Cyber-Criminal OPSEC – a Three-Part Series. Part III: TTTP

Posted on 15 June 2012 by


In Part I of this three-part series, we discussed the most basic of attribution methods, IP address analysis. In Part II, we talked about computer environmentals, and how it’s possible to build a device fingerprint based on what the user presents when they show up to a web server and ask for something and how they respond to additional requests for information. In this Part III, we’ll talk about how one stops handing over information.

NB: This is a basic primer. By this I mean that information security professionals and experienced investigators won’t learn any new concepts or strategies here (but if I have screwed anything up, or omitted anything, please let me know). What this also means is that if you are in law enforcement, are a prosecutor or intelligence analyst looking at OSINT or cyber crime, and you do learn any new concepts here, it is a primary indication that you, your agency and your prosecutor’s office are in immediate need of training. That’s not to make you feel bad; in fact it’s great to know! We’ll even help you get the training you need! Note also that the reverse is not guaranteed: learning nothing new here does not mean you are fully trained, because this series by no means covers all the areas in which one should be fundamentally knowledgeable in order to have a good grasp of the issues of cyber criminal tools, tactics, techniques and procedures (TTTP).

If you are a legislator, and you have spoken about the need to overhaul cybercrime legislation publicly in the past, and you learn any new concepts here, you need to seriously shut the heck up right now.


I like the movie The Departed (not least because it’s one of the few films in which the word “cop” was extended to its full, Bostonian, three-syllable length and includes the often-silent “w”). At the end of the film, we witness a murder committed by a state police officer, Sergeant Dignam.

Because Dignam is familiar with forensics and procedures, we notice (it’s not spoken about) that he has taken some precautions. As he commits the crime, he is wearing a surgical hair cap, booties, latex gloves and other protective clothing – he is anonymizing himself and denying investigators evidence of his presence in the room. After firing his gun, he polices his brass and takes it with him.

Yes, of course, with murders, there’s one hell of a lot of stuff to think about. We’ve all seen and read and experienced that, with a little trace evidence, the Fuzz can tell you what the murderer had for Tuesday lunch, but in a murder investigation, the stakes are high.

Not so much with the cyber crime.

In fact, with a little planning and a little discipline, making it very difficult to trace whodunnit – that is, to establish attribution – is kind of easy. It also doesn’t cost a lot – in fact, it’s free.

With some understanding of what kind of data gets you caught, the utility cyber-criminal routinely takes steps to avoid publishing that data. And make no mistake, cyber criminals are taking note.

Start Taking Cyber Criminals Seriously
If you think that cyber criminals are surly teenagers in their parents’ house, think again: Organised Crime in the Digital Age, a recent study commissioned by BAE Systems Detica and The John Grieve Centre for Policing and Community Safety, argues that 80% of all digital crime committed now originates from organised digital crime groups. Their key findings included:

  • More organized digital crime members are over 35 years of age than are under 25 years of age.
  • Half of groups comprise six individuals or more, with one quarter comprising 11 or more; however, group size does not correlate with the impact or scope of offending – in the digital era, a small number can inflict large damage.
  • 25 percent of active groups have operated for less than six months.

This confirms what we have seen for some time, that cyber criminals are largely organized, largely older and largely experienced.

In other words, the kind of people who, if they knew that there were hair caps and booties available for their computers, they’d get them.

In this post we’re describing the tools, techniques, tactics and procedures (TTTP) of cyber criminals, whether they’re out to steal information, money, or merely to cause trouble.

It is not exhaustive. It is merely here to give investigators a sense of what is possible. It’s also being written to give prosecutors an idea of the kinds of things that people are doing.

IP Address and Browser
The first thing that everyone in the criminal justice system looks for is the IP address. Prosecutors and police administrators have a Pavlovian response to cyber crime reports, which is to ask, “And have you traced the IP address back to that person’s location?”

Projects like TOR and the TOR Browser Bundle mean that the answer to that question is, increasingly, “No.”

TOR and Other Anonymizing Services
The name TOR stands for “The Onion Router” and essentially it distributes traffic in a manner that buries requests in layer upon layer of both security and obscurity. It routes traffic through a range of randomly selected relays, breaking up your traffic and stripping it of identifying elements in such a manner that it is very difficult to track back to where the traffic originated.

TOR hidden services actually allow one to host a website in a similarly obscured manner, making locating the host server very hard.
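To show, from the investigator's side, why the IP address stops answering the prosecutor's question once TOR is in play, here is an added triage script (not part of the original post) that parses web-server log lines and flags hits whose source is a known TOR exit relay, so those records are not sent off for pointless IP tracing. The log lines and the exit-node set are constructed placeholders; a real deployment would load the exit-address list the Tor Project publishes.

```python
import re
from ipaddress import ip_address

# Constructed sample of Apache "combined" log lines (placeholder addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2012:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2012:10:01:09 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
not-an-ip - - [15/Jun/2012:10:02:30 +0000] "GET /admin HTTP/1.1" 403 64 "-" "curl/7.22.0"
192.0.2.44 - - [15/Jun/2012:10:03:11 +0000] "GET /admin HTTP/1.1" 403 64 "-" "curl/7.22.0"
"""

# Constructed placeholder set; in practice load the published TOR exit-address
# list and refresh it regularly, since relays come and go.
TOR_EXITS = {"198.51.100.23", "192.0.2.44"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def classify_source(ip_text, exits=TOR_EXITS):
    """Return 'malformed', 'tor-exit' or 'direct' for one source field."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return "malformed"          # garbage in the client field: never trust it
    if str(ip) in exits:
        return "tor-exit"           # the IP belongs to the relay, not the user
    return "direct"

def triage(log_text, exits=TOR_EXITS):
    """Parse each log line and attach an attribution verdict to the record."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not combined-format
        rec = m.groupdict()
        rec["source"] = classify_source(rec["ip"], exits)
        # Only a well-formed, non-relay source is worth IP subpoena effort.
        rec["ip_attributable"] = rec["source"] == "direct"
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["ip"]:>15}  {r["source"]:<9}  {r["status"]}  {r["req"]}')
```

A "tor-exit" verdict does not mean the hit is dead; it means the trail has to come from the other evidence Parts I and II covered, not from the IP.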

You get the tool by going to the site and downloading the browser bundle. It’s platform independent:

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

You Need To Use TOR, Too
Far from a criminal enterprise, TOR began as a US Naval Research Project to provide a secure method of seeking information and interactivity without revealing information about the person initiating the communication with a web resource.

According to TOR, the Navy and other government personnel still use the service to conduct OSINT research, and so do we.

So should you: if you’re doing OSINT research on gangs or criminals; if you’re doing social media lookups; or especially if you’re going to criminal or suspect websites or communicating with them, you absolutely should be anonymizing your traffic so that they cannot figure out who you are, which could endanger your operation and even affect officer safety.

Oh! It’s You! Let’s up the Price
So yes, criminals use TOR and other anonymization tools as one easy method to cover their tracks. But before you dust off the penal code entry under “criminal instrument”, have a lookie here: there are many, many legitimate reasons why one would wish to anonymize – from operational security in research to allowing democracy organizers and victims of crime to freely communicate and discuss issues of interest.

Here’s another thing: if you’ve ever bought tickets online at something like Travelocity or Hotwire, go back there and log in, and search for an airline ticket to someplace, like LA or Paris. Note the prices.

Now clear your cookies, wipe your Internet history, restart your browser and go back and look at the same ticket.

Did the price change? It went down, didn’t it?

That’s just one of the zillions of reasons you want to anonymize your traffic: when people know you, they can make decisions about and for you, and you may not like all of them.

Other Anonymizing Services
Since the dawn of the World Wide Web, people and groups have been concerned about privacy, and there is a range of anonymizing services out there for those so inclined. Many of the commercial services will cooperate with law enforcement, so criminals using Anonymizer may be in for an unpleasant surprise (should an enterprising flatfoot ever trouble to trace back the traffic – and they often don’t bother).

But firms outside the US, like MetroPipe are harder to deal with unless you have some serious resources. And then, of course, there are others: KProxy, Proxify, Anonymouse – the list goes on and on.

There are also a lot of other ways to do this: shell accounts, anonymizing proxies, VPNs and other services abound, though things get more complex and you’ll need a little bit of tech-fu to get it going.

Riseup is an organization that provides re-mailing and now some limited web anonymization services, targeting “activists”; in the past, this has fallen foul of the FBI, but again, there is an undeniable dual-purpose nature to this that makes it problematic to shut down sites like this permanently.

Have a look here for a reasonably good overview of the kinds of things you can expect to find out there, and some starting points on where to find them.

Another cyber 101 is BackTrack Linux. We’ve written about this before, and if you didn’t look it up then, you should do it now. This is the mother lode of free tools, and it – like TOR and most other tools we will talk about – is dual-purpose. Dave and I use BackTrack and tools like it to learn about exploits and hacking tools, and security researchers use it frequently.

So do criminals.

BackTrack is a Linux distribution which contains the tools one will need to conduct security audits. This means that built inside this free and freely-downloadable disk are tools to perform reconnaissance, assess vulnerabilities in computer networks and computers, the attacks to exploit the vulnerabilities you find, crack passwords, break wireless protocols and eavesdrop on traffic, become resident on someone’s computer network and exfiltrate – steal – data, and a whole lot more all while covering your tracks.

If you have not played with this kind of stuff, you should go to Best Buy today, get yourself a cheap laptop, download BackTrack and start playing with it (on your own network, of course – don’t, like, attack anyone. Seriously).

There have been several attempts to create digital currencies which are not traceable, and again, these have dual-purposes. If you’ve ever bought something online you’d be embarrassed to have others know about, or if you’ve ever bought anything in cash in the real world so that the purchase didn’t appear on your credit card, you know yourself that there are myriad reasons why you might legitimately and legally wish to do so.

In the digital world, among recent (and flawed, but useful) hopes for such an ability is BitCoin.

Bitcoin is an experimental new digital currency that enables instant payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer technology to operate with no central authority: managing transactions and issuing money are carried out collectively by the network.

The FBI twazzed out a bit at the advent of BitCoin, stating that they believe the current size of the BitCoin economy ranges from $35-44 million.

Criminals can use BitCoin and other digital currencies to buy tools to assist them with cyber crimes, such as purchasing stolen credit cards and account information, making tracing these transactions very difficult.

Tactics and Techniques
As my dad used to continually remind me, it’s not about the equipment, it’s about how you use it. I know a photographer who can take a better portrait with an iPhone than I can with my top-of-the-line Nikon, so I know that’s true.

The trick, then, is to use the tools properly. Much of this gets into some stuff that we will discuss privately, but it’s not rocket science. In fact, if we are talking about criminal cyber TTTP, they need only follow three easy steps to become very difficult to find.

1. Always anonymize. Always. This rule is very important, because while web information sessions take place quickly, logs are forever. It only takes one slip up to leave a trail right to your front door.

2. Proffer the Smallest Surface Possible. This speaks to the environmentals I spoke of in Part II: you want to use a disposable computer, preferably one that boots from read-only media, that gives away as little of you as possible, and stores as little as possible that might be used against you forensically.

3. Change Countries. Often. Take advantage of the lack of coordination among the more than 250 countries connected to the Internet when it comes to cyber crime legislation, and bounce your traffic, take your payments and target your victims in different countries, to make prosecution difficult, time consuming and above all, expensive. Sure, it fails sometimes. But often, it succeeds.

Fighting Cyber Crime
These above, and those covered in Part I and Part II, are the issues that prosecutors and law enforcement officers must face when they think about taking on cyber criminals.

Note that none of these issues has anything to do with the length of prison sentences, or any other hogwash that frequently gets raised by blowhard politicians when they talk about getting “tough” on cybercrime.

To win this fight, we need to fight the fight that we’re in – not the fight that the press-secretary of that blowhard thinks he can boil down into a soundbite to make the congressman sound tougher.

You ready to fight?