptible to financial influence. As one user put it, “a good lawyer knows the law, a better one knows the judge.” For all the talk of bulletproof OPSEC practices and blasé attitudes towards the police and the courts, cybercriminals can never ignore the possibility of arrest. Otherwise, they can look forward to, as one user put it, “housing and three meals a day” at the government’s expense.
Despite confidence in bribing law enforcement and the appallingly low conviction rates worldwide, threat actors continue to actively discuss ways to avoid detection, dissecting where convicted threat actors went wrong, and sharing post-arrest experiences. This constant chatter suggests that the threat of prosecution is very real in the minds of cybercriminals.
This debate shows us that, like the organizations they target, cybercriminals must always have one eye on their security practices. There are so many things for them to worry about and ways they can slip up. It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them. Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to get access to their assets. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.