
Why Is it so Hard to Arrest Hackers?

Cyber crimes and cyberattacks have been generating a lot of media attention. MVB Christopher Lamb explains why it's so hard to catch cyber criminals.

By Christopher Lamb · Mar. 23, 17 · Security Zone · Opinion

So recently I was chatting with an acquaintance of mine, and he asked me about recent hacking allegations and why we never see anybody arrested for cyber crime.

Well, first, we do see arrests, though they're not usually widely publicized in mass media, and we don't see enough of them. But people do get caught.

But really, why so few? Well, honestly, because it's really hard to prove that cyber crimes are committed by specific individuals, despite all the allegations you'll see in the press, especially recently. And I mean prove - with evidence that will hold in a justice system.

There are a few reasons for this. First, it's really hard to track careful criminals down. Second, even if you have malware samples, it's pretty easy for attackers to have sanitized them. And it's easy to plant false flags if you're savvy. Finally, finding the appropriate evidence is difficult as well, not least because of jurisdictional problems.

Tracking determined cyberattackers down is hard, and it takes time. Many attackers use stolen infrastructure, and they will frequently camouflage access through yet other compromised systems in difficult-to-access countries. This leaves a trail of systems that needs to be traversed in order to find the originating system. And these trails will change frequently, or involve Tor.

Malware samples usually don't have much in them of value, unless you've been able to acquire the cyberattacker's workstation. Actually compiled payload code, or macros in MS Word documents, can be effectively sterilized, so it contains no identifying traces. Now, it's difficult to remove all stylistic traces, so it's best to use industry standard conventions in your code, not things that can be used for later sample correlation if you're an attacker. But even when engineers do use odd tricks, that really only gives analysts a way to show that selected payloads come from the same author, not that a specific author is a specific person.

False flags are easy to plant in malware as well. When do command and control systems operate? When are manual intrusions attempted? What kinds of variable names are used, and what kinds of characters? Are there characters from a specific alphabet? These kinds of tricks can all be used to lead analysts to the true authors, but they can be forged too.
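To make the two signals above concrete, here is an added analyst-side example (not code from the original article): it scores constructed command-and-control check-in timestamps against an assumed 09:00-18:00 working day for every UTC offset, and tallies which alphabets appear in strings pulled from a sample. Both inputs are entirely under the malware author's control, which is exactly why the result is a lead, not proof.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import unicodedata

# Constructed sample data: UTC times of C2 check-ins observed over three days,
# and a few strings recovered from a payload. Neither comes from a real case.
C2_CHECKINS = [
    "2017-03-20T01:12:00Z", "2017-03-20T02:40:00Z", "2017-03-20T04:05:00Z",
    "2017-03-20T06:30:00Z", "2017-03-20T08:55:00Z", "2017-03-21T01:30:00Z",
    "2017-03-21T03:15:00Z", "2017-03-21T05:45:00Z", "2017-03-21T07:20:00Z",
    "2017-03-21T09:10:00Z", "2017-03-22T02:00:00Z", "2017-03-22T18:00:00Z",
]
SAMPLE_STRINGS = ["GetProcAddress", "пароль", "config.dat"]

WORK_START, WORK_END = 9, 18  # assumed local "office hours" window


def workday_fit(utc_stamps, offsets=range(-12, 15)):
    """For each candidate UTC offset, compute the fraction of check-ins that
    land inside the working-day window when viewed in that local time.
    Returns (best_offset, fraction). A high fraction hints at the operator's
    time zone; it says nothing about who chose those hours or why."""
    times = [
        datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for s in utc_stamps
    ]
    scores = {}
    for off in offsets:
        local_hours = [(t + timedelta(hours=off)).hour for t in times]
        inside = sum(WORK_START <= h < WORK_END for h in local_hours)
        scores[off] = inside / len(times)
    best = max(scores, key=scores.get)
    return best, scores[best]


def unicode_scripts(strings):
    """Count alphabetic characters per Unicode script (LATIN, CYRILLIC, CJK,
    ...) using the first word of each character's Unicode name. Non-Latin
    identifiers or strings are a classic 'signal', and a trivially forged one."""
    counts = Counter()
    for s in strings:
        for ch in s:
            if ch.isalpha():
                counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


if __name__ == "__main__":
    print("best-fitting UTC offset:", workday_fit(C2_CHECKINS))
    print("scripts seen in strings:", dict(unicode_scripts(SAMPLE_STRINGS)))
```

Shifting every check-in by a constant, or renaming a few variables, moves both answers at no cost to the author, which is the article's point about forged flags.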

Extracting evidence from computer systems is a well-defined and refined field. But you need to get your hands on the system first, and the system needs to have something compelling to link malware or command and control to that particular system. Both of these can be difficult problems, especially when dealing with criminals in other countries, or countries that don't have particularly strong relationships with the one you're in if you're an analyst.

Really, like many cases in the outside world, criminals are eventually caught because they are careless. They provide a trail from cybercrime forums to domain names, then to identifying information, for example. Or they brag about a campaign. It just takes time - though sometimes it seems like too much.


Opinions expressed by DZone contributors are their own.